How do I architecturally Kerberize an AngularJS application with a JBoss API - javascript

I have a nifty AngularJS application that uses a JBoss (WildFly 8) RESTful API to retrieve data. To integrate it into my corporate environment, it requires Kerberos authentication. I've see miles of documents and examples, and even some customized advice from an internal Java developer. My problem, at this time, is where in the architecture can/should the Kerberization take place?
Is it upon entry to the AngularJS app? As in do not allow unless the ticket is authorized?
Or do I challenge each API call? If this is the case, then how would I pass along the client Kerberos ticket information to the API call?
If my question sounds disjointed, or naive, it is. This is my first interaction with Kerberos.
Help appreciated, thanks.

I ran into the same problem / challenge with a PHP REST API on an Apache webserver with Kerberos auth.
Since Angular is pure client side every request is made as 'you' in Kerberos terms so you don't have to send the ticket. Your browser already sends the ticket when the request is made.
I created a login (or check logged-in) API endpoint in my PHP API which is called before every locationChange in Angular. If the login action returns false or nothing at all you are redirected to a access_denied.html page residing next to index.html (Angular).
The login action REST endpoint returns some userdata and permissions so you can do authorization.
In my case (also still searching) I also have some authorization on the API level.
Since my implementation involves a corporate webapplication I will add some code examples tomorrow ;)

with a jboss api, it means with java code not with php and httpd in front, you can do it directly in jboss an example :
https://github.com/dstraub/spnego-wildfly
we ar doing exactly this and it works a charm, there is some example with tomcat, jboss and wildfly (different)... tell me if you have any problem... with front Angular JS and API java

Related

Suggestion: Single Page application architecture issue

I have written a web app (Single Page application) which has only frontend technologies involved (Vuejs) and when I compile it, it will ultimately generate web pages (only HTML and JS). I can run this app anywhere by opening the index page.I am consuming REST API powered by oAuth on this SPA (making direct Ajax call to REST API endpoints).
But the problem is, My lead developer is saying the SPA must be powered by back-end service (Server) for example nodejs, apache. And the backend should make call to the REST APIs not directly Ajax calls from the browser (Frontend JS ajax). My SPA app runs anywhere and works perfectly on browsers even without any server.
My question is, do I really need to render and run my SPA using webserver, whats the reasons behind making my SPA (Plain html, js) app server powered??
Also please suggest me, if people simply write app using JS and HTML (pure front end) and upload on the server and point a domain name to that html-js web app which will be consuming remote REST APIs.
Thank you for making my doubts clear in advance.
I have remote REST API provider, suggest me best way to write an SPA to consume that remote APIs.
There may be some reasons to setup a back-end service, for example:
Hide REST API endpoints
Setup your own caching / throttling / failovers etc. to REST API endpoints
Override / control REST API responses / requests
Still, you can use only pure html+js SPA, but adding back-end service gives you additional options, not possible to achieve on front-end.

How to couple django oauth2 with javascript (reactjs) frontend correctly?

I've got a big problem to correctly implement (couple) oauth2 within Django project with Javascript (reactjs) frontend.
As a backend we are using Django server - this server offers some APIs to store or retrieve data from SQL database.
I am following this guide: Django OAuth Toolkit Documentation and using password based grant type (there are three others at disposal).
What is working for me is that I can access server's API calls via command line using curl. That is, I know how to acquire token using URL like example.com/o/token and then I can call some of my APIs with granted token within header as "Authorization: Bearer acquired_token".
I am new to OAuth within little knowledge on this topic so far.
For information:
all the stuff is running within Docker container. Reactjs is build using webpack. Within first request (clean browser cache - no javascript/reactjs available) django server is contacted and it servers index.html page with all the javascript stuff. Then Reactjs is present in browser and runs the Reactjs frontend which makes calls to APIs to get data from database and show them within some tables, etc.
My problem and question is what needs to be done on frontend side (javascript - reactjs) and in what order.
Yet I am also not sure, what to use actually within OAuth - password or authorization token and also what yet needs to be done on backend side.
Last note: I know there are lot of resources on this topic on the world wide web. However, somehow I could not find clear procedure how to deploy it.
Any good piece of advice on this perhaps with pointers to some resources is welcome and appreciated.

