Created a Flash Restful API with various end points for my website. Some endpoints need the users username and password to get user specific data. I’m currently sending these as parameters in the API call but I’m assuming this isn’t secure so how does one do this safely?
There are plenty of differing ways to do this but it's generally accepted that using tokens, which can be revoked, are a more secure way of doing auth than using a username/password combo. This is due to the inability to retract a username/password if they got leaked.
I'd suggest reading the following blog by Miguel. He explains password authentication followed by tokens.
Miguel Grinberg
you can make a seperate api route that acts as a login and returns a sessionID/token on a successful login that can be used for authenticating to those endpoints you mentioned.
Related
I'm attempting to make SOQL queries to the Salesforce API using the Python salesforce_api and simple-salesforce modules. I had been making these requests with a client object:
client = Salesforce(username='MY_USERNAME',
password='MY_PASSWORD',
security_token='MY_SALESFORCE_SECURITY_TOKEN')
a = client.query("SELECT something FROM some_object_table WHERE some_condition")
However, my company recently restricted Salesforce sign-in through SSO only (you used to be able to login directly to Salesforce without SSO), and the funciton is throwing either:
simple_salesforce.exceptions.SalesforceAuthenticationFailed: INVALID_SSO_GATEWAY_URL: the single sign on gateway url for the org is invalid
Or:
salesforce_api.exceptions.AuthenticationMissingTokenError: Missing or invalid security-token provided.
depending on which module I use. I suspect this is because of the SSO implementation.
I've seen the docs about creating a new app through Okta, but I need to authenticate and access the API of an existing app. What is the best way to access this API with Okta IdP enabled? It there a way to have a get request to Okta return an access token for Salesforce?
Uh. It's doable but it's an art. I'll try to write it up but you should have a look at "Identity and Access Management" Salesforce certification, study guides etc. Try also asking at salesforce.stackexchange.com, might get better answers and Okta specialists.
I don't know if there's pure server-side access to Okta where you'd provide OAuth2 client, secret, username and password and it'd be silently passed to login.
If your app is a proper web application that needs human to operate - you can still make it work with SSO. You'd have to read about OAuth2 in general (you saw it on the web, all the "login with Google/Facebook/LinkedIn/Twitter/..." buttons) and then implement something like this or this. Human starts in your app, gets redirected to SF to enter username and password (you don't see password and you don't care whether he encountered normal SF login page or some SSO), on success he/she is redirected back and you receive info that'll let you obtain session id (sometimes called access token). Once you have access token you can make queries etc, it's just a matter of passing it as HTPP Authorization Bearer header (simple-salesforce docs mention session id at top of the examples).
Look, I know what I've written doesn't make much sense. Download Data Loader and try to use it. You might have to make it use custom domain on login but there is a way for it to still work, even though you have SSO enforced. Your goal would be to build similar app to how Data Loader does it. This might help a bit: https://stackoverflow.com/a/61820476/313628
If you need a true backend integration without human involved... tricky. That might be a management problem though. They should not enforce SSO on everybody. When Okta's down you're locked out of the org, no way to disable SSO. You should have a backup plan, some service account(s) that don't have SSO enforced. They might have crazy password requirements, maybe login only from office IP address, whatever. It's not a good idea to enforce SSO on everybody.
https://help.salesforce.com/articleView?id=sso_tips.htm
We recommend that you don’t enable SSO for Salesforce admins. If your
Salesforce admins are SSO users and your SSO server has an outage,
they have no way to log in to Salesforce. Make sure that Salesforce
admins can log in to Salesforce so that they can disable SSO if
problems occur.
(If you have a web app and it's embedded as Canvas in SF - there's another clean way to have the session id passed to you. Again - this works only if you have a human rather than backend integration)
If you check the profiles in SFDC and uncheck the box that requires SSO.
