I created a bunch of RESTful API using Python, Flask and mongodb, mostly GET and POST.
I am planning to use this API in my mobile app, also to one of two trusted developers in the android applications they make.
I would like to know what the easiest possible way is to secure the API so that only the applications I authorize can use it.
I don't want to use a login or password. Is there any way I can authenticate using headers securely? Or is there any alternative?
Thanks in advance.
I think, especially for scalable use, I would use Flask-Restless together with Flask-JWT token authentication.
Here is a pretty nice example: https://github.com/graup/flask-restless-security
I am not sure I understand how you are planning to authenticate without any user, or are you just trying to lock the app to a specific domain only?
I was using Flask for a small personal project of mine, and using render template and simple HTML files for the front-end.
I recently decided to switch over to a react front-end with a REST API in Flask.
However, since a lot of my old flask code depended on using sessions within Flask, I was wondering if sessions can still be used with a REST API.
There are essentially two parts to the question:
Is it technically correct (i.e. would it even work)?
Is it advisable (if not, why not)?
Thanks
Yes, you can use sessions for login for a front-end API. For backend APIs I suppose you could as well, but something like JWT or OAuth2 is much more common for a few convenience reasons. Not sure the Set-Cookie header works when called via the JS Fetch API, so you may need to create your own session cookie with JS and possibly in middleware. You also have the option of having the login page not be part of the API, which would solve this problem.
Other than that, as long as the session cookie is being passed to the API every time it is called, which should happen automatically, you will be able to use sessions in your Flask code.
I have a quite simple use case. For my product I have to implement some kind of authentication / authorization backend for my custom application. The application itself supports LDAP as an AA backend (without Kerberos), but I'm not sure if Azure AD can be used this way externally. Is this possible?
If not, I'm going to implement some authentication / authorization using standard Python libraries. I've already found a lot of resources on this, however the whole picture is still quite foggy. Basically I need two functions: authenticate the user (by evaluating the username/password received by the Python script), and also check some kind of group membership for authorization, as I would do in LDAP.
I don't want to reinvent the wheel, so if there is any snippet for this, it would be great.
Thank you
If you want to use Azure AD for that, you would want to work against the Azure Graph API.
High level steps:
Create Azure AD Application
Figure out token auth
And using the REST API reference, figure out the API calls to find the appropriate permissions (probably adal can do that, not sure).
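The three steps above (register an application, obtain a token, query the directory for group membership) map onto two HTTP exchanges. The block below is an added example, not code from the answer or from Microsoft; it assumes the OAuth2 resource-owner password grant against the v2.0 token endpoint, since the question wants to evaluate a username/password pair received by the script, and it assumes the current Microsoft Graph `memberOf` listing rather than the older Azure AD Graph the answer names. Tenant and client values are placeholders, the network calls are isolated in one function, and the parsing and authorization decision run offline on constructed responses.

```python
import json
import urllib.parse
import urllib.request

# Placeholders: the real values come from the Azure AD application registration.
TENANT_ID = "<tenant-id-placeholder>"
CLIENT_ID = "<client-id-placeholder>"
CLIENT_SECRET = "<client-secret-placeholder>"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
MEMBER_OF_URL = "https://graph.microsoft.com/v1.0/me/memberOf"


def build_token_request(username, password):
    """URL and form-encoded body for the resource-owner password grant (assumed grant type)."""
    form = {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": "https://graph.microsoft.com/.default",
        "username": username,
        "password": password,
    }
    return TOKEN_URL, urllib.parse.urlencode(form).encode("ascii")


def parse_token_response(body):
    """Return the access token, or None when the endpoint reports an error
    (a wrong password comes back as an 'error' object rather than a token)."""
    data = json.loads(body)
    if "error" in data or "access_token" not in data:
        return None
    return data["access_token"]


def group_ids_from_member_of(pages):
    """Collect ids of groups across the paged memberOf listing.
    Graph pages large listings and marks continuation with '@odata.nextLink';
    directory roles also appear in memberOf and are skipped here."""
    ids = set()
    for page in pages:
        for obj in page.get("value", []):
            if obj.get("@odata.type") == "#microsoft.graph.group":
                ids.add(obj["id"])
    return ids


def is_authorized(user_group_ids, required_group_ids):
    """Authorization decision: the user must be in at least one required group."""
    return bool(set(user_group_ids) & set(required_group_ids))


def fetch_member_of_pages(access_token):
    """Follow @odata.nextLink until the listing is exhausted (network; not run offline)."""
    pages, url = [], MEMBER_OF_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            page = json.load(resp)
        pages.append(page)
        url = page.get("@odata.nextLink")
    return pages


# Constructed responses shaped like the token endpoint and a two-page memberOf listing.
SAMPLE_TOKEN_OK = '{"token_type":"Bearer","expires_in":3599,"access_token":"constructed-token"}'
SAMPLE_TOKEN_ERR = '{"error":"invalid_grant","error_description":"constructed: wrong password"}'
SAMPLE_MEMBER_OF = [
    {"@odata.nextLink": "https://graph.microsoft.com/v1.0/me/memberOf?$skiptoken=constructed",
     "value": [{"@odata.type": "#microsoft.graph.group", "id": "g-app-users"},
               {"@odata.type": "#microsoft.graph.directoryRole", "id": "role-reader"}]},
    {"value": [{"@odata.type": "#microsoft.graph.group", "id": "g-finance"}]},
]

if __name__ == "__main__":
    url, body = build_token_request("alice@example.test", "constructed")
    print(url, body)
    groups = group_ids_from_member_of(SAMPLE_MEMBER_OF)
    print(groups, is_authorized(groups, ["g-app-users"]))
```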
I am currently working on a project where we need to establish communication like an ESB, between a REST API and the apps services on a small scale.
Scenario:
Assume a web app front end (e.g. Django/Python or Ruby/Rails) and services that are accessible via an HTTP RESTful request.
How can I:
make it configurable which web services are called on a web request depending on the request and not requiring code changes (through keys for example)
encapsulate or implement the services in a way to make it easy to manage them e.g. start/stop etc.
I have been looking at spring.io, but can't work out whether this could be used for this.
I am open to all suggestions.
Thanks
From what I understand, you want an authorisation solution.
In Rails, Pundit and CanCanCan are very popular. You could also implement it from scratch. Here is a screencast to help you get started.
I am just learning Python and Django and I put up a pretty decent website to manage a database and also a search page. The new requirement, which I am a bit confused about now, is that the authentication should be done through an external provider (unknown yet, but probably LDAP or Kerberos tickets).
My idea was to authenticate the users through this service and if successful add the user to my django created database with syncdb (where I have permissions and groups) and then bypass this user as authenticated to enable them to perform actions in the site.
Does that sound reasonable? Is there an 'accepted' approach to this kind of authentication? I am not sure if I will have to write my own authentication view.
Thanks.
Django has support for hooking up other authentication backends.
I believe that you will have to write your own authentication backend or use a third party backend if you are authenticating through some common interface such as LDAP.
The docs explain how to write an authentication backend here: https://docs.djangoproject.com/en/1.5/topics/auth/customizing/
If you plan on using LDAP, I suggest that you take a look at django-auth-ldap (https://pypi.python.org/pypi/django-auth-ldap).
This sounds quite reasonable. There are several ways to achieve this: use a third party library like django-social-auth which handles using third party applications to authenticate users via the Django user model. The other way to do this is to write your own custom backend that uses OAuth2 protocol to authenticate users via a third party application (e.g. Twitter) and saves/authorizes them as a Django user for your application. This might sound difficult but it's quite easy. I wrote an example Django application to demonstrate this functionality as well as provide a tutorial for custom backend authentication. This app/tutorial uses Django 1.5: djangoauth.thecloutenproject.com/
I'm building my startup and I'm thinking ahead for shared use of services.
So far I want to allow people who have a user account on one app to be able to use the same user account on another app. This means I will have to build an authentication server.
I would like some opinions on how to allow an app to talk to the authentication server. Should I use curl? Should I use Python's HTTP libs? All the code will be in Python.
All it's going to do is ask the authentication server if the person is allowed to use that app and the auth server will return a JSON user object. All authorization (roles and resources) will be app independent, so this app will not have to handle that.
Sorry if this seems a bit newbish; this is the first time I have separated authentication from the actual application.
Assuming you plan to write your own auth client code, it isn't event-driven, and you don't need to validate an HTTPS certificate, I would suggest using Python's built-in urllib2 to call the auth server. This will minimize dependencies, which ought to make deployment and upgrades easier.
That being said, there are more than a few existing auth-related protocols and libraries in the world, some of which might save you some time and security worries over writing code from scratch. For example, if you make your auth server speak OpenID, many off-the-shelf applications and servers (including Apache) will have auth client plugins already made for you.
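The exchange the question describes (app asks the auth server whether the caller may use this app, auth server answers with a JSON user object) is small enough to show both sides. The block below is an added example, not code from the answer; it uses the Python 3 standard library (`urllib.request` is the successor of the urllib2 the answer names, and it does verify certificates on `https` URLs by default, which is worth keeping rather than switching off) and a minimal `http.server` auth server bound to localhost so the round trip runs offline. The token table and user record are constructed; the endpoint path and status codes are this example's own convention.

```python
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed session store for the auth server: bearer token -> user object.
TOKENS = {"tok-alice": {"id": 42, "name": "alice", "apps": ["crm", "billing"]}}


class AuthHandler(BaseHTTPRequestHandler):
    """GET /check?app=<name> with 'Authorization: Bearer <token>'.
    200 + user object when the token is known and the user may use the app,
    401 when the token is unknown, 403 when the user is not allowed into that app."""

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path != "/check":
            self._send(404, {"error": "not found"})
            return
        app = urllib.parse.parse_qs(parsed.query).get("app", [None])[0]
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        user = TOKENS.get(token) if scheme.lower() == "bearer" else None
        if user is None:
            self._send(401, {"error": "invalid token"})
            return
        if app not in user["apps"]:
            self._send(403, {"error": "app not permitted"})
            return
        self._send(200, user)

    def _send(self, status, obj):
        body = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_auth_server():
    """Bind the auth server to an ephemeral localhost port and serve in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), AuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_user(base_url, token, app):
    """Client side: returns (status, json body). HTTP errors carry a JSON body too,
    so a 401/403 is reported as a decision rather than raised as an exception."""
    query = urllib.parse.urlencode({"app": app})
    req = urllib.request.Request(f"{base_url}/check?{query}",
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


if __name__ == "__main__":
    srv = start_auth_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    print(check_user(base, "tok-alice", "crm"))
    print(check_user(base, "tok-alice", "payroll"))
    srv.shutdown()
```

Keeping the "may this user use this app" answer on the auth server, as the question proposes, means each app only parses the returned user object; the app-level roles and resources stay with the app.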
Your question isn't really a programming problem so much as it is an architecture problem. What I would recommend for your specific situation is to set up an LDAP server for authentication, authorization, and accounting (AAA). Then have your applications use that (every language has modules and libraries for LDAP). It is a reliable, secure, proven, and well-known way of handling such things.
Even if you strictly want to enforce HTTP-based authentication it is easy enough to slap an authentication server in front of your LDAP and call it a day. There's even existing code to do just that so you won't have to re-invent the wheel.
There is also CAS that you might want to look at.