I've been trying to find a good solution for authenticating a user with OAuth 2.0 using the ASI HTTP library. I'm coming up a bit short. Does anyone know of a library that adds this to ASI HTTP? I found one that only works with OAuth 1.0, and another that adds methods to the request for OAuth, but none that handle logging in etc.
Thanks so much for any insight.
I see a few implementations floating around. The question has also been asked here. This set of classes seems to add support.
I actually recommend switching over to something like AFNetworking since ASIHTTPRequest is no longer updated/supported. If you do that, there is an official extension to do what you're asking here.
Related
I want to implement security and authentication when i am calling an API.
So that my data will not be lost and hijacked by some one in middle.I have searched so many times on net but there is no good article with example.Some one has asked to implement NSURLSession with AFNetworking.
I have used encryption with key before 2 years is there any new things to implement security with authentication when we make request and getting response(is there need of encoding and encryption?).
Please eleborate with suitable example.
what Type of suggestion i have to give also to API developer
Thanks in Advance.
You can use SSL ceritificates (HTTPS) to avoid man-in-middle attack.
No need to invent your own crypto. It is not recommended at all. You should use SSL. That will be good enough. Refer to this article
Refer to this article. In addition there are plenty of other examples in internet. Hope this helps
I have spent the past three days researching OAuth 2.0 and I understood how OAuth can be used to interact with a service provided by a heavy weight such as Google or Facebook. However, I'm struggling to see how someone without a team of tech wizards (aka Me) goes about protecting their API with the protocol.
I have a number of questions and was wondering if someone with some experience can help me.
Here goes nothing...
Is there a clear cut leader in terms of an OAuth Authorization Server implementation (Java)? If yes, is there any good resource out there to teach me how to use it?
Its my understanding that I would need to either build an authorization server or leverage a library to dish out client secrets/tokens.
Should I even be thinking about a library or should I be building my own implementation?
Is OAuth still relevant? From what I can see, it seems like the hype around the technology has leveled off or diminished since 2010. I also saw an article where the spec lead disassociated himself from the protocol.
I appreciate any advice or help, I can't find many resources on this topic that address it clearly (tons of Powerpoints, no code). There seems to be a bunch of talk about how it works, yet no book or article can give a solid tutorial. The documentation for the providers I have found is also very spotty at best. I'm just really starting to question whether this is a legitimate undertaking for someone looking to protect their own simple API. Thanks ahead of time.
Take a look at the Libraries on the OpenID Connect developer pages here: http://openid.net/developers/libraries/
I don't think there's a clear cut leading Java implementation yet
I would not recommend implementing the Authorization Server part on your own, that is the complex part and details matter because this is about security; the client part is easier and should be possible to build even without a library
OAuth is very relevant as it is the only standard out there for securing REST APIs; the hype is over, and now it is common technology; just take a look at all big vendors/SaaS out there, they all use it (starting with Google, Microsoft, Facebook, Twitter etc.)
I'm trying to secure my MVC4 Web Api. Actually, I just really need an identity provider with some light security. My service is similar to twitter, from a security standpoint, there's not a lot of private data, but the service does need to know the userid for the caller.
It's also important to know that the web service will only be consumed by mobile devices right now, although a website may accompany it at some future point.
S.O. and the internet have led me to Thinktecture.IdentityModel, but man it seems complex and I can find exactly zero documentation or samples. I also haven't yet had a pleasant experience with claims-based authentication. I don't have a claims server, token provider, or anything like that, and it seems like you would need that to use this method. This all seems far to heavy for my situation.
I've also read about people implementing their own HMAC solution (https://github.com/cuongle/WebAPI.Hmac) or using OAuth (https://github.com/maksymilian-majer/DevDefined.OAuth) but these also seem a bit complex (I've read that OAuth without the helper class is enough to make the best developers cry, and I'm not the best). Janrain looks like it might work, but it looks like you have to pay for more than 2,500 authenticated users per year ...
What is the best way to implement a simple identity provider and security for Web Api?
Thanks!
I have attempted to answer a similar question to this before Create an OAuth 2.0 service provider using DotNetOpenAuth where I highlighted the Thinkecture Identity Server. The Setup instructions not too difficult (IMHO) The installation video is here and should help a lot.
I have updated my older answer with this too but there is also a fairly lightweight O-Auth 2.0 implementation example here Sample code here http://code.google.com/p/codesmith/downloads/detail?name=OAuth2.zip&can=2&q=#makechanges
Have you also read this well articulated question here Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)
Well, security is hard :)
As for Thinktecture.IdentityModel -- this is a token processing library (among other things) that you'd use in your WebAPI application. You'd use this so you don't need to do the logic to accept tokens (basic auth, SAML, SWT, JWT). Claims are just a side-effect.
