kawansoft / aceql-http

AceQL HTTP is a framework of REST-like HTTP APIs that allows access to remote SQL databases over HTTP from any device that supports HTTP.
https://www.aceql.com

Can I validate JWT Token (from client) against Azure AD on server side for each request? #12

Closed GalTzemach closed 3 years ago

GalTzemach commented 3 years ago

The client will send some JWT Token to the AceQL server side for each request. Then I need to validate the JWT Token against Azure AD on the server side. Can I do it?

ndepomereu commented 3 years ago

Hi Gal, Yes, this could be done by coding an extended class of JwtSessionConfigurator that will be injected at AceQL Server startup.

Please give me more details and the precise flow, so that I'm sure if it's possible; and then I will guide you on how to implement it.

GalTzemach commented 3 years ago

I have a security requirement to pass the Azure AD access Token from the client and validate the Token on the AceQL server side for each request.

I'm talking about an additional Token and not about the session management Token. Which means passing one more Token, regardless of the session management one.

GalTzemach commented 3 years ago

Assume that I will pass this Token as a header from the client to the server. Is there a built-in way to validate this token on the server side?

ndepomereu commented 3 years ago

No, there is no built-in way. But a user asked us recently to allow passing headers in C#, for security and token concerns; he wanted to be allowed to do this: request.Headers.Add("api_key", "1234"); We implemented it. Maybe you could check with him in this thread/issue: https://github.com/kawansoft/AceQL.Client/issues/12 ?

Otherwise, please specify the exact flow (more precisely, it's still not clear enough for my understanding) and I will be glad to help.

ndepomereu commented 3 years ago

(The header syntax is: AddRequestHeader(string name, string value), a non-static method of AceQLConnection)

GalTzemach commented 3 years ago

I already saw the thread "Api key/ Authorization Headers in Aceql"; I am a watcher on GitHub :) and I intend to use this functionality.

The flow: due to security aspects, on our client App the user should be authorized against Azure AD and get an access_token. Then we want to pass the access_token to the server and validate the Token on the server side also.

The question is whether there is built-in functionality to validate this access_token against Azure AD on the server side, or whether I should implement this code myself? If I need to implement this myself, do you have suggestions on where and how to do this correctly?

ndepomereu commented 3 years ago

It's now clear for me, thanks. I will write a howto asap.

GalTzemach commented 3 years ago

Thanks a lot Nicolas!


ndepomereu commented 3 years ago

Hi Gal, With the current architecture, there is no way to validate an Azure Token passed from the AceQL client side to the AceQL server side.

The only thing you can do is put the Azure Token in a Header with the C# AceQL call AceQLConnection.AddHeader(), then you can either:

  1. Put in front of the AceQL server an HTTP server that will intercept the HTTP flow, get the Azure Token from the Headers, do what you want with it in a program, then route the HTTP flow to the AceQL Server.
  2. Develop a Java Servlet that will be declared and embedded in the AceQL server. This Servlet will do the Azure Token verification; the call must be done explicitly from the C# code, passing the Azure Token to the Servlet in the Headers or as a request parameter.

Regards, N.

ndepomereu commented 3 years ago

P.S: what could be done in the next AceQL server version is to pass the request headers to the SessionConfigurator.verifySessionId method, by adding the request headers as a new parameter:

Present 6.2 version: public boolean verifySessionId(String sessionId)

Future version: public boolean verifySessionId(String sessionId, String [] requestHeaders)

Then in verifySessionId, you would be able to extract the Azure Token from the Headers and verify it against Azure servers.

GalTzemach commented 3 years ago

For now, which point/method gets the requestHeaders from the client on the server side? Is there no other point/method on the server where I can do it than in verifySessionId() in the future?

ndepomereu commented 3 years ago

For now, there is no point/method getting the request headers on the server side. What I suggest: to implement one in SessionConfigurator.verifySessionId by adding a String [] requestHeaders parameter. This should be the most coherent way to do this, but I'm open to suggestions if you have an idea that is better for you?

GalTzemach commented 3 years ago

When can this solution be available for me?

ndepomereu commented 3 years ago

I'll check and come back to you for eval.

ndepomereu commented 3 years ago

Hi Gal, I will prepare a patch; it will be ready between now and tomorrow at the latest. Regards, N.

GalTzemach commented 3 years ago

Many thanks.

In general, what will be the next step, and how and where am I going to implement my validation?

ndepomereu commented 3 years ago

I will update the aceql-http-6.2.jar to aceql-http-6.2-PATCH-1.jar and give a download link. I will add a small HOWTO and an implementation sample in Java that shows how to parse the passed request headers to get their (name, value).

GalTzemach commented 3 years ago

Any news?

ndepomereu commented 3 years ago

Hi Gal, I wrote the text Friday, but forgot to post it...

Patch is here: https://www.aceql.com/rest/soft/patch/aceql-http-6.2-PATCH-1.0.jar

org.kawanfw.sql.api.server.auth.UserAuthenticator contains a new method that allows an implementation to retrieve the request headers and grant or refuse access to the current session:

```java
/**
 * Allows to check the request headers. If the method returns false, the user will not be allowed access.
 * @param headers   the request headers
 * @return  {@code true} if the headers are OK and the user is granted access, {@code false} if not.
 */
public boolean checkRequestHeaders(Map<String, String> headers);
```

Source of new interface is here: https://www.aceql.com/rest/soft/patch/UserAuthenticator.java

You have to code the name of your implementation in the aceql-server.properties file with the userAuthenticatorClassName property:

For example, I have my own MyUserAuthenticator.java implementation that just prints the headers names and values on stdout: https://www.aceql.com/rest/soft/patch/MyUserAuthenticator.java

So I add the class name in aceql-server.properties:

```properties
userAuthenticatorClassName=org.kawanfw.test.api.server.config.MyUserAuthenticator
```

Please let me know if these explanations are OK, otherwise I will be glad to clarify...

Regards, N.

GalTzemach commented 3 years ago

Hi Nicolas, I would be happy with a more detailed explanation; it's not clear enough for me.

How/where can I implement your interface / my class? Where should I locate the new class? Should it be part of your .jar file?

Many thanks!

ndepomereu commented 3 years ago

Hi Gal,

The class you will develop must just implement the org.kawanfw.sql.api.server.auth.UserAuthenticator interface, and you overload public boolean checkRequestHeaders(Map<String, String> headers); In your checkRequestHeaders, you check the headers sent by the client side and grant access or not by returning true or false.

The class can be a solo .class or in a .jar, as you want.

ndepomereu commented 3 years ago

Hi Gal, AceQL Server Version 6.3 has been released and now includes support for request header validation. The Maven version is already available for ease of coding:

```xml
<groupId>com.aceql</groupId>
<artifactId>aceql-http</artifactId>
<version>6.3</version>
```

But the implementation is slightly different from the 6.2 patched version: the method has been renamed and put in its own interface:

1) For the purpose of clarity, the method has been renamed from public boolean checkRequestHeaders(Map<String, String> headers) throws IOException; to public boolean validate(Map<String, String> headers) throws IOException;

2) For the respect of the single responsibility principle, a dedicated Interface has been created that contains the validate method: org.kawanfw.sql.api.server.auth.headers.RequestHeadersAuthenticator.

See the Javadoc of RequestHeadersAuthenticator: https://www.aceql.com/rest/soft/6.3/javadoc/org/kawanfw/sql/api/server/auth/headers/RequestHeadersAuthenticator.html

Regards, N.
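The two comments above (the 6.2 patch's checkRequestHeaders and the 6.3 RequestHeadersAuthenticator.validate) say what the hook receives and what it must return, but not what a token check behind it looks like. The class below is an added example, not AceQL's code and not the MyUserAuthenticator sample linked in the thread: it implements validate as described here, with the issuer and audience as placeholders, a package name that only mirrors the thread's sample, and a regex claim lookup kept minimal for the demo (a real implementation should use a JSON/JWT library). It assumes the signing public key is handed in by the caller; in production that key is the one selected by the token's kid from the tenant's JWKS document, and how AceQL instantiates the configured class (presumably a no-argument constructor) is not stated on this page, so that wiring is left out.

```java
package org.kawanfw.test.api.server.config; // hypothetical package, mirrors the thread's sample

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.kawanfw.sql.api.server.auth.headers.RequestHeadersAuthenticator;

/** Refuses every request whose Authorization header does not carry a valid RS256 JWT. */
public class AzureAdHeadersAuthenticator implements RequestHeadersAuthenticator {

    // Placeholders: the tenant's v2.0 issuer and the application's client ID (the token's "aud").
    static final String EXPECTED_ISSUER = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0";
    static final String EXPECTED_AUDIENCE = "CLIENT-ID-PLACEHOLDER";
    static final long CLOCK_SKEW_SECONDS = 60;

    private final PublicKey signingKey; // assumed to be supplied by the caller (JWKS lookup not shown)

    public AzureAdHeadersAuthenticator(PublicKey signingKey) {
        this.signingKey = signingKey;
    }

    @Override
    public boolean validate(Map<String, String> headers) throws IOException {
        String authorization = null;
        for (Map.Entry<String, String> e : headers.entrySet()) { // header names are case-insensitive
            if ("authorization".equalsIgnoreCase(e.getKey())) authorization = e.getValue();
        }
        if (authorization == null || !authorization.regionMatches(true, 0, "Bearer ", 0, 7)) return false;
        return isValidToken(authorization.substring(7).trim(), System.currentTimeMillis() / 1000);
    }

    /** Structure, pinned algorithm, signature, issuer, audience, expiry: any failure means false. */
    boolean isValidToken(String token, long nowSeconds) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        try {
            Base64.Decoder b64 = Base64.getUrlDecoder();
            String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
            String payload = new String(b64.decode(parts[1]), StandardCharsets.UTF_8);
            if (!"RS256".equals(claim(header, "alg"))) return false; // never let the token pick the algorithm
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(signingKey);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(b64.decode(parts[2]))) return false;
            // Claims are only meaningful once the signature has been verified.
            if (!EXPECTED_ISSUER.equals(claim(payload, "iss"))) return false;
            if (!EXPECTED_AUDIENCE.equals(claim(payload, "aud"))) return false;
            String exp = claim(payload, "exp");
            return exp != null && Long.parseLong(exp) + CLOCK_SKEW_SECONDS > nowSeconds;
        } catch (IllegalArgumentException | GeneralSecurityException ex) {
            return false; // malformed base64 or number, wrong key type, bad signature length: reject
        }
    }

    /** Minimal flat-JSON lookup of a string or integer claim (demo only). */
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))").matcher(json);
        return m.find() ? (m.group(1) != null ? m.group(1) : m.group(2)) : null;
    }

    // Stand-alone demo: a locally generated RSA key pair stands in for the identity provider's key.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        AzureAdHeadersAuthenticator auth = new AzureAdHeadersAuthenticator(kp.getPublic());
        long now = System.currentTimeMillis() / 1000;
        String claims = "{\"iss\":\"" + EXPECTED_ISSUER + "\",\"aud\":\"" + EXPECTED_AUDIENCE + "\",\"exp\":";
        String good = mint(kp, claims + (now + 600) + "}");
        String expired = mint(kp, claims + (now - 600) + "}");
        Map<String, String> headers = new HashMap<>(); // constructed request headers
        headers.put("Authorization", "Bearer " + good);
        System.out.println("valid token accepted:    " + auth.validate(headers));
        headers.put("Authorization", "Bearer " + expired);
        System.out.println("expired token rejected:  " + !auth.validate(headers));
        headers.put("Authorization", "Bearer " + good.substring(0, good.length() - 4) + "AAAA");
        System.out.println("tampered token rejected: " + !auth.validate(headers));
        headers.remove("Authorization");
        System.out.println("missing header rejected: " + !auth.validate(headers));
    }

    // Test-only minting of a signed token: this is the identity provider's job, never the AceQL server's.
    static String mint(KeyPair kp, String payloadJson) throws GeneralSecurityException {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String signingInput = b64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + b64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(kp.getPrivate());
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64.encodeToString(sig.sign());
    }
}
```

The order of checks is the point worth keeping: the algorithm is pinned before the signature is verified, and issuer, audience and expiry are read only after the signature passes, so an unsigned or foreign token never gets as far as its claims. The class is declared in aceql-server.properties exactly as the thread shows for the earlier MyUserAuthenticator sample; only the property name for the 6.3 interface should be taken from the linked Javadoc rather than from this example.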

GalTzemach commented 3 years ago

Thank you Nicolas.
