I'm trying to implement NetSuite with an external application. My application is embeded to run in an iframe, so I'm using a portlet to load it up and simply display it. Now, the issue is that my app uses OAuth 2.0 for authentication and I would like the users to be able to login using this. NetSuite doesn't seem to provide any kind of support or straightforward way to do this, so I tried to elaborate something on my own.
The idea I had was to configure the app to redirect to a NetSuite restlet to exchange auth_code for tokens and finally get and save the token, but I couldn't make it work for several reasons.
First, RESTlets calls coming from external applications need to have all the authentication headers required by NetSuite.
Second, even if I was able to pull that off, how am I supposed to save the token in a secure way and use it on every subsecuent call on my application? (which again, runs inside an iframe).
In short, I don't see any light at the end of the tunel and was wodering if anybody was able to work this out.
Thanks in advance for all your help.
You can use Restlet to communicate with NetSuite for that you'll need to enable Tokens based authentication in NetSuite. Also you'll need to create an app in NetSuite and generate OAuth tokens in NetSuite and save them in your app or server whichever you are going to use and then use these tokens to communicate with NetSuite.
Related
I'm trying to get my head around OAuth from the context of having an API that I want to secure and a javascript based single page app made in Vue.js that will consume this API. I've been told that OAuth is the industry standard for this type of thing.
I want to let other clients like a mobile app also use the same API.
From what I can gather the right flow is Authorization Code Flow with Proof Key for Code Exchange (PKCE) https://oauth.net/2/pkce/
The bit I am confused over is how I seem to need to get users to approve access. For example you don't have Twitter saying "Would you like Twitter to use Twitter". If I was in the position of people using the account to create another account I wouldn't have any confusion but when the client is your own website what is supposed to happen?
I can sort of imagine that I could automatically approve the website or just bypass the part where the user approves but then I feel like I'm going off script. Then I think to myself, have I completely got the wrong end of the stick- is OAuth not designed for this?
If anyone can see where my ignorance is I'd be more than happy to be corrected!
Thanks!
OAuth and OpenID Connect enable you to authenticate users in many ways, for web and mobile clients. Each app implements a code flow and redirects to an authorization server (AS).
Each client is configured with an entry in the AS, and consent can be disabled when required. It is typically only enabled when personal assets are involved. Eg to grant a security code scanning service access to my GitHub repositories.
From asking around a bit and reading a bunch more found searching for "first party" providers: it is okay to just have the main website bypass the bit where they approve access and just send over the token.
i am currently searching for a way to login into the Twitch-API using an already given id-token (oauth or even better oidc) with or without a NodeJS backend.
Background: I am using firebase connecting to various services next to Twitch-API such as Youtube (Google API), Twitter and Co. I want to use my id-token for each service.
The official documentation doesn't tell if that is possible or maybe i just couldn't find it.
Hopefully there is a solution just not yet documented.
I will struggle with the same problem using the other services aswell.
Thanks alot
You absolutely would need to create your own OAuth token as it is tied to the same Client-ID as the account that generates it.
https://dev.twitch.tv/console
Authentication has it's own flow and endpoints with the way kraken v5 and helix work.
https://dev.twitch.tv/docs/authentication
With the latest changes to the API everything now requires both the Client-ID and OAuth before it will return the requested values.
https://discuss.dev.twitch.tv/t/requiring-oauth-for-helix-twitch-api-endpoints/23916
I'm not sure exactly what "id-token" is but i'm going with "twitch-user-id and access-token".
If you have a valid access token, you have access to whatever the scopes were defined when that token was generated, you can update the token with the refresh token if you need to.
You would need to supply the Client-ID of the application the token was generated for aswell.
Unless "id-token" is meant for a different system.
OK. So i need some guidance as I am a total iOS authentication noob.
I have a simple app. Users can login to the app, and send messages to friends. There is a web server and a MySql Database that holds the users and login information.
Question: How do I authenticate a user when he logs in safely and securely?
I have spent the last several hours hurting my brain on the following authentication stuff i found from google:
OAuth 1.0 - is said to be good. But it is a protocol and not a library. Do i have to implement this from scratch? Is this even needed in my case for authentication?
OAuth 2.0 - it seems that some sites are using this. I have the same questions for this as version 1.0. I also saw this this message from the library's lead creator literally saying f*** version 2.0 because it was bad for security. But yet so many still use it. Is it dangerous?
The creator of 2.0 has now gone on to make a completely other library because of how bad 2.0 was and because of how unscalable 1.0 was. His library is called OZ. Should I be using this for my server?
I see AlamoFire/ AFNetworking have basic authentication shown in their documentation. Should i just screw the oAuth stuff and just use theirs?
Being new to the authentication thing, all this is very confusing to me. Can anyone knowledgeable in this provide some guidance?
I am currently in the process of creating a cross-platform application and have spent quite some time researching this!
My approach to the project is using a ASP.NET Web API using OWIN middleware.
