Should I create a User model for my Mongodb database even though I am using Okta for authorization? [on hold]

It seems like okta can be treated as a database for users. Should I use it to store all the information for each user, or should I just store the username, password, etc there and still create a user model in my mongo database?

How to prevent querying each user each time when having per microservice authorization? [on hold]

I am trying to find a good approach for authentication and authorization of a user in a microservice-application.

Currently I have the following idea:

authentication and authorization using JWT

In regards to the sequence diagram I have the following questions:

  1. [step 12] and [step 16] check for a permission, which is necessary on the server-side. Where are those permissions supposed to be stored?
  2. What about the note (after [step 20])? Possibilities:
    1. Issue an additional signed Token, that contains permissions / roles for the message service. This token can be acquired during [step 13].
    2. Re-issue existing JWT, include permissions / roles for the message service. This token can be acquired during [step 13].
    3. Issue a server-side request, that returns information about whether a certain GUI-area should be displayed.

If in 2.1 or 2.2 the client-token is modified, the user is able to access GUI-areas, which should not be available to him. However: any subsequent service calls will not succeed, because the modified (nor the original) token permits access to corresponding server-calls to the user.

In 2.3 the microservice is queried each time the GUI has to decide whether to display a GUI-area or not.

How to keep authorization model maintainable on calls between different microservices?

In our environment (as in many others), it is often the case that one microservice must call another in order to accomplish a task.

In our environment, authentication is clear enough – we have a signed JWT containing a list of permissions and roles, as well as a user ID, client ID, and so on.

What we’re less clear on is authorization – ensuring that the authenticated client can (or can’t) do the right stuff, but that the underlying services have all the access they need to do their jobs (even if the client wouldn’t be able to do the same things directly).

We’ve examined a few different options:

  1. Each service does all of its own authorization, and if a privilege escalation is needed, it generates a “God mode” token with an otherwise unchanged payload and a different keypair and makes the call using that. The main concern here is copy/pasted authorization code, and the fact that there’ll be a strong incentive to just always enable God mode when making cross-service calls (which makes it somewhat redundant).
  2. Each service does all of its own authorization, and just forwards the user’s token if it needs to make a call. The concern here is code duplication like in option 1, and also the fact that this is likely to cause a complex interdependent web of permissions that imply other permissions that imply other permissions that… (ad nauseam), creating a maintenance headache as the number of services grows.
  3. A lightweight API gateway service that does “simple” authorization (nothing more advanced than “is this client allowed to use this endpoint at all?”), attaches a user object to the payload, and leaves more specific behaviours to the underlying services, which accept any call as being authorized out of the gate. The major concern with this option is performance and stability – the API gateway service creates a single point of failure that can make the entire system inaccessible if it malfunctions, plus creating a frequently-changing dependency for every service.

The question here is twofold:

  1. Are there any additional pitfalls to the three patterns described above that we haven’t considered?
  2. Which of these is the most common in the wild?

Note that this question is not about service mesh offerings like Istio, as we consider them to be somewhat orthogonal to this issue.

SharePoint windows Authentication with Custom Authorization

Is there any way to configure windows Authentication with Custom Authorization in SharePoint 2013/2016. We want user to be authenticated with window credentials and SharePoint objects should be accessible based on access mapping rule configured in another external data source (Oracle/SQL). SharePoint search should also display the result based on external access mapping.

Thanks in advance.

Regards, Ravi

What’s the standard way to show downloading notification to user for file downloads that require authorization in web applications?

Our web application needs to enable secured file download by requiring HTTP requests to have authorization token.

Due to this, when user clicks download the file will be retrieved using AJAX GET request with the access token. Once the file is in memory, it will be saved to user’s hard drive using temporary link pointing to file’s data in memory.

Because of this approach, browser doesn’t show download progress immediately like in normal file download (in the bottom bar in Chrome). We need a way to tell user that something is going on as it may take some time to retrieve the file data.

We are thinking of showing a toast message and dismiss it when done. I haven’t seen many examples of this on the net in many websites.

What is the standard way (if there is any) to do this?

