[web2py] Re: Questions about authentication and authorization

2015-09-24 Thread Massimo Di Pierro
Each app (provider and consumer) has its own session cookies. An 
authentication gets passed between the two at login, similarly to OAuth.

On Sunday, 20 September 2015 18:54:44 UTC-5, Luis Valladares wrote:
>
> After some discussion with my team we came up with this architecture:
>
> We will have a service to manage authentication and authorization; all our 
> services will query it in order to get permissions and credentials. For 
> authentication we will use CAS and for authorization RBAC sent over JSON.
>
> I've another question: exactly how does CAS work? I mean, I know the theory 
> that you log in at the CAS provider and you will be logged in at the CAS 
> consumer, but how does this work? With session cookies and a token? Or how 
> does CAS communicate with the consumers?
>

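The hand-off Massimo describes, as an added example that is not web2py's CAS code and not part of the original thread: a simplified model of the CAS ticket flow in plain Python, where the provider and the consumer each keep their own session cookie and the only thing that crosses between them is a short-lived, single-use ticket bound to the service it was issued for. The class names, URLs and the ten-second ticket lifetime are assumptions for this example; the real protocol carries the ticket on a browser redirect and the consumer validates it with a server-to-server request to the provider.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TICKET_TTL = 10.0   # assumption: service tickets live ten seconds and are single-use


class CasProvider:
    """Identity provider: owns the login session and issues service tickets."""

    def __init__(self, allowed_services):
        self.allowed_services = set(allowed_services)   # assumption: explicit allow-list
        self.sessions = {}   # provider cookie -> username (never leaves the provider)
        self.tickets = {}    # service ticket -> (username, service, issued_at)

    def login(self, username):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def login_redirect(self, cookie, service):
        """Browser hits /cas/login?service=...: return the redirect URL carrying a
        fresh ticket, or None when there is no provider session or the service
        is not on the allow-list."""
        username = self.sessions.get(cookie)
        if username is None or service not in self.allowed_services:
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (username, service, time.time())
        return service + "?" + urlencode({"ticket": ticket})

    def validate(self, ticket, service):
        """Consumer calls /cas/validate?ticket=...&service=... server-to-server.
        The ticket is consumed on first use whether or not it validates."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        username, bound_service, issued_at = entry
        if time.time() - issued_at > TICKET_TTL:
            return None
        if bound_service != service:     # a ticket only validates for its own service
            return None
        return username


class CasConsumer:
    """Relying application: its own session store, never sees the provider cookie."""

    def __init__(self, provider, service_url):
        self.provider = provider
        self.service_url = service_url
        self.sessions = {}   # consumer cookie -> username

    def handle_callback(self, redirect_url):
        """Browser arrives at service_url?ticket=...; validate on the back channel
        and only then start a session in this app."""
        parts = urlsplit(redirect_url)
        if parts.scheme + "://" + parts.netloc + parts.path != self.service_url:
            return None
        ticket = parse_qs(parts.query).get("ticket", [None])[0]
        if not ticket:
            return None
        username = self.provider.validate(ticket, self.service_url)
        if username is None:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def current_user(self, cookie):
        return self.sessions.get(cookie)


def demo_flow():
    """One login; returns (consumer's view of the user, replay result, cross-service result)."""
    app_url = "https://app.example.test/default/index"
    other_url = "https://other.example.test/default/index"
    provider = CasProvider([app_url, other_url])
    app = CasConsumer(provider, app_url)

    provider_cookie = provider.login("alice")                     # 1. login at the provider
    redirect = provider.login_redirect(provider_cookie, app_url)  # 2. redirect with ticket
    app_cookie = app.handle_callback(redirect)                    # 3. validate, own session
    replay = app.handle_callback(redirect)                        # 4. same ticket again
    redirect2 = provider.login_redirect(provider_cookie, app_url)
    ticket2 = parse_qs(urlsplit(redirect2).query)["ticket"][0]
    cross = provider.validate(ticket2, other_url)                 # 5. wrong service
    return app.current_user(app_cookie), replay, cross
```

demo_flow() returns ("alice", None, None): the consumer ends up with its own session for alice, replaying the same ticket fails because validation consumed it, and a ticket issued for one service does not validate for another. In web2py the same roles are played by the provider's user/cas/login and user/cas/validate actions and by the cas_provider argument to Auth on the consumer side.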
-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[web2py] Re: Questions about authentication and authorization

2015-09-20 Thread Luis Valladares
After some discussion with my team we came up with this architecture:

We will have a service to manage authentication and authorization; all our 
services will query it in order to get permissions and credentials. For 
authentication we will use CAS and for authorization RBAC sent over JSON.

I've another question: exactly how does CAS work? I mean, I know the theory 
that you log in at the CAS provider and you will be logged in at the CAS 
consumer, but how does this work? With session cookies and a token? Or how 
does CAS communicate with the consumers?

On Monday, 14 September 2015, 21:54:30 (UTC-4:30), Luis Valladares 
wrote:
>
> Thanks for your answer!
>
> I've been reading about JWT too, and I consider it for application 
> authorization; the thing is I don't feel comfortable sending the parameters 
> through JSON, I prefer to send them via POST parameters and so on, but after 
> reading the link you posted it sounds like a good solution for app 
> authentication, and I will consider this along with the Amazon approach and 
> OAuth2. The thing that is really bothering me is the authorization of 
> users. Any suggestion on this field?
>
> Thank you very much!
>

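For the authorization half of this architecture, an added example (not code from the thread and not web2py's own) of RBAC carried as JSON: the central service answers with the user's roles and each role's permissions, and the consuming service flattens that into a permission set and evaluates it deny-by-default. The JSON field names, the AUTHZ_RESPONSE sample and the requires_permission decorator are assumptions for this example; the (action, resource, record_id) triple mirrors the (name, table_name, record_id) shape of web2py's own auth.has_permission.

```python
import json
from functools import wraps

# Constructed sample of the authorization service's JSON answer for one user;
# the field names are assumptions for this example.
AUTHZ_RESPONSE = json.dumps({
    "user_id": 42,
    "roles": ["editor", "reader", "retired-role"],
    "role_permissions": {
        "reader": [{"action": "read",   "resource": "article", "record_id": "*"}],
        "editor": [{"action": "update", "resource": "article", "record_id": "*"},
                   {"action": "delete", "resource": "article", "record_id": 17}],
        "admin":  [{"action": "*",      "resource": "*",       "record_id": "*"}],
    },
})


class PermissionDenied(Exception):
    pass


class Policy:
    """Flattened permission set for one user, built from the service's JSON."""

    def __init__(self, doc):
        data = json.loads(doc)
        self.user_id = data["user_id"]
        granted = set()
        for role in data["roles"]:
            # a role the service lists no permissions for grants nothing
            for p in data["role_permissions"].get(role, []):
                granted.add((p["action"], p["resource"], str(p["record_id"])))
        self.granted = frozenset(granted)

    def has_permission(self, action, resource, record_id=None):
        """Deny by default. record_id=None asks for the resource-wide permission,
        which a grant scoped to a single record must not satisfy."""
        wanted = "*" if record_id is None else str(record_id)
        for a, r, i in self.granted:
            if a in ("*", action) and r in ("*", resource) and i in ("*", wanted):
                return True
        return False


def requires_permission(action, resource):
    """Decorator in the spirit of web2py's auth.requires_permission; the wrapped
    function takes the caller's Policy first and the record id as record_id."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(policy, *args, **kwargs):
            record_id = kwargs.get("record_id", args[0] if args else None)
            if not policy.has_permission(action, resource, record_id):
                raise PermissionDenied("%s %s %s denied for user %s"
                                       % (action, resource, record_id, policy.user_id))
            return fn(policy, *args, **kwargs)
        return wrapper
    return decorator


@requires_permission("delete", "article")
def delete_article(policy, record_id):
    return "deleted article %s" % record_id


@requires_permission("read", "article")
def read_article(policy, record_id):
    return "article %s" % record_id


def demo():
    """Outcome per call for the sample user: editor may delete only article 17."""
    policy = Policy(AUTHZ_RESPONSE)
    outcomes = {}
    for name, call in (("read", lambda: read_article(policy, 5)),
                       ("delete_17", lambda: delete_article(policy, 17)),
                       ("delete_18", lambda: delete_article(policy, 18))):
        try:
            outcomes[name] = call()
        except PermissionDenied:
            outcomes[name] = "denied"
    return outcomes
```

The consumer never trusts the client for its roles: the policy document comes from the authorization service, unknown roles contribute nothing, and a record-scoped grant does not escalate to the whole resource when a caller omits the record id.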


[web2py] Re: Questions about authentication and authorization

2015-09-14 Thread Luis Valladares
Since I did the post I found some interesting articles, and now I have a 
better implementation idea, but I'm still looking for the solution on a 
subject. Here is what I have now:

I will handle the authentication of my applications using the Amazon 
approach 
(http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/)
 
and the user authentication using CAS in order to centralize all the 
services' auth providers, but I'm still searching for a way to handle the 
authorization for users. I read about Spring Security but I didn't see any 
implementation in Python or web2py.

Again, thanks for any help!



[web2py] Re: Questions about authentication and authorization

2015-09-14 Thread Dave S


On Monday, September 14, 2015 at 3:35:20 PM UTC-7, Luis Valladares wrote:
>
> Since I did the post I found some interesting articles, and now I have a 
> better implementation idea, but I'm still looking for the solution on a 
> subject. Here is what I have now:
>
> I will handle the authentication of my applications using the Amazon 
> approach (
> http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/)
>  
> and the user authentication using CAS in order to centralize all the 
> services' auth providers, but I'm still searching for a way to handle the 
> authorization for users. I read about Spring Security but I didn't see any 
> implementation in Python or web2py.
>
> Again, thanks for any help!
>

Perhaps Niphlod's JWT implementation would work for you, too.

Quoting his example again:


> As per the "original" demand of covering one-time-issued tokens, the "jti" 
> claim is the standard and can be easily implemented, imagining that you store 
> valid tokens in a database table:
>
> # one row per issued token id (jti); deleting the row revokes the token
> db.define_table('jwt_tokens',
>                 Field('token'),
>                 Field('user_id'),
>                 Field('inserted_on', 'datetime', default=request.now))
>
> def myadditional_payload(payload):
>     # attach the user's most recently issued jti to the token being signed
>     res = db(db.jwt_tokens.user_id == payload['user']['id']).select(
>         orderby=~db.jwt_tokens.inserted_on).first()
>     if not res:
>         # no row yet: refuse rather than fail with AttributeError on res.token
>         raise HTTP(400, u'No JWT token issued for this user')
>     payload['jti'] = res.token
>     return payload
>
> def mybefore_authorization(tokend):
>     # a valid signature is not enough: the jti must still be listed for this user
>     res = db(
>         (db.jwt_tokens.user_id == tokend['user']['id']) &
>         (db.jwt_tokens.token == tokend.get('jti'))
>     ).select().first()
>     if not res:
>         raise HTTP(400, u'Invalid JWT jti claim')
>
> myjwt = Web2pyJwt('secret', auth,
>                   additional_payload=myadditional_payload,
>                   before_authorization=mybefore_authorization)
>


The list of features is in his post in the developer's forum.
https://groups.google.com/d/msg/web2py-developers/dXfUrHNI5Sg/gqNa3kXsCQAJ

If you need some background on JWT, my reading list recently included

(that's the standard as of May; it's actually readable by users of 
standards as well the writers, I think)

/dps

 

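To make the jti check in Niphlod's snippet concrete, an added example that is not his code and not web2py's: a minimal HS256 JWT issuer and verifier in plain Python with an in-memory stand-in for the jwt_tokens table. SECRET, JtiStore and the claim layout are assumptions for this example; the point it shows is that a token whose signature verifies is still rejected once its jti is no longer listed for the user, which is what before_authorization does in the snippet above, and that the verifier pins the algorithm instead of reading it from the header.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"secret"   # assumption: stands in for the key passed as 'secret' above


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JtiStore:
    """In-memory stand-in for the jwt_tokens table: user_id -> live jti values."""

    def __init__(self):
        self.live = {}

    def issue(self, user_id):
        jti = secrets.token_urlsafe(16)
        self.live.setdefault(user_id, set()).add(jti)
        return jti

    def revoke(self, user_id, jti):
        self.live.get(user_id, set()).discard(jti)

    def is_live(self, user_id, jti):
        return jti in self.live.get(user_id, ())


def encode_jwt(payload, key=SECRET):
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, store, key=SECRET, now=None):
    """Return (payload, None) on success or (None, reason) on rejection."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except ValueError:
        return None, "malformed"
    if header.get("alg") != "HS256":      # pin the algorithm; never let the header pick it
        return None, "unexpected alg"
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None, "bad signature"
        payload = json.loads(_b64url_decode(p64))
    except ValueError:
        return None, "malformed"
    if payload.get("exp", 0) <= now:
        return None, "expired"
    # the before_authorization step: a good signature is not enough,
    # the jti must still be listed for this user
    user_id = payload.get("user", {}).get("id")
    if not store.is_live(user_id, payload.get("jti")):
        return None, "invalid jti"
    return payload, None


def issue_token(store, user_id, ttl=3600, now=None):
    """The additional_payload step: record a fresh jti and put it in the token."""
    now = int(time.time() if now is None else now)
    payload = {"user": {"id": user_id}, "iat": now, "exp": now + ttl,
               "jti": store.issue(user_id)}
    return encode_jwt(payload)


def demo():
    """Rejection reason per case (None means accepted)."""
    store, t0, out = JtiStore(), 1_700_000_000, {}
    tok = issue_token(store, 7, now=t0)
    h64, p64, _ = tok.split(".")
    out["fresh"] = verify_jwt(tok, store, now=t0 + 60)[1]
    # same header and payload, signature replaced by someone without the key
    out["forged"] = verify_jwt(h64 + "." + p64 + "." + _b64url(b"\0" * 32), store, now=t0 + 60)[1]
    # logout or password change deletes the row: signature still valid, token dead
    store.revoke(7, json.loads(_b64url_decode(p64))["jti"])
    out["revoked"] = verify_jwt(tok, store, now=t0 + 60)[1]
    out["expired"] = verify_jwt(issue_token(store, 7, now=t0), store, now=t0 + 7200)[1]
    # alg=none downgrade with an empty signature must not be accepted
    out["alg_none"] = verify_jwt(_b64url(b'{"alg":"none"}') + "." + p64 + ".", store, now=t0 + 60)[1]
    return out
```

demo() returns the reason each token was refused: the fresh one is accepted (None), the forged signature, revoked jti and expired token are rejected, and the alg=none token is refused before its signature is even looked at. The jti table is what turns a stateless bearer token into something you can revoke on logout or password change.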


[web2py] Re: Questions about authentication and authorization

2015-09-14 Thread Luis Valladares
Thanks for your answer!

I've been reading about JWT too, and I consider it for application 
authorization; the thing is I don't feel comfortable sending the parameters 
through JSON, I prefer to send them via POST parameters and so on, but after 
reading the link you posted it sounds like a good solution for app 
authentication, and I will consider this along with the Amazon approach and 
OAuth2. The thing that is really bothering me is the authorization of 
users. Any suggestion on this field?

Thank you very much!

On Monday, 14 September 2015, 18:19:12 (UTC-4:30), Dave S wrote:
>
>
>
>
> Perhaps Niphlod's JWT implementation would work for you, too.
>
> Quoting his example again:
>
>
>> As per the "original" demand of covering one-time-issued tokens, the "jti" 
>> claim is the standard and can be easily implemented, imagining that you store 
>> valid tokens in a database table:
>>
>> # one row per issued token id (jti); deleting the row revokes the token
>> db.define_table('jwt_tokens',
>>                 Field('token'),
>>                 Field('user_id'),
>>                 Field('inserted_on', 'datetime', default=request.now))
>>
>> def myadditional_payload(payload):
>>     # attach the user's most recently issued jti to the token being signed
>>     res = db(db.jwt_tokens.user_id == payload['user']['id']).select(
>>         orderby=~db.jwt_tokens.inserted_on).first()
>>     if not res:
>>         # no row yet: refuse rather than fail with AttributeError on res.token
>>         raise HTTP(400, u'No JWT token issued for this user')
>>     payload['jti'] = res.token
>>     return payload
>>
>> def mybefore_authorization(tokend):
>>     # a valid signature is not enough: the jti must still be listed for this user
>>     res = db(
>>         (db.jwt_tokens.user_id == tokend['user']['id']) &
>>         (db.jwt_tokens.token == tokend.get('jti'))
>>     ).select().first()
>>     if not res:
>>         raise HTTP(400, u'Invalid JWT jti claim')
>>
>> myjwt = Web2pyJwt('secret', auth,
>>                   additional_payload=myadditional_payload,
>>                   before_authorization=mybefore_authorization)
>>
>
>
> The list of features is in his post in the developer's forum.
> https://groups.google.com/d/msg/web2py-developers/dXfUrHNI5Sg/gqNa3kXsCQAJ
>
>
> If you need some background on JWT, my reading list recently included
> 
> (that's the standard as of May; it's actually readable by users of 
> standards as well the writers, I think)
>
> /dps
>
>  
>
