What is Reddit's opinion of
Auth0?
From 3.5 billion Reddit comments
➔ Auth0 website
By popularity on Reddit, this Service is:
100 reviews of this app found across Reddit:
Building your own Auth system is hard, like very, very hard.
I would advise you piggyback of another system until you scale to get a competent security tech team to build this architecture OR consider additional security like SMS confirmation on login?
I've used Auth0 in the past, which is great: https://auth0.com/
I agree with some of these, in particular the Observables. Both because of the issues with Rx being in beta as well as the fact that I don't see much of an improvement over Promises in return for the complexity introduced. I'd love to learn more about using Rx for actual data streams, and I understand how it's being used to abstract web app design into a stream of actions and whatnot, but I have yet to actually see a concrete way in which that translates to a better development experience.
However, complaining about domain specific terminology for Angular 2 is silly considering that it's a complete MVC framework, and that many of the terms are used elsewhere.
>Angular replaces the DOM with its own grotesque mutation of HTML, the browser history and location API with its own routing and location service, and XHR and websocket with its HTTP client.
Again, it seems like this dude just doesn't want a full fledged MVC framework. Or that somehow he's able to tolerate all the jargon and functionality with vue.js but not Angular 2.
I'll agree that it's silly that the JavaScript documentation still hasn't been done, but honestly I think Angular 2 should just go full TypeScript anyway, since using JavaScript for it is such a pain.
The rest of his complaints mostly boil down to it being too complex and looking icky. ¯\_(ツ)_/¯ Matter of opinion I guess. As for the speed, it seems to perform in the middle of the pack. Here's another benchmark. Vue, especially Vue 2.0, seems to have a slight performance edge, but it doesn't seem to be even remotely large enough to warrant disregarding Angular 2. I wish I could comment on development efficiency differences for large applications between the two, but I haven't used Vue much.
Javascript was written in a couple of weeks, so they just didn't have a lot of time to think things through.
https://auth0.com/blog/a-brief-history-of-javascript/
Non AMP link:
https://auth0.com/blog/implementing-nanoservices-in-aspnet-core/
I don't know, you can scale microservices in cloud just as easily as these nanoservices. Not sure I see the point in them
Unless you have a good reason not to, use what your Authentication provider says. Check azure ad, auth0, Google/Facebook/apple auth. Generally they will all use oauth2, so that’s worth checking. If you’re looking for a general understanding, read these:
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/
https://auth0.com/intro-to-iam/what-is-oauth-2/
https://jordanfinners.dev/blogs/make-one-resolution-this-year-never-write-your-own-authentication
> How to handle Authentication?
Do yourself a favor and pick something pluggable that can evolve with you, supporting both API consumption and web applications/apps. Do you already have a user database with passwords? If so I’d look at https://github.com/IdentityServer/IdentityServer4
If not let someone else handle the heavy lifting like https://auth0.com
One are that hit me late in the game with a "traditional" web app of mine is how insufficient is the whole auth/authorization support. I even consider move to https://auth0.com just for this.
The thing is that security is not the forte of many, and you need someone with the proper skills to vet decision, but I think a "pluggable" auth flow is a necessary thing on the ecosystem.
Actually, no. Best practices have changed in recent years (Correct Horse Battery Staple!) and NIST has changed official advice last year.
In short, the new advice is to use longer passphrases, but to not routinely expire and to not mandate the usual special characters.
With no expiration, you should have far fewer cases of old device passwords locking out accounts. With no expiration and no weird special character requirement, your users should lock themselves out far less often.
And you should be using short, temporary lockouts after 10 or more incorrect passwords anyway. Not permanent lockouts after 5 wrong passwords. The point is to prevent high-volume brute forcing, not to lock users out just because that's what you do.
When you start introducing strict rules, is when you start having security issues. More places should start following the NIST recommendations, if anything, for the length and expiration rules.
Honestly, that example looks horrible. It uses Laravel but the author has no clue what he is doing.
Your easiest solution would be to use a provider like Auth0: https://auth0.com/authenticate/laravel/azure-active-directory/
If you do the manual approach, you’ll have to lookup the documentation on Azures site and do it manual. I wouldn’t copy that code from the repo your shared.
First thing that I would recommend is to *not* store your JWT in local storage. It leaves your app open to XSS.
See this link for more details: https://auth0.com/docs/security/store-tokens
DI, classes, Java-style code, annotations/decorators, class-based rather than interface-based typing (generally), etc. From Auth0's tutorial:
@Pipe({
name: 'tempConvert'
})
// The work of the pipe is handled in the tranform method with our pipe's class
class TempConvertPipe implements PipeTransform {
transform(value: number, args: any[]) {
if(value && !isNaN(value) && args[0] === 'celsius') {
var temp = (value - 32) * 5/9;
var places = args[1];
return temp.toFixed(places) + ' C';
}
return; } }
... functions masquerading as annotated classes and using inheritance. Just add some AOP and AbstractFactoryProxyBeans and we'll be good.
You could just enumerate the teams a user is a member of in the claims portion of the JWT. When validating the JWT, check to see if the current team being accessed is part of the JWT claim.
​
https://auth0.com/docs/tokens/json-web-tokens/json-web-token-claims
(Also directed at OP, /u/k1ll3rM)
OpenID Connect != OAuth 2
OAuth 2 is a protocol designed to authenticate users of an API and to authorize access to certain features of an API.
OpenID Connect is a protocol for authenticating end users on a website in order to outsource the need to store personal data belonging to the user to the OpenID Connect Service Provider. It may therefore be used to realize Single Sign-On.
