Here is the situation:
We use Flask for a website application development.Also on the website sever, we host a RESTful service. And we use Flask-login for as the authentication tool, for BOTH the web application access and the RESTful service (access the Restful service from browsers).
Later, we find that we need to, also, access the RESTful from client calls (python), so NO session and cookies etc. This gives us a headache regarding the current authentication of the RESTful service.
On the web, there exist whole bunch of ways to secure the RESTful service from client calls. But it seems no easy way for them to live together with our current Flask-login tool, such that we do not need to change our web application a lot.
So here are the question:
Is there a easy way(framework) so the RESTful services can support multiple authentication methods(protocols) at the same time. Is this even a good practice?
Many thanks!
So, you've officially bumped into one of the most difficult questions in modern web development (in my humble opinion): web authentication.
Here's the theory behind it (I'll answer your question in a moment).
When you're building complicated apps with more than a few users, particularly if you're building apps that have both a website AND an API service, you're always going to bump into authentication issues no matter what you're doing.
The ideal way to solve these problems is to have an independent auth service on your network. Some sort of internal API that EXCLUSIVELY handles user creation, editing, and deletion. There are a number of benefits to doing this:
You have a single authentication source that all of your application components can use: your website can use it to log people in behind the scenes, your API service can use it to authenticate API requests, etc.
You have a single service which can smartly managing user caching -- it's pretty dangerous to implement user caching all over the place (which is what typically happens when you're dealing with multiple authentication methods: you might cache users for the API service, but fail to cache them with the website, stuff like this causes problems).
You have a single service which can be scaled INDEPENDENTLY of your other components. Think about it this way: what piece of application data is accessed more than any other? In most applications, it's the user data. For every request user data will be needed, and this puts a strain on your database / cache / whatever you're doing. Having a single service which manages users makes it a lot nicer for you to scale this part of the application stack easily.
Overall, authentication is really hard.
For the past two years I've been the CTO at OpenCNAM, and we had the same issue (a website and API service). For us to handle authentication properly, we ended up building an internal authentication service like described above, then using Flask-Login to handle authenticating users via the website, and a custom method to authenticate users via the API (just an HTTP call to our auth service).
This worked really well for us, and allowed us to scale from thousands of requests to billions (by isolating each component in our stack, and focusing on user auth as a separate service).
Now, I wouldn't recommend this for apps that are very simple, or apps that don't have many users, because it's more hassle than it's worth.
If you're looking for a third party solution, Stormpath looks pretty promising (just google it).
Anyhow, hope that helps! Good luck.
Related
I'm new to Okta and I'm having a tough time wrapping my head around what I need to do in order to authenticate users.
I'm writing a web portal for a company that already uses Okta internally.
They have requested that I use Okta to authenticate users. That is the only Okta integration requirement.
The portal uses vanilla JS/CSS/HTML5 on the front end, and a custom Python api layer and Python back end for serving data.
I've read through the guide over at http://developer.okta.com/docs/guides/pysaml2.html and I can't help but think this seems like overkill to simply authenticate users.
I saw that when I created a sample app that I could create the app with Secure Web Authentication rather than SAML. Is that advisable in my case? Do we need to use SAML?
If SAML is the correct approach, I'm feeling a bit lost after reading through the documentation about where to even begin. The app itself isn't really a Python app, although Python is used.
I have the Okta app created. I have the custom web app created with a custom Python backend and API layer.
Any tips on how to connect the two in order to authenticate users?
Have you seen this: http://developer.okta.com/docs/guides/okta_sign-in_widget
Seems most appropriate to your situation.
I was going through googles's api python-client-library and google analytics api . I was able to do all steps mentioned in official docs but then I got some doubts. Since I've never done this kind of thing before, so I need your valuable suggestions/tips.
My Goal:
Want to design a web application in Python(using django/flask) and google-api-python-client. I have few matrices(coming from my web ecommerce product that is using GA.) and I'm not sure if google analytics dashboard by default support at that deep level. so I will use Google's analytic api to customize data according to my need and show in my analytic web app(which can be accessed by any one).
Doubts/Queries:
1) first of all which reporting api I would be needing for this mentioned here. core api or metadata api?
2) while I was setting up the project and client key, I chose 2nd option(OAuth 2.0 client ID)
is that ok or should I chose service account? once I selected 2nd options there were couple of radio buttons(web, android, ios, other, etc.) I chose other or should I chose web?
3) once i chose other option from radio button list, I executed my script and it prompt a browser to ask for permission, I allowed. here my question is if I put my application on production would there not be any browser, what would happen in that case?
I would really appreciate if you can help me in these queries, sorry for long question, this is my first question.
PS: Bottom line is how one should structure and develop there analytic web application in general.
The key thing to understand is that Google Analytics is an authenticated API. It is designed make it easy to allow the end user to access their own data. It is designed to be hard to allow the end user to access data they do not own.
If you are building a web application to allow your users to access their own private data It is recommended that you use a client side authentication method, such as in this example or this example.
