10 Replies Latest reply on Jul 6, 2017 9:11 PM by Mahmoud_Rabie

    Secure Retrieval of the Client Credentials from ORDS?

    Mahmoud_Rabie

      Hello Everybody,

       

      Given:

      - ORDS 3 with published RESTful module (myordsmodule)

      - Hybrid Mobile Application needs to exchange data securely with myordsmodule using OAuth2: Client-Credentials

      - My Apex Hosting plan supports only OAuth2: Client Credentials and does not support OAuth2: First-Party Authentication.

      - Oracle SQL Developer is used for ORDS RESTful module creation and management.

       

      Goal:

      I am following these articles:

      Oracle REST Data Services (ORDS): Authentication

      The Ultimate Guide to Mobile API Security.

      My goal is to secure the client credentials from being hacked if someone reverse-engineers the mobile application.

       

      Questions:

      Regarding the following flow mentioned in the above article,

      [image: oauth2-flow.png]

       

      It turns out that API Server in the above figure is ORDS.

       

      So, using OAuth2:Client-Credentials, I have the following question(s):

      1) How to implement steps: (4), (5) and (6) ?

      2) Are there any specific documents or tutorials?

       

      thatJeffSmith-Oracle

      Carsten Czarski-Oracle

      Kris Rice-Oracle

      Kiran Pawar

      Mike Kutz

       

      I would appreciate any help.

       

      Regards

      Mahmoud

        • 1. Re: Secure Retrieval of the Client Credentials from ORDS?
          Kiran Pawar

          Hi Mahmoud,

          Mahmoud_Rabie wrote:

           

          Given:

          - ORDS 3 with published RESTful module (myordsmodule)

          - Hybrid Mobile Application needs to exchange data securely with myordsmodule using OAuth2: Client-Credentials

          - My Apex Hosting plan supports only OAuth2: Client Credentials and does not support OAuth2: First-Party Authentication.

          - Oracle SQL Developer is used for ORDS RESTful module creation and management.

           

          Goal:

          My goal is to secure the client credentials from being hacked if someone reverse-engineers the mobile application.

           

          Questions:

          Regarding the following flow mentioned in the above article,

           

          It turns out that API Server in the above figure is ORDS.

          So, using OAuth2:Client-Credentials, I have the following question(s):

          1) How to implement steps: (4), (5) and (6) ?

          2) Are there any specific documents or tutorials.

          Is your mobile application a native mobile application or apex mobile application?

          Following articles by Carsten describe use of Oauth with ORDS for authentication (please translate):

           

          Following presentation by Richard Martens demonstrate the use of OAuth based authentication for integration of Oracle APEX with Social Sites:

           

          Hope this helps!

           

          Regards,

          Kiran

          • 2. Re: Secure Retrieval of the Client Credentials from ORDS?
            Carsten Czarski-Oracle

            Hi Mahmoud,

             

            note that the "Client Credentials" flow is only appropriate when the client can store its credentials (==> the "client credentials") securely. Typically this is being used in server-to-server scenarios, e.g. the Oracle Database talks to a REST service within the enterprise.

            For a mobile application to be rolled out on external devices, the client credentials flow is not the appropriate method - simply because of the root problem you are stating here: somebody could reverse-engineer the application binary and extract the credentials. Exactly for those scenarios, the OAuth spec defines its other authorization flows: Implicit Grant, Authorization Code:

            https://tools.ietf.org/html/rfc6749

             

            So you might want to have another look at the authorization method for your applications. And (of course) this has to work with your hosting provider.

             

            I hope that helps

             

            -Carsten
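What the Client Credentials grant actually puts on the wire, and why Carsten's objection is decisive for a shipped hybrid app, as an added example (not part of the original thread and not ORDS or Oracle code). It builds the RFC 6749 section 4.4 token request, decodes it the way the token endpoint sees it, and then recovers the same pair from a constructed stand-in for an Ionic bundle with one regular expression. The token endpoint URL, client id, client secret and the JavaScript snippet are all constructed placeholders, not values from the thread.

```python
import base64
import re
from urllib.parse import urlencode

# Constructed placeholders: an ORDS-style token endpoint and a client registered for myordsmodule
TOKEN_URL = "https://apex.example.com/ords/hr/oauth/token"
CLIENT_ID = "myordsmodule_client"
CLIENT_SECRET = "s3cr3t-value-1234"


def client_credentials_request(token_url, client_id, client_secret):
    """Build the RFC 6749 section 4.4 token request.

    The client authenticates with HTTP Basic (client_id:client_secret) and asks
    for grant_type=client_credentials. Nothing else identifies the caller, so
    whoever holds the pair *is* the client as far as the server can tell.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def decode_basic_header(header_value):
    """Inverse of the above, as the token endpoint (or a proxy) sees it."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP Basic")
    client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    return client_id, secret


# Constructed stand-in for the JavaScript bundle of a hybrid (Ionic) app that
# embeds the pair. A real bundle is bigger but no better hidden.
APP_BUNDLE_JS = """
var ORDS_BASE = "https://apex.example.com/ords/hr/";
var OAUTH = { clientId: "myordsmodule_client", clientSecret: "s3cr3t-value-1234" };
function getToken() {
  return fetch(ORDS_BASE + "oauth/token", { method: "POST", headers: basicAuth(OAUTH) });
}
"""

_ID_RE = re.compile(r'clientId\s*:\s*"([^"]+)"')
_SECRET_RE = re.compile(r'clientSecret\s*:\s*"([^"]+)"')


def recover_client_credentials(bundle_text):
    """What "reverse-engineering the app" amounts to for a hybrid app: unzip the
    package and grep the bundle. Obfuscation changes the regex, not the outcome."""
    cid = _ID_RE.search(bundle_text)
    sec = _SECRET_RE.search(bundle_text)
    if not (cid and sec):
        return None
    return cid.group(1), sec.group(1)


def attacker_can_mint_tokens(bundle_text, token_url):
    """Stolen pair -> a token request byte-for-byte equal to the real app's."""
    creds = recover_client_credentials(bundle_text)
    if creds is None:
        return None
    return client_credentials_request(token_url, *creds)
```

The last function is the whole argument: the request an attacker builds from the extracted pair is identical to the one the genuine app sends, so the server has no way to distinguish them, and rotating the secret only helps until the next release is downloaded.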

            • 3. Re: Secure Retrieval of the Client Credentials from ORDS?
              Mahmoud_Rabie

              Kiran and Carsten,

               

              Thanks a lot for your help.

               

              - My mobile application is just hybrid as stated above.

               

              - If I am not wrong, OAuth2: Implicit Flow is two-legged. However, it requires user interaction. Does that mean another login/authorization screen of ORDS appears to the user? If YES, how can I avoid that, as it is inappropriate?

               

              - An approach which might be wrong and might not be the best practice:

              (1) Use OAuth2: client-credentials protected ORDS myloginmodule. The client credentials are stored in the App source. The module had a PUT handler to login and audit. In its response, the PUT handler returns: the role of the user and client credentials of the module myrestoperations.

              (2) myrestoperation could be reached by the returned role and client credentials (over https ). It contains all database operations. By the way, I have three roles and three dedicated client credentials for each one.

               

              I would appreciate any help.

               

              Regards

              Mahmoud

              • 4. Re: Secure Retrieval of the Client Credentials from ORDS?
                handat

                Step 5:

                 

                API server validates username or email and password against DB by hashing the password and comparing the hashed value to the hashed value stored in the DB.

                The password is never stored in the DB at all, only its hashed value.

                • 5. Re: Secure Retrieval of the Client Credentials from ORDS?
                  Kiran Pawar

                  Hi Mahmoud_Rabie,

                   

                  Recently I found the documentation for the following OAUTH functions introduced in APEX_WEB_SERVICE API for Oracle APEX 5.1:

                   

                  These functions might help you with designing the solution for this issue.

                   

                  Regards,

                  Kiran

                  • 6. Re: Secure Retrieval of the Client Credentials from ORDS?
                    Mahmoud_Rabie

                    How could these functions help me if I have ORDS web service modules, not APEX web service modules?

                    • 7. Re: Secure Retrieval of the Client Credentials from ORDS?
                      Mahmoud_Rabie

                      Handat,

                       

                      Thanks a lot.

                       

                      I think you are talking about something like what I am searching for in the following thread

                      Re: Best practices of storing passwords in DB

                       

                      What do you think.

                       

                      I appreciate your help and ideas.

                       

                      Regards

                      Mahmoud

                      • 8. Re: Secure Retrieval of the Client Credentials from ORDS?
                        handat

                        Basically, everyone on that thread is advising you to hash the password in the database and has shown you samples of how to do it using the Oracle DBMS_CRYPTO package, which is all good advice. Some hashing algorithms are harder to crack than others, so over time the DBMS_CRYPTO package has been updated by Oracle to use the newer methods; it would be sufficient to use what is available with DBMS_CRYPTO unless you have high security requirements that mandate specific algorithms or ciphers.
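A server-side check for step (5) as handat describes it in reply 4 and as the DBMS_CRYPTO discussion above recommends, written as an added Python example rather than the PL/SQL the thread talks about (this is not code from the original posts). It goes one step beyond "hash the password and compare": every user gets a random salt, the stored record holds only the KDF name, iteration count, salt and derived key, comparison is constant-time, and an unknown user name costs the same time as a wrong password so the login endpoint does not leak which accounts exist. The user names, passwords and the in-memory user table are constructed stand-ins for the database column the PUT handler would read.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters: PBKDF2-HMAC-SHA256 is used because every Python build
# ships it; raise ITERATIONS as hardware allows, or swap in scrypt where available.
KDF_NAME = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
DKLEN = 32


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.b64decode(text.encode("ascii"))


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: kdf$iterations$salt$derived_key.

    The password itself is never stored. A fresh random salt per user means two
    users with the same password get different records, so one cracked record
    says nothing about the others.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([KDF_NAME, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    try:
        name, iters, salt_b64, dk_b64 = record.split("$")
        if name != KDF_NAME:
            return False
        iterations = int(iters)
        salt, expected = _unb64(salt_b64), _unb64(dk_b64)
    except (ValueError, TypeError):
        return False  # malformed record: reject, never crash the handler
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return hmac.compare_digest(actual, expected)


# Constructed in-memory user table standing in for the database.
USERS = {}
# Dummy record so that an unknown user name costs the same time as a wrong password.
_DUMMY_RECORD = hash_password("dummy-password-never-accepted")


def register(username, password):
    """Store only the hashed record for the user."""
    USERS[username] = hash_password(password)


def login(username, password):
    """Step (5): validate the submitted credentials against the stored record."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then reject
        return False
    return verify_password(password, record)
```

Storing the KDF name and iteration count inside the record is what lets you raise the cost later: old records still verify, and you can re-hash a user's password to the new parameters on the next successful login.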

                        • 9. Re: Secure Retrieval of the Client Credentials from ORDS?
                          Kiran Pawar

                          Hi Mahmoud_Rabie,

                          Mahmoud_Rabie wrote:

                           

                          How could these function help me if I have ORDS web services modules not Apex web services modules?

                          • APEX_WEB_SERVICE API is not only for Oracle APEX Web Services.
                          • APEX_WEB_SERVICE API is for consuming the web services and not for hosting the web services.
                          • APEX_WEB_SERVICE API is for consuming all types of web services SOAP/REST.
                          • APEX_WEB_SERVICE.OAUTH_AUTHENTICATE function can be used for OAUTH based authentication function you are building for your Mobile application. (See the REST Client Assistant packaged application about the usage).

                           

                          Regards,

                          Kiran

                          • 10. Re: Secure Retrieval of the Client Credentials from ORDS?
                            Mahmoud_Rabie

                            Kiran,

                             

                            I appreciate your help

                            • APEX_WEB_SERVICE API is for consuming the web services and not for hosting the web services.

                             

                             

                            • APEX_WEB_SERVICE.OAUTH_AUTHENTICATE function can be used for OAUTH based authentication function you are building for your Mobile application. (See the REST Client Assistant packaged application about the usage).

                            The hybrid mobile app is not built by APEX; it is built with Ionic. This mobile app (not APEX) would consume the RESTful web services that are created on ORDS and secured by OAuth2: Client Credentials.

                             

                            I think we are talking about steps (5) and (6). Therefore, I have the following questions:

                            (1) How could APEX_WEB_SERVICE.OAUTH_AUTHENTICATE be used to authenticate against the OAuth2: Client-Credentials protected ORDS web service?

                            (2) Assume I have a PUT handler to AUTHENTICATE and AUDIT. Could I use APEX_WEB_SERVICE.OAUTH_AUTHENTICATE in that PUT handler? Could you provide an example of the PL/SQL used?

                            (3) APEX_WEB_SERVICE.OAUTH_AUTHENTICATE has the client credentials as input parameters. So the question still stands: how to secure the client credentials from being stored in plain text in the mobile app? Another question: how to send the client credentials encrypted or hashed over the internet?

                             

                            Regards

                            Mahmoud