"is single sign-on Enabled [] Delegate username and password authentication to a corporate database instead of the salesforce.com user database. "
I'm working on a project which has it's backend on python/django and front end in react and redux with client side routing using react-router. Please suggest me some ways of doing user login authentication/validation in react with the django token generated/stored at the backend. The login flow should be something like this:
User table with email and password created in django, auth token generated by django.
User logs in for the first time, api gets called by react, on successful validation server responds with a token which I'll be storing in a session. All the subsequent calls to the api will include this token for authorization.
Secondly, I'm confused about how the secured client side routes will be authorised? On the basis of the user logged in state or what?
PS: I'm only asking suggestions for the best ways to achieve this and nothing else.
With this a year old, you may not need this, but maybe others could use it. I ran into a similar problem and wrote a package so I wouldn't have to keep writing authentication for django...
drf-redux-auth
It's just provides actions, reducers, and basic (example) components for authenticating with Django Rest Framework using token authentication.
I'd be interested to hear how you decided to handle the authorization piece with react-router...
I am building out a REST service using Flask-RESTful that will allow users to connect to their salesforce Environment and pull data.
Is it possible to secure a restful API with oauth2?! I cannot seem to find any documentation this.
The short answer is yes
Miguel Grinberg talks about securing your REST api (in which he talks about oauth) in his blog post here:
http://blog.miguelgrinberg.com/post/restful-authentication-with-flask
and he has a general guide to using oauth with flask here:
http://blog.miguelgrinberg.com/post/oauth-authentication-with-flask
His blog posts answered all of my questions when I was building my flask app and is in general a good resource.
** The long anser **
Oauth2 doesn't have any specific functionality that makes it better for authenticating a REST api than any other method of authentication. It's just one method of authentication. The hard part is when a user gets authenticated that they don't have to send their username and password with every request. To do this you generate a token for them and store it on the server side and store it in their session on the client side. Now all you need to do is send the token with any REST requests from the client to authenticate it. This is discussed in the first link (you can find it if you do ctrl-f token)
I have a website in Django and I'm developing an Android app. In one activity I have to login the user. I have installed the Django Rest Framework but I'm afraid that is insecure to send the username and password. What's the best way to do a login using Rest Framework?
You may use basic authentication, by providing an user name and password, but it has to be done over https. Otherwise, there are different other authentication mechanism you may use. Have a look here. The appropriate one for a mobile application would probably be token authentication.
One of the most popular ways to authenticate with REST APIs is through tokens. What this essentially means is to set up an API endpoint that receives the "username" and "password" and responds with a token. And then each request make to the API should go with this token as a header or a param, and get resolved and validated before running the function behind the API. This way you username and password will only be send once. Of course, even with this, it is recommended to use HTTPS.
A good way to do this is to use djangorestframework-jwt (http://getblimp.github.io/django-rest-framework-jwt/). This is an app providing JSON Web Token functionality for Django Rest Framework APIs.
I have an existing, working Django application that implements numerous Django-REST-framework APIs.
I've just added user authentication with Django-rest-framework-JWT and now I'm trying to learn it up. I have verified that it does issue me a token if I do the following curl:
curl -X POST -d "username=myuser&password=mypassword" http://localhost:3050/api-token-auth/
But I have a series of questions that I don't see being addressed in the documents. Please answer the following questions:
How do I invalidate the token using curl? I need to do so when the user logs out.
Where are these tokens stored in the DB? After implementing django-rest-framework-jwt, I don't see any new tables in my Django Admin interface
I would like to allow my users to login with their usernames or their emails. So I would like to wrap the api-token-auth endpoint in a custom endpoint that checks if the given string is an email or username. If email, I will lookup the username. Then call the api-token-auth. How should that endpoint look? I don't know how to wrap this api-token-auth method.
When using JWT for authentication you'd usually store the token in the browser's localstorage or sessionstorage. To logout you just remove the token. There's nothing else to invalidate.
One of the benefits of using this kind of approach for authentication is that tokens are not persisted in the database, so you don't have to query a session store for anything when authenticating.
This should be possible with a custom Django Authentication Backend as well.