
Secure Retrieval of the Client Credentials from ORDS?

Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown

Hello Everybody,

Given:

- ORDS 3 with a published RESTful module (myordsmodule)

- A hybrid mobile application needs to exchange data securely with myordsmodule using OAuth2: Client Credentials

- My APEX hosting plan supports only OAuth2: Client Credentials and does not support OAuth2: First-Party Authentication.

- Oracle SQL Developer is used for ORDS RESTful module creation and management.

Goal:

I am following these articles:

Oracle REST Data Services (ORDS): Authentication

The Ultimate Guide to Mobile API Security.

My goal is to secure the client credentials from being hacked if someone reverse-engineers the mobile application.

Questions:

Regarding the following flow mentioned in the above article,

[Figure: oauth2-flow.png]

It turns out that API Server in the above figure is ORDS.

So, using OAuth2:Client-Credentials, I have the following question(s):

1) How to implement steps (4), (5) and (6)?

2) Are there any specific documents or tutorials?

@thatJeffSmith-Oracle

@Carsten Czarski-Oracle

@Kris Rice-Oracle

@Kiran Pawar

@Mike Kutz

I would appreciate any help.

Regards

Mahmoud


Answers

  • Kiran Pawar
    Kiran Pawar Member Posts: 2,951 Bronze Crown
    edited Jul 3, 2017 2:59AM

    Hi Mahmoud,


    Is your mobile application a native mobile application or apex mobile application?

    The following articles by Carsten describe the use of OAuth with ORDS for authentication (please translate):

    The following presentation by Richard Martens demonstrates the use of OAuth-based authentication for integrating Oracle APEX with social sites:

    Hope this helps!

    Regards,

    Kiran

  • Carsten Czarski-Oracle
    Carsten Czarski-Oracle Consulting Member of Technical Staff, Munich, Germany, Member Posts: 1,313 Employee
    edited Jul 3, 2017 4:13AM

    Hi Mahmoud,

    note that the "Client Credentials" flow is only appropriate when the client can store its credentials (==> the "client credentials") securely. Typically this is used in server-to-server scenarios, e.g. the Oracle Database talks to a REST service within the enterprise.

    For a mobile application to be rolled out on external devices, the client credentials flow is not the appropriate method, simply because of the root problem you are stating here: somebody could reverse-engineer the application binary and extract the credentials. Exactly for those scenarios, the OAuth spec defines its other authorization flows: Implicit Grant, Authorization Code:

    https://tools.ietf.org/html/rfc6749

    So you might want to have another look at the authorization method for your applications. And (of course) this has to work with your hosting provider.

    I hope that helps

    -Carsten

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 3, 2017 7:35AM

    Kiran and Carsten,

    Thanks a lot for your help.

    - My mobile application is hybrid, as stated above.

    - If I am not wrong, OAuth2: Implicit Flow is two-legged. However, it requires user interaction. Does that mean another ORDS login/authorization screen appears to the user? If yes, how to avoid that, as it is inappropriate?

    - An approach which might be wrong and might not be best practice:

    (1) Use an OAuth2: client-credentials protected ORDS module myloginmodule. The client credentials are stored in the app source. The module has a PUT handler to log in and audit. In its response, the PUT handler returns the role of the user and the client credentials of the module myrestoperations.

    (2) myrestoperations could be reached with the returned role and client credentials (over HTTPS). It contains all database operations. By the way, I have three roles and three dedicated client credentials, one for each.

    I would appreciate any help.

    Regards

    Mahmoud

  • handat
    handat Member Posts: 4,688 Gold Crown
    edited Jul 5, 2017 1:41AM

    Step 5:

    API server validates username or email and password against DB by hashing the password and comparing the hashed value to the hashed value stored in the DB.

    The password is never stored in the DB at all, only its hashed value.

  • Kiran Pawar
    Kiran Pawar Member Posts: 2,951 Bronze Crown
    edited Jul 5, 2017 2:20AM

    Hi Mahmoud_Rabie,

    Recently I found the documentation for the following OAuth functions introduced in the APEX_WEB_SERVICE API for Oracle APEX 5.1:

    These functions might help you with designing the solution for this issue.

    Regards,

    Kiran

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 5, 2017 7:29PM

    How could these functions help me if I have ORDS web service modules, not APEX web service modules?

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 5, 2017 7:31PM

    Handat,

    Thanks a lot.

    I think you are talking about something like what I am searching for in the following thread:

    What do you think?

    I appreciate your help and ideas.

    Regards

    Mahmoud

  • handat
    handat Member Posts: 4,688 Gold Crown
    edited Jul 5, 2017 9:58PM

    Basically, everyone on that thread is advising you to hash the password in the database and has shown you samples of how to do it using the Oracle DBMS_CRYPTO package, which is all good advice. Some hashing algorithms are harder to crack than others, so over time the DBMS_CRYPTO package has been updated by Oracle to use newer methods; it would be sufficient to use what is available in DBMS_CRYPTO unless you have high security requirements that mandate specific algorithms or ciphers.
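    Handat's two posts (the step 5 description and the DBMS_CRYPTO advice) are illustrated below with a constructed PL/SQL example; it is not code from the thread or from Oracle, and the table and package names (app_users, app_auth) are hypothetical. It assumes Oracle Database 12c or later (for DBMS_CRYPTO.HASH_SH256) and EXECUTE privilege on DBMS_CRYPTO. Only a random per-user salt and the hash of salt || password are stored; verification re-hashes the supplied password and compares hashes, so the password itself never reaches a table.

```sql
-- Constructed example, not code from the thread. Assumes Oracle 12c+ and
-- EXECUTE on DBMS_CRYPTO. Names app_users / app_auth are hypothetical.

CREATE TABLE app_users (
  username   VARCHAR2(100) PRIMARY KEY,
  pwd_salt   RAW(16)       NOT NULL,   -- random per-user salt
  pwd_hash   RAW(32)       NOT NULL,   -- SHA-256(salt || password); password itself is never stored
  user_role  VARCHAR2(30)  NOT NULL
);

CREATE OR REPLACE PACKAGE app_auth AS
  PROCEDURE create_user(p_username IN VARCHAR2, p_password IN VARCHAR2, p_role IN VARCHAR2);
  -- Step 5 of the flow: returns the user's role on success, NULL on failure.
  FUNCTION  verify_user(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN VARCHAR2;
END app_auth;
/

CREATE OR REPLACE PACKAGE BODY app_auth AS

  -- Salted SHA-256 over the UTF-8 bytes of the password.
  FUNCTION hash_pwd(p_salt IN RAW, p_password IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.HASH(
             src => UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
             typ => DBMS_CRYPTO.HASH_SH256);
  END hash_pwd;

  PROCEDURE create_user(p_username IN VARCHAR2, p_password IN VARCHAR2, p_role IN VARCHAR2) IS
    l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh salt per user
  BEGIN
    INSERT INTO app_users (username, pwd_salt, pwd_hash, user_role)
    VALUES (LOWER(p_username), l_salt, hash_pwd(l_salt, p_password), p_role);
  END create_user;

  FUNCTION verify_user(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN VARCHAR2 IS
    l_salt RAW(16);
    l_hash RAW(32);
    l_role app_users.user_role%TYPE;
  BEGIN
    SELECT pwd_salt, pwd_hash, user_role
      INTO l_salt, l_hash, l_role
      FROM app_users
     WHERE username = LOWER(p_username);

    -- Re-hash with the stored salt and compare hash to hash; UTL_RAW.COMPARE returns 0 when equal.
    IF UTL_RAW.COMPARE(l_hash, hash_pwd(l_salt, p_password)) = 0 THEN
      RETURN l_role;
    END IF;
    RETURN NULL;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: still do one hash so response time does not reveal whether the username exists.
      l_hash := hash_pwd(DBMS_CRYPTO.RANDOMBYTES(16), p_password);
      RETURN NULL;
  END verify_user;

END app_auth;
/
```

    An ORDS PUT handler for login would pass the request's username and password binds to app_auth.verify_user and return the role (or a 401) without ever writing the password anywhere. One caveat on handat's "newer methods" point: SHA-256 is a fast hash, so where the platform offers a deliberately slow, iterated password KDF, that is preferable to a single salted hash; the comparison-of-hashes structure above stays the same either way.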

  • Kiran Pawar
    Kiran Pawar Member Posts: 2,951 Bronze Crown
    edited Jul 6, 2017 1:51AM

    Hi Mahmoud_Rabie,

    Mahmoud_Rabie wrote:How could these function help me if I have ORDS web services modules not Apex web services modules?
    • APEX_WEB_SERVICE API is not only for Oracle APEX Web Services.
    • APEX_WEB_SERVICE API is for consuming the web services and not for hosting the web services.
    • APEX_WEB_SERVICE API is for consuming all types of web services SOAP/REST.
    • APEX_WEB_SERVICE.OAUTH_AUTHENTICATE function can be used for OAUTH based authentication function you are building for your Mobile application. (See the REST Client Assistant packaged application about the usage).

    Regards,

    Kiran

  • Mahmoud_Rabie
    Mahmoud_Rabie Cloud Solution Architect, Member Posts: 3,216 Bronze Crown
    edited Jul 6, 2017 5:11PM

    Kiran,

    I appreciate your help

    APEX_WEB_SERVICE API is for consuming the web services and not for hosting the web services.APEX_WEB_SERVICE.OAUTH_AUTHENTICATE function can be used for OAUTH based authentication function you are building for your Mobile application. (See the REST Client Assistant packaged application about the usage).

    The hybrid mobile app is not built with APEX; it is built with Ionic. This mobile app (not APEX) would consume the RESTful web services that are created on ORDS and secured by OAuth2: Client Credentials.

    I think we are talking about steps (5) and (6). Therefore, I have the following questions:

    (1) How could APEX_WEB_SERVICE.OAUTH_AUTHENTICATE be used to authenticate against the OAuth2: Client Credentials protected ORDS web service?

    (2) Assume I have a PUT handler to AUTHENTICATE and AUDIT. Could I use APEX_WEB_SERVICE.OAUTH_AUTHENTICATE in that PUT handler? Could you provide an example of the PL/SQL used?

    (3) APEX_WEB_SERVICE.OAUTH_AUTHENTICATE has the client credentials as input parameters. So, the question still stands: how to secure the client credentials from being stored in plain text in the mobile app? Another question: how to send the client credentials encrypted or hashed over the internet?

    Regards

    Mahmoud
