There seems to be an inconsistency in the Slack API docs in that the OAuth flow requires a client_secret be provided as part of the exchange of the code for the OAuth token as documented at https://api.slack.com/methods/oauth.access
However the client secret then needs to be embedded into the mobile app which goes against Slack's recommendations at https://api.slack.com/docs/oauth-safety which states:
Your Client Secret should be treated delicately. It is how you securely identify your application's rights and identity when exchanging tokens with Slack. Do not distribute client secrets in email, distributed native applications, client-side javascript, or public code repositories.
Are there any best practices available in terms of how to manage this discrepancy where the client secret seems to be required for auth but at the same time should not be embedded into the mobile app?
Slack only supports the Authorisation Code Flow for OAuth2.0 but it doesn't support public clients only confidential clients. It doesn't support the PKCE flow either.
Their FAQ page suggests using the RTM API if you a re developing a mobile app:
Related
I have created a Web API using .net core 5. I have secured the app using the Microsoft Identity platform. Clients app are able to get to the resource based on their scope/role. So I know that my api is secure.
Now, I need to add the API to Azure API Management tool.
So my question is should I enable OAuth from the Azure API Management to secure my web api even though my app is already secured?. What would be the reason that I enable OAuth from API management?
APIM is a proxy to the backend APIs and implementing security mechanisms to give an extra layer of security to prevent unauthorized access to APIs is a recommended practice.
Configuring OAuth 2.0 Server in APIM merely enables the Developer Portal’s test console as APIM’s client to acquire a token from Azure Active Directory. In the real world, customer will have a different client app that will need to be configured in AAD to get a valid OAuth token that APIM can validate.
OAuth is an authorization framework which allows a recognized client to acquire an access token from an authorization server.
As given in this Microsoft Doc, the Microsoft Identity Platform uses the OAuth 2.0 protocol for handling authorization.
Please find below references makes you how OAuth secures the Web APIs/Services:
OAuth 2.0 and Azure API Management
How does OAuth secure Rest API calls
Protect APIs using OAuth 2.0 in APIM
I'm struggling theese days on the possible way to configure an Authentication + authorization system to consume a REST API from a mobile application.
Scenario:
We've developed 3 independent portals for a big customer that serves several users.
To enable a SSO for the 3 portals we've implemented a SAML authentication system using SimpleSAMLphp.
Every portal has a service provider and they make assertion requests against a central IdP.
The IdP checks username and password against a database where passwords are hashed and stored during registration.
After the login, the authorization on the portals is handled by the session on the server, and so far everything was fine.
Now the customer asked us to develop a mobile application that will require the users to login and access several of their protected resources collected during the usage of the 3 portals.
We've decided to develop a frontend application using ionic that will consume a REST API made in node.js that will serve all the data (both protected and unprotected resources).
Now here comes the question: to authorize access to protected resources on the Api we'd like to use JWT to easily achieve a stateless system.
The doubt is how to perform the authentication? We've the opportunity to check the credentials directly against the database skipping the SAML process, otherwise we've to implement a solution where the SSO IdP acts as authentication provider and then when an attempt is successful the API app will get the response from the idp and then issue a signed jwt to the consumer client. Is this second way a common implementation? Is it possible?
What path do you suggest to follow? The first could be very easy to achieve, but since we're using html+js for the app's frontend, if we decide to use the second solution probably in the near future we could recycle some code from the app to modernize some functions on the web portals, maintaining the jwt pattern and consuming the new Api also on the web.
I believe that in this case will be easier to ask a token to the new api using someway the logged in user's data already in the session of the portal. Sounds possible?
I hope that everything was clear, any help will be appreciated!
Thanks
The key goal here is to code your apps in the best way, via
the latest security standards (OAuth 2.0 and Open Id Connect).
SAML is an outdated protocol that is not web / mobile / API friendly, and does not fit with modern coding models.
Sounds like you want to do OAuth but you do not have an OAuth Authorization Server, which is a key part of the solution. If you could migrate to one you would have the best future options for your apps.
OPTION 1
Use the most standard and simple option - but users have to login with a new login screen + credentials:
Mobile or Web UI uses Authorization Flow (PKCE) and redirects to an Authorization Server to sign the user in
Mobile or Web UI receives an access token after login that can be sent to the API
Access token format is most commonly a JWT that the API can validate and identify the user from
The API is not involved in the login or token issuing processes
OPTION 2
Extend option 1 to federate to your SAML Identity Provider - enables users to login in the existing way:
The Authorization Server is configured to trust your SAML based identity provider and to redirect to it during logins
The SAML idp presents a login screen and then posts a SAML token to the Authorization Server
The Authorization Server issues OAuth based tokens based on the SAML token details
OPTION 3
Use a bridging solution (not really recommended but sometimes worth considering if you have no proper authorization server - at least it gets your apps using OAuth tokens):
Mobile or Web UI uses Resource Owner Password Grant and sends credentials to a new OAuth endpoint that you develop
OAuth endpoint provides a /oauth/token endpoint to receive the request
OAuth endpoint checks the credentials against the database - or translates to a SAML request that is forwarded to the IDP
OAuth endpoint does its own issuing of JWT access tokens via a third party library (if credentials are valid)
Web or Mobile UI sends JWT access token to API
API validates received JWT access token
OAuth 2.0 spec defines confidential and public clients. https://www.rfc-editor.org/rfc/rfc6749#section-2.1
Here is the prescription according to the OAuth 2.0 spec
Confidential client - Web application - Auth code grant flow.
