With our team, we are thinking about how to implement the refresh token rotation and reuse detection strategies in our authentication layer.
We want to use cognito for user authentication but we are dealing with how to apply those strategies to cognito.
One question we have is: Can we access to the cognito tokens database? I mean, if there is a way to connect to that database where cognito store the tokens (access, refresh and id tokens) and modify them.
Another possible solution is to use Auth0 solution to authenticate our users and use those strategies (rotation and reuse detection) but we are planning to have a lot of users (+100.000) and the cost could be a problem.
What solution/framework/service would you recommend us to use it as a user authentication service similar to cognito?
Thanks in advance.
We tried Cognito but I saw that there is no way to use refresh token rotation and reuse detection strategies.
Of course we can do this "in house" but we want to use a 3rd party solution that is really tested.
Related
At work we have never used 3rd party Auth solutions and I'm trying to inform myself of how they work for my personal projects. Getting the response is easy enough, but feel a bit lost on what to do after I get the response back. Am I supposed to send the auth token to the backend so it can be verified then trigger my app's login process for the given e-mail address/username? Logging them in essentially without a password?
There's two basic use cases for OAuth 2.0 which will determine what you do after the user is authorized. Your use case can also determine which OAuth 2.0 permission scopes you request the user to authorize your app for.
1. Single Sign-on
A simple use case for using a 3rd party OAuth solution is to leverage the 3rd party to perform authentication. Two reasons for this include:
Your users may wish the convenience of logging in with another provider (like Google, Facebook, Twitter, etc.), one where he or she may already have an active session.
You may not wish to implement your own login / authentication / password reset process.
Either way, a common way to implement this is to make an API request using the token to retrieve the user's email address after a successful authentication, which you then map to your own user database to establish an authenticated session for your service. Since you only need to retrieve the user's email address and minimal other information (e.g. name) in this use case, you can ask for a minimal set of scopes.
I do this in my oauth2more library where after receiving a token, I have a generic interface to load a user data which I convert to a SCIM user object. Because I've abstracted the code to retrieve user info in this manner, it's easy to support SSO across mulitple auth providers.
2. Using Service Features
A slightly different use case is that you want the user to authorize your app so you can make commands on behalf of the user via API. In this case, you will use the token to call more general APIs to accomplish your goals. A caveat is that you will need to make sure you ask for the proper permissions when asking the user to authorize your app.
As an example, one thing I've done is ask the user to sign in with Google so I can then make API calls to create and edit Google Sheets and Google Slides using APIs on their behalf.
In my application, I have separate microservices for user authentication and user profile information. The user authentication service is using Spring Security OAuth2/JWT. Once a user successfully logs in, a JWT token is issued with the user unique identifier.
My query is how other services should retrieve user profile information. Should I put this information (such as first name, last name etc) into the JWT token or should I create an API on the user profile service which retrieves the user profile information once the token is retrieved?
Any best practice advice would be appreciated.
So far most approaches i've seen was to store only user's login in JWT token and have another service which gives you other needed informations by login, and this seems like the best approach to me (in case of any security leak's login is the only thing that can be stolen, and not user's first or last name).
I think it is important to highlight that OAuth2 is intended to be an authorization protocol rather than authentication.
OpenID Connect solves this problem by separating the identity (ID_Token) and the authorization (access token) into two different tokens for the application to consume. Rather than implementing your own, may I suggest that you consider OpenID Connect?
I have had similar discussions with my team while working on the authentication microservice. Though it's important to understand that JWT is an encoding and not an encryption so it's always advised not to keep sensitive data in JWT. Though the items that we decide to keep in JWT should also depend on the problem statement we are solving. There can be use cases where saving the Username or email id is not a sensitive information and you may want to keep that in JWT just to avoid an extra API call.
So, I found asking myself this question several times while building iOS applications. Essentially, most of the applications that I have been developing involves Firebase for data storage and maintain a shared instance to store user object [locally] upon authentication process completes.
Main concern with this process is that upon authentication process the user object contains only relative user information such as email, full name etc. But throughout other app features, the app may be required to update the user object once in a while. And, with such approach, I had always end up maintaining both parties remote & local stored user object.
Is there a proper method/practice on how to handle such problem ?
