the-bastion | Authentication, authorization, traceability and auditability for SSH accesses | Authorization library

 by   ovh Perl Version: v3.11.01 License: Non-SPDX

kandi X-RAY | the-bastion Summary

kandi X-RAY | the-bastion Summary

the-bastion is a Perl library typically used in Security, Authorization applications. the-bastion has no bugs, it has no vulnerabilities and it has medium support. However the-bastion has a Non-SPDX License. You can download it from GitHub.

Authentication, authorization, traceability and auditability for SSH accesses.
Support
    Quality
      Security
        License
          Reuse

            kandi-support Support

              the-bastion has a medium active ecosystem.
              It has 1217 star(s) with 78 fork(s). There are 38 watchers for this library.
              OutlinedDot
              It had no major release in the last 12 months.
              There are 28 open issues and 77 have been closed. On average issues are closed in 57 days. There are 2 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of the-bastion is v3.11.01

            kandi-Quality Quality

              the-bastion has 0 bugs and 0 code smells.

            kandi-Security Security

              the-bastion has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              the-bastion code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              the-bastion has a Non-SPDX License.
              Non-SPDX licenses can be open source with a non SPDX compliant license, or non open source licenses, and you need to review them closely before use.

            kandi-Reuse Reuse

              the-bastion releases are available to install and integrate.
              Installation instructions are not available. Examples and code snippets are available.
              It has 47 lines of code, 0 functions and 16 files.
              It has low code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
            Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of the-bastion
            Get all kandi verified functions for this library.

            the-bastion Key Features

            No Key Features are available at this moment for the-bastion.

            the-bastion Examples and Code Snippets

            No Code Snippets are available at this moment for the-bastion.

            Community Discussions

            QUESTION

            Why Laravel Policy is not working in View/Blade?
            Asked 2022-Mar-18 at 12:26

            I tried to filter who can edit/delete on my app using policies but it's not working. Trying to use it on blade.

            QuestionPolicy.php

            ...

            ANSWER

            Answered 2022-Mar-18 at 12:26

            You need to pass the actual instance of the question (and you don't need to pass the user class) if the policy is regarding a specific question:

            Source https://stackoverflow.com/questions/71526691

            QUESTION

            laravel passport auth code - asking to grant permissions, is it nessecarry?
            Asked 2022-Mar-15 at 22:38

            I am looking for some clarification as for how exactly to proceed with Oauth auth code PKCE grant when it comes to authorizing my own SPA.

            So I get this when I am redirected from my SPA to backend (after I log in of course):

            Now I get this, makes sense if I want to login into my app with google or twitter for example.

            But If I want to log in to the backend app to get the token with my SPA - is there a way to avoid that every time a user logs in? Does it make sense?

            I would like to have it from user perspective like this:

            • click login
            • redirect to backend pretending to be SPA (visually)
            • login
            • go straight back to SPA without having to confirm that stuff

            I just mainly want to understand the process for SPA. I assume and suspect that what I want is simply not possible?

            ...

            ANSWER

            Answered 2022-Mar-15 at 22:38

            Yes you can :)

            Create your own Passport client.

            Source https://stackoverflow.com/questions/71489077

            QUESTION

            Use sidecar to translate opaque token to JWT in Istio
            Asked 2022-Feb-16 at 10:56

            I consider if there is a way to use Istio to translate opaque token to JWT.

            Use case: There are two services (service 1 which is consumer and service 2 which is producer) Service1 works with opaque token, Service2 can be authenticate & authorize with JWT token. To avoid adding Opaque token authentication in service2 I consider if we can use sidecar pattern (exactly in Istio) to get request (re1) from service1, extract authorization header, pass request (authReq1) to authorization server for exchange opaque token to JWT and then pass request (req1 but with JWT instead of original Opaque Token) to service2.

            Edited answer: I see two option (option1, option2) but I am interested in option 3.

            Option 1: Option 2: Option 3:

            ...

            ANSWER

            Answered 2022-Feb-15 at 14:48

            I consider if there is a way to use Istio to translate opaque token to JWT.

