I have recently inherited a rails api application that uses devise_token_auth for authenticating users from a react frontend. The scope of the project has grown and now we have multiple other services that need to make API requests from Lambdas and other applications that don't require the user to be logged in or authenticated. Is there a way to configure devise_token_auth so that we can still authenticate these services without using a user profile? Essentially just looking for a way to authenticate an application similar to how you would when connecting to any other companies API to pull data and such.
We have tested Basic Token Authentication as laid out in this article: https://www.joshqn.com/rails-api-token-authentication/, but the lack of expiration dates and the static token instead of generated access tokens after an authorization request seems less than ideal.
I've spent way more time than I would like to admit googling rails authentication methods but it seems all the resources out there are only for authenticating users. Am I just missing something? Do we just need to set up a "Service User" to authenticate these services to the API? Any suggestions would be much appreciated.
Related
I have developer an API that is secured by oAuth2 and Azure B2C. I now want to access that API from a legacy web forms application which is using Forms as it's authentication mechanism.
I have used hellojs successfully on the client side to trigger the authentication method in a separate browser window and then use the access token successfully to call my API but how do i do this from the server side?
All the examples I've seen when setting up oAuth2 involve securing an API using the OWIN middleware (e.g. with Facebook login, etc) but I need to retain the existing forms authentication and simply invoke code that calls the API and handles the access code/token etc.
If I need the backend system to make requests on behalf of a user, should I be storing the access token securely somewhere?
The simplest approach would be to have the users authenticate against B2C separately. Think of this in terms of "linking" their account in your Web Forms app to their B2C account. If you also request the offline_access from Azure B2C, you'll receive a Refresh Token that you can exchange for a valid Access Token when needed.
Ideally, you should pivot away from Forms authentication. It's a very outdated model. It may, however, be a non-trivial amount of work which is why many folks often choose to start with the "linking" strategy and only tackle Forms Auth when they're doing a larger refactoring of their app.
I have been researching oauth2 for a while now and haven't come up with the perfect solution and wanted to see if anyone else has done this before. Currently I have two applications inside of one code base. The only thing these applications share is authentication. What I am looking to do is to create a third application for the oauth2 server. Then I want to separate the existing applications into two applications. Trying to follow how Google handles their oauth stuff. So the domains would be something like this.
http://accounts.domain.com
http://app1.domain.com
http://app2.domain.com
I found some good information in these two posts about doorkeeper and devise. Currently I am using devise so that makes that part easier.
https://dev.mikamai.com/2015/02/11/oauth2-on-rails/
https://dev.mikamai.com/2015/03/02/oauth2-on-rails-the-client-application/
So each of these applications app1 and app2 will have API's that the use will need to be authenticated against.
So I have the following questions.
If app1 needs to validate with accounts sub domain does that mean from an API perspective I need to call the oauth2 server application on each request? That seems like a lot of overhead. Is this the way that Google does it or do they have some trick?
Would app1 and app2 each be responsible for their own session timeout? What happens if app1 session is valid but the user deleted their accounts directly by going to the auth2 server application?
If app1 and app2 are responsible for session then would they also want to call back to accounts oauth2 server to validate the user still exists?
I'm trying to flush all of this out and haven't found a good example of how this would work when the oauth clients are actually API's plus they are web apps too. Maybe I am over thinking it too and that making the extra call for each API request is the way.
Any help or tutorial on this would be greatly appreciated.
The OAuth 2.0 Authorization Framework provides five grant techniques:
Authorization code grant
Implicit grant
Resource owner credentials grant
Client credentials grant
Refresh token grant
I believe our discussion is about Client credentials grant (I think google uses it generally).
Let's try to understand this flow chart:
So, here in the step [E]:
Steps (C) and (D) repeat until the access token expires. If the
client knows the access token expired, it skips to step (G);
otherwise, it makes another protected resource request.
It means it actually does not hits Authorization Server on each request. It only hits authorization server when client found that token is expired. So, if our deletes itself, it makes the token expired!
Maybe these document could help you more:
https://www.rfc-editor.org/rfc/rfc6749
https://alexbilbie.com/guide-to-oauth-2-grants/
Cheers!
I'm trying to figure out how to use Auth0 with an Angular/Rails application.
I've set up Auth0 with an Angular-only application and it worked fine. I can see the Auth0 docs for Rails and as far as I can tell it makes sense.
What I don't understand is how to connect the front-end authentication with Rails, since I'm not finding documentation on this anywhere.
Okay, I've figured it out. If I use Auth0 to authenticate on the Angular side and then make an HTTP request to my Rails server, that HTTP request will have an Authorization header with a value like this:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2JlbmZyYW5rbGlubGFicy5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NTgzMDZmOTFjMDg4MTRlMDEwMTVmNDM0IiwiYXVkIjoiajNKdHpjYnNpTUkyR0JkRnZGb3FFTjM4cUtTVmI2Q0UiLCJleHAiOjE0Nzk4OTc3OTYsImlhdCI6MTQ3OTg2MTc5Nn0.2cGLY_e7jY0WL-ue4NeT39W4pdxJVSeOT5ZGd_xNmJk
The part after "Bearer", the part starting with "eyJ0", is a JSON Web Token. Henceforth I'll refer to the JSON Web Token simply as the "token".