Auth0 stores user information for your tenant in a hosted cloud database, or you can choose to store user data in your own custom external database.
You should check Auth0, I reckon that is the "proper method" that you're searching for.
Auth0 is a cloud-based platform that provides authentication and authorization as a service. As an authentication provider, Auth0 enables developers to easily implement and customize login and authorization security.
Why use Firebase and Auth0 Together?
One thing to notice is that Firebase does provide authentication features out of the box.
I quote:
You should consider Auth0 with a custom Firebase token if you:
Already have Auth0 implemented and want to add realtime capabilities to your app
Need to easily use issued tokens to secure a back end that is not provided by Firebase
Need to integrate social identity providers beyond just Google, Facebook, Twitter, and GitHub
Need to integrate enterprise identity providers, such as Active Directory, LDAP, ADFS, SAMLP, etc.
Need a customized authentication flow
Need robust user management with APIs and an admin-friendly dashboard
Want to be able to dynamically enrich user profiles
Want features like customizable passwordless login, multifactor authentication, breached password security, anomaly detection, etc.
Must adhere to compliance regulations such as HIPAA, GDPR, SOC2, etc.
Must adhere to compliance regulations such as HIPAA, GDPR, SOC2, etc.
Essentially, Firebase's basic authentication providers should suffice
if you have a very simple app with bare-bones authentication needs and
are only using Firebase databases.
Let me know if you need any further help. Now go and have an awesome day!
I'm suppose to build a web application and a mobile application (for iOS) that share the same database. Currently I'm thiking about having a RESTful API and have both applications (web and iOS) comunicate with the API to access data. My problem is the authentication method that I should use. I've been researching about OAuth2.0 but that's not quite the thing I want because I don't want the user to have to authorize the connection as it happens when you log in somewhere using facebook or google+. I just want to make the login with a username and password and then stay logged in. And this for both the apps (web and iOS).
I'm using Node.JS and MongoDB to build the API.
I'm trying to do things "the correct way" because this is suppose to be the final project for my masters.
Can you guys give me some lights in how I can achieve this?
Use OAuth 2.0 so you have an extensible standard and token-based authentication which enables users to revoke authentication tickets, e.g. if their phone was stolen.
OAuth 2.0 supports various grant types. Those that you from facebook and twitter logins can be summarized as '3-legged oauth', but there's also two grant types for 2-legged OAuth, especially the resource owner password credentials grant (section 4.3 at the end of the page) which will simply exchange username and password for an authentication token. There's no need to implement 3-legged oauth if you don't want to.
I'd suggest to use database-stored tokens over crypto-based self-validating tokens for most use cases. The possibility to revoke individual grants, or all grants of specific client applications is super helpful in practice. It also shortens tokens a lot and reduces the risk of a catastrophic security leak because of a flaw in the implementation. Make sure the token itself is crypto-strong random and use a simple crypto-wrapper around the actual token value to enable cheap identification of (badly) faked tokens.
Something like Passport (no, not the whisky, but the middleware) could be a good thing to test
It allows to choose among many different authentication methods in an easy and transparent way
I have my OAuth process working well, I have an application that requires Google Adwords and Google Analytics access tokens. For whatever reason, Google has made these separate in terms of acquiring OAuth tokens. I know there is limited capability of using the Analytics tokens to access an Adwords account, but this requires the user to actively connect their two accounts, and even then access is limited. I have the user redirected away to authenticate with Google and when they come back I have their token and token secret.
One main functionality I need to impose is the user must be able to authenticate one account, and just use that. Or authenticate both accounts (analytics and adwords) and be able to use the two in tandem, with the tokens stored separately.
My main question is this: how can I figure out which oauth token has been returned? Currently, I have the oauth process located on two separate pages (two seperate callback urls, one for analytics and one for adwords), but I want to make them on the same page, and I've realized that they both return oauth_token & oauth_token_secret. Has anybody come across this before? How did you decipher between the two when the callbacks are located on the same page?
What's the best practice for this situation? It's not the end of the world, if I have to authenticate the user for each service on two separate pages, but would like to know that I have tried to implement something like this :)
Thanks!
Generally you should have a separate callback page for each service. It's simpler and easier to keep the tokens separate.