How to implement OAuth2 in Jersey? - oauth-2.0

I developed a JAX-RS project. I used Jersey for it. I'm trying to figure out what's the best solution for authentication, since my API will be consumed through a web and a mobile application.
OAuth2 seems to be the best solution for the case.
Does anyone know a good and easy to follow example on the subject?

Please try srb4j, a simple RESTful backend for Java, with out-of-the-box, OAuth2-based authentication.
Its tech stack is: Jersey2 + Spring + MyBatis + MySQL. Since it's an open source project, you can replace MyBatis/MySQL with the persistence frameworks and DBs you like.
It's "easy" enough, since you can set up the project in a few minutes.

Related

Rails API authentication for SPA and Client App

I created a Rails API application that is currently doing its job awesomely, but I realized that it is missing the most important part: a login from the React application and, at the same time, authentication from a Python application I developed that should consume those APIs as well.
Now, looking at the various offerings, it all seems fuzzy, at least from my perspective, and I would like to have advice that is not from 2016 or before but that is current today.
Many solutions on the net were dirtying the main ApplicationController, which didn't make sense to me.
So I thought that a 'modern' way, or let's say 'a way', is to use Doorkeeper and Devise.
I thought about Doorkeeper because it allows me to have the 'Applications', therefore I can delegate authentication to applications in the proper way while using JWT for the SPA application, but honestly I don't know where to start deciding :)
I wanted to share here also the link of a blog post that inspired this question: https://www.vic-l.com/jwt-with-refresh-token-using-devise-and-doorkeeper-without-authorization/
Sadly something I found still, without an answer, at the moment, is Setting up DoorKeeper with multiple Rails/React applications?
Now, can I use Doorkeeper to manage the JWT for the SPA and the applications for the client in Python?
Thanks in advance!

Authentication for MVC4 Web Api

I'm trying to secure my MVC4 Web Api. Actually, I just really need an identity provider with some light security. My service is similar to twitter, from a security standpoint, there's not a lot of private data, but the service does need to know the userid for the caller.
It's also important to know that the web service will only be consumed by mobile devices right now, although a website may accompany it at some future point.
S.O. and the internet have led me to Thinktecture.IdentityModel, but man, it seems complex and I can find exactly zero documentation or samples. I also haven't yet had a pleasant experience with claims-based authentication. I don't have a claims server, token provider, or anything like that, and it seems like you would need that to use this method. This all seems far too heavy for my situation.
I've also read about people implementing their own HMAC solution (https://github.com/cuongle/WebAPI.Hmac) or using OAuth (https://github.com/maksymilian-majer/DevDefined.OAuth) but these also seem a bit complex (I've read that OAuth without the helper class is enough to make the best developers cry, and I'm not the best). Janrain looks like it might work, but it looks like you have to pay for more than 2,500 authenticated users per year ...
What is the best way to implement a simple identity provider and security for Web Api?
Thanks!
I have attempted to answer a similar question to this before, Create an OAuth 2.0 service provider using DotNetOpenAuth, where I highlighted the Thinktecture Identity Server. The setup instructions are not too difficult (IMHO). The installation video is here and should help a lot.
I have updated my older answer with this too, but there is also a fairly lightweight OAuth 2.0 implementation example here. Sample code: http://code.google.com/p/codesmith/downloads/detail?name=OAuth2.zip&can=2&q=#makechanges
Have you also read this well articulated question: Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)?
Well, security is hard :)
As for Thinktecture.IdentityModel -- this is a token processing library (among other things) that you'd use in your WebAPI application. You'd use this so you don't need to do the logic to accept tokens (basic auth, SAML, SWT, JWT). Claims are just a side-effect.
If you're looking for an identity provider, then the sister open source project Thinktecture.IdentityServer is in beta for version 2. It's an identity provider that supports a custom database and issues tokens. The project URL is:
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
In response to the problem of finding example code as documentation, consider the samples folder in the Thinktecture github repo: https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples
(Why do you need more reputation to comment on SO than to answer?)

