I'm currently developing a REST API with DRF for a web application. So I decided to use OAuth2 authentication system. After a little research, I understood that OAuth mostly used for authenticating third-party apps and what I want is simply authenticate the user to my website, not with Facebook or Google accounts. So token authentication seems to be the most secure way to do it and with OAuth is being too confusing and not suitable to me which authentication method should I follow? Is django's built-in TokenAuthentication secure to make a web-app? Should I use OpenId connect?
OAuth2 is a protocol to allow your website to access some API on behalf of the user whose data your trying to access (delegated authorization).
If you just want to know who your user is on your site (authentication), OpenID Connect is a protocol built on top of OAuth2 that gives you that information. It will give you a JWT id_token that has claims about the authenticated user.
Related
I am trying to be sure that I understand it correctly:
Is OAuth a bridge for only third party authenticator those so common like Facebook, Google? And using it improves user experience in secure way but not adding extra secure layer to Django login framework? Or only Authorization Code grant type is like that? Can I take it like this?
What is OAuth?
According to RFC 6749:
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf.
Essentially, it is an authorization protocol used to share permissions between multiple applications.
If you decide to implement OAuth, your application will be the one to allow other services to programmatically view your users' data and act on their behalf, if needed.
Whenever an application requires access to another service that you use, it probably uses OAuth to perform those actions. (e.g. When games used to ask us to allow posting on Facebook on our behalf.)
What OAuth is not?
By looking at your question, I feel like there's a misunderstanding of OAuth.
OAuth is not a bridge for third-party authentication methods. If you are looking for this type of authentication mechanism, you should take a look into Single Sign-On (SSO). For Django, you can use django-simple-sso.
Does it enhance security?
Depending on the use case, yes, it can enhance security.
If your application needs to exchange information with other services, it is a good practice to limit what these third-party services are able to do in your app, feature and time-wise.
Let's say, for example, that your user needs to give permission to another application to gather information from yours:
If you were to use the old-fashioned e-mail and password combination method, these credentials would be exposed in case of this third-party service had a data breach.
Using OAuth on the other hand is much more secure, as the credentials stored in the server would not contain the user's password and have very specific roles, apart from being easily revoked.
If you have a Django app I would say that you don't have to implement OAuth - you should be fine with any login functionality Django offers.
OAuth is commonly used when different services talk to each other. These don't have to be third-party services, they can belong to the same party. For example, when you have a Single Page Application or a Mobile App that want to call your backend API to get some data. Then it's better to use OAuth as it is a standard and it helps you to implement authorization in a secure way.
When you think about "login with Google/Facebook", what you actually want is an SSO solution (Single Sign-On). That solution is very often implemented with OpenID Connect (OIDC), which is a protocol built on top of OAuth. Still, you can use just OIDC to log a user in with Google, get an ID Token, and then be able to authenticate the user to your Django app based on the ID Token from Google. You don't need OAuth for that (in the sense, that you don't need to get access tokens from Google, you don't need your own Authorization Server, and you can rely on cookie-based sessions).
I am trying to Authenticate O365 Mail Rest API using Python 3 urllib, I am not able to find any samples using basic authentication. When using browser it does ask for authentication through interactive windows. How to achieve the same using urllib.
The authentication based on oAuth requires a user interaction in order to authenticate:
The authorization code is sent back to the application after the user
has been redirected to the authorization end point and authenticated.
So no basic authentication, you have to go though the oAuth process.
A similar problem on the Google platform is handled in various ways, one of them being user-based authentication but there is also provisionning for token based ones (no user interaction)
I have an iOS app that uses an API powered by Django REST framework to store, update, fetch data from a database. I need to provide the two more following functionalities which stores the user data at the server:
Login with Email
Login with Facebook
There appears to be two different authentication systems that I can use:
Django User Authentication System
Django Rest Framework Authentication
How should I handle this in my API?
When you are using Django REST framework with iOS, unless you are using a browser, the standard Django authentication system is out of the question. This is exposed through the DRF authentication system as SessionAuthentication and it relies on your application being able to transfer cookies and the CSRF token with the request, which typically isn't possible.
In most situations where you are using the Django authentication system already, and you can trust your app storing passwords, you would use something like BasicAuthentiction. Most people can't though, or they don't trust their application ecosystem, so they use a token-based authentication system like TokenAuthentication or OAuth2Authorization (in combination with an OAuth provider). You can read more about each authentication type in this answer on Stack Overflow.
But in your situation, you are basically restricted to just using something like OAuth 2. This is because you need to associate a user with a token, and most authentication systems require you to provide a username and password. For social accounts, this usually isn't the case, and they would not normally be able to log in. OAuth 2 works in combination with the standard Django login, so you are not restricted to just a username and password. I've written more about how this works in this detailed Stack Overflow answer.
How does one authenticate to a ProtoRPC service?
It seems like a web services infrastructure, but designed for non-browser clients, so how do we authenticate the service's end user?
Thanks!
First of all, ProtoRPC can be used by browser clients, usually through AJAX requests.
Now for authentication on App Engine, there are a few possibilities:
You can use the built in user authentication app engine provides
You can build an authentication mechanism of your own
For the first one there is the regular Google accounts API, openID and OAuth.
If you have users with google accounts, and you don't need to perform actions on user's behalf (which is what OAuth is for), then you can use the regular google authentication.
This requires the client to have a google cookie. If the user is on browser, he can login to google and then he can access your app. If the user is on a mobile client, then for android there is the AccountManager API which gets you a Google token which the client uses to get an App Engine cookie, as explained here http://blog.notdot.net/2010/05/Authenticating-against-App-Engine-from-an-Android-app
I'm not sure if iOS has something similar to AccountManager. If the OS doesn't have the user's credentials then AFAIK you might have to go through some sort of browser authentication.
Appengine supports federated login in which arbitrary OpenID providers can be added to the list of parties who can authenticate a user. However, some organizations - notably facebook - don't support OpenID. How is it possible to combine the OpenID support provided with GAE with mechanisms that can support OAuth or other login mechanisms?
More details (GAE Python assumed)...
My understanding of the way the OpenID mechanism is intended to work is as follows:
I choose Federated Login from my app's configuration options
This allows me to easily add OpenID providers through the
create_login_url mechanism
There is some Google session management used to track the authenticated
user
I control access to resources using login: required in my
app.yaml
The session management will check if the user is authenticated
before allowing access to these resources
The issue that I have is that I can't see how this approach fits with facebook's OAuth - if the resources are access controlled by Google (per app.yaml), where is it possible to insert facebook authentication?
Notes:
I know that OpenID and OAuth are different - I am only interested in using facebook for authentication right now
I'm sure there are quite a few different ways to deal with this - I'm just wondering if there is some standard approach/best practice
I've done a little bit of digging on this and my conclusion is that it is not possible to integrate the standard Appengine authentication mechanisms (ie those provided 'for free' with Appengine) with facebook's OAuth. More specifically, the app.yaml login controls can only relate to Google's standard mechanisms and there is no way to extend them to incorporate facebook OAuth. The reason for this is that Google's standard mechanisms control the sessions and there is no mechanism to add new session controls which are recognized by the app.yaml login controls.
It is, of course, possible to integrate Google Accounts and other login mechanisms with facebook's OAuth on Appengine, but to do this you need to replicate some of the functionality that Google provide in their standard authentication mechanisms (session mgmt specifically).
I've put up a more general question comparing the different social authentication options possible with Appengine as I think it's interesting/useful, but slightly out of scope in this question: it's here
You could have a look at the Tipfy framework which has a Facebook authentication extension that would allow your users to use their Facebook login to authenticate.