We have a small website with API connected using AJAX.
We do not ask for usernames and passwords or any authentication like firebase auth.
So it's like open service and we want to avoid the service to be misused.
OAuth 2 is really effective when we ask for credentials to the user.
Can you suggest the security best practice and how it can be implemented in this context using python?
Thanks
Use a firewall
Allow for third-party identity providers if possible
Separate the concept of user identity and user account
Related
I'm going to use FastAPI Users for my application. I saw that it generates JWT tokens to perform verification processes in the application. For example, in order to verify user email address or to request password change. Is it a good idea in terms of security?
JWT is state-less authentication and is so useful if you use backend with multiple frontends (mobile app, website UI and ...)
Its security is also Depends on your implementation.
If you use different secret key than default fast-api tutorial (I saw it on some projects!) and use rational expiration date, its secure enough to handle big projects.
consider you should logout every login sessions of specific user, which is logged-out from one client if you have multiple clients. which means you should implement some kind of black-list JWT.
About verifications, I recommend using two factor verification. I usually use security code send to email or SMS code. It's more secure if you consider this scenario:
A user is logged-in on a device and JWT token is not expired. another user using same device in office and can change password without any second factor security layer. If you have code send to the mobile, its more secure and no one can access it easily!
I am using python flask to develop web services. I want to make web service secure.
Need to consume those from Ajax.
I have tried Okta integration but as it is depends on redirect I couldn't achieve the integration.
I am thinking to go for windows authentication with our org ldap directory.
Getting windows username and password from windows logged in user and authenticating with ldap.
Could anyone please help me how to achieve it or please post the suggestions for better solution.
You won't get the username and password from the Windows client -- being able to grab the logon user's password from a remote web site would be an enormous security nightmare.
Assuming not simply asking the user to supply credentials is a non-negotiable design parameter, you need something that can use the logged on user's token ('I trust this token and it says you are this user ID') instead of trying to validate the user/password directly. Kerberos-based authentication if the Windows boxes are logging into an Active Directory & your app is on the same network. Otherwise you'd need some sort of SSO (I frequently use ADFS, if that's set up for the organisation, via MS Graph) -- what would depend on the specifics of the directories available.
I am building a Python web API where I want to use Azure AD as authentication backend. On certain scenarios the clients needs to authenticate through the API to authorize to certain endpoints. The client itself is not able to authenticate to AD directly, so it needs to do it through the API using raw credentials (username, password). The API will then authenticate the user and receive the AD token and give it to the user.
So in short I am looking for a way to programmatically authenticate a user using username/password and receive the token using Python.
You can find the different authentication flows relevant for an application type and topology in this Azure AD article. The article links to the protocol overview for the authentication flows if you choose to implement.
There is also the ADAL Python auth library for Azure AD which you can use to do these flows.
Based on your scenario, you have a few options. If your client app can authenticate directly with Azure AD, you can take a look at the client credentials flow sample. If your application needs a user to authenticate and can have the user authenticate interactively, you can check out this auth code flow sample. Finally, if you must use the user's credentials to authenticate programmatically(without user interaction) in the app, you can refer to the resource owner password flow, but this is not encouraged as mentioned in the other answer.
What you are describing is the OAuth 2 Resource Owner Password Credentials Grant flow.
Note: using this one is in general a really bad idea and some other flow should be considered instead.
What you are doing here, is sending POST request containing user credentials in clear text directly to the authentication endpoint. Thus bypassing all possible added security that might be put in place.
Also, it will not work when
MFA is enabled for the user
User is federated or a MS account
This flow has no way to handle expired passwords
Consider some other authorization flow if possible, you got e.g.
Authorization code flow
Implicit grant flow
Client credentials flow
Device authentication flow
See this link to help you select which flow to use.
There are multiple mobile apps.
I want people using one app to login with their same login credentials into all other apps.
What is the best approach to implement this?
I'm thinking to create a separate authorization server that will issue tokens/secrets on registering and logins. It will have a validation API that will be used by mobile app servers to validate requests.
There is a protocol for handling this called Central Authentication Service(http://www.jasig.org/cas), or CAS. CAS utilizes OAuth2 protocol to provide a secure way to manage a single sign on procedure -- users have a single login credential that is used via tokens and proxy tickets to authenticate the user across a variety of applications using a single CAS authentication server. This is a procedure the company I work for uses to authenticate users across multiple applications (we use Java with Spring Security and Spring CAS) however this summer we built out a proof of concept with Django and an internal company API in which we implemented CAS procedure with the Django application -- Django authenticated users via the CAS server we run and returned them as valid, authenticated Django users. To do this we used the django-cas middleware and custom backend library which can be found here: https://bitbucket.org/cpcc/django-cas/overview.
CAS is definitely the way to go if you're looking to handle user authentication with a single sign on across multiple applications -- it was the reason CAS was created in the first place. The learning curve with CAS can be a little steep but django-cas does a good enough job making it easy to get set up with CAS in the Django project.
First check if OAuth could be adapted to using this, that would save you a lot of work. Of course all the services and apps would have to talk to some backend network server to sync tokens issued to apps.
Half-secure/maybe-abusable solution: have symmetric cipher encrypted cookie that webpages (and apps?) hold and use it for authorization with different network services (which again have to verify cookie for authorization with authorization service that knows the passphrase used to encrypt the cookie)
I've used approach #2 on internal systems but I am not sure if it is advisable to use it in in the wild - this may pose some security risks.
The authentification method in every application connects to the same webservice for autentification.
I am attempting to utilize Google App Engine as an Authentication Server for a mobile application that runs on android natively. User names and passwords will be stored in GAE and my goal is to be able to both store and verify credentials from the mobile application using GAE. Is this possible? I've looked into OAuth and JSON, but I don't think I have the proper setup for that.
Also, if I'm going about this the wrong way, please point me to the proper path.
If you are interested in having a more API-like implementation in your GAE instance, I would definitely look more into OAuth. But if you are only interested in validating credentials for this one mobile application then you need not go that far.
Fortunately you can call your GAE instance over SSL, that means that you can offload all the business of handshaking and encryption. Then I would simply use either http-basic authentication, or simply send user-id and encrypted password as parameters in the request.
On the iPhone there is a KeyChain for password storing, maybe there is an Android counterpart? Anyway, make sure to store passwords encrypted on the device and in the GAE-datastore. Send the encrypted password when validating credentials. You should never know your user's clear text passwords. That would provide a level of obscurity which I think is enough (definitely so when sent over SSL).
Then you can simply return whether the account credentials are verified or not.
If by "storign credentials" you mean storing username and password, then I imagine you are going about this the wrong way. Whether you are talking about OAuth or OpenID, the idea is that you never see or have access to the password (and perhaps not username either) of the delegated authentication mechanism. Instead you receive an authentication or authorization token to do your work (and in the case of OpeniD, some meta information about the person like first / last name and e-mail address).
By the way, have you considered a 3rd party, such as Janrain?