            Unfortunately, Istio won't be able to translate the tokens. In your case, it seems to me that the easiest way is to get services in such a way that they work on one type of token.

            Translation is possible, but not by Istio. Look at this question. You can also read more about Istio Authentication:

            Istio provides two types of authentication:

            • Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication, which can be enabled without requiring service code changes. This solution:

            • Provides each service with a strong identity representing its role to enable interoperability across clusters and clouds. - Secures service-to-service communication. - Provides a key management system to automate key and certificate generation, distribution, and rotation.

            • Request authentication: Used for end-user authentication to verify the credential attached to the request. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience using a custom authentication provider or any OpenID Connect providers, for example:

            • ORY Hydra

            • Keycloak

            • Auth0

            • Firebase Auth

            • Google Auth

            In all cases, Istio stores the authentication policies in the Istio config store via a custom Kubernetes API. Istiod keeps them up-to-date for each proxy, along with the keys where appropriate. Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture before it is enforced.

            Source https://stackoverflow.com/questions/71124983

            QUESTION

            Add authorization header to Snapchat login callback using passport js strategy
            Asked 2022-Jan-09 at 12:53

            I'm trying to integrate login using Snapchat to my application. In order to do that I need to add an authorization bearer to the callback request to my application so I can verify the client. According to Snapchat guide I need to use _qs or Axios to create the request:

            ...

            ANSWER

            Answered 2022-Jan-09 at 12:53

            To pass the Authorization header, you have to set up the headers in the request library:

            Source https://stackoverflow.com/questions/70468968

            QUESTION

            Server side Blazor gets authorization error (401) when debugging in firefox
            Asked 2021-Dec-01 at 14:15

            I'm just starting into blazor (coming from mvc). I created my first server side test project in Visual Studio 2022, following two tutorials, and I didn't create or change any content so far. I've choosen windows authentification, as this will be the required authentification type for most of my projects. When I try to run (i. e. debug) this project in firefox, there's nothing shown but an empty page. When I check the console output, there's only one error message:

            The character encoding of the plain text document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the file needs to be declared in the transfer protocol or file needs to use a byte order mark as an encoding signature.

            When I try to reload the page I'm getting a http error 401 (unauthorized) on top.

            Project options:

            • .net 6.0
            • windows authentification
            • Configure for HTTPS: true

            I had visual studio create a test certificate when I first tried to run the application.

            I'm used to be asked for login data when debugging a mvc project using firefox, but I don't get a prompt when I try to debug my blazor project. Cross check: I can run the application in Edge; as far as I know Edge fetches the windows login on its own out of the box, while firefox needs to be configured to do it. But making firefox fetch the windows login on its own is not a solution to my issue.

            ...

            ANSWER

            Answered 2021-Dec-01 at 14:15

            A co-worker of mine found the solution: I had to check the "IIS Express" option in the menu under the debug button. So it was an issue of compatibility between the way of authentication used by visual studio and firefox.

            Source https://stackoverflow.com/questions/70180078

            QUESTION

            What's the whole point of a JWT refresh token?
            Asked 2021-Nov-02 at 19:38

            I've been reading about this for a while, and nothing makes sense, and the explanations are conflicting, and the comments are proving that.

            So far what I understood is that JWTs are storing information encoded by the server, can have expiry times, and the server with its secret key can decode the information in it if it's valid. Makes sense.

            It is useful for scalability, so independent APIs can decode, and validate the information in the token, as long as they have the secret key. Also, there's no need for the information to be stored in any database, not like in sessions. Makes sense.

            If the token gets stolen, the API has no way to tell if the token is used by the right person, or not. It is the downside of the above.

            By reducing the expiry time of a token, the security vulnerability can be reduced, so thieves have less time to use the tokens without permission. (side question, but if they were able to steal it once, they will probably do it second time as well)

            But reducing the time of how long the token is valid means that the user will need to log in every time the token expires, and as from above, it's quite frequent, so wouldn't provide too good UX. Makes sense.

            From now, nothing makes sense:

            Introducing a refresh token would solve this problem, because it has a longer expiry time. With the refresh token access tokens can be generated, so the user can be logged in as long as they have the refresh token - which is for a longer period of time -, while a stolen access token is still only valid for a short time.