OpenID Connect uses OAuth 2 internally but the OAuth 2 client == OpenID Connect Relying Party == the website and the OAuth 2 Server == OpenID Connect Service Provider == for example auth0, Google, Facebook, GitHub etc..
But someone offering for example a single page app with an API may also make the API server the OAuth 2 server and the end user the OAuth 2 client thereby implementing OAuth 2 itself, not OpenID Connect.
> jwt
You are conflating "authentication" and "session/grant" management. Passportjs is designed for "authentication". JWT is designed for "grant" management.
Difference:
- Authentication - A negotiation process (however simple or complex) that allows two parties to recognize each other as who they claim they are. Common examples of the "negotiation" (use password, use OAuth2, use single-sign on, etc)
- Session/Grant/ - Persistence of prior secret (i.e. prior authentication data)
If you look at JWT documentation by Auth0 here, all use cases are after successfully login (... When a user successfully logs ... Once a user is successfully logged in ... ).
So you still need to figure out how you going to "authenticate".
Part of the NIST recommendation is also to eliminate character requirements (ie must contain one capital, one number, etc) and only mandating a minimum length. Doing ba simple passphrase like "dog,jar,house" is easy to remember and extremely difficult to crack.
It's really easy to authenticate straight from the client via 3rd party authentication like Auth0 or AWS Cognito. It's safer to use a pre-established auth system. They handle cookies, have fantastic documentation, and can be integrated very quickly.
edit: added more info
Check out this page, it has a simple diagram that helps, at a very high level, pick which oauth flow is right:
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
Btw, mobile apps should not use the client credentials Flow.. this is really only to be used when there is no user available to log in. Ex: a script that runs on a server as a cron job, or some other daemon.. ie, when the Client is authenticating, without a user.
The problem with SPA's is that they are 'untrusted clients'.. ie, they cannot safely store a Client Secret. So they must use the Implicit Grant flow, where you don't need to submit a Client Secret.
Now to your point about presenting a username/password login box, this is actually done by the Authorization Server... which is usually a different system than your app backend/frontend.. Imagine Login with Facebook buttons, you're taken to FB, the authz server, and that's where you give your credentials. The client, your app that uses FB, should not know/receive/pass through, the user's credentials.
Sometimes, the Auth Server and the clients are part of the same organization, like when you actually use facebook, those are called First Party clients.
If you have a very very simple case of just a SPA with it's own backend, you probably don't need OAuth... it'd be a lot of overhead to setup (securely) anyway. Just POST the user/password, and use a JWT/Cookie for session management.
Or you can singup with Auth0 (have have a decent free tier) to try out these other flows w/o writing your own oauth server.
If you're thinking about not storing them yourself like he says in the video, this is a service you can use: https://auth0.com/
It works really well and setup isn't to much work either and integrating facebook/google/github login only takes a few minutes
Although RSA is getting old and clunky, it is fairly common to use it for signing JWTs. At a previous company, we used it. I tried to suggest ecdsa instead, but it was not supported in enough libraries so RSA was the only option for us.
Having said that, JWTs do carry risks that are more serious than the concerns of whether you should use RSA. The most common flaw is people changing a JWT signature to the ‘none’ algorithm to bypass signature verification altogether. There’s an additional risk when public key algorithms are used for signing: attacker changes your algorithm to hmac, then forges a hmac signature using the public key. These vulnerabilities are well known in security and described in many places, such as here.
Bottom line: it is okay to use RSA provided that your modulus is at least 2048 bits (many people will recommend higher), but regardless of what you use, make sure you test that your jwt implementation is not vulnerable to common attacks.
Hey there, this is an intermediate topic and good luck with your voyage. I use Auth0 and it is really making things simple. It helps you to keep your code base clean BUT (this is a big “but” because it is important) you need to get your hands dirty first to understand stuff. Instead of a 3rd party, I would suggest you to create your own authentication to begin with. You can just use Basic authentication if you only keep it in your portfolio. Or you can go for an OAuth 2.0 flow if you really want to use it on production. I suggest JWT format and this is the best document I found for you in a similar scenario; https://jasonwatmore.com/post/2020/04/22/react-email-sign-up-with-verification-authentication-forgot-password#running-aspnet-core When you have this successfully, you will know what you want and need, then you can compare 3rd parties and go for an https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
I think Angular2 is great if you can accept that they changed the framework dramatically. Sure conceptually it's still angular and shares many ideas, but the syntax is very different.
The things I like about Angular 2:
An Angular2 app is just a series of components, makes it easier to visualize what is going on.
Services are now just plain old JavaScript objects like models. No need for factories etc.
The revamped binding mechanism is neat. Instead of directives like ng-click etc, you actually subscribe to browser events via the binding. If you want a different event or something new (like touch specific for example) you don't need a new directive.
It's faster, significantly faster due to optimizations and not having watches and the beefy digest cycle.
With angular universal it's possible to do server side rendering to speed up the initial load (while still turning it into a single page app once the javascript loads).
It's conceptually easier to understand for newbies. As much as I love Angular1, it does have a steep learning curve. One of the core design principles with Angular2 was to make it easier to newbies to get involved.
The Angular CLI is pretty cool and I hope they continue to work on it.
Just my 2cents :)
Edit2: forgot to add working in TypeScript is actually quite a pleasure. It's clean , concise and imo makes the entire app more maintainable.
