Current set-up:
App2 is an existing web app created to enable users to do
transactions. Has login. Accessed globally.
App1 is a purely informational app with no login. Accessed globally.
Proposed changes:
App1 will now have user login and some new functions
Part of its new functions is to have some of the transactional back end
of App2
Plan
Create web service in App2 to expose functions that would be accessed
by App1.
Dilemma
The web service exposed by App2 should only be used by logged in
users from App1.
Settings
App1 and App2 are deployed on the same app server (and will likely have this setup for a long time)
App1 and App2 has a different set of users from different databases.
Question:
whats the best way to solve the dilemma?
Would it be practical just to copy App2's back end in App1 instead?
Would having the two apps as Single Sign also be a practical choice? (e.g. just provide a direct page link in App1 to App2 while under SSO. )
that is all. thanks. Any advise would be appreciated.
The solution to this problem is part of any token based authentication solution.
After your users authenticate against App1, you allow them to retrieve a token to access the API in App2. This token must be signed (to guard against tampering) and contains a relying party identifier or audience URI.
The API you expose in App2, checks whether the token is valid and is intended for use to call it (has correct relying party identifier or audience URI).
Related
I am building a web app with a Django backend and React/Redux frontend running on separate servers. I have begun to try and start working on authentication and I cannot find a tutorial that suits my needs. Every tutorial either uses deprecated modules like drf-jwt (as opposed to simple-jwt) or has a simple mono-server that houses both the backend and the frontend in one directory. The former is useless and I do not want to do the latter as I like having the two separate servers for when I move on to deployment. Now can someone direct me to a good source of knowledge for getting this done? It doesn't have to be a tutorial it can be anything. I am really lost and I do not know how to begin.
you can use 3rd party packages djoser: Provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. for more information: https://pypi.org/project/djoser/
I'm using token authentication from Django Rest Framework so, after a login/password verification, the token on response can be used on any DRF endpoint.
I'm working on a flask web application using flask-login for user authentication.
Now the current layout is going through some changes and it was decided that some of the components should obtain data from the server in order to update on user request.
I intended to create some api routes but I'm not sure how should I now handle user authentication accessing these routes.
I'll be happy to hear what's the best practice in these cases.
Thanks
we are developing an application using Angular2 as frontend and Django as a backend. A Django backend is already in place, while the Angular2 application is in development. We chose, for obvious reasons, to use Django REST as a way to communicate with the backend.
The application login and the backend login are done in two different pages but of course the login domain and the user base is the same. The two login are working properly by themselves, but we wanted to find a way to implement a transparent login (so an user can log into any of the two application and be recognized by the other one without re-logging).
The Angular frontend is currently using Token Authentication. The server does send the csfr and session cookie along with the token. Moving to the backend, the csfr cookie is preserved, while the session is not, so a new login is required (of course, backend and Angular frontend are on different subdomains but in the same domain, the cookies are set on the domain, with two dots: '.domain.com') .
Is it possible to do what we desire? Could someone help us find the proper way to do it?
We've done some research and found Django CAS, but it's not clear for us what's about and if it fits our use case.
Thank you very much
I created a rest web service on my site, through Drupal Service module. Now, i need it to expose registration to the site for my app to use it, but if i allow anonymous user to do that, is the same that opening spread doors to spammers.
So, how do i prevent anonymous users to use my web service to register? I tried using session authentication but giving it a try, i could register users as anonymous...
Maybe oauth authentication could be helpful? Or using some hook like
mymodule_services_resources
Obviously i can't prevent anonymous user to register to the website in the canonical way. (which is protected by spam by captcha, which i cannot use, for obvious reasons, in the web service case)
Maybe the Services API Key module could help.
Hi All I am working on a single sign on system which a load of other web applications will use as its membership provider. I currently have the system up and running in ASP.NET MVC and everything works well, users can log into an application once and have access to all the other apps through that login cookie.
The problem is that users dont all have access to the same apps, this is currently handled at login and if they dont have access to the app they are denied. However with the cookie being set automatically by asp membership, if they do login to an application they have access to they are then given access to all the other apps via the cookie, including the ones they dont have access to.
Any ideas on how to fix this? Ideally I want the cookie to remain as part of the process as I like the idea of a user logging in just once to access all the apps they have. Ideally the applications will maintain the login details but check a webservice if those details have access to that app? I wont have access to the individual applications (they all use standard out the box asp membership, only the web config is altered to point to my system) and all this must be managed by the Signle Sign On area.
Many thanks in advance to those who contribute!
How about setting the names differently for each of the apps that use the membership system?