            For me the above seems like an extra layer of complexity without any improvement in security. I.e. for me it seems like the above equals to a long-living access token.

            Why? Because for me it seems the refresh token is basically an access token (because that's what it generates). So having the refresh token means unlimited access tokens, so unlimited access to the API.

            Then I have a read an answer that there's a one-to-one mapping of refresh token, and access token, so stealing the access token still means unauthorised access to the API, but only for a short time, and stealing the refresh token would generate a different access token, so the API could detect the anomaly (different access tokens are used for the same account), invalidating the access tokens.

            It seems like I'm not the only one who's confused about the question.

            If the above is not true, how refresh tokens really help?

            If the above is true, and there really is one-to-one mapping of refresh tokens, and access tokens:

            • it completely loses it's benefit of being "stateless"
            • the user cannot be logged in from multiple devices (it would have been an "anomaly")
            • I can't understand how an access token could be invalidated - is there a session ID stored in the token data, or the user is "blocked"?

            It would have been really great if someone could clear the question, because from 5 explanations, 5 conflicting statements are (sometimes the same explanation contains conflicting information), and many developers want to understand this method.

            ...

            ANSWER

            Answered 2021-Nov-02 at 19:38

            There is this general confusion around token-based auth, so let's try to clear some of it up.

            First, JWTs are not just "encoded" by the server, they are "signed" (which more precisely is message authentication usually). The purpose is that such a token can not be altered or changed by the client, any field (claim) in the token can be trusted to be as the issuer created it, otherwise validation will fail.

            This yields two important takeaways:

            • validating tokens is important (obviously) in any implementation
            • the contents (claims) of a JWT are not encrypted, ie. it's not a secret and can be viewed by the client

            Such a token can be used to maintain a session without server-side state, if it contains some kind of an identity for the subject (user, like a user id or email address), and an expiry.

            Another important takeaway though:

            • Logout (immediate session invalidation) is not possible in a stateless way, which is a drawback. To be able to log out as in invalidate an existing session, the server must store and check revoked tokens, which is necessarily a stateful operation.

            Also a JWT token is typically stored in a way that it's accessible for client-side code (javascript), so things like who the user is and when the token will expire can be read by the client app. It need not be so, yet most implementations do this, eg. store it in localstorage. This makes these tokens susceptible to XSS attacks, meaning that any successful XSS will be able to get the token.

            For the reasons discussed so far, JWT authentication is inherently less secure than a plain old session, and should only be used if there is a need. Many times when token auth is used, it is not actually necessary, just fancy.

            Sometimes such a token is stored in a httpOnly cookie, but in that case the token cannot be sent to multiple origins (one benefit of localStorage) and a plain old session id could also have been used, and would actually be more secure.

            Ok, so what are refresh tokens. As you correctly stated, limiting the lifetime of an access token is useful to limit the validity of a compromised token. So a refresh token can be used to get a new access token when the old one expired. The key is where these are stored.

            A key takeaway:

            • If a refresh token is stored the same way as the access token, it usually doesn't make any sense. This is a common mistake in implementations.

            In a better architecture, the following can happen:

            • There are (both logically and "physically" as much as it makes sense in today's cloud world) at least two separate components: the identity provider (IdP, or "login service"), and the resource server (eg. an API).
            • When a user logs in, they actually create a session with the IdP. In this case either a plain old session id (acting as refresh token) or an actual JWT refresh token is set up for the IdP origin (domain name).
            • An access token is then created when needed for the resource server origin, using the existing session with the identity provider.
            • Now even if there is a total compromise of the resource server, like in case of successful XSS, the refresh token belongs to a completely separate origin, so cannot be accessed by the attacker. Even if it's the same origin, but the refresh token is in a httpOnly cookie, that helps, because the attacker then needs to be able to perform repeated XSS against a victim user to receive new access tokens.

            There can be implementation variants of this, but the point is the above, separation of access to the two tokens.

