Two-legged OAuth - looking for information - web-services

I want to implement a new REST-based API on our infrastructure, and OAuth seems to be the way to go.
For our implementation, there will first just be server-to-server access, which will be completely unrestricted. I believe this is called two-legged authorization.
Later on, we'd like to allow the API to be consumed by the browser, which will turn our authorization into three-legged.
Is there a good starting point for implementing this? How can we fully authorize a server and down the road add restricted authorization per-user?
The OAuth specification is not really helpful in these scenarios, but I believe this implies we need to create a never-expiring session for the server-to-server access, and later on add normal sessions with limited access for user-only APIs.
I'm hoping to find starting points for more information, let me know!
Is OAuth for me? I'm only looking for a authenticated request system, and only the consumer and service provider exist in this scenario. The end-user does not come in to play!

Ya, OAuth is probably for you.
There are actually two OAuth specifications, the 3-legged version and the 2-legged version. The 3-legged version is the one that gets most of the attention, and it's not the one you want to use.
The good news is that the 2-legged version does exactly what you want, it allows an application to grant access to another via either a shared secret key (very similar to Amazon's Web Service model, you will use the HMAC-SHA1 signing method) or via a public/private key system (use signing method: RSA-SHA1). The bad news, is that it's not nearly as well supported yet as the 3-legged version yet, so you may have to do a bit more work than you otherwise might have to right now.
Basically, 2-legged OAuth just specifies a way to "sign" (compute a hash over) several fields which include the current date, a random number called "nonce," and the parameters of your request. This makes it very hard to impersonate requests to your web service.
OAuth is slowly but surely becoming an accepted standard for this kind of thing -- you'll be best off in the long run if you embrace it because people can then leverage the various libraries available for doing that.
It's more elaborate than you would initially want to get into - but the good news is that a lot of people have spent a lot of time on it so you know you haven't forgotten anything. A great example is that very recently Twitter found a gap in the OAuth security which the community is currently working on closing. If you'd invented your own system, you're having to figure out all this stuff on your own.
Good luck!

Remember to distinguish between authentication and authorization. In some places, I believe that the OP mixes the two.
For example, once a server authenticates someone, it usually explicitly or implicitly (using cookies) provides an authentication token so that subsequent requests are already authorized.
It is up to the server how long the credentials last. It is smart to plan that the credentials will time-out at some point. Just have the client server be prepared to re-authenticate itself whenever it receives the "authorization expired" error response.
You don't want to try to provide a "never-expiring" session since:
Everything expires at some point. For example, how will the client server be able to start accessing the application again if it loses power or is rebooted?
You're creating an inflexible system. They tend to break more often.
Since you know that you want to add additional types of logins in the future, instead of two types of logins (server clients and browser clients), make just one type of login now. The additional work for the client server will be to implement a "re-login as necessary" capability.

OAuth will end up being too difficult for our needs. I've decided to adopt Amazon S3's authentication scheme, simply because it fits our model better.
Thanks for helping out finding an answer though..

Related

Authorization: Any Benefit of OAuth2 for First-Party Web and Mobile Clients

I would like to know whether there is any security benefit to using OAuth2 for authorization where all clients are developed, owned and controlled by the API developer/owner/controller; as opposed to using token authentication per Django Rest Framework's Token Authentication.
My understanding OAuth is that it was created for the purpose of delegated authorization - allowing third party applications access to your user's data without knowing the user's credentials. It seems to now have become a standard, even where delegation is not required. I do not understand why. Is there any benefit at all where delegation is not required?
My setup will be a Django Rest Framework API with a web SPA client and mobile clients. Permissions are associated with user accounts. Users login with email and password.
I do not think that this is an opinion question, because I'm not asking which is better, I will make that decision myself, I'm just trying to understand whether there is actually any security benefit at all to the OAuth option. This question might be somewhat open-ended but hopefully is within an acceptable margin since I'm restricting the considerations to security considerations. Developer effort etc are not necessary to discuss.
OAuth is primarily a set of best practice security design patterns, represented by standards specifications that map to use cases for software companies. It is not just about delegation.
I wouldn't say solutions are more secure just because OAuth is used. It is more a case of the threats being better thought through, as well as the general architecture.
PROTECTING DATA IN APIs
The OAuth solution involves validating a JWT access token on every request, then using claims to implement the real authorization work.
This scales well to zero trust architectures, where JWTs can be forwarded between APIs, and the scope and audience claims can be used for boundary checks. The IAM Primer provides a good overview.
UI FLOWS
Web and mobile are tricky, and it is worth being aware of SPA Best Practices, whether you use OAuth or any other solution, such as a site that manages its own passwords.
FULL OAUTH SOLUTIONS
A full OAuth solution involves use of a third party Authorization Server (AS), which manages the difficult security work, but there is a learning curve in integrating one. It also enables you to use the code flow, which is worth reading about.
Sometimes companies adopt an AS when they want multiple sign in methods, custom authentication, business partner integration, or to use advanced flows or financial grade security, which is required in some industry sectors.
YOUR SOLUTION
Securíty for web, mobile and APIs is difficult however you do it. Usually companies identify requirements and design how they want end-to-end flows to work, rather than it just being a developer task. My blog post suggests a people process.
My general recommendation would be to follow OAuth patterns to protect data, even if you implement UI flows in a simpler way initially. Your code will then be migratable to a full OAuth architecture in future, if your security requirements evolve.

