I'm trying to create an integration to OneDrive using the Microsoft Graph API. Our app is fully client-side, there's no moving parts on a server, so authentication has to be directly browser to Microsoft.
We have an existing integration with OneDrive that uses the older OneDrive API. That does permit client-flow authentication.
There is an example for AngularJS, but that turns out to require a NodeJS server and have a server-flow authentication, again. NodeJS authentication requires a secret to be passed over, which I obviously can't put in public JS.
I cannot find any examples of authenticating to the graph API without a secret, am I right in saying that client-flow authentication is not supported?
p.s. I have looked at Writing a simple microsoft graph client without using a web server, but this question seems to be asking whether it's possible to make API calls without user interaction, rather than what I'm asking.
If I understand your scenario correctly, you're looking for the implicit grant. I wrote a blog post on using this a while back that might also be helpful.
Related
So, I was looking at building a JS based front-end (probably with Vue.js) when I encountered a problem.
The backend already has OAuth based APIs, where I would need to authenticate all the API calls using an access token. So I went looking for ways to do so and found out that I should use Client Credentials grant.
The problem is that a frontend application would expose the client ID and secret. These can simply be tracked through the "Network" tab of the Browser's inspector. This makes it possible for anyone to obtain an access token and make dangerous API calls (like deleting stuff).
I also found that PKCE flows dont use client secrets.
However, I have 2 problems with PKCE as well:
Authorization is not needed for these APIs to call as these are very adminy (like user management) APIs.
PKCE will also expose the client ID.
Assuming that my understanding is correct, how should I implement the OAuth APIs such that it is secure and does not expose any credentials?
Also, if there needs to be more information, please let me know.
I'm trying to build my first API to be consumed by a mobile application built with Ionic.
Before starting I'm looking into the architecture and I can not understand exactly how to make secure my API routes.
Let's say I have an endpoint like http://myapi/v1/get-items and my application doesn't need an user to be authenticated to view those items in the mobile app.
How should I protect that route from external queries, using Postman for example?
I wish that route to be not accessible unless is not requested by the application.
Looking on Google I can find many solution using basic authentication but all of those require an user to log in... What if my app doesn't have users to log in?
I'm a bit confused but I think there is a solution and I don't know it yet...
I hope you can help me to understand it.
EDIT:
My Question is totally different from the following: How to implement a secure REST API with node.js
I'm looking for solution that DO NOT require a User Authentication.
If you don't want to use User Auth through something like Passport then you can institute a whitelist in your Node API instead. express-ipfilter is an express middleware module that allows you to filter requests based on the request IP.
Requiring a login would be the cleanest and safest way to make sure your api remains private. However, if you want to keep external users out of your services without requiring a login, you will need to "sign" your requests. By that I mean doing something like encrypting a current timestamp on the client using a key known to both the server and the client app, adding that encrypted string as a header, receiving that header in your server, decrypting it and checking that it's not too old of a timestamp before you return a response.
It's not really safe (if someone can see the code they can see the encryption key) but it's an obstacle and it down't require logging in. See this for an example on encryption/decryption
I'm having trouble finding out how to do something RELATIVELY simple..
I'm writing a node.js application which I would like to utilize the Google Tracks API https://developers.google.com/maps/documentation/tracks/
The tracks API uses OAuth2 to authenticate the server against the API account - https://developers.google.com/maps/documentation/tracks/auth
What I am trying to do is simply to authenticate my application with Google using node.js
The problem I'm having is that every module or framework I can find relating to this topic is all about redirecting a user to google and returning them to the application, this isn't what I want to achieve... Instead I want to simply hard-code my API credentials into the server and authenticate it directly so it can use the API, I also need some way to keep the session alive when the token expires.
Any help would be much appreciated
Found the answer myself! :-)
https://github.com/extrabacon/google-oauth-jwt
Looking at Twitter OAuth Libraries, I saw this note:
Be cautious when using JavaScript with OAuth. Don't expose your keys.
Then, looking at jsOAuth examples, I noticed that the keys are exposed in the code.
So my question is: How it is possible to not expose your keys when you use an OAuth library in Javascript?
Thanks.
UPDATE: Ok, maybe jsOAuth is not the right library to use, but how it is possible to do authentication with OAuth on a full Javascript web site?
As said in the documentation linked by you:
Written in JavaScript, jsOAuth aims to be a fully featured open source OAuth library for use in Adobe AIR, Appcelerator Titanium and PhoneGAP. In fact, anywhere that javascript can be used and has cross-domain XMLHttpRequests. For security reasons jsOAuth doesn't run in the browser. Browsers are only mentioned here for running the test suite. If you need jsOAuth in the browser, write an extension.
A good answer to your added question is available here:
Secure OAuth in Javascript
The only really reasonable way, right now, to do OAuth 1 in the browser, is to route API-calls via your server.
There simply is no way, as far as I have understood it, around this. If you do OAuth 1.0a calls through JavaScript from the browser -> You will HAVE to expose your consumer secret and access token secret, to at least the end user.
You cannot store these credentials in:
a cookie, the user can find them.
local storage, the user can find them (better than cookie though, since it does not entail sending a cookie back and forth all the time over HTTP)
in javascript, the user can find them (although this is probably your best bet since it is easier to obscure).
If it were only the access token secret that was exposed to the end user, that would be bearable - since it is in fact he/she who have authenticated your application. But losing your consumer secret is really not so hot, it means that your application is eligible for identity theft. I.e someone else could write an app that claims to be your app.
Even if you made it work securely in the browser, you are hampered by cross domain security blocks.
You could also make a script that sends all necessary values and parameters to the server to do the signing with.
The signed URL can then be sent back to the client (browser) that in turn does the actual request.
I have implemented OAuth 1.0a on the Twitter API that way using jsonp requests.
The benefit of this is that the response body is not relayed via your server, saving bandwidth.
That way you can have your cookie and eat it too.
to start off, I know C++, C#, Python, some Ruby, and basic Javascript. Anyway, my question revolves around how to interact with RESTful API's via Javascript. I haven't been able to find any good examples on various websites, and so I've come here.
So my basic question is: How do I interact with RESTful API's via JS? And where can I find out how to implement OAuth in JS? I know how to get my keys and such, just not how to actually code them in.
Below is an example of a twitter API status update run from my MAC terminal with curl:
curl -u username:password
-d "my tweet"
http://api.twitter.com/1/statuses/update.json
How can I implement this in Javascript (preferably with OAuth authentication)? This would at least start me going in the right direction.
Thanks so much!!
The problem is that you will need to use AJAX to query the remote REST API, and AJAX is only allowed to query resources on the same domain as the page. So, a request to api.twitter.com will fail because it is on a different domain than your server.
To correct this you will need to code your server to make the request to twitter. You can however create your own AJAX stubs that will accept data directly from your page, and then build / send requests to twitter server-side using data supplied by your client.
Generally Justin's approach is the correct one, however if you must have your client script interact with the REST service then you can do it with JsonP. that's JSON data wrapped in a function call.
see this page how to do it
http://www.ibm.com/developerworks/library/wa-aj-jsonp1/
OAuth version 1.0 in JavaScript is a bad idea because you need to expose your application's secret key, by doing so you may be allowing anyone else to impersonate your application. OAuth 1.0 was intended for use with a server under your control. So your users can send their tokens to your server and then you fire off the request to twitter on their behalf.
OAuth 2.0 solves this though twitter does not support it yet.
If you really want OAuth 1.0 you use my plugin: https://github.com/jpillora/jquery.rest and also make the change specified in this GitHub issue