            A one-to-one mapping of refresh tokens to access tokens as you described would I think be unusual and also unnecessary, but one session per user is in fact sometimes a requirement (especially in financial applications where you want to have a very clear audit trail of what a user did). But this is not much related to the things discussed above.

            Also as stated above, proper logout (session invalidation) is not possible in a stateless way. Fortunately, very few applications actually need to be truly stateless on the server-side.

            Source https://stackoverflow.com/questions/69800098

            QUESTION

            Google Sign In - Difference between Access Token, Authentication Token and JWT ID Token
            Asked 2021-Oct-24 at 09:46

            I am using OAuth Flow in my web app. My web app interacts with Google Calendar API, and users authenticate by Signing In with Google (using their Gmail account).

            I just wanted to make sure that my understanding and usage of Authentication Tokens and Access Tokens is correct:

            1. The JWT ID Token is only needed during Sign-in. We just need to validate it once during Sign-in like so: client.verifyIdToken({idToken: token, audience: CLIENT_ID}). The ID Token is not used to Authenticate a user to My Web App. Reference: https://developers.google.com/identity/sign-in/web/backend-auth

            2. This JWT ID Token is completely different from the Authentication Token I pass along to My Web App's secured(authenticated) endpoints. The Authentication Token represents a user's session, and it can be generated using any library (ie.crypto.generateRandomNumber()).

            3. On the other hand, I will have many Access Tokens, which I use to access third-party APIs (ie. Slack API, Google Calendar API). These Access Tokens are different from the JWT ID Token and Authentication Token mentioned above.

            Is my understanding/implementation correct ? At one point, I was actually using my Google Calendar API Access Token as my Web App's Authentication Token, but realized this may be wrong. The Access Token would Authorize a user to use Google/Third-Party APIs, but I need a separate Authentication Token to Authenticate users into My Web App.

            ...

            ANSWER

            Answered 2021-Oct-24 at 09:46

            The JWT ID Token is only needed during Sign-in

            Correct this is called Open Id connect, the id token is used to verify that the user behind the computer is the owner of the account as they know the login and password. Think of it as your birth certificate it proves you are you.

            This JWT ID Token is completely different from the Authentication Token

            Correct Id token or open id connect is built on top of Oauth2 which is used for authorization.

            The Authentication Token represents a user's session, and it can be generated using any library.

            Incorrect Oauth2 allows your application to request consent of the user who has been authenticated via Open id connect in some cases to grant the application access to their data. It has nothing to do with a session. With an access token your application has access to data for an amount of time. with a refresh token your app would be able to request a new access token when ever it expires. Consider authencation is more like your drivers license you are authorized to drive a car.

            I will have many Access Tokens, which I use to access third-party APIs

            Correct each third party api has their own authorization server. Your app will need to be registered by them they give you a client id and secret which you can use to generate access tokens to access your users data via their api.

            Client id + client secret + user consent = access token & refresh token to the api that the scope granted

            At one point, I was actually using my Google Calendar API Access Token as my Web App's Authentication Token, but realized this may be wrong.

            Pre open id connect this probably happened a lot and still does.

            The Access Token would Authorize a user to use Google/Third-Party APIs, but I need a separate Authentication Token to Authenticate users into My Web App.

            Technically yes you do. But if you have an internal login system where your users create accounts in your system that that is your authentication there, your just requesting additional authorization to the users google account and you can store their refresh token as part of your internal authentication.

            You can use multiple authentication providers (Facebook, twitter, google) but its best to have an internal one that maps them all together otherwise the user may end up with three accounts in your system.

            Source https://stackoverflow.com/questions/69694313

            QUESTION

            How to authorize correctly with Trello via OAuth?
            Asked 2021-Sep-19 at 02:25

            I am trying to Authorize via OAuth with Trello and I can't seem to get it right, even in postman.

            I have followed their API docs and have got myself a developer key and I have used a little link they have in this article to get a valid auth token.

            I tried including the API key and Auth token in the header and (in a separate test) in the body, as per their documentation.

            Everything I try results in "unauthorized permission requested". What am I doing wrong?

            ...