Using AWS Cognito to Authorize a Client Application and Users

Let me just start with I am extremely new to OAuth 2.0 and security is not exactly my strength. Because of this, if something in my question sounds strange or hints that I have no idea what I am talking about, that is precisely why.
Moving on, we have a need for users to have access to our system, hosted on AWS, both through a user interface that we will be building and also through our API directly. The challenge is: when it comes to our API users, I am unsure how authorization should be performed for them. All of our users are mandated to reset their passwords every 6 months for legal reasons, which means that I cannot register any of the applications that will be accessing our API as app clients because Cognito does not allow client secrets to be changed once generated.
I am also getting the feeling that OAuth seems much more heavily geared for granting access to a service on the behalf of someone else rather than being geared toward granting access to a known entity directly, but I could be wrong.
I have been told that we need our customers (both UI and API) to be able to submit a username and password and get a token. I understand that the implicit grant has many security flaws and should not be used, so I don't want to use that, but how can I keep the experience easy for our API users?
Cognito's hosted UI makes things easy enough for people who will be logging in manually to use our system, but most of our business is all automated and I am just stuck on how to proceed.
They don't want the login process to be any more complex than (username + password) = token. With that being the case, and me not being a security expert, I am not sure how I should proceed with Cognito. I know this question might illicit opinions, but I'm hoping it's specific enough of a problem to get some specific responses. I'm just at a loss and don't know what else to do. I've been researching this for 2 weeks non-stop and I'm just totally lost. Any help is seriously appreciated.
Thank you.

Securing webservice endpoints without user authentication

My scenarios is simple and perhaps not only me deal with. I have an webservice that is used my a number of my mobile apps. I would like my webservice only be accessed from my mobile apps but I don't wish my apps's user be bothered with registering an account. How can I achieve that kinds of security?
I have read about API KEY and OTP, but it doesn't really convince me.
It isn't possible to do what you want 100%. The reason is that if the security is in your Mobile App, or travels over the internet, it is theoretically possible for someone to read your code or scan your traffic and then impersonate your Mobile App.
However, you can get good results with simple server side checks. EG, from your Mobile App, add a variable into HTTP calls which is checked by your backend. And, most importantly, use SSL. You can make this more complex as well, such as providing a token from the server and then requiring this token back on every call.
It's not unbreakable... but it will deter the casual hacker. And it will probably only take you 10 minutes to implement.

specific concerns for encrypting C++/Perl based apps so that database access credentials are never hacked

