I am building my REST API to be used with my IOS app. I have a little problem...
How do I implement the "resource owner password credentials grant"? I cannot store the client credentials in the IOS app code (not secure) so I have no idea how to secure the API.
So basically, I would be using HTTP Basic Authentication over SSL which would return a token. However, this means that anyone can make a simple post request to my API endpoint from wherever and also obtain a API access token. Basically I'd have a open API.
What do you recommend?
you can actually use keychain to store the data you need .. it's totally secure.. but sure don't store password in it, it will be a deal breaker for you :)
you can request with the password of the user an access_token from the oAuth as you've suggest
and store the access token into the keychain.. it proved that it's secure for me .
Related
A quick overview of the problem.
I have a client application that will use IDS to authorise access to a google service on behalf of the end user.
However, the client application isn't, itself responsible for talking to google. There is a Server app that does some magic with the user's data on his behalf.
Now, if I understand things correctly, the server app will use the Access Token supplied by the client app to talk to google. What happens when that access token expires? As I understand it the client application is expected to use the refresh token to as for a new access token.
Is there an issue with the server using this refresh token to update the access token? What flow am I supposed to use to make this magic happen?
A server using a refresh token to get a new access token is a valid use case.
If you're working with OAuth you can use the Client Credentials or Resource Owner flows to use refresh tokens, otherwise for OpenID Connect you'll need to use Authorization Code or Hybrid.
So I have an application that currently logs the user using linkedin. We are using several oauth services to register and login the user into our application, however we do need to validate the authentication in our own server to make sure any requests to our API are valid.
Currently the linkedIn SDK is not functional in our application due to minimum API level restrictions, so we are using a different library (LinkedIn-J), I am able to retrieve the user access token and secret, I cannot find any reference as to validate them in the server.
How can we go around to making this work? Is it even possible to achieve such a thing?
Thank you very much.
LinkedIn does not have a token validation endpoint. Your best bet is to make a simple non-destructive call like https://api.linkedin.com/v1/people/~ and watch the response to determine whether the token is still valid.
I am working on a mobile application that uses an api built with ASP.NET web api framework. We decided to use ACS alongside a custm STS as a mechanism to secure the api.
We are using a custom STS because we need to authenticate users against our own identity store.
The information flow is as follows:
Mobile app calls the custom STS with user credentials.
User is authenticated against our own identity store.
Once user is authenticated an authorization code is retrieved from ACS and used to retrieve an SWT access token.
Token is returned to mobile app.
Mobile app embeds access token in authorization header and fires request to API
HTTP module in API validates the access token and data is returned if the token is valid.
Everything is done over SSL as we are using oAuth 2.0.
The problem with oAUth 2.0 is that it is at risk from man-in-the-middle attack as the SWT token issued by ACS is a raw token and not encrypted in any way. It is however, signed using a 256bit symmetric key.
We are using swt tokens because we are using an http based approach and the token fits nicely into the auth header of an http request.
Microsoft have provided some ACS security guidelines in the following post:
http://msdn.microsoft.com/en-us/library/windowsazure/gg185962.aspx
we currently implement 2 of these as we check the issuer and the audience i.e that the token was issued by our trusted issuer (ACS) and that the token was issued for the correct audience (our api).
our scenario is based on the following article:
http://msdn.microsoft.com/en-us/library/hh446531.aspx
as such WIF is not used to handle incoming tokens. WIF is only used in claims processing.
given the above mentioned scenario is there anything else that we could be doing to improve the implementation we have to secure our rest based api?
any and all comments/criticism/suggestions welcome.
Thank you.
I think you're already taking the correct approach. The most important thing is to verify if the token is signed by ACS. Never share your ACS secret key with anyone else. If they don't know the key, they cannot forge the signature.
Also do not store confidential information in the token (such as password, credit card number, etc.). You should expect the token may be obtained by someone else, but no one can forge a token with the correct signature.
I am trying to do a Twitter connection using a webview in the excellent Appcelerator Titanium. I know there is a great library from David R out, but I do not want to use a popup and I feel that I need more control over the flow.
My question is: During the authentication flow I need to get an oauth_token which (in my knowledge) is a combination of the consumer key and other values. How can I do this? How can I generate this token so that I can continue the process?
I am of course using Javascript.
Thankful for all input!
It is a multi-step process based on the OAuth 1.0 specs, you can find the details at <http://oauth.net/core/1.0/>
Before doing anything, you will need to register an application with Twitter and they will provide you with a Twitter API Key and a Consumer Token (Key and Secret).
For the next steps, I highly recommend you use OAuthConsumer or some other library, but the steps include generating a proper request to get a "Request Token" from <https://api.twitter.com/oauth/request_token>
then using this Request Token, you need to request the user to authorize your application using <https://api.twitter.com/oauth/authorize?oauth_token=REQUESTTOKENKEY>.
This last step provided you with a Request Verifier allowing your application to make the final request for a permanent Access Token from <https://api.twitter.com/oauth/access_token>.
When you receive the Access Token, you should store a copy somewhere so the user does not have to re-authenticate your application every time (unless that's what you desire). This Access Token does not expire until the user specifically removes the access rights of your application from his Twitter profile. Make sure to store the entire Access Token, meaning storing both the Key and the Secret.
Good luck!
So I've got OpenID+OAuth hybrid working with DotNetOpenAuth when connecting to google. It gives me back a Authorized token so I need to exchange it for an access token.
I seem to be coming in about midway through a normal OAuth workflow in DotNetOpenAuth. I also seem to be missing somethings that DotNetOpenAuth wants like the the token secret and verifier. However according to the graph here I shouldn't need them.
Any ideas how to easily swap the auth token for an access token with DotNetOpenAuth?
Since you're talking about the OpenID+OAuth hybrid I expect you're writing a web app (as opposed to an installed app). DotNetOpenAuth should only be asking you for a verifier code if you're using the DesktopConsumer class, which is inappropriate for you. Use the WebConsumer class instead and the verifier will be taken care of for you. Swapping the request token for an access token will be automatic as you call the simple methods on WebConsumer, I hope.
As for the token secret, all token secrets are managed by your implementation of ITokenManager, which will save and retrieve token secrets on demand within your database.