Standard way to do access control for an online service - web-services

I was wondering what a standard way would be to do access control for some private online services that are hosted in the cloud.
Basically, the service in the cloud is a MapProxy, which itself does not support many authentication methods. Therefore, I was thinking of building a proxy in front of that MapProxy to do some connection handling. We have decided to use cookies as a way of authentication, and now what is a standard way to do authorization?
Is there any well-documented library that could help build a connection handler for authorization?

It all depends on what you mean by authorization. If your goal is to define true access control logic, e.g.:
a user can call this method of my API if the user role is manager and the user location is the same as the location of the document requested in the API,
then you can use XACML, the eXtensible Access Control Markup Language. I have already replied to a similar question here: RESTFul API endpoint design with filtering and authorization and https://stackoverflow.com/questions/24514711/authorization-framework-in-a-java-web-application/24526891#24526891
To implement ABAC, you will need XACML, the eXtensible Access Control Markup Language. It's an OASIS standard (the same body behind SAML and many other standards). XACML defines:
a policy language to express the authorization requirements above
a request/response scheme to query the authorization e.g. "Can Alice view document d?"
an architecture which defines standard components such as the policy decision point (PDP) and the policy enforcement point (PEP). The latter protects your app and sends the authorization question to the PDP.
When to choose XACML (and ABAC) over other frameworks e.g. Spring Security (and RBAC)? If you have relationships between your users and your data (e.g. ownership, doctor-patient, team leader - team member...), then XACML is for you. If you have many different apps in different languages (Python, Java, .NET, Ruby...) then XACML is for you. XACML is technology-agnostic so it makes it easier to reuse across all your apps.
There are several frameworks that provide you with XACML. Some are vendor-based such as Axiomatics (where I work). Others are open-source such as SunXACML or Heras AF.
HTH,
David.
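The PDP/PEP split and the attribute rule quoted above ("role is manager and the user's location matches the document's location"), as an added Python illustration that is not code from the answer or from any XACML product. It keeps the XACML architecture (a decision request, a policy of rules over subject/action/resource attributes, a PDP that decides and a PEP that enforces) but expresses the rules as Python predicates rather than XACML XML; the users, documents, rule names and the ownership rule are constructed for the example.

```python
"""Attribute-based access control (ABAC) in the XACML style: a policy
decision point (PDP) evaluates rules over attributes of the subject,
action and resource; a policy enforcement point (PEP) sits in front of
the API method and asks the PDP before running it.

Added illustration only; users, documents and rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Request:
    """The question put to the PDP, e.g. "Can Alice view document d1?"."""
    subject: dict
    action: str
    resource: dict


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # predicate over the attributes


@dataclass
class Policy:
    # Combining algorithm: the first rule whose condition holds decides;
    # if no rule applies the answer is NotApplicable.
    rules: list = field(default_factory=list)


class PolicyDecisionPoint:
    def __init__(self, policy: Policy):
        self.policy = policy

    def decide(self, request: Request) -> tuple:
        for rule in self.policy.rules:
            try:
                matched = rule.condition(request)
            except KeyError:
                matched = False   # a missing attribute must never become a Permit
            if matched:
                return rule.effect, rule.name
        return "NotApplicable", None


class PolicyEnforcementPoint:
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def guard(self, subject, action, resource, handler):
        decision, rule = self.pdp.decide(Request(subject, action, resource))
        if decision != "Permit":
            # Deny by default: Deny, NotApplicable and errors all refuse the call.
            raise PermissionError(f"{action} refused: {decision} (rule={rule})")
        return handler()


# Constructed sample directory and document store.
USERS = {
    "alice": {"id": "alice", "role": "manager",  "location": "paris"},
    "bob":   {"id": "bob",   "role": "manager",  "location": "london"},
    "carol": {"id": "carol", "role": "employee", "location": "paris"},
}
DOCS = {
    "d1": {"id": "d1", "owner": "carol", "location": "paris", "body": "Q3 plan"},
}

# The rule from the answer, plus an ownership relationship, both written as
# conditions over attributes instead of role checks inside the API code.
POLICY = Policy(rules=[
    Rule("manager-same-location", "Permit",
         lambda r: r.action == "view"
         and r.subject["role"] == "manager"
         and r.subject["location"] == r.resource["location"]),
    Rule("owner-can-view-and-edit", "Permit",
         lambda r: r.action in ("view", "edit")
         and r.subject["id"] == r.resource["owner"]),
])

PDP = PolicyDecisionPoint(POLICY)
PEP = PolicyEnforcementPoint(PDP)


def view_document(user_id: str, doc_id: str) -> str:
    """API method protected by the PEP: returns the body or raises PermissionError."""
    subject, resource = USERS[user_id], DOCS[doc_id]
    return PEP.guard(subject, "view", resource, lambda: resource["body"])


def decide(user_id: str, action: str, doc_id: str) -> str:
    """Ask the PDP directly (handy for tests and for auditing decisions)."""
    return PDP.decide(Request(USERS[user_id], action, DOCS[doc_id]))[0]


def is_allowed(user_id: str, action: str, doc_id: str) -> bool:
    try:
        PEP.guard(USERS[user_id], action, DOCS[doc_id], lambda: None)
        return True
    except PermissionError:
        return False
```

Alice (a manager in Paris) can view the Paris document, Bob (a manager in London) cannot, and Carol can view and edit it only because she owns it. Note that the PEP treats anything other than an explicit Permit as a refusal, which is the safe default when the PDP is a separate service that can also fail or time out.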

Related

Authorization: Any Benefit of OAuth2 for First-Party Web and Mobile Clients

I would like to know whether there is any security benefit to using OAuth2 for authorization where all clients are developed, owned and controlled by the API developer/owner/controller; as opposed to using token authentication per Django Rest Framework's Token Authentication.
My understanding of OAuth is that it was created for the purpose of delegated authorization: allowing third-party applications access to your users' data without knowing the users' credentials. It seems to now have become a standard, even where delegation is not required. I do not understand why. Is there any benefit at all where delegation is not required?
My setup will be a Django Rest Framework API with a web SPA client and mobile clients. Permissions are associated with user accounts. Users login with email and password.
I do not think that this is an opinion question, because I'm not asking which is better, I will make that decision myself, I'm just trying to understand whether there is actually any security benefit at all to the OAuth option. This question might be somewhat open-ended but hopefully is within an acceptable margin since I'm restricting the considerations to security considerations. Developer effort etc are not necessary to discuss.
OAuth is primarily a set of best practice security design patterns, represented by standards specifications that map to use cases for software companies. It is not just about delegation.
I wouldn't say solutions are more secure just because OAuth is used. It is more a case of the threats being better thought through, as well as the general architecture.
PROTECTING DATA IN APIs
The OAuth solution involves validating a JWT access token on every request, then using claims to implement the real authorization work.
This scales well to zero trust architectures, where JWTs can be forwarded between APIs, and the scope and audience claims can be used for boundary checks. The IAM Primer provides a good overview.
UI FLOWS
Web and mobile are tricky, and it is worth being aware of SPA Best Practices, whether you use OAuth or any other solution, such as a site that manages its own passwords.
FULL OAUTH SOLUTIONS
A full OAuth solution involves use of a third party Authorization Server (AS), which manages the difficult security work, but there is a learning curve in integrating one. It also enables you to use the code flow, which is worth reading about.
Sometimes companies adopt an AS when they want multiple sign in methods, custom authentication, business partner integration, or to use advanced flows or financial grade security, which is required in some industry sectors.
YOUR SOLUTION
Security for web, mobile and APIs is difficult however you do it. Usually companies identify requirements and design how they want end-to-end flows to work, rather than it just being a developer task. My blog post suggests a people process.
My general recommendation would be to follow OAuth patterns to protect data, even if you implement UI flows in a simpler way initially. Your code will then be migratable to a full OAuth architecture in future, if your security requirements evolve.
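The "validate a JWT on every request, then authorize from its claims" pattern from the answer, with the audience and scope boundary checks it mentions, as an added Python illustration that is not code from the answer or from any OAuth library. It uses HS256 with a shared secret and a stdlib-only verifier so it runs offline; a real API would normally verify RS256/ES256 signatures against the authorization server's published JWKS. The issuer, audience, key and order data are constructed.

```python
"""JWT access-token validation followed by claims-based authorization.

Added illustration only. Assumes HS256 with a shared secret; the
issuer, audience, key and order data are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

ISSUER = "https://as.example"          # assumed authorization server
AUDIENCE = "orders-api"                # this API's own identifier
ORDERS = {"alice": ["o-17", "o-42"]}   # constructed sample data


class TokenError(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token the way the (assumed) authorization server would."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify(token: str, key: bytes, audience: str, issuer: str, now=None) -> dict:
    """Return the claims if the token is valid for this API, else raise TokenError."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, binascii.Error):
        raise TokenError("malformed token")
    # Pin the algorithm: the header is attacker-controlled, so "none" or any
    # other alg must not be honoured.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("alg not allowed")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only now is the payload trustworthy.
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("expired")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:        # boundary check: token minted for another API
        raise TokenError("wrong audience")
    return claims


def require_scope(claims: dict, needed: str) -> None:
    granted = set(str(claims.get("scope", "")).split())
    if needed not in granted:      # boundary check: token lacks this privilege
        raise TokenError(f"missing scope {needed}")


def get_orders(token: str, key: bytes, now=None) -> dict:
    """API handler: validate the token, then authorize from its claims."""
    claims = verify(token, key, audience=AUDIENCE, issuer=ISSUER, now=now)
    require_scope(claims, "orders:read")
    user = claims.get("sub")
    return {"user": user, "orders": ORDERS.get(user, [])}


def outcome(token: str, key: bytes, now=None) -> str:
    """'ok' or the rejection reason, for exercising the handler."""
    try:
        get_orders(token, key, now=now)
        return "ok"
    except TokenError as e:
        return str(e)
```

The order of checks matters: algorithm pinning and the signature come before anything in the payload is read, so a forged or alg-swapped token is rejected without its claims ever influencing the decision. A token minted for `billing-api`, or one carrying only the `profile` scope, fails the audience or scope check even though its signature is perfectly valid, which is what stops a token being forwarded to an API it was never meant for.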

Is XACML the unique alternative for access granularity

I currently use WSO2is 5.9, but I want to be more thorough when creating access rules for the resources of my web application, for example limiting an action to a certain button within my application.
I have read the documentation of WSO2is and other resources, everything guides me that I must use XACML to apply such restrictions within my application.
Is there another alternative to XACML? I see a very high complexity in using this proposal.
For now, in the OIDC claims I get the role, but I don't see how to limit functionality.
You can also use adaptive authentication scripts to have some access control at the service provider level instead of using XACML. Please refer to the documentation on adaptive authentication scripts: https://is.docs.wso2.com/en/5.9.0/learn/adaptive-authentication/
For example, if you want to have some role-based access control, you can use the adaptive script described here: https://is.docs.wso2.com/en/5.9.0/learn/configuring-role-based-adaptive-authentication/
There are some predefined scenarios, and you can refer to them as well: https://is.docs.wso2.com/en/5.9.0/learn/adaptive-authentication-scenarios/

SSO Implementation ColdFusion

This is a very basic question. I want to do an SSO integration using ColdFusion but do not know where to start. I found the website ssoeasy.com through a google search, but am very confused about how to use it and where to find documentation.
I think it has something to do with cfldap or cfhttp, but I am not sure what and where:
<cfhttp method="get" url="http://testsso.com/login.cfm">
</cfhttp>
It really depends on what role you want to play in an SSO ecosystem. Are you an app in a larger federation (Service Provider), or are you trying to implement an SSO style login across multiple applications that you control, or are you looking to setup so that your users can log in with Google or Facebook or such other identity registers?
A few years back we did an implementation with Shibboleth (https://shibboleth.net/) and CF where our intended place in the system was that of a Service Provider to other companies' Identity Providers. It works pretty straightforwardly: we let Shibboleth handle all the SAML federation grunt work, and when it's completed we get an e-mail address (the unique identifier we decided on) back from Shibboleth saying that the user has been authenticated via the Identity Provider.
Other 'SSO' implementations are around for other types of integrations.
From CFCs to handle OAuth -- https://github.com/coldfumonkeh/oauth2
For integrated OAuth support, if you're running a new enough version of ColdFusion: https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-m-o/cfoauth.html
Hope this is of assistance to you.
If I understand your SSO use case, the application will be a cloud service provider (SP). There are three things you need to determine to help in the selection of the appropriate technology, mainly (1) the SSO protocol to integrate, mainly SAML, OAuth, OpenID Connect (OIDC), etc., (2) hosting, mainly cloud, on-prem, or hybrid, and (3) whether or not IdP discovery is needed for your business partners.
Being ColdFusion based as well as working to be a cloud SP web application, my experience is that the application is to be hosted by your organization, such that an on-premise SSO capability is desired, and IdP discovery will be needed for your partners.
As noted in your question, there are some options for integration. I have found the most popular approach to being an SP website is to utilize a vendor product that handles the SSO protocol (e.g. SAML, OIDC), where the integration with your ColdFusion application is based upon a simple REST API integration. With this design pattern, the vendor product manages all the security of the SSO protocol and then simplifies integration to your application as a secure REST API exchange of identity information. This will minimize the impact to your application and also give the most support for modern identity. One product that offers this capability is PingFederate via the Agentless integration (also referred to as Reference ID integration). I have had much success integrating ColdFusion applications following this type of approach.
SAML seemed to be the easiest to implement for our team. Phil Duba's 2013 Beyond Encrypt() presentation is a good starting place. His website is down right now, but I'm sure you can find the downloadable file somewhere. Learning about SAML in general would be a good idea. Also, you can use Java, so maybe look at SAML/OAuth Java examples and try doing that for ColdFusion since it is based on Java.

Develop Coldfusion Web Service

I need to develop/design a ColdFusion web service which uses a few object calls and functions.
What is a good source of samples to develop in terms of OOP?
What is the best way to secure the web service?
How to authenticate external/internal users? Any sample?
FYI, this web service is going to be used by multiple departments.
thanks
A
OOP examples are all over the web. I don't have any handy, so I'll skip that part, and go straight to authentication and security.
First, authentication. There are several possible answers depending on what kind of users you are authenticating. For example, if you are authenticating users connecting via a 3rd party tool -- like a desktop or phone app posting to Twitter -- I would say that OAuth is a good solution. There is a good library for both publishing and consuming OAuth integrations at oauth.riaforge.com. If you are looking for something lighter weight, we used a simple token creation scheme for a web service that was only consumed by partner services. Basically, the partner service sends what amounts to a username and password pair, a token is created with a "last used" timestamp, and every time the web service interacts after that, we do a check against the token store.
Security is, similarly, very dependent on your end goals. However, there are a few basic principles I've always tried to follow. First, build your basic CFCs as you normally would for constructing your objects. Entry points should be public, helper functions private, etc. This includes building an object to handle whatever authentication model you choose. On top of that, build your public API. These should all simply be access functions. They are called by outside applications, call the security object, then call the appropriate objects and methods to achieve the goal of the call. This way, you never have to bake the security layer into your base functionality calls, but you also have an easy way to include security. Remember, a single API call does not have to reflect a single base call -- you can build more complex routines if needed.
So, to recap.
Authentication
OAuth
Temporary Token Generation
Security
private/public (not remote) base layer
private/public (not remote) authentication layer
remote API layer
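The lightweight token scheme and the layering from the answer (credentials exchanged once for a token, a token store with a "last used" timestamp checked on every call, and a remote API layer that consults the authentication object before touching the base layer), as an added Python illustration rather than the answerer's ColdFusion code. The in-memory store, the partner account, the idle and absolute timeouts and the `get_department_report` API are all assumed for the example.

```python
"""Opaque partner tokens checked against a server-side token store.

Added illustration only. The store is in-memory, the partner account is
constructed, and the timeouts are assumed values.
"""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed: token dies after 15 min without use
MAX_LIFETIME = 8 * 3600      # assumed: and unconditionally after 8 h
_DUMMY_SALT = b"\0" * 16
_DUMMY_DIGEST = b"\0" * 32


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_key(token: str) -> str:
    # Store only a hash of the token, so a leaked store does not leak live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """The 'authentication layer': credentials in, token out, token checked later."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised
        self._partners = {}          # name -> (salt, pbkdf2 digest)
        self._tokens = {}            # sha256(token) -> record

    def register_partner(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._partners[name] = (salt, _hash_password(password, salt))

    def issue(self, name: str, password: str):
        """Exchange a username/password pair for a token; None on failure."""
        salt, digest = self._partners.get(name, (_DUMMY_SALT, _DUMMY_DIGEST))
        # Always run the KDF and a constant-time compare so an unknown
        # username costs the same as a wrong password.
        ok = hmac.compare_digest(_hash_password(password, salt), digest)
        if name not in self._partners or not ok:
            return None
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        now = self._clock()
        self._tokens[_token_key(token)] = {"partner": name, "issued": now, "last_used": now}
        return token

    def authenticate(self, token: str):
        """Partner name for a live token (and refresh last_used), else None."""
        key = _token_key(token)
        rec = self._tokens.get(key)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_used"] > IDLE_TIMEOUT or now - rec["issued"] > MAX_LIFETIME:
            del self._tokens[key]              # expired: drop it so it cannot be revived
            return None
        rec["last_used"] = now
        return rec["partner"]

    def revoke(self, token: str) -> None:
        self._tokens.pop(_token_key(token), None)


def get_department_report(store: TokenStore, token: str) -> dict:
    """The 'remote API layer': check the token, then call into the base layer."""
    partner = store.authenticate(token)
    if partner is None:
        raise PermissionError("invalid or expired token")
    return {"partner": partner, "report": f"figures for {partner}"}   # base-layer stand-in


if __name__ == "__main__":
    store = TokenStore()
    store.register_partner("dept-a", "correct horse battery staple")
    token = store.issue("dept-a", "correct horse battery staple")
    print(get_department_report(store, token))
```

Two details are worth keeping when porting this: the token itself is never stored (only its hash), so a database dump does not hand out usable credentials, and the "last used" timestamp gives an idle timeout in addition to the absolute lifetime, so an abandoned integration stops working on its own rather than living until someone remembers to revoke it.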

Would OpenID or OAuth work for authorization/authentication on a distributed web service?

We're in the early stages of designing a RESTful/resource-oriented web service API for a computational linguistics application. Because many of the resources we plan to serve are rights-encumbered, a key design decision has been to specify the platform so that each resource provider can expose their own web service that complies with the API spec. This way, the rights owner maintains control over their content (and thus the ability to throttle or deny access at will) and a direct relationship with the consumer, while still being able to participate in the collaborative network.
At the same time, to simplify the job of writing a client for this service, we want to allow a client access to the distributed service through one end-point, with the server handling content negotiation and retrieval from the appropriate providers.
Right now, we're at an impasse on authentication/authorization schemes. One of our number has argued for the (technical) simplicity of a central authentication registry, but others are concerned about the organizational complexity of such a scheme.
It seems to me, based on an albeit limited understanding of the technologies, that a combination of OpenID and OAuth would do the trick, with a client authenticating with the end-point via OpenID, and the server taking action on the user's behalf with the various content providers using OAuth.
I've only ever seen implementations (e.g. stackoverflow, twitter, etc.) where a human was present to intervene, and I still need to do more research on these technologies.
Would a scheme like this work for an automated web service, or would it make the client too difficult to implement and operate?
OpenID does assume the user is present to drive a web browser to interact with their OpenID provider and do that initial authentication. But you could have the user authenticate to the end-point with OpenID, and there get an OAuth authorization for their client's automated use.
You should be able to do this without making the client too difficult to implement, particularly if the client is on a platform that allows it to spawn a web browser to drive that initial OpenID bit.