ServiceStack Auth API from PHP website - web-services

I have a ServiceStack API set up which uses the auth plugin to allow users to register through the api.
The front-end UI is a PHP site. So when the user clicks 'log in via Twitter' they are redirected to the ServiceStack API and then on to Twitter, back to the ServiceStack API and then back to the PHP site.
My question is - how can I manage the auth between the PHP site and the ServiceStack API? Would giving the PHP site the auth token be the way forward? I'd want there to be some per request authentication - would I pass on some cookie info from the browser with each request?
[UPDATE]
So the website is hosted at http://somedomain.com
and the API is hosted at api.subdomain.com,
so they can share cookies.
From those cookies the website can retrieve the ss-id, ss-pid and the X-UAId.
I can see that the [Authenticate] attribute tries to get these values from the request.
So... if we provide these values in the request, the API should be able to authenticate based on that.
Except it can't.
What else do I need to provide to allow this to work? Is this even possible?

Related

How to set up javascript and django applications to exchange jwt tokens

I have a SPA implemented on the Netlify platform. The processing for the app is implemented in a Django API running on a hosted server.
Users are authenticated on the Netlify app, but do not need to be authenticated in Django.
I now want authorised users to be able to post data to the API, and the Django server objects with the message
Forbidden (CSRF cookie not set.): /api/save-archive/{...}/
I am looking at implementing JWT cookies and have considered djangorestframework_simplejwt, but that seems to require that the user is authenticated in Django.
My question is, what software elements do I need to be able to generate and consume a token in this scenario?

Accept only authenticated requests to backend

I have this question. I am quite new in this area.
I have a web app.
It consists of services deployed on Docker engine.
The main services/containers are:
Frontend: React on an Nginx web server
Backend (API): Django, DRF on gunicorn behind Nginx
For the frontend I use the Auth0 provider. It works as expected. If the user is not authenticated/authorized they are redirected to the login page.
Now I also want to "secure" my backend so that it only accepts authenticated connections from the frontend.
For the backend (Django) I also have CORS enabled (django-cors-headers package), but I can still connect from my browser to my-site/api/ and get the response.
Does anybody know which strategy I should use?
Should I somehow secure it using JWT tokens, and somehow pass them to the backend in my requests?
There are various ways of authorizing API calls from your front-end applications to execute actions on your back-end. These will tend to vary in a few aspects:
Complexity
Needing to know who sent the request
Access surfaces
Duration of access
Roles
and so on...
In this case, if you have authenticated users on your front-end using Auth0, then a JWT could make sense, since using this method you can encode specific user data that will allow you to make the decision on your backend as to whether that user should have access to that action at that time.
Here is an article explaining a few popular methods of authentication.
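The token round trip that the two Django questions above ask about (minting a token on the side that already knows the user, and consuming it on the backend before a view such as /api/save-archive/ runs) is shown below as an added example; it is not code from either poster and not from Auth0 or djangorestframework_simplejwt. It uses only the Python standard library, so the signature is HS256 with a constructed shared secret; an Auth0-issued token would instead be RS256 and verified against the tenant's JWKS, but the checks that matter (pin the algorithm, verify the signature before reading claims, then check iss, aud, exp and scope) are the same. The issuer, audience, secret and scope names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. A real deployment loads the secret from
# configuration and, with Auth0, verifies an RS256 signature against the tenant's JWKS.
SECRET = b"example-shared-secret-replace-me"
ISSUER = "https://example-issuer.invalid/"
AUDIENCE = "https://api.example.invalid/"


class TokenError(Exception):
    """Raised for any token the backend must refuse."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub, scope, secret=SECRET, ttl=3600, now=None):
    """Issue an HS256 JWT carrying the subject and space-separated scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "scope": scope,
              "iat": now, "exp": now + ttl}
    h64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    c64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    return f"{h64}.{c64}.{_b64url(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the claims of a token the backend may trust, or raise TokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, c64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError:
        raise TokenError("undecodable token")
    # Pin the algorithm: the verifier decides, never the token's own header.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only after the signature holds are the claims worth reading.
    try:
        claims = json.loads(_b64url_decode(c64))
    except ValueError:
        raise TokenError("undecodable claims")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired")
    return claims


def has_scope(claims, required):
    return required in claims.get("scope", "").split()


def handle_save_archive(authorization_header, now=None):
    """Backend decision for the save-archive call, as (HTTP status, message)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(authorization_header[len("Bearer "):], now=now)
    except TokenError as err:
        return 401, str(err)
    if not has_scope(claims, "write:archive"):
        return 403, "insufficient scope"
    return 200, f"archive saved for {claims['sub']}"


if __name__ == "__main__":
    token = mint_token("user-123", "read:archive write:archive")
    print(handle_save_archive("Bearer " + token))
```

In Django REST framework this decision belongs in an authentication class plus a permission class rather than in the view; note that DRF's SessionAuthentication is what enforces the CSRF check, whereas an authentication class that reads a bearer header does not, so a request authenticated this way is not subject to the "CSRF cookie not set" rejection.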

Need help to do login authentication with OAuth 2.0 while load testing

I have a BlazeMeter Pro account and I am stuck on the step where I try to record in JMeter; I also tried BlazeMeter recording but was not able to do it.
The flow is that I have to log in to the system and perform the operation. We implemented OAuth 2.0 on the development side to authenticate the user via Gmail, and we face an issue while recording the script: the user is not able to authenticate and log in when you hit it with a single user or multiple users.
To authenticate I need all the parameters below, and I have all the details, but in JMeter or BlazeMeter I do not understand where to add them.
client_id=
client_secret=
refresh_token=
grant_type=refresh_token
We are implementing the following steps at record time:
Load the respective URL and open the Gmail login page
After entering email and password, the page redirects and the particular website is displayed
After entering user name and password on the website, the UI is displayed
Please guide me on how to implement this and process my flow for load testing.
As per the Google documentation in OAuth 2.0 for Client-side Web Applications you need to
send a request to https://accounts.google.com/o/oauth2/v2/auth with:
client_id
redirect_uri
response_type
scope
parameters.
This request you should be able to record using your favourite recording option.
In your case you need to change this redirect_uri to some web server which you control, as you will receive the token there in the form of https://your_redirect_url_here/callback#access_token=your_token_will_be_here&token_type=Bearer&expires_in=3600
It's a good idea to use the HTTP Mirror Server for this purpose.
Once you get the token you will be able to add an HTTP Header Manager and configure it to send an Authorization header with the value Bearer ${your_token}
More information:
OAuth 2.0 Documentation
OAuth 2.0 Playground (if your application uses a different flow you can replicate it there and see the relevant requests/responses, which can later be implemented in JMeter)
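The two halves of this answer (the recorded authorization request whose result arrives in the URL fragment of the redirect, and the Bearer header that every later sampler sends), together with the refresh_token grant the question lists, are worked through below as an added example; it is not code from the poster, from JMeter or from BlazeMeter. It builds the requests and parses the callback offline; the client_id, redirect URI, scope and token values are constructed placeholders, and the token endpoint is Google's documented https://oauth2.googleapis.com/token. The state parameter is an addition over the answer's list: it is how the callback is tied back to the request that started it.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # from the answer above
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"          # Google's OAuth 2.0 token endpoint


def build_authorization_url(client_id, redirect_uri, scope, state):
    """The browser request that gets recorded; response_type=token asks for the implicit flow,
    whose result comes back in the #fragment of redirect_uri."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "token",
        "scope": scope,
        "state": state,  # random per run; checked again on the callback
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_implicit_callback(callback_url, expected_state):
    """Pull the bearer token out of the fragment of the redirect the mirror server received.
    Browsers never send the fragment to a server, so this is what a recorder cannot capture
    on its own and why the redirect must land on a server you control."""
    fragment = urlsplit(callback_url).fragment
    fields = {key: values[0] for key, values in parse_qs(fragment).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this authorization request")
    if "access_token" not in fields:
        raise ValueError("callback carries no access_token: " + fields.get("error", "unknown error"))
    if fields.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"access_token": fields["access_token"], "expires_in": int(fields.get("expires_in", "0"))}


def refresh_grant_request(client_id, client_secret, refresh_token):
    """The non-browser path from the question: a plain form POST an HTTP Request sampler
    can send itself, with no Gmail login page involved. Returns (url, headers, body)."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body


def authorization_header(access_token):
    """What the HTTP Header Manager adds to every sampler once the token is known."""
    return {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    state = "constructed-state-value"
    print(build_authorization_url("example-client-id", "https://loadtest.example.invalid/callback",
                                  "openid email", state))
    # Constructed callback of the shape quoted in the answer, as the mirror server would log it.
    callback = ("https://loadtest.example.invalid/callback#access_token=example-token"
                "&token_type=Bearer&expires_in=3600&state=" + state)
    print(authorization_header(parse_implicit_callback(callback, state)["access_token"]))
```

For a load test the refresh_token grant is usually the better fit: the expires_in value tells you when the sampler must ask for a fresh token, and the POST can be repeated per virtual user without any interactive Gmail login.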

adding login function in custom salesforce webservice

I have a custom Salesforce web service, but to access that web service we need to log in via the Salesforce enterprise WSDL. I don't want to add that WSDL file. Is there any way to add a login function to the custom web service, or to log in without that WSDL web service?
Yes, see SOAP request to APEX webservice without requiring authentication.
go into the site detail page in setup, click Public Access Settings,
and then add the Apex Class there. This is effectively granting your
anonymous running user account (guest license) the ability to directly
access this class.
There are more detailed instructions at Public Web Services via Apex and Force.com Sites.
Note that your data exposed via this web service will no longer be secure.
As you mention, you need to authenticate; the login method is not included in the custom Apex WSDL. You have lots of choices, depending on exactly what sort of app you're building.
Add either the enterprise or partner WSDL to your app and call login from there.
Use an interactive OAuth flow which will result in you getting an access token & instance URL, which you can then use with the Apex WSDL.
Use a programmatic OAuth flow (username/password), again resulting in an access token & instance URL which you can then use with the Apex WSDL.
If you have a web-based app, you can create a custom link/tab in Salesforce to pass you the existing serverUrl/sessionId info.
For the OAuth flows, you would pass the received access token in your Apex requests as the sessionId (just like if you got it from login), and you would combine the host name from the instance URL with the path from the Apex WSDL to set the endpoint URL of your stub.
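The last paragraph of this answer describes a concrete construction: take the host from the instance URL, the path from the Apex WSDL, and put the access token into the SessionHeader as sessionId. The block below is an added example of that construction (and of the username/password token request it starts from), not code from the answerer or from Salesforce. The class name MyService, the credentials and the login URL are constructed placeholders; the namespace http://soap.sforce.com/schemas/class/<ClassName> and the /services/Soap/class/<ClassName> path are the ones an Apex-generated WSDL uses, but read both from the WSDL you actually generated.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def password_grant_request(login_url, client_id, client_secret, username, password_with_token):
    """The 'programmatic OAuth flow' from the answer: a POST to the token endpoint, no WSDL.
    Salesforce expects the password with the user's security token appended. Returns (url, body)."""
    url = login_url.rstrip("/") + "/services/oauth2/token"
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password_with_token,
    })
    return url, body


def apex_endpoint(instance_url, wsdl_soap_address):
    """Host from the token response's instance_url, path from the Apex WSDL's soap:address."""
    instance = urlsplit(instance_url)
    wsdl = urlsplit(wsdl_soap_address)
    return urlunsplit(("https", instance.netloc, wsdl.path, "", ""))


def apex_soap_envelope(class_name, session_id, method, args):
    """SOAP request for an Apex webservice method, carrying the access token as sessionId.
    Values are XML-escaped so user-supplied arguments cannot break out of their elements."""
    ns = "http://soap.sforce.com/schemas/class/" + class_name
    params = "".join(f"<cls:{name}>{escape(str(value))}</cls:{name}>" for name, value in args.items())
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:cls="{ns}">'
        "<soapenv:Header><cls:SessionHeader>"
        f"<cls:sessionId>{escape(session_id)}</cls:sessionId>"
        "</cls:SessionHeader></soapenv:Header>"
        f"<soapenv:Body><cls:{method}>{params}</cls:{method}></soapenv:Body>"
        "</soapenv:Envelope>"
    )


def session_id_in_envelope(envelope, class_name):
    """Read the sessionId back out of an envelope, confirming the header sits where Apex looks."""
    ns = "http://soap.sforce.com/schemas/class/" + class_name
    root = ET.fromstring(envelope)
    node = root.find(f"{{{SOAP_NS}}}Header/{{{ns}}}SessionHeader/{{{ns}}}sessionId")
    return None if node is None else node.text


if __name__ == "__main__":
    # Constructed values; a real run POSTs password_grant_request(...) and reads
    # access_token and instance_url from the JSON response.
    url, body = password_grant_request("https://login.salesforce.com", "example-client-id",
                                       "example-secret", "user@example.invalid", "passwordSECTOKEN")
    endpoint = apex_endpoint("https://na1.salesforce.com",
                             "https://login.salesforce.com/services/Soap/class/MyService")
    envelope = apex_soap_envelope("MyService", "example-access-token", "echo", {"msg": "hello"})
    print(url, endpoint, envelope, sep="\n")
```

Treat the access token exactly like a session ID: it goes only in the SessionHeader of requests to the endpoint derived from instance_url, never into logs or URLs.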

Securing REST web service in GlassFish

everyone.
I have a problem securing my REST web service. It's part of a Java EE web application. To secure the pages I used the login-config tag and set up "FORM" authentication. Now I don't know how to secure the web services, because "FORM" is not appropriate for them and I can't have two login-config tags for the app. I considered splitting into 2 apps, but I don't think it's a good idea. Any suggestions?
This has info on how to create secured web services using NetBeans: http://netbeans.org/kb/docs/websvc/wsit.html
Many web service providers use an API key to authenticate access to the service. You may want to consider doing something similar for your service.
It is pretty common for the REST API to have a separate subpath; that way you can specify the auth constraint just for the URLs specific to your application, and for the URIs corresponding to your REST API implement authentication using the Jersey OAuth filter or something else.
In case your app is all written in Jersey and you would like to expose exactly the same URIs for REST clients as well as the browser (and differentiate just based on the requested media type), you can have a "login" URL (for displaying a login page) and protect only that using FORM authentication.
Then you would add the Jersey OAuth filter (or another auth filter), which would not kick in unless there is an OAuth header in the request, and another filter where you would check if ContainerRequest.getUserPrincipal() is null. If it is null, you could return Response.seeOther(UriBuilder.fromPath("/login").queryParam("redirect", request.getAbsolutePath()).build()).build(), which will redirect to the login (for OAuth this would not kick in, since either the OAuth request would succeed, or the previous filter would fail and return Unauthorized or Bad Request status codes).
In the login resource you can use the redirect query parameter to redirect back to the original page once successfully logged in.