I am using python flask to develop web services. I want to make web service secure.
Need to consume those from Ajax.
I have tried Okta integration but as it is depends on redirect I couldn't achieve the integration.
I am thinking to go for windows authentication with our org ldap directory.
Getting windows username and password from windows logged in user and authenticating with ldap.
Could anyone please help me how to achieve it or please post the suggestions for better solution.
You won't get the username and password from the Windows client -- being able to grab the logon user's password from a remote web site would be an enormous security nightmare.
Assuming not simply asking the user to supply credentials is a non-negotiable design parameter, you need something that can use the logged on user's token ('I trust this token and it says you are this user ID') instead of trying to validate the user/password directly. Kerberos-based authentication if the Windows boxes are logging into an Active Directory & your app is on the same network. Otherwise you'd need some sort of SSO (I frequently use ADFS, if that's set up for the organisation, via MS Graph) -- what would depend on the specifics of the directories available.
Related
I'm trying to make an app and I can't figure out how to sign in to a user with the python library firebase_admin. I don't have any code as of this moment. Let me know if you can help me out.
The Firebase Admin SDK is designed to be used in a trusted environment, such as your development machine, a server you control, or Cloud Functions/Cloud Run. It gets its authorization from its context or from a credentials file that you provide to it, and which gives it full, administrative access to the project. Therefor it doesn't need, and doesn't have a way, to sign in as a specific user.
If your use-case requires that you sign a user in to Firebase from your Python code, you can consider calling the REST API to authenticate. But the use-case for this would typically be to then pass the ID token you receive back to a user (similar to the use-case in creating custom tokens).
We have a small website with API connected using AJAX.
We do not ask for usernames and passwords or any authentication like firebase auth.
So it's like open service and we want to avoid the service to be misused.
OAuth 2 is really effective when we ask for credentials to the user.
Can you suggest the security best practice and how it can be implemented in this context using python?
Thanks
Use a firewall
Allow for third-party identity providers if possible
Separate the concept of user identity and user account
Are there any libraries that provide username and password login for Google AppEngine?
While I could try rolling one from scratch, I'd rather not try to reinvent the wheel if possible.
If not, would it be possible to turn my application into an OpenId provider and then use it to log in?
Try EngineAuth. It has many different options for authentication systems, including email+password authentication.
GAE, via its Users API, supports three types of login (Google accounts, Google Apps accounts and OpenId). For an example of the latter see this article.
The type of login used is defined when creating the app, see this for further details.
Is there a way in Python/Django to get the username of the currently logged-in Windows user, from an app that is not running locally?
UPDATE: sorry, to clarify, by this I mean the Windows username of the user viewing the web page, not the user running the server.
I've tried both:
current_user = os.environ.get("USERNAME")
current_user_getpass = getpass.getuser()
But I think they're returning the name of the user running the server.
Thanks!
FURTHER UPDATE: I don't care greatly about security. It really doesn't matter if users spoof a username. What does matter is convenience. I just need a way to get the username without users having to fiddle around with passwords or install client-side software. Any ideas?
Three ways, none of which work.
Use the Ident (AUTH) protocol. It's technically cross-platform.
...except there are exactly zero Ident servers for Windows that are able to return the real user name instead of a static string.
Edit: Apparently Retina Scan Identd can do this. (Awesome.)
Require HTTP NTLM or Negotiate authentication. You get more than a mere username check,
...except NTLM is insecure, only Internet Exploder and Firefox support it, and they only use it inside the LAN (intranet) by default. Negotiate is able to use the more secure Kerberos, but it (obviously) requires Kerberos on both server and clients. If the Windows PCs are in a domain, good. If not...
If you control all client machines, you can use simple SSL client-certificate authentication. Works in all modern browsers.
...but every user needs their own certificate. Creating an internal-use CA and issuing certificates is simple; getting them installed and working in client machines - not so.
I am attempting to utilize Google App Engine as an Authentication Server for a mobile application that runs on android natively. User names and passwords will be stored in GAE and my goal is to be able to both store and verify credentials from the mobile application using GAE. Is this possible? I've looked into OAuth and JSON, but I don't think I have the proper setup for that.
Also, if I'm going about this the wrong way, please point me to the proper path.
If you are interested in having a more API-like implementation in your GAE instance, I would definitely look more into OAuth. But if you are only interested in validating credentials for this one mobile application then you need not go that far.
Fortunately you can call your GAE instance over SSL, that means that you can offload all the business of handshaking and encryption. Then I would simply use either http-basic authentication, or simply send user-id and encrypted password as parameters in the request.
On the iPhone there is a KeyChain for password storing, maybe there is an Android counterpart? Anyway, make sure to store passwords encrypted on the device and in the GAE-datastore. Send the encrypted password when validating credentials. You should never know your user's clear text passwords. That would provide a level of obscurity which I think is enough (definitely so when sent over SSL).
Then you can simply return whether the account credentials are verified or not.
If by "storign credentials" you mean storing username and password, then I imagine you are going about this the wrong way. Whether you are talking about OAuth or OpenID, the idea is that you never see or have access to the password (and perhaps not username either) of the delegated authentication mechanism. Instead you receive an authentication or authorization token to do your work (and in the case of OpeniD, some meta information about the person like first / last name and e-mail address).
By the way, have you considered a 3rd party, such as Janrain?