Best practices for the OAuth "application server" - Square - oauth

I have an application that uses personal access token to access to GET the list of items. I want to switch to using OAuth, the application will use ITEMS_READ only.
My application is a daemon running on an instance of secure Ubuntu server dedicated to this application(s). Regarding the "application server" is there anything that square recommends - what are typical best practices with the "application server"?
Thank you

The API documentation is fairly extensive, and includes a helpful section about OAuth. A few common pitfalls I've noticed with OAuth implementations in the past lead me to call these things out:
If you are only building a one-off integration for your own use, it is probably not worth using OAuth.
Make sure you understand how OAuth works. If you find yourself asking for users' client secrets or personal access tokens, or anything else that requires them to open the app management dashboard at connect.squareup.com, you need to rethink your implementation. Only you, the developer, should need to understand access tokens and other API credentials.
You can generally ask for more OAuth scopes than the bare minimum that you need. I'd recommend getting MERCHANT_PROFILE_READ as well. That can be useful to manage accounts, and so you can hit /v1/me to get various IDs you'll need.
The Square OAuth access tokens expire as described here. They last for thirty days, so this can tend to creep up on developers who aren't aware of it. You will need to use a scheduled task to renew access tokens that are about to expire and purge your old tokens after doing so. Something as simple as a cronjob should be fine.
In terms of the technology stack you use, that's entirely up to you. The Square Connect team is happy to help and provide recommendations when we can.

Related

New single page app needs to authenticate to legacy app using Shibboleth

I am creating a new React SPA. Users of a legacy app need be able to use the new app without re-authenticating. So I need to support SSO.
It's important to note that it is also required that users of other (currently unspecified) apps should also be able to use the new app without re-authenticating, so whatever approach I take needs to be sufficiently decoupled to potentially allow this.
The legacy app supports authentication via Shibboleth, the new app currently has no authentication method, but uses JWT for authorisation.
I'm wondering if anyone has any experience of such a scenario? It seems to me that I probably need to be create an OAuth2 authorisation server for the new app to talk to and I need to somehow bring Shibboleth into the mix for the authentication, maybe with the authorisation service acting as a Shibboleth Service Provider. Googling around hasn't revealed much useful info.
Is what I've described along the right lines? I know it's very high level and woolly, but I'm really not sure of the approach to take. Any advice, information or experience in this area would be gratefully received!
GOALS
It's a little bit of a subjective question, but the main goals are usually as follows:
Focus on building your UI and API security in a future facing manner
Also provide good Login Usability
Also deliver on non functional requirements such as availability / reliability
AUTHORIZATION SERVER
On the first point, the modern option is to integrate UIs and APIs with an Authorization Server - perhaps as in My Tutorial. Your architecture is then good, but the migration is not trivial.
FEDERATING TO SHIBBOLETH
The Authorization Server can then redirect to Shibboleth and talk SAML2.0 to achieve Single Sign On, as you suggest. It is a complex solution though, and may be a backwards step in some ways.
AVAILABILITY
This is usually a big concern, and most companies use a cloud provider such as Azure / AWS due to its high availability / low maintenance / low cost. Would this be a better option for you?

How do we handle service accounts after Exchange Basic Auth is retired?

https://developer.microsoft.com/en-us/office/blogs/end-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers/
Our organization is finding this announcement somewhat problematic! We use an IMAP library extensively to read various service based email accounts in o365. Any guidance on how to address this would be greatly appreciated.
Note, we have many console apps written in .NET (4.8) that run on a server based fired by many scheduled tasks. I understand we'd need to somehow register our "application" (I'm assuming that can be a generic one for our company), but we cannot involve any "user" interaction. These are utility apps. Glancing at the existing sample code for OAuth, they all seem to involve popping up a browser window to get someone to interact with "asking permission" which is exactly what we need to avoid.
We've used IMAP all this time to simply read and parse service based email accounts. I'm not sure I understand why IMAP over a secure connection is "less secure" than a more complex solution. Why take the option away?
On the other hand, the Microsoft Graph API looks significantly more complicated and appears to be OAuth based which, again, seems to involve quite a bit of authentication complexity.
Most REST APIs we've interacted w/ in other .NET console apps use a simple set of API "keys." Why not offer that at least?
As I say, we're looking for a way to write some process that run programmatically to automate a number of operations related to certain mailboxes. IMAP has worked like a charm so far, so we're looking for direct guidance on what to migrate to.
We understand your concerns. While a secure IMAP connection protects the data that's being transported, Basic Authentication exposes your Exchange Online accounts to attack techniques like phishing or brute forcing.
The primary objective of this change is to protect our customers from these threats. In addition, Modern Auth enables admin visibility into app access and enables fine-grained control of these apps.
To answer your question on implementation guidance, there is an existing approach in Graph to achieve exactly what you're looking to do. It's called "OAuth 2.0 client credentials flow". You can read more at https://learn.microsoft.com/en-us/graph/auth-v2-service
(Disclosure - I'm a Senior PM at Microsoft)