I took a quick look through your code on github and so far I'm impressed. Your code structure and organization is very modular and very easy to read and understand. It's actually one of the most organized source codes I've read for a personal project.
As to your second question, when integrating user roles, the authorization part usually involves having an express middleware check the user request and either allowing/denying that request based on the user's role.
I see you're using jwts! Awesome :) One way to do that is to bake the user/role's permission into the jwt you grant it upon login. And then have an express middleware check the jwt against a list of scope the endpoint has. There's an awesome article on it here https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/
Hope that pushes you in the right direction.
Auth0 has great documentation.
https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/01-authorization
You'll also want to review their pricing page. If it's for a personal project you should fall into the free tier. If it's for work then I suggest reaching out to their sales team.
The normal way to do it is to create a one way hash of the password plus a "salt" which is a bunch of extra data to increase the complexity and uniqueness of the password hashes.
Then when checking the password you don't decrypt the stored password, you encrypt the password that has been entered and compare that "hash" with the saved "hash". If they match you let them in.
At no point is it possible to decrypt the original saved password because of the one-way nature of the hash computation. The only way to work it out (if you have a copy of the database) is either using a pre-computed list of hashes or to brute-force it by performing the hashing on a dictionary/password list.
The upshot of this is if you ever deal with a company that on losing your password sends you the existing password, they have shit password security.
First off, drop that table and shut down that app now if any of that data is actual users… whatever you’re doing, it’s not ready to be in use if you’ve got any idea what the user’s password is, server side. Think of the user’s secrets as radioactive… you do not want them in your hands.
Second, don’t handle this yourself at all… auth as a service is available, including from Amazon, and you should almost certainly use it, if you don’t already know what the current industry standard practice for password hashing algorithms is, with a plan for how to upgrade your hashed data to the then-current standard, year after year.
I think you've got a couple of things wrong here. Feel free to discuss what I'm bringing up, because I'm by no means an expert here.
>And you should send them a new token after x amount of time if they haven't been idle.
This isn't possible without using either HTTP/2, web sockets, or some other persistent, bi-directional TCP connection. If it's a program that will be consuming a standard REST API, the server has no way to send the client data unless you send a new access token back with every successful request the client makes, which I guess would be doable.
>This refresh token is stored on the server and never given out. Only the short lived tokens are given out.
How would the client request another access token if they aren't storing a refresh token? There are ways to do this, but I would say that the "typical" access/refresh token setup requires the client to store the refresh token in a "secure" location (httpOnly cookies, like you mentioned). Check out this writeup on an example architecture: Refresh Tokens: When to Use Them.
- Use a Web Application Firewall
- Make sure you code according to Laravel standards
- See https://auth0.com/blog/why-laravel-is-the-recommended-framework-for-secure-mission-critical-applications/
- Rehearse your backup/restore policy
- Make sure you're GDPR compliant
- Have a password recovery strategy for all accounts
- Use localStorage
- (Usually) there are two tokens. One is the actual auth token, the other is a refresh token used to re-authenticate in case the actual auth token expires.
- None? Use HTTPS and don't save it elsewhere is pretty much all.
use spring boot.
https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/
this should be all you need to get up and running with jwt. really good guide, best one online. they try to upsell you to use their service for authentication at the end but it's not needed at all.
when you talk about manipulating database models as objects in java, what you want is JPA. that article uses it. if you look at the ApplicationUser class they make, it's annotated with @Entity. this will end up being an application_user table with the fields id/username/password. you can see them doing what you're talking about:
user.setPassword(bCryptPasswordEncoder.encode(user.getPassword())); applicationUserRepository.save(user);
they have an older guide here saying how to do it, but the first link in this post is a more up to date/better approach. if you want, you can look at this one just to see the differences or whatever. https://auth0.com/blog/securing-spring-boot-with-jwts/
The more secure solution is authentication strategy with Access and Refresh tokens. Refresh token has long (or no at all) expiration length and is used to create a short-living Access token. Read more
In our application we allow user to have multiple Refresh tokens which are created for a specific device that user signs in from. This eliminates an issue with simply copying someone else token, as even opening Chrome Device Emulator will not allow user to use locally saved Refresh token, because it is signed for specific device id (which we generate based on user agent and other browser info).
Google's captcha is pretty good. I use it for forms etc, works very well.
If that's not an option I'd suggest you check out auth0: https://auth0.com/ They got pretty much everything there regarding user authentication.
As someone who has had to roll his own single sign-on implementation, please believe me when I say that you do not want to do this. Look into Auth0. For your use case, it'll probably be free. It solves all of the nasty OAuth2/OpenID Connect negotiation and has a pretty slick UI for wiring everything up.
I think your implementation is vulnerable to a long known vulnerability of JWT:
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
The documentation of jwt-go also states that you need to check the signing method when validating:
token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) { // Don't forget to validate the alg is what you expect: if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } return myLookupKey(token.Header["kid"]), nil })
You can't simply use a permanent password or a 'secret token' for SPAs and mobile apps because it can be easily extracted from the code. With oAuth you can set up a more secure flow with temporary token being granted using the predetermined redirect URI. This article sums it up pretty nicely: https://auth0.com/blog/oauth2-implicit-grant-and-spa/
Check out Secure Your React and Redux App with JWT Authentication and Flask-JWT.
I’ve used this doc a bunch of times when thinking about how to auth an api based on who is consuming it. Maybe it’ll help you. https://auth0.com/docs/authorization/flows/which-oauth-2-0-flow-should-i-use
You realize that the SSO vendors like Auth0 don't offer MFA on their free plan?