Is it possible to authenticate to Microsoft Graph without a server?

I'm trying to create an integration to OneDrive using the Microsoft Graph API. Our app is fully client-side, there's no moving parts on a server, so authentication has to be directly browser to Microsoft.
We have an existing integration with OneDrive that uses the older OneDrive API. That does permit client-flow authentication.
There is an example for AngularJS, but that turns out to require a NodeJS server and have a server-flow authentication, again. NodeJS authentication requires a secret to be passed over, which I obviously can't put in public JS.
I cannot find any examples of authenticating to the graph API without a secret, am I right in saying that client-flow authentication is not supported?
p.s. I have looked at Writing a simple microsoft graph client without using a web server, but this question seems to be asking whether it's possible to make API calls without user interaction, rather than what I'm asking.
If I understand your scenario correctly, you're looking for the implicit grant. I wrote a blog post on using this a while back that might also be helpful.

Keep an API call private/protected

I'm working on a web app that is mostly static - just HTML/CSS/JS + assets. I'm using a Rack server (Thin, actually) to serve it.
While the app is mostly static, there are a couple of server-side needs that have cropped up along the way. Since the app needs to interact with those needs via JavaScript, I've added Sinatra to the stack to allow me to easily set up some routes to serve as a simple API.
One such API call is to send an email - the web app needs a way to send an email to users. I set up a route (/api/mail) that can be called with a POST that includes a JSON object, and Ruby will fire off an email (via SendGrid).
Here's my issue - by nature, these API calls are public. Most of the time, that is fine - but with the email API, I want to protect it so that nobody can just start sending malicious emails with a simple POST, posing as my app.
Problem is, I'm not quite sure how to authenticate this. The web app itself is the client, not the user, so a password or API key seems worthless, since anyone could just sniff out the POST header and grab the credentials that the app is posting to the API.
Is encrypting everything via SSL my only option, or am I missing some glaringly obvious solution?
At the end of the day, anything you do can easily be scraped. I would do some aggressive rate limiting by ip and session, don't think if anything else would be possible (or effective)

Interacting with RESTful API's via Javascript?

to start off, I know C++, C#, Python, some Ruby, and basic Javascript. Anyway, my question revolves around how to interact with RESTful API's via Javascript. I haven't been able to find any good examples on various websites, and so I've come here.
So my basic question is: How do I interact with RESTful API's via JS? And where can I find out how to implement OAuth in JS? I know how to get my keys and such, just not how to actually code them in.
Below is an example of a twitter API status update run from my MAC terminal with curl:
curl -u username:password
-d "my tweet"
http://api.twitter.com/1/statuses/update.json
How can I implement this in Javascript (preferably with OAuth authentication)? This would at least start me going in the right direction.
Thanks so much!!
The problem is that you will need to use AJAX to query the remote REST API, and AJAX is only allowed to query resources on the same domain as the page. So, a request to api.twitter.com will fail because it is on a different domain than your server.
To correct this you will need to code your server to make the request to twitter. You can however create your own AJAX stubs that will accept data directly from your page, and then build / send requests to twitter server-side using data supplied by your client.
Generally Justin's approach is the correct one, however if you must have your client script interact with the REST service then you can do it with JsonP. that's JSON data wrapped in a function call.
see this page how to do it
http://www.ibm.com/developerworks/library/wa-aj-jsonp1/
OAuth version 1.0 in JavaScript is a bad idea because you need to expose your application's secret key, by doing so you may be allowing anyone else to impersonate your application. OAuth 1.0 was intended for use with a server under your control. So your users can send their tokens to your server and then you fire off the request to twitter on their behalf.
OAuth 2.0 solves this though twitter does not support it yet.
If you really want OAuth 1.0 you use my plugin: https://github.com/jpillora/jquery.rest and also make the change specified in this GitHub issue

Categories