Public clients - Desktop App, Mobile App, SPA(Single page app) - Implicit flow.
However AD B2C's prescription according to Microsoft documentation is as follows
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oauth-code
Confidential client - Web application - OpenIDConnect signin (Built on top of auth code grant)
Public clients - Desktop App, Mobile App - Auth code grant flow
Public clients - SPA(Single page app) - Implicit flow
Based on the above inference, we are clear with Web Apps and SPAs, no confusions here.
However for Desktop and mobile apps why is Microsoft suggesting Auth code grant flow instead of implicit flow [even though they are public clients according to Microsoft documentation as well]?
Posting the answer that i received from Microsoft, which i find as more appropriate in this case.
Please refer to https://www.rfc-editor.org/rfc/rfc8252#section-8.2 which says below -
The OAuth 2.0 implicit grant authorization flow (defined in
Section 4.2 of OAuth 2.0 [RFC6749]) generally works with the practice
of performing the authorization request in the browser and receiving
the authorization response via URI-based inter-app communication.
However, as the implicit flow cannot be protected by PKCE [RFC7636]
(which is required in Section 8.1), the use of the Implicit Flow with
native apps is NOT RECOMMENDED.
Access tokens granted via the implicit flow also cannot be refreshed
without user interaction, making the authorization code grant flow --
which can issue refresh tokens -- the more practical option for
native app authorizations that require refreshing of access tokens.
I believe the authorization code flow is being recommended for mobile and native apps so that a refresh token can be issued to these public clients.
The implicit flow does not issue a refresh token to a public client -- this flow requires the public client to send a hidden iframe request.
tldr: Authoirzation code flow is ideal for confidential clients. But it is not limited only for them;
Your perspective on client type and grant is not correct.
Confidential clients are the ones which can protect the client secret. For example, a web application with a secure back-end is one such. But a SPA cannot be considered one as it does not have a way to protect the client secret. SPA runs on a browser and observing the source from browser will reveal such secret if used. Same applies for a mobile app and a windows installed app (native). If you embed the client secret, then it can be obtained by some reverse engineering from the device.
Now about grant type, authorization code grant is suitable for any client which can do a back-channel token request. This token request happens outside the browser. This can be done by a mobile app or a windows app too. Also, there is PKCE specification dedicated to security enhance the flow for such native clients. If you read the spec, you will see that token request's client credentials are required only if client is confidential.
If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.
But SPA not having a back-end cannot perform the token request mentioned about. It runs on the browser. Thus implicit grant is defined to cater such apps.
Background
I'm looking into securing a selection of APIs for a client. I'm pretty familiar with the Auth0 offering and quite confident that it will serve me well as an auth provider.
The APIs will be deployed on GCP (Google Cloud Platform) and I've been looking into using Apigee to manage the life cycle of my APIs.
Question
Does Apigee offer an auth store for users similar to what Auth0 offers or is Apigee's OAuth implementation limited to application level authentication using Consumer Key and Consumer Secret as described here?
Apigee OAuth implementation is not limited to Consumer Key/Secret (client credentials grant) but you also can implement different OAuth grant types. Apigee can generate/validate JWT and it's own opaque tokens.
The problem is that Apigee does not provide Identity Provider (IdP) service, it means that it does not have a store for user credentials. You may utilize Apigee's BaaS (Backend-as-a-Service) to store users or integrate Apigee with other IdPs, but there's no built-in solution to authenticate users.
I have generated a Client ID and Client Secret for my application using the Google API Console for my Java web application.
I want to generate an access token to be used in my application to authenticate a mailbox and read mails from there with the help of JavaMail API.
This link has some theoretical information but I could not understand how the tokens can be obtained.
Answer will depend upon where is application running as it determines how access token can be received:
Using OAuth 2.0 for Web Server Applications
OAuth 2.0 for Client-side
Web Applications OAuth 2.0 for Mobile & Desktop Apps
OAuth 2.0 for TV and Limited-Input Device Applications
There are different alternatives or libraries available to get access token depending upon the type of application and different specific mechanisms are defined around it.
So it will be then much easier to dive-in into the specific options available.