So you're too cheap to pay for a paid plan, but you want me to pay for it with the vendor?
Hate to burst your bubble, but this is just obfuscated javascript code - I guarantee that Shopify stores the password as a hashed value in a database and not in client side javascript.
CEO of DNSFilter here - yes, apologies, but of course any action that you'd like to take via the dashboard is impossible unless you were authenticated prior to the outage. To clarify, Auth0 (our authentication provider) is experiencing an outage. They're a major authentication provider used by thousands of organizations, so we're not alone and it has their full attention. For even more insight, their status page is available here.
​
We are in conversations with them directly. I apologize for the inconvenience - rest assured it does have our full attention and does not affect network access/performance or security/content filtering in any way whatsoever.
This sounds like a good project to learn Python and PIL/Pillow; basically downscale the image to something small, like 64x64, blur it heavily, and obtain the HSL value of the center point. Then rename it or do whatever you want from the Hue value of it.
https://auth0.com/blog/image-processing-in-python-with-pillow/
I've used AWS amplify for auth and IMO it's really clunky and not very flexible (specifically user management and access control) compared to using something like Auth0 or Firebase auth.
Rolling your own security isn't great either as you can't guarantee that what you've implemented is secure or not.
Auth0 works really well but is pretty expensive, and Firebase Auth has great pricing, but it's firebase auth UI library is awful - extremely huge payload size.
If pricing is an issue, you could roll your own JWT but it is really easy to shoot yourself in the foot with the integration.
Auth0 is the lead in pushing JWT, and have several articles on what not to do when rolling JWTs out.
Without knowing exactly the data you're storing, it's hard to say if it goes over the limit. Like /u/Questjon said, generally you can either change where you're storing it or store less of it.
That said: Are you actually hitting the Firebase free storage limit? You should calculate how much data you would use then compare that to the Firebase pricing. You're given 1 GB in the free tier, so what you should do is run the script for a day or so and see how much data it uses in the Firebase DB, then extrapolate that for a whole year.
There are also other data storage options you can use. Take a look here: https://auth0.com/blog/the-complete-guide-to-deploying-javascript-applications-part-1/#Database-Deployment While some aren't free, the paid tiers tend to start very cheap.
So let’s start with some terminology. It sounds like you’re trying to achieve SSO - that is, you log in once and you’re also authenticated in to several other apps.
You need to designate an app as the “identity provider” (IDP). It has the master list of users who should be able to authenticate, along with which other apps they should be allowed to use (aka scopes), and houses the login flow.
The other apps are known as “service providers” (SP). When a user turns up, the SP asks for a valid token that say who you are and what you should be allowed to do. If you don’t have a token, it can request a token on your behalf from the IDP, or redirect you there to log in. The SP makes fine-grained decisions about what you should be allowed to do eg view or update a specific record.
There are a couple of standards for how to set up communication between the IDP and the SPs, and I can’t say much more without getting in to the real details about how your apps are running. Read up on JWT, oAuth 2.0 and OpenId Connect. Auth0 is a paid IDP service that implements these protocols, but they also have really good docs about the protocols: https://auth0.com/docs/flows
>side door that's left open
​
And if you ask the guard a bunch of nonsense, he tells you the phrase you need to get in.
https://auth0.com/docs/security/bulletins/cve-2019-7644#overview
The blocked characters thing does not know how long your password actually is so the 5 characters thing is just a guess. The system only stores your password in a hashed form. https://auth0.com/blog/hashing-passwords-one-way-road-to-security/
Same story here. Symfony seemed daunting at first. After messing about with tutorials and watching some youtube videos, I was able to convert a few of my web applications to Symfony 4.0.9. I must add that the documentation is a little sketchy for some of the older bundles < Symfony 4. Apparently, they are updating much of the online documentation; I haven't had too much of a problem myself.
Check this tutorial out - setting up a secure blog authenticated by auth0.
+1 for Symfony :D
The problem about newbies creating a login system is, you end up with a non secure system.
Perhaps you should look into using a good 3rd party system like Auth0. PHP SDK: https://github.com/auth0/auth0-PHP
But of course, you still need some PHP knowledge to correctly implement it.
My recommendation is to pay someone competent to help you do this, or use an existing service.
As /u/neilg pointed out, there are a lot of fans of identity server. I personally like using Auth0 to outsource since I won't need a new app or server to host (that's my case at least). And I don't care who you are or what you do, auth hosts/apps/servers will require maintenance. Auth0 does things pretty darn well for not that much cost. That's my 2 cents, freed up a lot of time for me on personal projects, and my dev team for the larger ones.
Outside of providers, if you want some simple examples of how auth works in .Net Core, the boilerplate code from Matthew Blott on how auth can be handled with claims was super helpful for me:
https://coderscoffeehouse.com/tech/2017/09/05/simple-aspnet-auth.html
https://github.com/matthewblott/simple_aspnet_auth
Good luck!
Also, when going from protobuf (the format underlying gRPC) to javascript, and assuming you are serving your JSON with gzip compression like a responsible adult, you only get a 10ms speedup with a 10kb size saving over JSON (source). So it definitely feels like a premature optimization.
I'll pile on that train:
https://storify.com/jcuid/thomas-h-ptacek-don-t-use-json-web-tokens
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ (yes they're implementation bugs but if the implementation is this hard to get right, what does that tell you)
If you think that the delay is caused by the JSON serialization, maybe you could try using protobuff instead: https://www.nuget.org/packages/WebApiContrib.Core.Formatter.Protobuf/
In certain scenarios that can give a significant performance boost: https://auth0.com/blog/beating-json-performance-with-protobuf/
PathWell: Password Topology Histogram Wear-Leveling and NIST 800-63 may be helpful.