Developing an OAuth service in OpenEdge WebSpeed

I'm developing a new website which is going to include a web API. What I want to know is how easy (or hard) it is to develop the server-side OAuth service for my new website.
I'm using OE11.0 WebSpeed in combination with Apache. Because I've been doing Progress/OpenEdge 4GL/ABL development for over 10 years and nothing else, I find it very hard to translate existing code in PHP, Python, Java etc.
I've read the RFC related to OAuth and I find myself getting lost in "key-varner".
Has anybody developed OAuth server-side code in OpenEdge WebSpeed? If so, are you willing to share?
The CLR bridge works in OE 11 onwards now and we use .NET dll's in WebSpeed successfully.
I think your best bet is to do this outside of WebSpeed / ABL, otherwise you are stuck re-inventing the wheel. The easiest solution would be to call a .NET library directly from your ABL code, but I think that the CLR bridge doesn't work for WebSpeed / AppServer apps.
One solution is to have a separate, non-WebSpeed app just to handle these OAuth requests, using a ProxyPass directive on your Apache server to pattern-match the URIs and route the requests to the appropriate app.
You could use any non-WebSpeed tech you want, but since I know Ruby best, I will point out the excellent omniauth gem, which supports arbitrary authentication strategies, including OAuth. You can create a custom gem for your specific provider by working off any of these strategies (see the "Notes" section and look at any of them that cite "OAuth API" or "OAuth 2 API").
If you want to go whole hog and write the entire app in a different language (yet still using an OpenEdge database), I will toot my own horn and point out the Ruby adapter for OpenEdge databases. This would allow you to use the Ruby on Rails framework for your Web app.

Ruby on Rails REST API + OAuth

Hello dear developers!
What are the benefits of using a REST API + OAuth in Rails 3?
Where can I find code examples of authentication (server + client)?
Maybe I should use some different authentication?
The main idea is that clients can buy goods via RESTful queries and I should provide the highest level of reliability.
Not a direct answer but a slight "redirect": check out the omniauth gem.
Home: https://github.com/intridea/omniauth
A fork of the main repository, but more up to date right now: https://github.com/benschwarz/omniauth
While I usually don't like gems because they often cause more trouble than benefit, authentication code usually does not get better when I write it myself, and this gem is pretty much standard and very widely used.

Rails 3. Building an OAuth2 provider

I am developing an API in Ruby on Rails 3 and I would like to secure it with OAuth2.
In other words, I need to create an OAuth provider. Is there a working gem for Rails 3 out there, or perhaps a tutorial on the issue?
UPDATE
I know Rails is REST based, so I find it very strange that there are no tutorials on how to create a public API and secure it. Does anyone know of any good tutorials? Preferably with OAuth.
Thankful for all help!!
Check out this gem https://github.com/applicake/doorkeeper
It is for Rails 3; the development is in its early stages though.
There's also an example app that you can take a look at to see how the API is done.
http://doorkeeper-provider.herokuapp.com/
I open-sourced an OAuth2 server implementation yesterday.
It's well documented and there is a dashboard to control accesses. Right now I'm searching for somebody who wants to build an engine starting from it, or something cool on top of rack. That's why it is open-source.
https://github.com/intridea/oauth2 is the canonical gem right now for OAuth2 dev. If you are looking for a more complete solution, instead of rolling your own provider code, check out:
https://github.com/songkick/oauth2-provider
https://github.com/freerange/oauth2-provider
But I suggest messing around with the oauth2 gem if you aren't very familiar with the flow so that you can learn it better.
If you are using (or planning to use) devise for authentication, you can use https://github.com/socialcast/devise_oauth2_providable as plugin.
I'm developing a rubygem for an OAuth2 provider, Rack::OAuth2.
https://github.com/nov/rack-oauth2
It requires you to develop the models (token, code, client etc.) yourself, but you can get a whole Rails 3 sample OAuth2 server here.
https://github.com/nov/rack-oauth2-sample
I'm looking to implement an OAuth2 provider, too! I'm currently experimenting with this https://github.com/assaf/rack-oauth2-server, which seems to be a full-featured OAuth2 server, though it still supports only MongoDB, although implementing support for other DBMS seems simple enough. I am also looking at some of the other options posted here, lots of promising stuff!
"Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider functionality to your application."
https://github.com/applicake/doorkeeper