Collaborate Disseminate
I have seen a few samples of SRP protocol used for web applications and I wonder why nobody ever uses it for RESTful authentication. I have done some research and I couldn’t find any single example, not even one. SRP together… Continue reading Why isn’t Secure Remote Password protocol being used in REST APIs?
Let’s set up the environment before coming to my question.
We have an web application which will be accessible by browsers/clients over HTTPS.
Monstly only accessible in the intranet ( rarely over the internet )
Frontend using Angular
Ba… Continue reading Do I need additional encryption on top of HTTPS for a REST API?
I’m trying to get my head around how PKCE works in a mobile app and there’s something I don’t quite understand.
So from what I can gather the client app creates a random cryptographically secure string known as the code-veri… Continue reading What is PKCE actually protecting?
JWE is often used in REST APIs to send encrypted messages. However, I need to send a file that could be GBs in size. I have tried to find any information about the maximum length limit of the plaintext that can/should be the … Continue reading Large encrypted files to be sent in REST API response
The scenario is that the same code library is used by both client and server to encrypt/decrypt messages. The server application uses the library’s encryption function to encrypt some content (that needs to be protected) and … Continue reading Content-Type for a JWE Compact Serialization payload
The scenario is that the same code library is used by both client and server to encrypt/decrypt messages. The server application uses the library’s encryption function to encrypt some content (that needs to be protected) and sends the seri… Continue reading Content-Type for a JWE Compact Serialization payload
I have two API’s used in auth:
api/auth/newtoken: Successfully validates user (i.e. username and password check in DB) and return token (expirers in 3 days) and refreshToken.
api/auth/updatetoken: When the token is expired … Continue reading How to secure refresh token API’s?
I started working on an app that connects to a RESTful service for authentication and data. User POSTs the user name and password to /token endpoint.
Once they log in successfully, they get a bearer token that they then appe… Continue reading Spoofing POST/GET requests in a RESTful service
To be RESTful, an API should respect the 5.1.3 article:
5.1.3 Stateless
[…] each request from client to server must contain all of the
information necessary to understand the request, and cannot take
advantage of any stored context on the server. Session state is
therefore kept entirely on the client. […]
We want to use SRP challenge for authentication and we also want to sign each request (method + URL + arguments + headers) from the browser with ECDSA P-256 keys, the server already known the public key of each authorized device.
We have 2 ideas, after the user successfully sign in:
1) Returning an « authorizationToken » (256 bits) to add in request header « Authorization: lakano (authorizationToken) ». On the server side, we save in Redis this authorization token with all user details (userID, ACL, timestamp, deviceECDSAPublicKey). Then for next received requests, we extract the authorization token, look in the Redis DB, verify the request signature, and get all the user details. When a request ask for updating the connected user’s profile, we also need to give in the request’s parameters the userID (even if we already known who is it, to respect the 5.1.3 article).
Do you think this fully respect the 5.1.3 article please?
2) Returning all users details (userID, ACL, timestamp, devicePublicKey…) but encrypted by the server with a strong AES-GCM password. For each request, the browser need to put this encrypted information in « Autorization: lakano base64(encryptedUserDetails) ». So, there is nothing stored in the Redis/DB, this should respect the RESTful 5.1.3 article, but this also need more power/time to decrypt each time the user details.
For each idea, there is also a « X-Signature: (signature) » header with the client signature.
Could you tell me if the 1st idea is really RESTful, and which one is the best choice from a security point of view please?
PS: we know we could also use JWT, but we would like to see if these alternative are RESTful and secure enough.
Continue reading Do we need an Authorization header encrypted to keep an API RESTful?
I manage an open-source software project that relies on data that I am happy to share with the public. The software is hosted on github.com, but the dataset is too large to host there. It is easiest to keep the dataset in the… Continue reading Public guest user for PostgreSQL?