When Rails receives the HTTP request, it can grab and then decode the token. In my case I'm using Knock.
Knock expects my User model to define a from_token_payload method. Here's what mine looks like:
class User < ApplicationRecord
def self.from_token_payload(payload)
User.find_by(auth0_id_string: payload['sub'])
end
end
My user table has an auth0_id_string column. If I manually create a user whose auth0_id_string matches what I find under sub in the decoded Auth0 token, then my from_token_payload method will find that user and Knock will give me a thumbs up for that token. If no user is found, thumbs down.
So it goes like this, roughly:
Angular asks Auth0 to authenticate a user
Auth0 sends back a JSON Web Token
Angular sends that JSON Web Token to Rails
Rails decodes that token
Rails tries to find a user that matches the data in that token
Rails sends back either a 200 or 401 depending on whether a matching user was found
There are some pieces missing but that's the gist of it. I'll probably end up writing a tutorial on Angular + Rails + Auth0 authentication since, as far as I've been able to tell, none currently exists.
Based on the information you provided I'm assuming that you want to have an application that has the front-end implemented in Angular and uses a Rails based API to provides the services required to the Angular front-end.
In this scenario you can model this as a single (client) application from the Auth0 side of things and do one of the following:
Use the ID token resulting from the authentication for two purposes:
to provide information about the currently authenticated user to the Angular application so that it can meet any applicable user interface requirements
as a way to authenticate calls made by the Angular application to the Rails API, that is, the Rails API uses a token-based authentication system that accepts the ID tokens issued by Auth0.
Expose an endpoint on the Rails API that can be used by Angular to exchange the ID token received upon user authentication by any other credentials that can then be later used to access the API.
The first option is the easiest to implement, but you'll have to include the ID token in every request. The second one increases complexity on your side, but it may allow you more flexibility.
If this does not address all your concerns, can you please update the question with more details about the exact scenario you're trying to accomplish.
A final note, if your intentions are to provide an API that can be later consumed by a different range of applications then the most correct way to secure it would be by using a token-based system where the tokens would be issued by an authorization server compliant with OAuth2.
Having your own OAuth2 authorization server is significantly complex to maintain so Auth0 is in the process of enabling this as an additional service that can already be used in preview mode for accounts in the US region. This would basically allow to obtain as part of the authentication process an ID token used by the client application to know the currently authenticated user and also an access token that would allow to make call into the specified API.
I am trying to build out a video collaboration platform. I wish to design it in such a way that there is an API and my web app is like a 'third party' app.
The way I see it working is with three main components..
JSON API written in Ruby
Web App written in Ruby/Rails
Front End Application in Coffeescript
I want to be able to make authenticated requests for resources such as 'projects'
As of right now, I imagine the front end application talking to the Rails app in order to get an authenticated request, and then the front end app using that authenticated request to call the API.
I have a few questions about this architecture.
If I plan to open the API up later, is OAuth what I should be using?
If so, what would the request flow look like?
I am only asking these questions because OAuth looks to be the standard and I can only see it in terms of authenticating a third party app to access resources in another app.
I guess I am mostly looking for some guidance, as I can build applications, I am just no security expert. Thank you all for the help.
I can tell you what I'm doing right now in my project:
Rails API (JSON); you can use rails api gem, grape or full rails framework.
Single page web app using AngularJs (it can be anything else you feel comfortable with, like backbone, emberjs, etc.)
How I'm authenticating the user:
The user posts to /login with username and password
The Rails part authenticates the user (by the username and password), creates an access token (persist it in a table, with expiration time, for example, 30 mins) and returns it to the user.
Each request from the client side (angularjs part) is passed with a Token authentication header like so: Authorization: Token token=[the token goes here]
The rails api uses to token to get the associated user
If the token has expired or is invalid, it returns 401 (unauthorized); once the angularjs part intercepts a 401 it redirects the user to the login page.
If the request is authenticated, the expiration time is reset to 'now' so the 30min i'm talking about acts like 30 mins of inactivity
You can do a lot more with the access token - you can do roles, like Admin, User, etc. and limit the user's access to resources.
Greetings!
I have some troubles enabling OAuth authentication for my web
application running on Ruby on Rails. I am using authlogic and
authlogic_oauth and that is, in the end, using OAuth gem and therefore
I decided to ask here. So shortly:
I succesfully "register" (i.e. obtain the first Access Token for the
user) but then, whenever I try to "login", I receive a differenct
access token for the same Google Account, the Authlogic-oauth plugin
fails to find the user and the login crashes. Maybe I don't understand
it right but is not the AT supposed to be the same every time. And can
it be a problem that I am accessing Google from http://localhost even
though the Customer keys are for different domain?
anyway, thanks for any reply ... I spend already 2 days with that
issue and debugging doesn't seems to lead me anywhere
Jakub
PS: I sent that question on Google Group oauth-ruby - sorry to anyone reading both channels
The AT is supposed to be different every time. OAuth is not an authentication protocol, it is an authorization delegation protocol. Try using OpenID instead: http://code.google.com/apis/accounts/docs/OpenID.html
Twitter does not give out different tokens which allows OAuth to be used as an authentication mechanism. LinkedIn doesn't do that meaning you may only use OAuth as an authorization protocol (which is what it was intended to do).
However, there is a useful API for pulling in data from LinkedIn. Of particular interest could be the Profile API.