API / System Design [Flexible Authentication / Authorization]?

Background:

We’re a smaller shop that puts out a number of products that require
authentication and authorization. We’re currently using a 3rd party
service to “spin up new auth APIs” for each application. However, I
would like to investigate potential designs for doing this ourselves
in-house due to additional security requirements that may be needed in
the future. I’ve included information below and would appreciate any
design or support as I’m relatively fresh with designs of this scale.

Summary of goals:

An interface that allows a developer to create and manage
authentication APIs for multiple applications via a webpage. This
includes the mostly automated process of spinning up new auth APIs,
and ideally the ability to do some form of RBAC / ABAC changes via
this page.

Acceptable ‘Limitations’:

  1. All APIs can expose the same common-auth endpoints, so they’re basically just “Images” of one another. (I.e. Login / Register / etc.)

  2. While this would ideally be entirely automated, some parts I’ve thought of being manual are:
    * Domain configuration (pointing subdomains to new endpoints)
    * Spinning up additional VMs (needed?)
    * Spinning up additional DBs or tables?
    * Minor configuration changes
    * others I haven’t thought of?

User Stories:

  • As a Developer, I want to login to a web portal so that I can manage auth APIs.
  • As a Developer, I want to create a new API in the web UI, so that I can then integrate it to new applications.
  • As a Developer, I want to manage users in the web UI, so I can oversee access to our applications.
  • As a Developer, I want to **…

Future Considerations:

Each new API for the applications should likely have the user stores
(table containing user information) segregated into different
databases stored on separate hardware to minimize attack vectors and
improve security/scaling. For now, I’m thinking of different
subdomains or maybe request parameters to separate the APIs?

Thoughts:

I feel like there may be some solution that involves building a
template/image of an Auth API on Azure and just duplicating the VM or
image, but I’m not too sure of this route either. Obviously
management, maintenance, updates, etc. to these would be more
hands-on, but feel free to provide feedback on this as well.

Thanks in advance!

Go to Source
Author: ClicheCoffeeMug
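As an added illustration of the "one auth API image per application, separate user store per application" shape described in the post above (example code written for this page, not the poster's design or any existing product): every tenant exposes the same Login/Register endpoints, but each has its own user database, and a session token is bound to the tenant that issued it so it cannot be replayed against another application's store. The tenant is selected from the request's Host (the subdomain), never from a request parameter the caller controls. Hostnames, the in-memory SQLite stores and the PBKDF2 parameters are assumptions for the example; in production each store would be a separate database server.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3


class TenantAuth:
    """Common auth endpoints shared by all tenants, with one user store per tenant.

    Tenants are keyed by the hostname the request arrived on (e.g. the subdomain),
    so a client cannot pick another application's store via a query parameter.
    """

    # PBKDF2 iteration count is an example value; tune for your hardware.
    _ITERATIONS = 100_000

    def __init__(self):
        self._stores = {}    # hostname -> sqlite3 connection (separate DB per tenant)
        self._sessions = {}  # session token -> (hostname, username)

    def add_tenant(self, host):
        """Spin up a new 'image' of the auth API: a fresh, empty user store."""
        db = sqlite3.connect(":memory:")  # stand-in for a dedicated database
        db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, hash BLOB NOT NULL)"
        )
        self._stores[host] = db

    def _store(self, host):
        try:
            return self._stores[host]
        except KeyError:
            raise LookupError(f"no auth API configured for host {host!r}") from None

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls._ITERATIONS)

    def register(self, host, username, password):
        """Register endpoint: writes only into this tenant's store."""
        db = self._store(host)
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, self._hash(password, salt)))
        db.commit()

    def login(self, host, username, password):
        """Login endpoint: returns a session token bound to this tenant, or None."""
        db = self._store(host)
        row = db.execute("SELECT salt, hash FROM users WHERE username = ?", (username,)).fetchone()
        # Always run the hash and a constant-time compare, even for unknown users,
        # so response timing does not reveal which usernames exist.
        salt, stored = row if row else (b"\0" * 16, b"\0" * 32)
        if not (hmac.compare_digest(self._hash(password, salt), stored) and row is not None):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (host, username)
        return token

    def whoami(self, host, token):
        """Resolve a session token; a token issued by tenant A is invalid on tenant B."""
        session = self._sessions.get(token)
        if session is None or session[0] != host:
            return None
        return session[1]
```

Because the tenant comes from the Host the API was reached on, the "which API am I" question is answered by DNS and TLS configuration rather than by anything the client sends in the body or query string, which is the property the separate-store design is meant to buy.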

Active Directory Name Change

Our Active Directory will change the account names, for example John Doe from Jdoe@abcd.com to John.Doe@abcd.com.

My question is: do I need to change all the SQL logins individually, or can the person log in to SQL Server Management Studio with their old name? Also, what happens if the login is the owner of a database or job?

Go to Source
Author: SQL_NoExpert

How to authenticate an Add-In on interprocess communication

We are considering building a Windows application that is split into 2 parts:
one part running as a Windows service and the other part as Add-Ins.
There could be different kinds of Add-Ins:
for Microsoft Office, for Microsoft Management Console (MMC) and for PowerShell.

The service as well as the Add-Ins are digitally signed with a company's certificate and are all running on the same machine.
The service runs in a different user account than the Add-Ins.
The Add-Ins may run in various interactive user accounts.
The Add-Ins need to communicate with the Windows service to exchange a secret that is known to the service only, but is needed at the Add-Ins to get access to some sensitive data.
Therefore the Add-In would connect to the service (via e.g. a named pipe) and request that secret on demand.
But we need to avoid that another application/process does the same and gets the secret.
Only those Add-Ins that belong to our application (that are digitally signed with our certificate) may get the secret. In other words, the Add-Ins need some way to authenticate themselves to the service.

So my question is:
How can the Add-Ins authenticate themselves to the service while requesting the secret? Is it possible to use the digital signature (or something else that is unique to them and to the service) for this?

It might get more difficult when considering that the Add-Ins are hosted by processes that might be signed with different certificates (e.g. Word.exe, mmc.exe, …).

We are implementing on the .NET Framework.

Thanks for any kind of help.

Go to Source
Author: MartinM

Understanding TS 133 501 (5G) Step 2 of EAP-AKA’

I have a question about the EAP-AKA’ used in 5G to authenticate clients coming from a 3GPP network.

I read the latest specification on ETSI. The problem I have is based on Step 2 on Page 37/38, where it says (at least I understood it like that) that when the UDM/ARPF gets the SUCI it shall continue as shown in RFC 5448 (a description of EAP-AKA’), otherwise it shall follow the EAP-AKA’ shown in the specification (TS 133 501).

That’s what confuses me. Are there really two different implementations of EAP-AKA’? I tried to lay those two over each other, but nonetheless for me those two are different, due to the message flow.
Is that correct?

Go to Source
Author: Sheena

What is a recommended authentication architecture for a front GUI app that I want to control but that will be used by others to control their servers?

I have a front end (web GUI) app that I designed (Python for now + JavaScript in the future) that I use to access a controller; it uses REST APIs.

I want to publish this app in the cloud so that others could use it.

The biggest issue I am seeing is the security side, as the app needs to authenticate with the remote server (a controller itself) and start sending tasks to the controller, which will translate them into internal REST APIs to control processes on downstream servers.

Is there an authentication flow that will guarantee to the owners of the controllers that I (the publisher of the front end) do not intercept the authentication flow and gain unwanted access to their servers?

My idea is to use a two-step authentication/authorization process like below. Is there a better way?
Please edit this diagram if you have suggestions

Go to Source
Author: MiniMe

How to create a user and copy the corresponding pub file to authorized_keys using AWS CloudFormation?

I am having trouble creating a user and copying the corresponding pub file, called authorized_keys, into the .ssh folder on the instance using AWS CloudFormation. I do this because I want to connect with this user using SSH. When I check the system log of the created instance, it does not seem like the user is created or any file is copied as authorized_keys in the .ssh directory. This is my code:

LinuxEC2Instance:
  Type: AWS::EC2::Instance
  Metadata:
    AWS::CloudFormation::Init:
      config:
        groups:
          exampleuser: {}              # the group must exist before the user references it
        users:
          # cfn-init creates accounts as system users with shell /sbin/nologin;
          # the command below gives the account a login shell for SSH sessions.
          exampleuser:                 # same name as the file owner below
            groups:
              - "exampleuser"
            uid: "1500"                # uid 1 is already taken by a system account
            homeDir: "/home/exampleuser"
        files:
          /home/exampleuser/.ssh/authorized_keys:
            # a dynamic reference is a single token: no line breaks or extra quotes
            # (a public key is not secret, so a plain template Parameter also works)
            content: "{{resolve:secretsmanager:arn:aws:secretsmanager:region:account-id:secret:keyname:SecretString:keystring}}"
            mode: "000600"
            owner: "exampleuser"
            group: "exampleuser"
        commands:
          01_login_shell_and_perms:
            command: "usermod -s /bin/bash exampleuser && chown -R exampleuser:exampleuser /home/exampleuser && chmod 700 /home/exampleuser/.ssh"
  Properties:
    # other instance properties omitted
    UserData:                          # AWS::CloudFormation::Init is only applied when cfn-init runs
      Fn::Base64: !Sub |
        #!/bin/bash -xe
        /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LinuxEC2Instance --region ${AWS::Region}

Am I missing something so that the user is created and the file is also being copied?

Go to Source
Author: Benny

Is it ok to share relevant login information on an API’s public endpoint?

I have an (https-only) API that uses OAuth2 for authentication and authorization via access tokens.

Any request to the API needs an access token in the Authorization header. The API validates that this access token is signed by a specific tenant (e.g. Google), is targeted to a specific audience, and has some specific scopes.

As a user/service, it would be really helpful if the API exposed such information on a public endpoint, so that I know where I should fetch an access token from (e.g. through PKCE) and which scopes I need to request.

A natural mechanism for this is for the API to have a public endpoint with something like

{
    "provider_uri": "https://accounts.google.com/.well-known/openid-configuration",
    "client_id":"...apps.googleusercontent.com",
    "scope":"openid ..."
}

Is this a valid approach? What other relevant idioms exist to address such problem?

Go to Source
Author: Jorge Leitao
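One established idiom for the question above is OAuth 2.0 Protected Resource Metadata (RFC 9728): the API publishes a JSON document at /.well-known/oauth-protected-resource naming the authorization server(s) it trusts and the scopes it understands, and points clients at it with a resource_metadata parameter in its WWW-Authenticate challenge. Endpoint URLs are not repeated there; clients take them from the issuer's own openid-configuration. A client_id is deliberately absent, since registration belongs to the client, not the resource; if every caller shared one public client_id the API could no longer tell callers apart. The example below (written for this page, not code from the original post) builds that document and applies the same issuer/audience/expiry/scope policy to an already signature-verified claim set. The resource URL, issuer and scope names are assumed values.

```python
import time

# Assumed values for this example (not from the original post).
RESOURCE = "https://api.example.com"
ISSUER = "https://accounts.google.com"
REQUIRED_SCOPES = frozenset({"openid", "api.read"})
METADATA_URL = RESOURCE + "/.well-known/oauth-protected-resource"


def protected_resource_metadata():
    """Public discovery document in the shape of RFC 9728.

    It tells a client which issuer to obtain a token from and which scopes to
    ask for; the issuer's /.well-known/openid-configuration supplies the
    authorize, token and jwks endpoints, so they are not duplicated here.
    """
    return {
        "resource": RESOURCE,
        "authorization_servers": [ISSUER],
        "scopes_supported": sorted(REQUIRED_SCOPES),
        "bearer_methods_supported": ["header"],
    }


def validate_claims(claims, now=None):
    """Enforce the policy the metadata advertises on a signature-verified claim set.

    Returns (ok, reason). The reason starts with an RFC 6750 error code so it can
    be placed directly into a WWW-Authenticate challenge.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "invalid_token: unexpected issuer"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if RESOURCE not in aud:                      # token minted for some other API
        return False, "invalid_token: token not issued for this audience"
    if "exp" not in claims or now >= claims["exp"]:
        return False, "invalid_token: expired"
    if now < claims.get("nbf", 0):
        return False, "invalid_token: not yet valid"
    granted = set(str(claims.get("scope", "")).split())   # space-separated per RFC 6749
    missing = REQUIRED_SCOPES - granted
    if missing:
        return False, "insufficient_scope: " + " ".join(sorted(missing))
    return True, "ok"


def challenge_header(reason=None):
    """WWW-Authenticate value for a 401/403 response.

    resource_metadata (RFC 9728 section 5.1) points the client at the discovery
    document; error/scope follow RFC 6750 so a client can recover on its own.
    """
    params = [f'Bearer realm="{RESOURCE}"', f'resource_metadata="{METADATA_URL}"']
    if reason and reason != "ok":
        code, _, description = reason.partition(": ")
        params.append(f'error="{code}"')
        if code == "insufficient_scope":
            params.append(f'scope="{" ".join(sorted(REQUIRED_SCOPES))}"')
        elif description:
            params.append(f'error_description="{description}"')
    return ", ".join(params)
```

Publishing the document is safe because nothing in it is secret: issuer, audience and scope names are already visible to anyone who inspects a token. What the API must still do, and what the document does not replace, is verify the token signature against the issuer's JWKS before calling validate_claims.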