I am working on a cross platform app that will be created using C++-> mobile devices, and using Perl-> Desktop PCs (like Windows /Linux/Mac OS).
Now, since the app will be downloadable, I have concerns regarding the ability of hackers to obtain the source code of my app.
Specifically, the app will connect to my central database-- at the minimum, I want that hackers are not able to obtain my database connection details. Ideally, I would want no part of the code to be hacked.
Basically, the user can update some of his information using this app-- if hackers get hold of this data they can easily change any unfortunate user's data. One thing that I have thought of is that the user will have to initially authenticate with OAuth/OAuth2 ( using his email ID #yahoo/#hotmail/#gmail)-- and only after that the app will actually show the admin interface. But at any rate, at some point the app will connect to the central database-- which is why I dont want the database's access details to be compromised.
Many organisations make such apps, so they must be facing this type of problem themself? I would like to know how I can protect my app (ideally entire code), and atleast the db credentials.
The simple answer is you do not expose your database. Ever.
Add a service layer (could be HTTP-based but doesn't have to be) on top that will deal with authentication and authorisation. Your app then logs in using the user's credentials and acts on their behalf. Your service layer exposes an API which your application talks to, but your service makes and controls all calls to the DB.
You already mention OAuth - that's a perfectly acceptable way of adding authentication to such an API.
You cannot.
On the bright side you can put security on your server. The connecting client provides credentials that they are a given user. The server generates the SQL command after proving the request is allowed. Backers can do anything your app can do, but your app becomes incapable of behaving badly to your database.
The previous answers are absolutely correct. You want a server based service layer that provides the authentication/authorization code and interacts with the database. However, it isn't always a perfect world and if you are stuck with the requirement that these applications must act as a database client you want to limit the exposure as much as possible. Typically this is done by having the client use a specific account which has not been granted any access to the general database. You then create specific stored procedures that can only do the operations and queries that are required of the application. This prevents anyone finding the credentials in the code from doing anything in the database that isn't intended, but you still have the problem that anyone can impersonate someone else by reviewing the code. There isn't a way to prevent that without a server side component. This might be okay for a closed/trusted group of users, but I wouldn't release anything to the general public with this method.
If you can do it, use OAuth2 and allow a trusted third party handle authentication. Twitter, Facebook and GitHub are all relatively paranoid about security; and the other poster is correct: never expose direct db access as part of the app the user has access to; put it behind a service of its own.
Good luck! :)

Why do some API providers require an API key?

Several web service APIs have you sign up for an API key. For example, UPS Web services requires a key, which is included in calls to their service -- In addition to the username and password.
What is this key used for by the provider? Perhaps UPS is the only one to require both API key and username/password?
One idea is that they use it to limit or measure API usage, but it seems to me that a setting in the users profile could easily do the same thing -- especially since you generally have to get an account w/ username and password to get the API in the first place.
There are two predominant use cases. The first is to measure, track and restrict API usage. If someone is building a service that allows third parties to access it, the service provider may want to control (or at least know) who has access so that they can try and prevent things like denial of service attacks. On the measure and track side, interesting information can be obtained such as knowing which applications are popular for accessing the service or which features people use the most.
The other use case is related to security and authentication. It is unwise for a service provider to have third party applications and services require users to give up their username and password for the primary service. This is a huge exposure. That is why many services are standardizing on protocols such as OAuth, which provides delegated access via authorization to a user's data. While not foolproof, it is definitely preferable to distributing user credentials to unknown, and untrusted, parties.
Most of the time it is to monitor how developers are using the web-api. If they somehow disagree with your usage of the api it provides a means for them to shut it/you down without hurting the other users. And the statistics per user/app are always valuable.
I've used the flickr api - in that situation the key is yours, but the login data might be those of people using your app, so the api key is the only way to differentiate between the apps.
Usually it used to get stats on how much application performing queries to API.
I think asking username/password with API key is ambigious in some cases, but it is a way how it is implemented - so we can't do something with it.
They ask for API key because you could have more than one API under same account - in case you have more than one site which are use same API.
They could use it to signify which version of the API you are trying to use. Perhaps in Version 1.0, there is a method that takes a POST on www.UPS.com/search and there is another one in version 2.0 at the same address, but takes a different parameter set, or even returns data in a different format/style. Your program was built on V1.0 and expects a certain API contract. They want to be able to create V2.0 without interfering with their customer's products.
That's just a guess, but it sounds good to me.
I think Gracenote does a similar thing for cddb. I forget the details, but I remember something about some token.
(They have/had really draconian rules about using their service too.)
Simon reminded me what the gracenote thing was. Gracenote and Fedex and other webservices have lots of developers writing apps for the software. So the developers get a token to put into their apps, but the end users have their own user name and password. It lets the services keep an eye on abusing programs, etc. That is probably te primary reason. (like a browser or a webbot informing the webserver who/what it is)
Originally, Blogger required you to apply for an API key (a la Google Maps) and used it to restrict access to the API. As Blogger evolved into Metaweblog, the requirement for the API became less important, and Blogger no longer requires you to apply for a key. As noted by others, it can still be used for tracking purposes.
In our situation, our clients want it for:
Tracking/analytics - figuring out who's doing what and building what products. Because a number of users are desktop apps, just looking at referrers isn't always enough.
Permissions - which resources should a user have access to? How can a user build apps that have access to specified resources?
Licensing/legal - enforcing that users have read and accepted ToU/licensing information.
Security - passing around usernames/passwords is a really bad idea.