For Auth0, you can:
- Create an account auth0.com/signup
- By default an app will be created with Google/Facebook and User/Password logins. Choose Node quickstart and download the sample project (it already has the keys embedded in the sample, so you can run it by doing npm install && npm start)
- You can try a signup/login flow with the sample
- You can customize the login page in the dashboard using plain HTML (or you can embed login widget on your app). Lock, the login widget, is rendered on the DOM of the page.
- You can store arbitrary data via the API https://auth0.com/docs/metadata/management-api
You should solve the use case above in a couple of hours.
Let me know if that's not the case.
So you don't get your shizzle outta whizzle when your nizzles ride dirty up at your hizzay.
This will explain it better than I can (with pictures!):
Short expiry periods for UID tokens and revocation/blacklists are generally the way this is handled with JWT. Some posts on ways to handle this:
- https://auth0.com/blog/blacklist-json-web-token-api-keys/
- https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/
Personally, I don't care about being entirely stateless. These questions depend on your individual application's threat model, and what you need to mitigate against.
Is this an SPA or is there a fetch on every page? You should be using JWTs that expire and every api call to the server should include that JWT where the server verifies. If using an SPA you can use an event bus or state engine like vuex or redux or flux to manage and react to a user state change, but still every api call should include a "signed" token and verification.
Auth is also hard to do right - might want to check out something like Auth0. They also have a ton of docs on how to do auth without even using their service https://auth0.com/docs/jwt .
This is about the "none" algorithm again, based off the original post at https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
This is from 2015, and the discussion (on Reddit, Hacker News, etc) already happened. Pick a library that either doesn't implement "none", or verifies the input algorithm against a whitelist.
So I think you're mixing up some terminology. I'm guessing you mean a root level variable and not a global variable.
I don't think that's what you really are after. I'm on mobile, so I'm limited in my response. You can definitely take a look at some of Vue authentication libraries and implement those. Or you can take a look at this tutorial
It seems weird at first to not use variables that are in every component, but it'll make sense. If you definitely do need variables like that, chances are you need to get into using Veux. Also while it's tedious, I would recommend reading through all the Vue docs before you get going. If you're coming from angular, you'll find lots of things are different in Vue. It'll help you get a better understanding and worst case, when you come across an issue you will remember reading something about it and know where to go.
If you're still having issues after the tutorial, let me know and when I'm in front of a computer I'll help out.
Please please please, if you do decide to go the JWT route, read and understand https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Lots of JWT libraries are wrought with security vulnerabilities.
To be clear, I'm not advocating for rolling your own crypto, but be carefully aware of any vulnerabilities that exist in the JWT library you use if you choose to do so.
Sure. So the main idea here is to basically used a trusted means of communication to send a link to authenticate. If you've ever used two-factor authentication in another system where when you login then a temporary code is sent to your phone, passwordless auth is essentially the second step without the first.
So, imagine you're at the login page, and you input your phone number or email address. A temporary code is generated and is sent to your phone or email so you can either input that code back into the website. You can even put the code in the URL and just have the person click/top on it to authenticate.
Here's a great demonstration of passwordless auth with Auth0: https://auth0.com/passwordless
That make sense?
I do a lot of development work so let me ask you this, why should I trust you with my precious user data? And what does your solution bring to the table that is different than Auth0 or Firebase or AWS (All of these solutions provide pretty cheap and robust user auth)?
I think you should also think about who you are targeting here. A skilled and educated developer will be able to easily create whatever you want to create and keep all of the data internally. What you probably offer is the time you save them which is a very hard sell because you are competing with these companies that have every bell & whistle I would need.
Jesus, these answers are atrocious /r/javascript. I see "don't use javascript, don't use a framework, what kind of fast, etc.".
Here's a blog that goes over popular framework speed: https://auth0.com/blog/2016/01/07/more-benchmarks-virtual-dom-vs-angular-12-vs-mithril-js-vs-the-rest/
React is probably your best bet for a fast framework which also seems to have a growing community.
Also - stop unzipping your pants and whipping out "Vanilla JS" every opportunity. Vanilla JS is a god awful answer for "fast framework". First off, it's not a framework, and secondly it's going to be horrendously slow compared to something with a Virtual DOM like React. Try it yourself, build a Vanilla JS dynamic table with sorting, custom columns, etc. and compare it to a trivial to write React JS alternative. React would perform an order of magnitude quicker with a fraction of the effort.
Why? Virtual DOM. But wait... that's not fair, React is built on Vanilla JS. Theoretically couldn't we make this "Vanilla JS Table" even faster than React since it includes other garbage? Yep. You just need to create a virtual dom, apply some optimizations here and there, and hundreds of hours later you'll be running a "VanillaJS" table on your new framework.
User management can be challenging, especially if you've never done it before. Encrypting passwords correctly, handling forgotten passwords, user self-service, and user management in general are the challenges you will face. If you don't feel up to it, you could always try a service like Auth0. (https://auth0.com) Other such services exist, but I can think of any right now.
This was posted over in /r/reactjs, so I will share the same thing I shared there for others: https://auth0.com/docs/quickstart/spa/angular2/relay
Nothing prevents you from using Relay and GraphQL with Angular2.
