What kind of authentication should I use for my API?

I’m building a SaaS-type REST API (B2B) and naturally I need to use some kind of authentication. The requirements/background are as follows:

  • Needs to support both browser and mobile clients.
  • Some time in the future we’re expecting external companies to use the API.
  • This is not some huge application; we’re expecting it to run fine on a single server for quite a while.
  • Must support 2FA.
  • Authorization will likely be done with user roles.
  • The application is monolithic.

Initially, I figured this was a perfect fit for JWT: tamper proof, stateless, etc. However, I’m left with a couple of questions:

  1. If a token is lost/stolen and we know this, how do we stop it from being used?
  2. How could a user invalidate an existing session (e.g. “I’ve lost access to my phone, please invalidate the token(s) associated with my phone”)?

For problem 1 I usually see three solutions:

  • Use a short expiration time on the token
  • Keep a blacklist of tokens.
  • Refresh the secret key on the authorization server.

Keeping a short expiration time would mean that users would have to regularly log in again, unless we’re using a refresh token. However, we’re back to step 1 if the refresh token is lost. Keeping a blacklist of invalidated tokens seems fine, but it also means we’re keeping state again, which makes the whole reason to use JWT pointless again. Refreshing the secret key also invalidates all other sessions. This seems like an odd choice to me: why should all sessions be invalidated due to a single compromised token?

Problem 2 seems to usually be solved by keeping a list of tokens. This seems very similar to a blacklist and is therefore subject to the same criticism.

Given the requirements and the pretty small size of the application, is there any reason why I shouldn’t just use a normal session token and keep the state of my sessions in the DB? Performance might be an issue, but I could easily cache sessions in a separate process (Elixir).

What would be the most fitting type of authentication here?

BitLocker: does additional authentication at startup with a TPM device provide any extra security?

Will enabling additional authentication at startup provide any extra security with BitLocker? At the moment, my laptop boots straight into a Windows login where I use a PIN. If I chose not to use a PIN and instead used a complex password, would that provide the same level of security as authentication at startup?

Thanks,

Proper implementation of JWT authentication in mobile app

I’m building a mobile app that connects to a Python Flask API and backend.

Currently, I am using JWTs for authentication. The expiration of the token is set to be 6 months in advance.

What worries me is that this is a long time for the token to be valid.

I’ve heard of people using short-lived tokens combined with a “refresh token”.

I’m not sure how this works though.

So my question is:

  1. What should I do to make this more secure? Should I use refresh tokens?

  2. If refresh tokens are the best option, could someone either try to explain them to me so I have enough of an understanding to code my own implementation, or point me to some good resources where I could find such information?
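The first question on this page (how to stop a stolen token from being used, and how to invalidate just one device's sessions without a per-token blacklist) and this one (how short-lived tokens combined with refresh tokens work) describe the same pattern, so one worked illustration is added here for both. It is not code from either poster's project: the minimal HS256 JWT helpers, the `SessionStore` class, the secret, the lifetimes and the sample users are all constructed for the example. The design point is that the server keeps one small record per login (user plus device) rather than a list of every token ever issued: the access JWT is stateless but names its session, the refresh token is opaque, stored hashed and rotated on every use, and replay of an already-rotated refresh token kills that session.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo values; a real deployment loads the key from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"
ACCESS_TTL = 15 * 60              # access tokens live 15 minutes
REFRESH_TTL = 30 * 24 * 60 * 60   # a refresh token is good for 30 days after issue


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def jwt_encode(claims: dict) -> str:
    """Minimal HS256 JWT, enough to show the flow without a library."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def jwt_decode(token: str, now: float) -> Optional[dict]:
    """Return the claims only if the signature checks out, alg is HS256 and exp is in the future."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":   # refuse alg=none and friends
            return None
        claims = json.loads(_unb64(body))
    except ValueError:   # wrong segment count, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """One record per login (user + device). Access tokens are stateless JWTs that
    carry the session id; refresh tokens are opaque, stored hashed and rotated."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def _access_token(self, user: str, sid: str, now: float) -> str:
        return jwt_encode({"sub": user, "sid": sid, "iat": int(now), "exp": int(now) + ACCESS_TTL})

    def _rotate_refresh(self, sid: str, now: float) -> str:
        refresh = f"{sid}.{secrets.token_urlsafe(32)}"   # sid prefix lets refresh() find the record
        self.sessions[sid]["refresh_hash"] = _digest(refresh)
        self.sessions[sid]["refresh_exp"] = now + REFRESH_TTL
        return refresh

    def login(self, user: str, device: str, now: float):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "device": device, "revoked": False}
        return self._access_token(user, sid, now), self._rotate_refresh(sid, now)

    def authenticate(self, access_token: str, now: float) -> Optional[str]:
        """Stateless check of the JWT, then one lookup to see whether its session still lives."""
        claims = jwt_decode(access_token, now)
        if claims is None:
            return None
        sess = self.sessions.get(claims.get("sid"))
        if sess is None or sess["revoked"]:
            return None
        return claims["sub"]

    def refresh(self, refresh_token: str, now: float):
        sid, _, _ = refresh_token.partition(".")
        sess = self.sessions.get(sid)
        if sess is None or sess["revoked"] or sess["refresh_exp"] <= now:
            return None
        if not hmac.compare_digest(sess["refresh_hash"], _digest(refresh_token)):
            # The presented token was already rotated away: either a stale client or a
            # stolen copy being replayed. Revoke the whole session rather than guess.
            sess["revoked"] = True
            return None
        return self._access_token(sess["user"], sid, now), self._rotate_refresh(sid, now)

    def revoke_device(self, user: str, device: str) -> int:
        """'I lost my phone': revoke every live session for that device and nothing else."""
        count = 0
        for sess in self.sessions.values():
            if sess["user"] == user and sess["device"] == device and not sess["revoked"]:
                sess["revoked"] = True
                count += 1
        return count
```

The access token still gets checked without a database hit for signature and expiry; the single `sessions` lookup that follows is what makes revocation possible, and it costs one row per login rather than one per issued token, which is the blacklist objection from the first question. If the refresh token itself is stolen, the thief and the real client end up presenting the same token after one rotation, and whichever arrives second trips the replay check and revokes the session.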

Authentication, business logic and several entities in ASP.NET Core

I’m working on an ASP.NET Core application, using Identity for authentication/authorization management. Depending on the role, the user can do “some thing”; this is the normal way of authorization. But when the user is an entity related to another entity, the business logic gets ambiguous. This is a pseudo-code example:

    class Roles { public const string Bartender = "Bartender"; public const string Admin = "Admin"; }
    class User : IdentityUser { /* roles are assigned through Identity */ }
    class Bartender : User { }
    class Bar { public Bartender Worker { get; set; } }

The business logic says that only the Bartender associated as Worker can work in a bar, so the authenticated user must fulfil this restriction. The problem is that the User must have the role “Bartender” and also be a Bartender: two requirements, not one. We can work with this double restriction, but if there is a better or an alternative solution I want to know.

SharePoint Foundation 2013 FBA (claims-based authentication issue)

I’m trying to configure FBA on SharePoint 2013 Foundation. Followed each step described in TechNet. Still getting the error:

An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs..

Maybe in the past I have seen some comments regarding this from your side, but now I am not able to get it. Kindly help.

Apache 2.4 mutual authentication – AH01797: client denied by server configuration

So I’m trying to set up Apache 2.4 mutual authentication on a virtual host configuration.

Given the below environment, what am I missing?

Server is: Slackware 14.2 x64, Apache 2.4.39, OpenSSL 1.0.2r

Client is: Windows 8.1 x64, Firefox Quantum 66.0.3 (64-bit)

So far I have:

  • Generated a self-signed root certificate (CA).
  • Generated a server key pair, signed by CA.
  • Generated a client key pair, signed by CA.
  • Generated a client .p12 certificate from client key pair and CA.
  • Added CA to /usr/local/share/ca-certificates/, and ran # update-ca-certificates -v
  • In Firefox, imported CA under Certificate Manager, Authorities.
  • In Firefox, imported .p12 certificate under Certificate Manager, Your Certificates.
  • Configured Apache to use server certificates. Yay, that’s working.

To test certificates I ran:

    # openssl s_client -connect www.example.com:443 \
      -cert ./client.crt \
      -key ./client.key \
      -CAfile ./CA/ca.crt \
      -state -debug

Which ends with Verify return code: 0 (ok) but with no sign of the client certificate in the output. Full output below.

All this resulted in an error: AH01797: client denied by server configuration

Apache VirtualHost Configuration:

    <VirtualHost www.example.com:443>

        ServerName www.example.com
        ServerAdmin webmaster@example.com

        DocumentRoot "/home/username/local/www/php-dev"

        ErrorLog /home/username/local/www/log/example.com-username.error.log
        TransferLog /home/username/local/www/log/example.com-username.access.log

        SSLEngine on
        #SSLVerifyClient none
        SSLCertificateFile      "/etc/httpd/certs/www.example.com.crt"
        SSLCertificateKeyFile   "/etc/httpd/certs/www.example.com.key"
        #SSLCACertificatePath   "/etc/httpd/certs"
        SSLCertificateChainFile "/etc/httpd/certs/ca.crt"
        SSLCACertificateFile    "/etc/httpd/certs/ca.crt"

        <Directory "/home/username/local/www/php-dev">
            Options +Indexes +FollowSymLinks +MultiViews -Includes

            #RewriteEngine on
            #RewriteBase /

            AllowOverride None
            #AllowOverride AuthConfig

            Order allow,deny
            Require all granted

            # require a client certificate which has to be directly
            # signed by our CA certificate in ca.crt
            SSLVerifyClient         optional
            SSLVerifyDepth          1
            SSLOptions              +FakeBasicAuth
            #SSLRequire             (%{SSL_CLIENT_S_DN_Email} eq "hostmaster@example.com")

            # Use this option to match on DNS (This is working)
            #Require                    forward-dns client.example.com
            #Require                    valid-user

        </Directory>

    </VirtualHost>

OpenSSL test output:

    # openssl s_client -connect www.example.com:443 -cert ssl-ca/acer-64bit-firefox-auth.crt -key ssl-ca/acer-64bit-firefox-auth.key -state -debug
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    write to 0x1cdb1a0 [0x1dcc6e0] (305 bytes => 305 (0x131))
    0000 - 16 03 01 01 2c 01 00 01-28 03 03 0f 0b 13 4d 54   ....,...(.....MT
    ( **CUT** )
    0120 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01   ................
    0130 - 01                                                .
    SSL_connect:SSLv2/v3 write client hello A
    read from 0x1cdb1a0 [0x1dd1c40] (7 bytes => 7 (0x7))
    0000 - 16 03 03 00 42 02 00                              ....B..
    read from 0x1cdb1a0 [0x1dd1c4a] (64 bytes => 64 (0x40))
    0000 - 00 3e 03 03 3e 28 62 eb-32 a9 4d 87 b7 93 f9 f1   .>..>(b.2.M.....
    ( **CUT** )
    0030 - 0b 00 04 03 00 01 02 00-23 00 00 00 0f 00 01 01   ........#.......
    SSL_connect:SSLv3 read server hello A
    read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
    0000 - 16 03 03 07 23                                    ....#
    read from 0x1cdb1a0 [0x1dd1c48] (1827 bytes => 1827 (0x723))
    0000 - 0b 00 07 1f 00 07 1c 00-03 da 30 82 03 d6 30 82   ..........0...0.
    0010 - 03 3f a0 03 02 01 02 02-01 1a 30 0d 06 09 2a 86   .?........0...*.
    ( **CUT** )
    0700 - bb 65 62 8d a1 03 94 54-5a f8 23 07 ed 35 c8 36   .eb....TZ.#..5.6
    0710 - 06 a4 35 82 54 22 76 b7-8d c0 c7 e5 4c ee 17 b9   ..5.T"v.....L...
    0720 - 43 2a 58                                          C*X
    depth=1 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Certification Services Division, CN = Company Name Root CA, emailAddress = hostmaster@example.com
    verify return:1
    depth=0 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Secure Server, CN = www.example.com, emailAddress = hostmaster@example.com
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
    0000 - 16 03 03 01 4d                                    ....M
    read from 0x1cdb1a0 [0x1dd1c48] (333 bytes => 333 (0x14D))
    0000 - 0c 00 01 49 03 00 17 41-04 dc 35 93 bc 84 e3 52   ...I...A..5....R
    0010 - 7a c8 fa 92 fe 6f b3 23-fe 6d d6 fe 3b 07 d9 3a   z....o.#.m..;..:
    ( **CUT** )
    0130 - a8 67 ac 50 95 4f 85 1a-48 cd 8b 86 c3 8a 38 b6   .g.P.O..H.....8.
    0140 - 6c 2e b8 0c b2 a6 a8 6b-3f c1 c0 82 47            l......k?...G
    SSL_connect:SSLv3 read server key exchange A
    read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
    0000 - 16 03 03 00 04                                    .....
    read from 0x1cdb1a0 [0x1dd1c48] (4 bytes => 4 (0x4))
    0000 - 0e 00 00 00                                       ....
    SSL_connect:SSLv3 read server done A
    write to 0x1cdb1a0 [0x1ddbae0] (75 bytes => 75 (0x4B))
    0000 - 16 03 03 00 46 10 00 00-42 41 04 37 fa 53 36 d6   ....F...BA.7.S6.
    ( **CUT** )
    0040 - 34 dd e5 bc 6d 93 d8 40-81 d5 71                  4...m..@..q
    SSL_connect:SSLv3 write client key exchange A
    write to 0x1cdb1a0 [0x1ddbae0] (6 bytes => 6 (0x6))
    0000 - 14 03 03 00 01 01                                 ......
    SSL_connect:SSLv3 write change cipher spec A
    write to 0x1cdb1a0 [0x1ddbae0] (45 bytes => 45 (0x2D))
    0000 - 16 03 03 00 28 9d 77 45-e7 4f 6b 4d 6c 93 9c 74   ....(.wE.OkMl..t
    0010 - 46 b5 a0 ba e2 e2 1a c8-67 ab 7e 64 27 2c 40 9d   F.......g.~d',@.
    0020 - 1b ed 20 7f d2 e7 a9 a3-e3 d1 12 3c 2b            .. ........<+
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
    0000 - 16 03 03 00 ca                                    .....
    read from 0x1cdb1a0 [0x1dd1c48] (202 bytes => 202 (0xCA))
    0000 - 04 00 00 c6 00 00 01 2c-00 c0 b8 fc d9 d3 b5 2e   .......,........
    0010 - d2 59 2a 66 46 e8 c6 bd-b3 de ea 93 78 d8 11 9f   .Y*fF.......x...
    ( **CUT** )
    00b0 - ca 8b 37 58 77 18 57 0c-b7 3e 20 43 a0 a3 25 25   ..7Xw.W..> C..%%
    00c0 - 2e 3a a9 da 07 b4 a7 e6-9e 59                     .:.......Y
    SSL_connect:SSLv3 read server session ticket A
    read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
    0000 - 14 03 03 00 01                                    .....
    read from 0x1cdb1a0 [0x1dd1c48] (1 bytes => 1 (0x1))
    0000 - 01                                                .
    read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
    0000 - 16 03 03 00 28                                    ....(
    read from 0x1cdb1a0 [0x1dd1c48] (40 bytes => 40 (0x28))
    0000 - 77 ac ab 69 7c e6 7f e7-04 47 6d 1d 0b 21 0d 37   w..i|....Gm..!.7
    0010 - 5e a5 9a 8b 2b f7 40 9b-b3 f1 e4 53 18 4e ef 84   ^...+.@....S.N..
    0020 - 2b ad dc 68 07 b7 cc 28-                          +..h...(
    SSL_connect:SSLv3 read finished A
    ---
    Certificate chain
     0 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
       i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
     1 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
       i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIID1jCCAz+gAwIBAgIBGjANBgkqhkiG9w0BAQsFADCBwzELMAkGA1UEBhMCREsx
    EDAOBgNVBAgTB0Rlbm1hcmsxEzARBgNVBAcTCkNvcGVuaGFnZW4xGDAWBgNVBAoT
    ( **CUT** )
    h6Bxy9YXljo0WbpKbr97MC7N8KzG9WWNyRWrhMdCqz5prL4wIzjoGK2Kmn+EMueF
    7B2ok8wsc6HVpaPfS+K4EMlEMosdwRnbZiU=
    -----END CERTIFICATE-----
    subject=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com
    issuer=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2508 bytes and written 431 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 454F4761410ECE47B266860E6F300E9AA9D27AF747B280C7030480CE73B9447C
        Session-ID-ctx: 
        Master-Key: 9EC9F06ADA02FAB9EC1B7A43D15047730A93DF8DAA322F92134A9673D6B8BC059AF1E7EF39FAF1F254C27BEA0C920203
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - b8 fc d9 d3 b5 2e d2 59-2a 66 46 e8 c6 bd b3 de   .......Y*fF.....
        0010 - ea 93 78 d8 11 9f 3d be-63 6b 18 d4 36 73 75 18   ..x...=.ck..6su.
        ( **CUT** )
        00a0 - c4 9a eb d2 04 19 ca 8b-37 58 77 18 57 0c b7 3e   ........7Xw.W..>
        00b0 - 20 43 a0 a3 25 25 2e 3a-a9 da 07 b4 a7 e6 9e 59    C..%%.:.......Y

        Start Time: 1555651633
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5))
    0000 - 15 03 03 00 1a                                    .....
    read from 0x1cdb1a0 [0x1dd1c48] (26 bytes => 26 (0x1A))
    0000 - 77 ac ab 69 7c e6 7f e8-30 5b 8e cd fb b6 90 69   w..i|...0[.....i
    0010 - 01 5e 7f 48 f2 e2 58 c1-ab 7c                     .^.H..X..|
    SSL3 alert read:warning:close notify
    closed
    write to 0x1cdb1a0 [0x1dd6193] (31 bytes => 31 (0x1F))
    0000 - 15 03 03 00 1a 9d 77 45-e7 4f 6b 4d 6d 8a df 5a   ......wE.OkMm..Z
    0010 - a5 3d 1b ac b5 12 3f cb-fb 9d 1a 2b 1c 07 30      .=....?....+..0
    SSL3 alert write:warning:close notify

Does the Apple Music User Token change for every authentication?

I’m trying to identify a user by storing the Apple Music User Token on a database. Is this token the same for an Apple Music user over multiple authentications? I seem to have run into a hiccup here – over the course of the development (me being the only developer), I noticed four different user tokens registered on the database, despite only using one login. I want to double check if the User Token is in fact not the same over multiple authentications before I move to a different method of identification. Also, is there any other way of identifying a user similar to using the User Token, as I’m trying to avoid using a login.

Authentication Broker framework compatible with most IAM service

I am looking for a generic Authentication Broker framework in Java, using the Spring framework, that can integrate my application with any IAM authentication/authorization service like LDAP, RADIUS, SAML, etc. My objective is to create an adapter for software that enrolls organizations that bring their own Single Sign-On implementation.