I have a dataprovider with a REST service. They said that the authentication goes as follows:
1. Username and Password are passed in the request header
2. If the authentication is successful I get a token which I have to store and use this token to make further requests.
Now I started reading into REST authentication and just do not understand what kind of authentication they use. I guess I have misunderstood something, so please correct me.
There are three kinds of authentication
1. Basic Authentication (sending username and password base 64 encoded in the header)
2. OpenID (here I send my username and password to a provider to receive a token)
3. OAuth (the caller is identified with a trusted token to let an application call another application on an end-user's behalf without requiring the calling application to store the user's username and password)
I cannot see where to classify my provider's method:
1. I am not sending username and password every time.
2. I do not use a provider.
3. I am not doing application calls and do not use only tokens.
Could anyone help me here?
When you send the username and password to the provider and they are correct, the provider will create a token for this user and send this token to you.
After this, you can use this token in any session and you only have to check this token for expiration; you do not have to send the username and password every time.
I am using django version 3.2.4 in combination with Django Rest Framework.
I also use https://github.com/jazzband/djangorestframework-simplejwt for JWTs.
Problem:
I need to enable Two Factor Authentication in the following way.
The user uses an endpoint to which he submits his username and password. He receives back a JWT token that includes, in a claim, the hashed verification code he needs to enter.
At the same time an email with this code goes to his email address.
Once the user receives the email, he posts to another endpoint the verification code received and the JWT token he received in the previous step.
If the code the user submitted matches the hashed code, then he obtains the JWT token that will be used in the subsequent requests.
P.S. Any other ideas that achieve something similar to the above are welcome.
The way I would approach this is by adding a confirmation_code field to the user model and handling login using one view with two cases:
1st case: I have username and password in the request but no code. After checking username and password, I would manually create and return a short-lived access token only, without a refresh token (it would expire in 3 minutes, for example). I'd create a confirmation code, save it in the DB and send it via mail or SMS etc.
2nd case: the user posts the received confirmation code using the access token in the request, but no username and password. This way I'd be sure the user has a valid access token and confirmation code, and I would then return access token and refresh token as usual. In this step I would blacklist the access token after login is confirmed.
In my login, in the first step I want to send an OTP, and in the second step I want to verify the OTP and then return the token.
I am using rest_framework_simplejwt JWTAuthentication. In the first step I verify the user and send the OTP without returning the token, and in the second step I verify the OTP and return the token.
Let me know if this is the correct way to use it. If not, how can I implement this using JWTAuthentication?
Or, if this is not the correct way to use it, can I implement it like this: in the first step use Basic authentication to verify the user, and in the second step use JWT authentication to verify the OTP and send the tokens? Let me know your solution.
What I understood?
You need to send an OTP to the current user who is hitting your send_otp route, after checking whether the user exists in your system, and then a verify_otp route which will verify the OTP that the user has sent in the API along with its corresponding mobile_number/email_id.
How to do it?
send_otp - Keep this route open; you don't need authentication for this, not even Basic Auth (that's how it works in industry). Just get the mobile_number from the user in the request, check whether it exists in the DB, send the OTP to this number, and set the OTP for the corresponding user in your cache (redis/memcache) for rechecking. Use throttling for this route so that nobody will be able to abuse this API of yours.
verify_otp - This route will also be open (no authentication_classes/permission_classes). Get the mobile_number/email id + OTP from the user and verify it against the cache. If verified, generate the token using TokenObtainPairSerializer and send the refresh + access token in the response; if the OTP is incorrect, send 401.
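A framework-independent sketch of the two-step flow described in this answer and in the confirmation-code answer above (short-lived pre-auth token, hashed code kept server-side, attempt limit, one-time use of the pre-auth token). This is added example code, not the simplejwt library's API: an HMAC-signed token stands in for the JWT, in-memory dicts stand in for redis/db, and the `now` parameter exists only to make expiry testable.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"   # assumption: real code reads the signing key from settings
OTP_TTL = 180                         # pre-auth token lifetime (the "3 minutes" in the answer above)
MAX_ATTEMPTS = 5                      # guesses allowed per code before it is locked

def _sign(payload: dict) -> str:
    """HMAC-signed stand-in for a JWT; only the sub/jti/scope/exp claims matter here."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def _verify(token: str, now: float) -> Optional[dict]:
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(expected, sig):
        return None                   # tampered or malformed token
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload["exp"] > now else None

pending = {}      # jti -> {"hash": sha256(jti+code), "attempts": n}; redis/db in practice
consumed = set()  # jti values of pre-auth tokens already used (the "blacklist")

def start_login(user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Step 1 (password already verified by the caller): issue an otp-scope token. The code is
    stored hashed server-side, not as a token claim, so the token's holder can't brute-force it offline."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    jti = secrets.token_hex(8)
    pending[jti] = {"hash": hashlib.sha256((jti + code).encode()).hexdigest(), "attempts": 0}
    token = _sign({"sub": user_id, "jti": jti, "scope": "otp", "exp": now + OTP_TTL})
    return token, code      # deliver code by email/SMS; it never goes in the HTTP response

def finish_login(token: str, code: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 2: otp-scope token + code -> access/refresh pair, or None (view returns 401)."""
    now = time.time() if now is None else now
    p = _verify(token, now)
    if p is None or p.get("scope") != "otp" or p["jti"] in consumed:
        return None
    entry = pending.get(p["jti"])
    if entry is None or entry["attempts"] >= MAX_ATTEMPTS:
        return None
    entry["attempts"] += 1
    got = hashlib.sha256((p["jti"] + code).encode()).hexdigest()
    if not hmac.compare_digest(entry["hash"], got):
        return None
    consumed.add(p["jti"]); del pending[p["jti"]]   # one-time use: blacklist the pre-auth token
    return {"access": _sign({"sub": p["sub"], "scope": "access", "exp": now + 900}),
            "refresh": _sign({"sub": p["sub"], "scope": "refresh", "exp": now + 86400})}
```

In a DRF view, step 1 runs after the password check and step 2 is the only place that returns the real token pair; both routes still need throttling as the answer says.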
How do I customize the default username/password authentication method in WSO2 Identity Server 5.7.0? I.e., use the password plus any of mobile/email/username to authenticate an end user and provide the user a JWT token as the response.
Please refer to the following [1][2]. As per your requirement, you can use basic (username/password) authentication as step 1 and SMS OTP or email OTP as step 2. The following examples are based on SAML, but as you need to get a JWT token as a response you need to register an OIDC application as a service provider [3][4].
[1] https://docs.wso2.com/display/IS570/Configuring+Email+OTP#ConfiguringEmailOTP-ConfigureWSO2ISastheemailOTPprovider
[2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+Multi-factor+Authentication+using+SMSOTP
[3] https://docs.wso2.com/display/IS570/Configuring+OAuth2-OpenID+Connect+Single-Sign-On
[4] https://docs.wso2.com/display/IS570/Try+Authorization+Code+Grant
I'm attempting to implement a Forgot Password button, utilizing the url /rest_auth/pasword/reset.
My assumption, from reading the docs on this endpoint, is that you only need to pass an email to the endpoint, and then the reset email will be sent, prompting the user to reset their password.
The issue is that this flow only works when the user is actually logged in, i.e. when the session has a valid token key to send back to the server.
If the user forgets their password, they obviously won't be logged in, and thus won't have a token to send back to the server. This is the error I get when trying to POST to the endpoint with just the email and no token header:
{"detail":"Invalid token header. No credentials provided."}
I didn't think that we should need to include a token in the header because that defeats the purpose. Am I misunderstanding how this endpoint is supposed to be used?
Found out I was still sending an Authorization header by accident with an empty token when calling endpoints that didn't need a token key.
Authentication Required
The server http://api.mailgun.net:443 requires a username and password....
I am new to Mailgun, and I don't understand where I can find that username and password.
Can anyone help me please?
This really isn't an appropriate question, but ...
"When you sign up for an account, you are given an API key. You authenticate to the Mailgun API by providing your API key in the request. You can manage your API key in the ‘My Account’ tab of the Control Panel.
Authentication to the API occurs via HTTP Basic Auth. Use api as the user name and your API key is the password."
https://documentation.mailgun.com/api-intro.html#authentication