I am building out a REST service using Flask-RESTful that will allow users to connect to their salesforce Environment and pull data.
Is it possible to secure a restful API with oauth2?! I cannot seem to find any documentation this.
The short answer is yes
Miguel Grinberg talks about securing your REST api (in which he talks about oauth) in his blog post here:
http://blog.miguelgrinberg.com/post/restful-authentication-with-flask
and he has a general guide to using oauth with flask here:
http://blog.miguelgrinberg.com/post/oauth-authentication-with-flask
His blog posts answered all of my questions when I was building my flask app and is in general a good resource.
** The long anser **
Oauth2 doesn't have any specific functionality that makes it better for authenticating a REST api than any other method of authentication. It's just one method of authentication. The hard part is when a user gets authenticated that they don't have to send their username and password with every request. To do this you generate a token for them and store it on the server side and store it in their session on the client side. Now all you need to do is send the token with any REST requests from the client to authenticate it. This is discussed in the first link (you can find it if you do ctrl-f token)
Related
Created a Flash Restful API with various end points for my website. Some endpoints need the users username and password to get user specific data. I’m currently sending these as parameters in the API call but I’m assuming this isn’t secure so how does one do this safely?
There are plenty of differing ways to do this but it's generally accepted that using tokens, which can be revoked, are a more secure way of doing auth than using a username/password combo. This is due to the inability to retract a username/password if they got leaked.
I'd suggest reading the following blog by Miguel. He explains password authentication followed by tokens.
Miguel Grinberg
you can make a seperate api route that acts as a login and returns a sessionID/token on a successful login that can be used for authenticating to those endpoints you mentioned.
I'm currently developing a REST API with DRF for a web application. So I decided to use OAuth2 authentication system. After a little research, I understood that OAuth mostly used for authenticating third-party apps and what I want is simply authenticate the user to my website, not with Facebook or Google accounts. So token authentication seems to be the most secure way to do it and with OAuth is being too confusing and not suitable to me which authentication method should I follow? Is django's built-in TokenAuthentication secure to make a web-app? Should I use OpenId connect?
OAuth2 is a protocol to allow your website to access some API on behalf of the user whose data your trying to access (delegated authorization).
If you just want to know who your user is on your site (authentication), OpenID Connect is a protocol built on top of OAuth2 that gives you that information. It will give you a JWT id_token that has claims about the authenticated user.
I have a website in Django and I'm developing an Android app. In one activity I have to login the user. I have installed the Django Rest Framework but I'm afraid that is insecure to send the username and password. What's the best way to do a login using Rest Framework?
You may use basic authentication, by providing an user name and password, but it has to be done over https. Otherwise, there are different other authentication mechanism you may use. Have a look here. The appropriate one for a mobile application would probably be token authentication.
One of the most popular ways to authenticate with REST APIs is through tokens. What this essentially means is to set up an API endpoint that receives the "username" and "password" and responds with a token. And then each request make to the API should go with this token as a header or a param, and get resolved and validated before running the function behind the API. This way you username and password will only be send once. Of course, even with this, it is recommended to use HTTPS.
A good way to do this is to use djangorestframework-jwt (http://getblimp.github.io/django-rest-framework-jwt/). This is an app providing JSON Web Token functionality for Django Rest Framework APIs.
I want to build an app engine project that posts to a single pre-defined twitter account. I do not have any problem of including username and password hard coded inside the app. This is normally supposed to be just a post request + authentication. My question can I achieve this using simple http authentication instead of oauth?
Twitter has stopped supporting basic auth long time ago...
Please see this Twitter developers documentation about Moving from Basic Auth to OAuth.
I have an application that has a "private" REST API; I use RESTful URLs when making Ajax calls from my own webpages. However, this is unsecure, and anyone could make those same calls if they knew the URL patterns.
What's the best (or standard) way to secure these calls? Is it worth looking at something like OAuth now if I intend to release an API in the future, or am I mixing two separate strategies together?
I am using Google App Engine for Python and Tipfy.
Definitely take a look at OAuth
It is quickly becoming the "de-facto" standard for securing REST APIs and a lot of big companies are using it, including Google, Twitter and Facebook just to name a few.
For Python on GAE you have two options:
The most straightforward way (IMHO) is using David Larlet's library for OAuth Support in Django available on BitBucket.
But since you're not using Django, maybe you want to take a look at the python-oauth2 library that's available on GitHub, and is considered the most up-to-date and unit-tested implementation of OAuth for Python 2.4+.
Either way I think you'd be much better using OAuth than rolling your own service security solution.
Securing a javascript client is nearly impossible; at the server, you have no fool-proof way to differentiate between a human using a web browser and a well-crafted script.
SSL encrypts data over the wire but decrypts at the edges, so that's no help. It prevents man-in-the-middle attacks, but does nothing to verify the legitimacy of the original client.
OAuth is good for securing requests between two servers, but for a Javascript client, it doesn't really help: anyone reading your javascript code can find your consumer key/secret, and then they can forge signed requests.
Some things you can do to mitigate API scraping:
Generate short-lived session cookies when someone visits your website. Require a valid session cookie to invoke the REST API.
Generate short-lived request tokens and include them in your website HTML; require a valid request token inside each API request.
Require users of your website to log in (Google Accounts / OpenID); check auth cookie before handling API requests.
Rate-limit API requests. If you see too many requests from one client in a short time frame, block them.
OAuth would be overkill in your current scenario (potentially insecure), in that it's designed to authorize a third party service to have access to resources on behave of the user.
Securing AJAX request via an authorized user
AFAICT, you are in control of the client, resources and authentication; so you only need to secure access to the URL's and possibly the communication between client and server via SSL [2].
So, use Tipfy's auth extension to secure your URLs:
from tipfy import RequestHandler, Response
from tipfy.ext.auth import AppEngineAuthMixin, user_required
class MyHandler(RequestHandler, AppEngineAuthMixin):
#user_required
def get(self, **kwargs):
return Response('Only logged in users can see this page.')
Securing AJAX request without an authorized user
If a user is unknown, then one could apply CSRF preventions to help protect the REST service from being called from an "unauthorized" client. Tipfy has this built-in to it's WTForms extension, but it's not AJAX. Instead, the session extension could be used to apply an "authenticity_token" to all calls, that needs to be verified on the server.