This uses bearer tokens to authenticate the user.
Using Microsoft.Identity you can limit endpoints down to roles or even individual users (Autherization)
Currently I create a user on the REST API, They log-in at the /token endpoint and then receive a token. This token is then saved to the Apple key chain and can be used to authenticate the user for further requests to the API.
As long as you use SSL this is a secure method and is used widely in many applications.
This approach uses OAuth2 also, so you'll be albe to easily integrate Facebook/Google/etc integration.
Here is a link to the Microsoft Documentation for some further reading on how I did it:
http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
Currently this is working perfectly for me for an angular front-end but would work exactly the same in iOS except you may want to save the token to the KeyChain Storage.
We mostly use OAuth 2 creating custom system on iOS to handle the authentication.
Nothing is ever bullet-proof but the 2 token system decreases the chance for stealing credential quite nicely.
The AlamoFire, AFNetworking or any other libraries you amy find have nothing to do with this though. What type of credentials you use depends on your choice or rather the choice of the API. You may use these tools to ease your communication with the API though.
So what the idea behind this is you will try to send your user name and password only once when logging in and then you will receive the two tokens which are further used to communicate. This will decrease a chance for someone to intercept the request with the user name and password which are the ultimate key to get the access to the user data.
Next is "refresh token" which is used to receive a new "access token". This call should be made every few hours or so (controlled by the API). If someone was to steal this token he would be able to use it to get further access for an infinite duration or until the owner chooses to invalidate the refresh tokens (this is what happens when you click "log out from all devices"). So this is still quite bad if someone gets it.
Then there is the "access token" which is used for each and every further request to the server. These tokens have a limited time till they are invalidated so if someone was to intercept it somehow he would have the access to the data for the duration of the token.
So assuming this is the procedure that is done on the backend this is what you need to do:
If you have the access token and is valid simply use the service
If you receive the error that the access token is invalid you need to refresh the access token using your refresh token
If refresh token reports an error you need to navigate back to the login screen
If the app has no refresh token then simply go to the login screen
There are some other things that are nice to cover such as if the request reports an invalid token you should pend the request, refresh the token and then repeat the call to the pending request. A system around this may be quite large.
This is pretty much it about the tokens and authentication but there are other parts of the communication which increase the security such as using a https secure connection. When talking about security you must take a look into every part of the communication.
So I have an application that currently logs the user using linkedin. We are using several oauth services to register and login the user into our application, however we do need to validate the authentication in our own server to make sure any requests to our API are valid.
Currently the linkedIn SDK is not functional in our application due to minimum API level restrictions, so we are using a different library (LinkedIn-J), I am able to retrieve the user access token and secret, I cannot find any reference as to validate them in the server.
How can we go around to making this work? Is it even possible to achieve such a thing?
Thank you very much.
LinkedIn does not have a token validation endpoint. Your best bet is to make a simple non-destructive call like https://api.linkedin.com/v1/people/~ and watch the response to determine whether the token is still valid.
I read about token based authentication and get the general id. What I don't understand is why on the frontend (ember in my case) I would need such a token if all communication is with your own restful api backend (rails in my case). If you communicate strictly with your own backend, and you leave the authentication in that backend then why do you need the token in your ember app?
Your backend would serve as a proxy sometimes but is that bad? Is it better to do it directly from the ember app if possible?
I would (mainly) go to twitter for queries.
Thanks for sharing your ideas.
I'm a bit new to this topic myself, but your question is also a bit unclear. If you mean the consumer key tokens that are used in oAuth systems, these are required to ensure that the third-party using your API has actually been granted access to use it - anyone without a consumer key cannot use your API.
Alternatively, if you are referring to users being authenticated using an authentication token...
When you create a rails app that has authentication (for example using the devise gem) a sessions controller is also created/used. Sessions(/cookies) are basically a way of 'remembering' that the user has logged in. This avoids having to resend username/password with every action the user performs in order to authenticate him/her for that action.
This approach works perfectly fine when it comes to web apps because all browsers support cookies. However, this is not true when it comes to mobile apps. It is not possible to keep a session/cookies when using a native app (well it is technically possible, but from what I've read it seems to require quite a bit of manual labor and a bit of code wizardry to get it working correctly).
Now, when you create an API for your app, you need to bear in mind that your API may be used for creating a mobile app (either by you in the future or if you open it to the public). This means that using sessions probably isn't a good idea. For each request that requires authorization the username/password will need to be sent to ensure the user has access to perform the requested action. But sending username/password with each request is definitely a bad idea. That's where token authentication comes in. If you've ever used devise, you will notice there is an option to enable token authentication. This basically allows the 3rd party to send a token rather than the username/password and works just the same. The good thing about this approach is that even if a token gets stolen they can expire and a new one can be generated without the user even realising and without the users password being stolen.
(I'm fairly new to the topic myself, from what I've gathered so far that seems to be how things work. Now if I have made any mistakes in my explanation/understanding I hope people will jump in an correct me.)