If you're looking for an identity provider, then the sister open source project Thinktecture.IdentityServer is in beta for version 2. It's an identity provider that supports a custom database and issues tokens. The project URL is:
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
In response to the problem of finding example code as documentation, consider the samples folder in the Thinktecture github repo: https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples
(Why do you need more reputation to comment on SO than to answer?)
I am building a REST API using Grails. I want it to be protected using OAuth2.0 client_credentials flow(grant_type). My use-case is as follows:
a external agent will send a request to something like
http://server-url/oauth/token?client_id=clientId&client_secret=clientSecret&grant_type=client_credentials
and obtain a access_token. Then, my URL(protected resource) should be accesible with something like
http://server-url/resource?access_token={access-token obtained before}
I am looking for something that makes doing this on Grails easy and quick. What will be the best way/tool/plugin to use for this ? Scribe library is an option, if there are any tutorials for my specific use-case, it will be great.
P.S.: I have tried the spring-security and related plugins, no joy there. Any alternatives would be nice.
I have the same issue. I found a lot of grails plugins that helped you authenticate your app against other oauth providers, but nothing that would help me make my app the oauth provider. After a lot of digging, I came across this grails plugin that will do exactly what you want.
https://github.com/adaptivecomputing/grails-spring-security-oauth2-provider
I'm still configuring it for my application, and I think the docs might need a few edits (specifically the authorization_code flow) but I got the simple client_credentials flow to work with minimal configuration. Hope that helps!
Based on my experiences, Scribe was built for OAuth 1.0 and has only very limited support for OAuth 2.0. In fact, for testing our own OAuth 2 implementation, all we could use from it was an HTTP request wrapper, we had to do anything else manually. Fortunately, doing it manually is suprisingly easy.
Since I still haven't found a fine open OAuth 2.0 library for Java (frankly I'm not familiar with Groovy), I encourage you to write the client code for yourself. You don't even need a client callback endpoint to use the client credentials grant flow. So you simply create an HTTP request (as you've written above already, take care to escape the GET parameters though) and get the response content. Your flow does not use redirects, so simply parse the JSON object in the response content, e.g. with the org.json library. Finally, send an HTTP request using the extracted access token.
Note that your examples are not completely standard compliant. The standard requires using HTTPS, sending the token in an HTTP header instead of a GET parameter and suggests using a HTTP basic authorization header instead of GET parameters to specify client credentials.
I may have misunderstood your question, and you may want to implement the server side, too. The scribe library supports only client side, so you can find a commercial implementation or implement your own server. It is a complex task, but if you support only the client credentials flow, it almost becomes easy. ;-)
This isn't a plugin, it's just a sample Grails application that acts as an OAuth provider. It was really easy to get up and running with Grails 3.
https://github.com/bobbywarner/grails3-oauth2-api
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How is oauth 2 different from oauth 1
I know these 2 are not backward-compatible. But, having implemented OAuth 1.0 already, is it easy to switch to OAuth 2.0? Thanks
OAuth 1.0 and 2.0 are two completely different protocols. However, they are designed to solve pretty much the same basic set of use cases and most of the people developing the new version have working 1.0 implementations. So they all made sure it would be trivial to upgrade.
With 2.0 you get more choices when it comes to how you want to issue and authentication access tokens. The providers with early 2.0 support use Bearer tokens which are send over HTTPS and don't include any cryptography on their own. Another (much better) option is to use MAC tokens which are similar in design to OAuth 1.0 HMAC-SHA1 but are simpler to use (no crazy parameters normalization).
The main difference and where the transition can be more complex is when dealing with large scale. 2.0 handles scale significantly better than 1.0 (which actually sucks at it). So if you have needs for scale, 2.0 would make your life much easier, but to take advantage of it, you'll need to do some work.
OAuth 2 relies on https for security, you don't have to "sign" requests anymore, just send your API key and tokens as querystring parameters.
It's really easy to implement, you don't need libraries or anything like that.
Check facebook's graph api to start playing with OAuth2!
OAuth 2.0 is not finalized yet, and is quite different from 1.0. So 1.0 experience is not that much help for 2.0, though it is some help.
As already pointed out, the major difference is that it relies on HTTPS for security so you no longer need to sign requests. This would be good if not for XSS attacks and Firesheep!