is it secure to use ngork for a redirect uri for oauth2

Let me make this clear from the beginning: I'm a complete noob regarding oauth2 and not a dev (just monkey interested in tech stuff) so the question might be silly. If so please don't hesitate to smash the monkey as he truly deserved it...
Since I wanted to get a better understanding of how oauth2 is working I wanted to setup slack within emacs. This is not my first project with oauth2. I managed to get offlineimap working with gmail using oauth2. However, google did one step automatically with which I'm struggeling right now for slack.
My question is all about the redirect url. Google did setup this for me pointing to my localhost. Now slack doesn't do the job for me and since my localhost isn't reachable form the outside (of my home network) I need to setup a way to securely get to my localhost.
How does google set this up?
I came across ngork which looks to me like a solution to my problem. Again, I've never heard / used it before. I think I would be able to get that stuff up and running but I would like to know:
Is this a safe and secure solution? To what should I pay attention?
"Is this a safe and secure solution?" is a very broad question and you can surely find a lot of discussion and opinions on this forum on how safe VPN tunnels for HTTP are in general and ngrok is in particular.
So the answer is: it depends on what your requirements are. Any other answer will be opinionated or will have to make assumptions about your requirements, which you have not specified.
Having said that:
If you want to use it for local development (incl. Oauth) ngrok
appears to be safe enough to be recommend by the Slack team for
local development (see tutorial).
If you want to use it for a production environment and/or in a
company network I would recommend to verify with the responsible IT
security officer before using it. However, it is a professional and
well-known product used by many companies, so you should have a fair
chance that it gets approved.
I have not used Google Oauth, but in my experience with other Oauth services its pretty standard that its calling you via a redirect URL.

QuickBooks Online from Desktop application

I am new to QuickBooks and all my searching has been leading to conflicting answers. I really need to know this to move forward.
We have an on-premise application (legacy MFC app if that matters). Some of our customers use QuickBooks Online and we can send information up to it. In the past we have used QBXML which I believe is not supported for online anymore.
Everything I read at intuit.com talks about web applications. I think I have to have OAuth security and I do not see how intuit is supporting that from a non-browser based application.
I cannot believe that intuit would not have an answer for this situation so I must be confused.
So, can I send data to QuickBooks Online from a desktop application?
If yes, which API/SDK should I be using?
If I need OAuth how exactly do I implement this?
Does any of this require an independent security review?
I think I just need a little help getting pointed in the right direction.
Thanks
Unfortunately I think you have the most difficult scenario in the QB ecosystem.
I've used the DevDefined OAuth library with some success:
https://github.com/bittercoder/DevDefined.OAuth
You can get this to work on the desktop if you have a localhost server that the browser can redirect to on the OAuth callback.
Anything that talks to QBO needs to use the QBO API v3 now.
For a custom app that talks to QBO, you would need to set up your app # Intuit to run in development mode, so it wouldn't have to go through their security review, etc. But that limits the number of connections you can have (I think it's 10). So it might not work in your case. Also, if you're distributing your app to "normal" customers it may not be the best user experience, and probably isn't practical, to set it up so OAuth will work on the desktop.
You might just have to bite the bullet and create an intermediate web service on something like Azure or Heroku, then go through the whole process of getting Intuit to bless your app for production.

oAuth implementation from the beginning or later

I'm starting a new system creating using .NET MVC - which is a relatively large scale business management platform. There's some indication that we'll open the platform to public once it is released and pass the market test.
We will be using ExtJs for the front-end which leads us to implement most data mining work return in JSON format - this makes me think whether I should learn the OAuth right now and try to embed the OAuth concept right from the beginning?
Basically the platform we want to create will initially fully implemented internally with a widget system; our boss is thinking to learn from Twitter to build just a core database and spread out all different features into other modules that can be integrated into the platform. To secure that in the beginning I proposed intranet implementation which is safer without much authentication required; however they think it will be once-for-all efforts if we can get a good implementation like OAuth into the platform as we start? (We are team of 6 and none of us know much about OAuth in fact!)
I don't know much about OAuth, so if it's worth to implement at the beginning of our system, I'll have to take a look and have my vote next week for OAuth in our meeting. This may effect how we gonna implement the whole web service thing, so may I ask anyone who's done large-scale web service /application before give some thoughts and advice for me?
Thanks.
OAuth 1 is nice if you want to use HTTP connections. If you can simply enforce HTTPS connections for all users, you might want to use OAuth 2, which is hardly more than a shared token between the client and server that's sent for each single request, plus a pre-defined way to get permission from the user via a web interface.
If you have to accept plain HTTP as well, OAuth 1 is really nice. It protects against replay attacks, packet injection or modification, uses a shared secret instead of shared token, etc. It is, however, a bit harder to implement than OAuth 2.
OAuth 2 is mostly about how to exchange username/password combinations for an access token, while OAuth 1 is mostly about how make semi-secure requests to a server over an unencrypted connection. If you don't need any of that, don't use OAuth. In many cases, Basic HTTP Authentication via HTTPS will do just fine.
OAuth is a standard for authentication and authorization. You can read about it in many places and learn; Generally the standard lets a client register in the authentication server, and then whenever this client attempts to access a protected resource, he is directed to the auth-server to get a token (first he gets a code, then he exchanges it with a token). But this is only generally, there are tons of details and options here...
Basically, one needs a good reason to use oAuth. If a simpler authentication mechanism is good for you - go for it.

Resources