Probably more than that. Angular 1.x is production ready, react at 0.14.0 is "stable enough to use in production" but it's not 1.0, and angular 2 is still in beta. Benchmarks show that angular 1.x isn't as far behind react as is hyped: https://auth0.com/blog/2016/01/11/updated-and-improved-more-benchmarks-virtual-dom-vs-angular-12-vs-mithril-js-vs-the-rest/ and currently edges out Angular 2 in some areas. Any Angular 1 application that's in production now will likely need to be supported for some time.
If you're uncomfortable with boilerplate, angular is not a good choice. Here's an example from a blog talking about angular 2.0's pipes ...
/// <reference path="typings/angular2/angular2.d.ts" />
// app.ts
import {Component, View, bootstrap, Pipe, PipeTransform} from 'angular2/angular2';
...
// We use the @Pipe decorator to register the name of the pipe
@Pipe({
name: 'tempConvert'
})
// The work of the pipe is handled in the tranform method with our pipe's class
class TempConvertPipe implements PipeTransform {
transform(value: number, args: any[]) {
if(value && !isNaN(value) && args[0] === 'celsius') {
var temp = (value - 32) * 5/9;
var places = args[1];
return temp.toFixed(places) + ' C';
}
return; } }
...
@View({ templateUrl: 'pipesTemplate.html',
// We can pass the pipe class name into the pipes key to make it usable in our views pipes: [TempConvertPipe] })
class PipesAppComponent { temperature: number;
constructor() { this.temperature = 85; } }
Owch! All of this code only sets up a binding context for temperature and declares that we can transform it with TempConvertPipe.
Have you looked at Auth0? I've been using them to handle user sessions for my app and it's been great. The best thing so far is being able to connect auth0 to other services like S3 for uploading or firebase for realtime web sockets all without building a server. Their docs are also pretty good and have a ton of samples including usage with react. Happy to answer specific questions.
You are correct. I would look at Auth0 for those use cases. It allows you to use social logins and a managed proprietary auth store side by side. You can integrate it with Cognito or federate to IAM using SAML which gives you some pretty powerful options in terms of defining finer-grained access rules.
They have a tutorial on integrating with API Gateway too: https://auth0.com/docs/integrations/aws-api-gateway
> Proof is based on JWT, or Json Web Tokens. JWT combines the ease of use of JSON with rock-solid encryption technology
"rock-solid" depending on whether your implementation has logic bugs:
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
I feel the way the standard is designed, it encourages these sorts of bugs. Unfortunately the "alg" field remains mandatory on messages for now (but oddly, not for keys, where it belongs)
All that said, JOSE/JWT is sadly the best least common denominator option right now.
Laravel is perfect for all the backend part. Especially given the chargebee ( https://www.chargebee.com/open-source-laravel/ ) and auth0 integrations https://auth0.com/docs/quickstart/webapp/laravel/01-login .
Then you have the freedom to see what you do with storyblok CMS, either integrate it, have it exist separately, your call.
Having some help from a nearby webdev agency seems necessary.
I would strongly recommend oidc-client (or redux-oidc if using redux) for the frontend.
Keycloak as backend if you want to self-host, otherwise e.g. Auth0.
Code flow for certain things, Backend for Frontend for public things.
You're missing the important part of password storage which is "salting".
When you hash the password you should use a unique "salt" per account to change the input.
e.g. User 1 and 2 have "princess" as a password, user 1 has a salt of "abcdef" and user 2 has "tuvxyz".
For User 1 the algorithm hashes "princessabcde" while for user 2 it hashes "princesstuvxyz"
So 2 accounts that use the same password should give completely different hashes.
This is massively simplified, there's a reason why all computer science courses drill into students heads to never create their own encryption / security hashing function.
>We don’t save anything in text. Can you please share what you mean ?
>Our password are stored encrypted in MD5 system
MD5 is not secure for passwords!
Use an actual secure and salted hash like Bcrypt instead of whatever weak ass hash your ecommerce platform had turned on by default.
Don't let this worry about security get in the way of learning something. You can set up just about any database or backend language locally with very low risk.
Even if you used a live server to learn how to deploy backend code that interacts with a database, you probably wouldn't store any sensitive user data from real people there anyway and you could tear it all down when you're done.
I searched "api mock data" and several options came up. You could also try a headless CMS ( like Prismic for example ) to control your mock data.
You could also learn how to use an authentication provider like Auth0 by doing mostly frontend coding.
Learn the HTTP protocol:
- Understand that browsers send requests and servers send responses.
- Learn the different kinds of response codes can be expected (404, 200, etc.)
- Learn about REST endpoints
- Learn about headers, cookies, jwt
- Learn about CORS
- Open up F12 on the browser and see what's getting sent/received in a sample program. And dive into the unexpected things or things you don't quite understand.
- Use Swagger and/or Postman to replicate the actions to get a deeper understanding about what's going on.
- Write an app that uses OAuth with a third party (e.g. Auth0.com) to authenticate on your server side. They supply sample code, but again look at network traffic in F12 and see if you understand how its all tied together.
Sounds like you want a place to store those images, Amazon S3 or Google cloud storage (comparison) or any number of other cloud storage providers would fit the bill. You'll also need a place to store user data (credentials, auth, etc.) Look into auth0.com or Amazon Cognito, etc.
Auth0 is multi-region. They discuss their architecture here. AWS even features them in one of their architecture videos, as a bonus, in that video they discuss what went wrong when they had their big outage.