If you are trying to build a web application that shares your private data with your users there are a few ways to go about it:
You could collect the data server side in python using a service account (note you will have to add the service account the GA account you wish it to have access).
You can take a hybrid approach and have a service account generate an access token and use the embed api to actually make the query.
In the end I would encourage you to spend some time to read Using OAuth 2.0 to Access Google APIs, and understand senarios descussed and ask yourself which of these senerios will work best for my application.
I have a django project, in which i expose a few api endpoints (api endpoint = answers to get/post, returns json response, correct me if im wrong in my definition). Those endpoints are used by me on front end, like update counts or get updated content, or a myriad other things. I handle the representation logic on server side, in templates, and in some cases send a rendered to string template to the client.
So here are the questions im trying to answer:
Do i need to have some kind of authentication between the clients and the server?
Is django cross origin protection enough?
Where, in this picture, fit such packages like django-oauth-toolkit? And django-rest-framework?
if i don't add any authentication between clients and server, am i leaving my server open for attacks?
Furthermore, what goes for server-to-server connection? Both servers under my control.
I would strongly recommend using django-tastypie for server to client communication.
I have used it in numerous applications both server to server or server to client.
This allows you to apply the django security as well as some more logic regarding the authorization process.
It offers also out of the box:
throttling
serialization in json, xml, and other formats
authentication (basic, apikey, customized and other)
validation
authorization
pagination
caching
So, as an overall overview i would suggest on building on such a framework that would make your internal api more interoperable for future extensions and more secure.
To specifically now answer your question, i would never enable any server api without at least some basic authentication/authorization.
Hopefully i answer your questions on how you can deliver all of your above worries with a framework.
The django-rest-framework that you ask for, is also really advanced and easy to use, but i prefer tastypie for the reasons i explain.
I hope i helped a bit!
I'm trying to understand OAuth, and I'm having a hard time figuring this basic thing out...
I have developed a service (with Python and Flask), which supports classic authentification through a dedicated login & password combination, and an "official" client in the form of a webapp. I would like my service to support OAuth and looked into flask-oauthprovider, which seems like a perfect fit for this task, but I can't seem to understand how everything should articulate.
My questions are:
Today, all my API entry points required the user to be logged in: once my service supports OAuth, should every entry points become "oauth_required" rather than "login_required"?
What is the proper way to support my "official" webapp front-end? I'd rather not have it go through the regular OAuth flow (with the extra redirections to login on the service). Should it go through OAuth with automatically granted access tokens, or should it bypass OAuth and directly use the "resource owner" login & password?
I think one of the problems with the concept behind oauthlib is that it tries too hard to be everything and the result is a difficult-to-reason-about set of abstractions (this is very similar to the python-oauth2 approach). OAuth providers in particular are tricky because you implicitly need to persist things like tokens not to mention the assumption of some kind of pre-exisiting user management. As such a "good" or idiomatic implementation tends to be more opinionated from framework to framework. In my opinion this is part of why we don't see a single Python OAuth provider implementation as an abstraction: there just aren't great solutions, but plenty of messy ones. Looking at flask-oauthprovider and we see some direct examples of these issues. I've had similar problems with flask-login, which I maintain. At any rate, this past weekend I wrote a very rough first pass of a OAuth provider in Flask that "just works"; feel free to take a look and adapt it to your needs. It assumes some things like, like MongoDB but with minimal work I think any datastore could be used.
1) Protect whichever endpoints you want to be accessible via a third-party, e.g. your public API.
2) I would avoid automatic access tokens, that defeats the person of negotiating authorization on a per-user basis, unless of course you have a different scheme, e.g. a predefined set of clients. I believe the second option you're talking about is xauth, in which case, why not just use OAuth 2.0 and grant_type=password? Bearer tokens are similar in concept but may be a little easier to implement so long as you can provide HTTPS.
In my case I'm using the Dropbox API. Currently I'm storing the key and secret in a JSON file, just so that I can gitignore it and keep it out of the Github repo, but obviously that's no better than having it in the code from a security standpoint. There have been lots of questions about protecting/obfuscating Python before (usually for commercial reasons) and the answer is always "Don't, Python's not meant for that."
Thus, I'm not looking for a way of protecting the code but just a solution that will let me distribute my app without disclosing my API details.
Plain text. Any obfuscation attempt is futile if the code gets distributed.
Don't know if this is feasible in your case. But you can access the API via a proxy that you host.
The requests from the Python APP go to the proxy and the proxy makes the requests to the Dropbox API and returns the response to the Python app. This way your api key will be at the proxy that you're hosting. The access to the proxy can be controlled by any means you prefer. (For example username and password )
There are two ways depending on your scenario:
If you are developing a web application for end users, just host it in a way that your API key does not come to disclosure. So keeping it gitignored in a separate file and only upload it to your server should be fine (as long there is no breach to your server). Any obfuscation will not add any practical benefit, it will just give a false feeling of security.
If you are developing a framework/library for developers or a client application for end users, ask them to generate an API key on their own.