            ANSWER

            Answered 2021-Sep-08 at 14:11

            Ok so I had obviously made a mistake when trying the Header route.

            It works now if I provide a header key called Authorization and the API key and Auth Token in the following format OAuth oauth_consumer_key="{{apiKey}}", oauth_token="{{apiToken}}".

            Source https://stackoverflow.com/questions/69098019

            QUESTION

            How to register mobile numbers with One-Time-Password (OTP) in ASP.NET core MVC, not using 2FA
            Asked 2021-Sep-08 at 17:02

            I'm creating an application in ASP.Net core MVC that requires user registration and verifying with an OTP by only entering their mobile phones.

            I'm currently using Twilio to send SMS (do not want to use Twilio Verify only Twilio SMS) and I'm creating my own OTP by randomly generating 4 digits.

            So to my question: How do I use this 4 digit OTP that I get on my phone and register the mobile phone and make sure the user is logged in?

            I do not want to implement 2FA at the moment because it requires username and password.

            This question is similar to: 'https://stackoverflow.com/questions/43862276/register-with-phone-number-instead-of-email-using-mvc-identity' But it has gone 4 years with no answer...

            I appreciate any help, tips or/and further resources, thanks in advance!

            ...

            ANSWER

            Answered 2021-Sep-08 at 17:02

            OTP and User Login/Registration are two separate process. It is the developers who decide how OTP and Login/Registration will be connected. I have implemented this requirement couple of months ago. Here is how you can do this:

            • 1st step: User inputs a valid phone number. Then redirect the user to a screen where he can input an OTP (Optional - the phone number from the previous step can be in a hidden field)
            • 2nd step: Generate the 4 digit OTP and store the phone number and the OTP in a database lets call it 'OTP' table. Send the OTP to the user
            • 3rd Step: On the OTP input screen user inputs the OTP
            • 4th Step: Check the OTP in the 'OTP' table. If the OTP is Valid then:
              • If the phone number exists in the 'User' table then this is a returning user. Login this user in step 5. You already have this User ID in the 'User' table
              • If the phone number does not exists in the 'User' table then create the user profile with the phone number only (You can get the other information like Name later). After that login the user in step 5
            • 5th Step: Login the user. To do this you just need an user entity which you already have from the previous step. To login you can implement any login provider. I would suggest use JWT (JSON Web Token) to authentication.

            When you have the user who has successfully verified an OTP, use the User ID to authenticate the user. Here is how you can implement JWT:

            Source https://stackoverflow.com/questions/69086056

            QUESTION

            How do you test out Hasura authorization?
            Asked 2021-Aug-11 at 15:32

            If I disable x-hasura-admin-secret in the Dashboard, and add Authorization: Bearer a_jwt_encoded_with_a_HASURA_GRAPHQL_JWT_SECRET_and_the_hasura_custom_claims

            Then I keep getting these toast notifications:

            ...

            ANSWER

            Answered 2021-Aug-11 at 15:32

            In my experience the easiest way to test permissions is to leave the admin secret in place and then just set the relevant headers.

            Generally you just add additional headers for x-hasura-role and x-hasura-user-id and any other session variables that are relevant for your app.

            In the screenshot below you can see that I've explicitly set these values. Any query that you run will be evaluated based on the permissions associated with the role (in my case its organization-admin)

            This is especially useful if you want to be able to use the Analyze functionality to do query profiles that take permissions into account.

            Source https://stackoverflow.com/questions/68742943

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install the-bastion

            You can download it from GitHub.

            Support

            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
            CLONE
          • HTTPS

            https://github.com/ovh/the-bastion.git

          • CLI

            gh repo clone ovh/the-bastion

          • sshUrl

            git@github.com:ovh/the-bastion.git

          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link

            Explore Related Topics

            Consider Popular Authorization Libraries

            casbin

            by casbin

            RxPermissions

            by tbruyelle

            opa

            by open-policy-agent

            cancan

            by ryanb

            Try Top Libraries by ovh

            cds

            by ovhGo

            utask

            by ovhGo

            venom

            by ovhGo

            debian-cis

            by ovhShell

            celery-director

            by ovhPython