Integrating Web Chat using React getting 403 Authorization error

Hi Below is the code I have adapted from https://github.com/microsoft/BotFramework-WebChat/tree/master/samples/03.a.host-with-react

<!DOCTYPE html> <html lang="en-US">   <head>     <title>Web Chat: Integrate with React</title>     <meta name="viewport" content="width=device-width, initial-scale=1.0">     <!--       For simplicity and code clarity, we are using Babel and React from unpkg.com.     -->     <script src="https://unpkg.com/babel-standalone@6/babel.min.js"></script>     <script src="https://unpkg.com/react@16.5.0/umd/react.development.js"></script>     <script src="https://unpkg.com/react-dom@16.5.0/umd/react-dom.development.js"></script>     <!--       For demonstration purposes, we are using the development branch of Web Chat at "/master/webchat.js".       When you are using Web Chat for production, you should use the latest stable release at "/latest/webchat.js",       or lock down on a specific version with the following format: "/4.1.0/webchat.js".     -->     <script src="https://cdn.botframework.com/botframework-webchat/master/webchat.js"></script>     <style>       html, body { height: 100% }       body { margin: 0 }        #webchat {         height: 100%;         width: 100%;       }     </style>   </head>   <body>     <div id="webchat" role="main"></div>     <script type="text/babel">         (async function () {         // In this demo, we are using Direct Line token from MockBot.         // To talk to your bot, you should use the token exchanged using your Direct Line secret.         // You should never put the Direct Line secret in the browser or client app.          const headers = {"Authorization", "Bearer <'secret key'>"}         const res = await fetch('https://directline.botframework.com/v3/directline/tokens/generate', { method: 'POST' }, {Headers:headers} );          const { token } = await res.json();         const { ReactWebChat } = window.WebChat;          window.ReactDOM.render(         <ReactWebChat directLine={ window.WebChat.createDirectLine({ token }) } />,         document.getElementById('webchat')         );          document.querySelector('#webchat > *').focus();         })().catch(err => console.error(err));     </script>   </body> </html> 

Below is the Error I am getting enter image description here

Exploitability of allowed wildcard (*) CORS Origins with Bearer Token Authorization

I’m looking at the following setup. A web application uses a REST API to communicate with the server. All API responses include Origin: *. For authorization Authorization: Bearer <token> is used. Access-Control-Allow-Headers: Authorization is also included for appropriate preflight requests.

As Origin: * is configured, modern browsers will not send authorization data, such as the bearer token.

This makes it impossible to use API requests across domains, which require authorization (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials).

I’m struggling to justify, why this should be considered a vulnerability. It is bad practice to allow any origin. It could lead to data leakage, but not in this scenario.

Could this be exploited in another way, I’m not seeing right now, or is this in fact just bad practice and does not pose an actual threat?

¿Como resolver la cabecera de solicitud: Access-Control-Request-Headers: authorization de Angular 6 o de Laravel?

El backend devuelve el siguiente error: Código de estado: 403

El frontend (Hecho con Angular) solicita este recurso a backend (Hecho con Laravel APIREST) se trata de una una peticion/respuesta entre subdominios:

frontend.empresa.com solicita a backend.empresa.com/api/v1/schedule/mychapters

Por cuestiones de seguridad no anotaré las urls respectivas

Tengo entendido el asunto de CORS; pues el Frontend antes de solicitar un recurso 1ero envia una solicitud con el metodo OPTIONS con las Cabeceras:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: es-BO Accept-Encoding: gzip, deflate Access-Control-Request-Method: GET Access-Control-Request-Headers: authorization Referer: frontend.empresa.com/ Origin: frontend.empresa.com DNT: 1 Connection: keep-alive Cache-Control: max-age=0 

Pues la cabecera de Respuesta del backend es la siguiente:

HTTP/1.1 403 Forbidden Date: Fri, 31 May 2019 04:49:49 GMT Server: Apache Cache-Control: no-cache, private Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Content-Length: 18 Keep-Alive: timeout=5, max=75 Content-Type: text/html; charset=UTF-8 

Sobre CORS ya lo solucionamos mediante un middleware. El archivo route/api.php ya contiene el framento para resolver el CORS con el metodo OPTIONS

Lo que me parece raro es la cabecera de solicitud del frontend Access-Control-Request-Headers: authorization, cuando en realidad creo que debe contener Content-Type o X-Requested-With incluido el Authorization: Bearer [token]

He colocado en el CORS del Backend todos los Access-Control-Allow-Headers con Accept, Authorization, Content-Type, Origin, X-Auth-Token, X-Requested-With

Pero aun asi no nos retorna el recurso correspondiente