Like some of the other posters have said, you should never distribute a "secret" of any kind to a client application. That means don't bake it into the source code (obfuscated or not), and don't have your application fetch the secret from your server either. Once the secret exists on the user's machine it is no longer a secret.
You could have your application make all requests through a server you own, and your server would then make server-to-server calls to the 3rd party API. But then you might want to make sure your application authenticates users, or else your API becomes free for anyone to make unlimited requests to.
Or like another user said - this seems like a good place for users to use their own credentials, in an OAuth flow. For this type of application you would call this a "public client" if you are looking for keywords to search. This is as opposed to a "confidential client" like a web app with a front and back end. Confidential clients use a clientid/secret, and keep the secret safe on the backend, and typically use the "authorization code flow".
For this "public client" there is no good way for you to use a client secret since your application cannot safely store this secret. Instead you should look into the "PKCE flow" info
You still use a single client ID, that can be hard coded in the application. But users will use their own credentials to authenticate and generate their own access tokens. When presented the google/youtube login page, they will see "XYZ app wants to use your info" where they can look up XYZ based on your client id provided in the oauth authorize request.
> Do you store usernames and the corresponding password in databases?
You store usernames and a one-way hashed password in the database. In addition, it's quite common to also one-way encrypt sensitive user data (like e-mails) in a database. However the latter is only a slight security improvement that won't deter a malicious hacker from stealing emails.
> Am I meant to just slap the username along with the hashed password into my database and then that's it?
Well pretty much, yeah.
> but just slapping my user's credentials into my database like that seems awfully insecure, even if the credentials are hashed and encrypted!
Why? What are you trying to guard against?
Entry level sales positions in tech could be in scope. Search on Indeed for SDR or BDR positions. This stands for sales development rep and business development rep. You probably won't get a call with your current resume so you need to show some initiative. Take a class or two at your community college. Get some AWS or Azure or Google Cloud certifications. Talk with people about how to get a chance at one of these positions.
Here are a few that I am talking about.
https://www.ally.io/careers/seattle?gh_jid=5005967002
https://www.zscaler.com/careers?p=job%2FoZXPcfwH
https://auth0.com/careers/job/account-development-representative-federal-accounts:11c8192a-c2a6-49e3-af7e-0c7ed5654f10
There are hundreds of roles like these. Figure out how to get one and you could have a lucrative career in tech.
We use auth0 for our current SPA— their front end library is really easy and their tutorials are pretty great. I’ve been quite impressed how well they’ve been able to serve us as our auth needs have grown.
It’s nice because there are a lot of considerations for auth you need to make for a SPA since so much is handled on the client.
Auth0 has some great articles on using OAuth flows (which identity server supports). Here's a good starter:
https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use
​
I'd recommend looking at 'Auth Code with PKCE' first. This would require you to open a browser from the WPF app to login. Then you can keep all the login behaviors contained to the authorization server. If you want to change the rules, UI, etc. - you just change them there and don't have to worry about the WPF client. It can be a little more jarring for the user - they'll have to click some "login" button, which will launch a browser window in the app.
However, that's going to be a more complicated approach. If you're 100% confident in the security of the client machines running the WPF app, you could use 'Resource Owner Password Credentials Grant' flow. This is an older flow and most recommend against it. I believe the Identity server guys have hinted that support for this may be dropped in a future version as well.
On Auth0 I used Code Flow authentication. It's not the most practical documentation, but this How it Works section describes the process very well.
If you Need to upgrade an existing app it’s pretty straightforward. If you set up a mew project the main differences might be:
- the basic auth scaffolding. There still is the good ol laravel/ui package if you want to use bootstrap, there is laravel/Jetstream (which actually is more than just the basics) and brand new, just released today there’s now laravel/breeze.
- the models now life in a models directory
- the default route namespacing is no longer active by default, so your now look something like: `use App\Http\Controllers\PostController;
Route::get(‚/posts‘, [PostController::class, ‚index‘]);`
And more....
Sounds like something is wrong with how you authenticate users. If you have multiple ways to authenticate a user, those methods need to be in a one to many relation with the user. For example each user has a list of auth-methods, and whenever an authentication is made you check your table of authentication methods and find the one user it maps to.
Im not sure if you are doing this yourself or if the framework you are using is handling that, but it sounds like you need to change the model to allow many Auth methods for a single account.
Also you could use email, but that is also an "old" way of uniquely identifying users almost every single person has multiple active email accounts nowadays, so you should also have a one-to-many relation for users to emails. What if the user has different email accounts for their Facebook and Google accounts?
See account linking here: https://auth0.com/docs/users/user-account-linking
It is dangerous to trust that the external providers are truthful about what email belongs to who. What if I open a new account using someone else's email on one of the providers? Then I can log into that users account in your application, which is a pretty big security risk.
Great site overall! Love the overall look and feel of it.
Some advice:
When you eventually implement a login system, use a system that authenticates via OAuth with existing providers, like the "Login with Google" button. That way, you don't have to deal with password management. I recommend a service like Auth0 to handle that for you.
I like that the Ascension Planner stores in local storage. One recommendation I have is that ascension materials should have the background of their icons colored by rarity (for easy evaluation at a glance).
Additionally, the Summary pane should be sorted into categories: Mob Drops (for things like Masks), Boss Drops (for things like Lightning Prisms), and Domain Drops (split into days, so one row for each of Monday/Thursday, Tuesday/Friday, and Wednesday/Saturday). The goal being that I can quickly visualize what domains I can use my stamina on today, what Bosses I still need to fight, and whether there are drops I still need to go hunting for in the world.
Overall, nice start to a great site. Keep it up!
Technically, yeah. I don't know if it's the best option for you, though.
Is Django the piece that actually authenticates users? You can use asymmetric signing (public/private key). Sign the JWT with the private key on Django, and share the public key however you want (JWKS / well-known endpoint, or just copy the public key over manually). The public key can be used to verify those JWTs but not sign new ones.
Passive/silent authentication across domains will be broken and there isn’t a way to fix that. This refers specifically to client side JS initiating an authentication request on page load where IDP and SP are on different domains. Cookies indicating session status cannot be transported in context across domains like that when Google kills 3rd party cookies in 2022.
Here is Auth0 article that can explain it a little bit more: https://auth0.com/docs/authorization/configure-silent-authentication
Oidc and saml authentication will work fine when the user is doing a top level navigation between domains.
> JavaScript is the only client side scripting language available on all browsers
...which is exactly the only reason anybody uses it in the first place.
Netscape <em>almost</em> put Scheme, Python or Tcl in the browser instead, but unfortunately for the world, Brandon Eich was just good enough to cowboy-code some barely-working, poorly-designed shit to beat the deadline Netscape imposed. If only he were slightly more incompetent, he would have failed and we would have ended up with a good browser scripting language instead.
This site has a few tools. I do not vouch for any of them as it is 3 years old. https://auth0.com/blog/migrating-a-php5-app-to-7-part-three/
I strongly recommend that you make sure the code is in a git repository, create a new branch, and use docker or another virtualization technique to test the code.
This is a pretty good article by Auth0 that covers authentication strataegies at a high level. You can replace Auth0 with lots of other solutions.
I'm actively trying to learn this stuff too, best of luck finding resources and applying it.
Auth0 gave a writeup:
https://auth0.com/blog/why-sms-multi-factor-still-matters/
it's mostly used for spear phishing, you already know the phone and do some social engineering to clone the sim card. It's much, much better than no MFA, don't get me wrong, of course.
Pretty sure it's true, but I'm willing to be enlightened? Here's another discussion on this very issue half a year ago: https://www.reddit.com/r/duckduckgo/comments/bsmg5x/comment/eotnvv6 And an article discussing Google's plans to ban Webview Oauth requests: https://auth0.com/blog/google-blocks-oauth-requests-from-embedded-browsers/
> Considering that this website did generate a new password for me, would you think that they stored my old one or stored it in plain text?
It's entirely possible.
​
> I heard someone say they store passwords in unsalated sha1. Whatever that means.
Salting a password just means that when you enter your password during registration, the server or website either prepend or append additional characters onto the password you enter to make sure it's unique in the database. Even in the event that it isn't unique, it's still more complex, so it takes more work to crack it. If someone gains access to a user/pass table they shouldn't be able to tell what anyone's passwords are.
​
Additional info:https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
> I need user accounts and user management, as the database content is user-driven
Entirely possible with Gatsby. You set up auth guards the same as you would with any other app. Auth0 blog is a pretty good starting point.
>I would like to have a comment system as well, and maybe even a rating system (eventually)
Also entirely doable, you'll just need to write the same backend as you would for any other app to CRUD these. (I'm a fan of Nest personally, but it's more Angular than React...). Long story short: user gets token, maybe from Auth0, user token is sent to your backend and associated records are returned.
Not offhand; this Auth0 article seems decent. You can use Redis or something if you really want to keep it out of your database.
Is database bloat really a problem, though? Revoking a token should be a rare event, and you can delete the revocation after the token expires. But is it even that much overhead to just store the tokens in the database (i.e. a whitelist, or sessions) in the first place? How many people are logging into your app?
I Just finished using this. It's really good and clearly written.
https://auth0.com/blog/real-time-charts-using-angular-d3-and-socket-io/
>Fai considerare seriamente al tuo committente la questione GDPR, considerato che, anche se clienti, il regolamento europeo richiede esplicito consenso registrato per qualsiasi tipo di informazione.
Si, già fatto presente tutto questo contesto (la mia vecchia azienda gestiva dati di qualsiasi tipo e riservatezza) , sto aspettando che mi rispondano su questo.
Comunque pensavo di utilizzare Auth0 per permettere l'accesso alla web app "passwordless" fornendo un link con token jwt direttamente nella mail di rischiesta alla prenotazione spedita da parte dell'azienda al cliente. La webapp pensavo di usare Angular e Material così da non pensare nè a tutte quelle menate che richiede il responsive e nemmeno ad altre integrazioni con altre librerie
Python/Flask is brilliant. I use it all the time for work applications.
If you're using an SQL database like MySQL, you can use a wrapper for Python called SQLAlchemy. Instead of having to write ugly SQL queries, SQLAlchemy can let you write Python style code instead while it handles converting it to an SQL query in the background. The positive of this is if you stat off using a local DB for testing like SQLite, you won't have to do any massive code editing if you decide to transitions to an online database
>Can we get a flask project/database hosted or will be need to transition into some other framework for hosting?
You can use Google Cloud Platform to host it for free(ish), it took me about 30 minutes to get my project up and running on it. There's others like Heroku, PythonAnywhere, AWS
>Can we adequately secure database information through flask and host providers?
Yes, remember to hash/salt passwords, BUT! I would however, recommend handing over user authentication to a third party like Auth0 (https://auth0.com/) You get like 7,000 free users and unlimited logins. They handle all the user login/logout, and you can just worry about storing whatever data you're storing.