This section describes the security measures implemented in SearchAPI.

SearchAPI uses JSON Web Tokens (JWT) to secure all communication between clients and the API. JWT is an open standard for securely transmitting information between parties as a JSON object. A token consists of a header, a payload, and a signature: the header and payload are base64url-encoded and signed, and the signature is appended to form a compact, self-contained token.

The use of JWT provides several advantages in terms of security for our API. It ensures the integrity of data by digitally signing each token, making it tamper-evident. Additionally, JWT allows for stateless authentication, meaning the server does not need to store any session information. This improves scalability and reduces the

We highly recommend that you familiarize yourself with the security guidelines presented here to ensure the proper implementation and usage of SearchAPI. By following these guidelines, you can maximize the security of your API interactions and protect the confidentiality and integrity of your data.

Authentication

Methods

Local

This authentication method stores user credentials in a CSV file. The file has the following headers: id, account, password, email, roles, and disabled.

  • ID: Unique ID for the user
  • Account: User credential necessary for the login
  • Password: User password
  • Email: User email
  • Roles: List of different role names assigned to each user
  • Disabled: Boolean indicating whether the user account is disabled

Note

It's important to note that using a CSV file for authentication has limitations and may not be suitable for production systems with large user bases. However, it can serve as a simple example or proof of concept. In practice, more robust and secure methods, such as using databases, user directories, or authentication services, are typically employed for user authentication.

Configuration

```python
'local': {
    # path to the users CSV; join as in os.path.join, SERVER_PATH is the server root directory
    'file': join(SERVER_PATH, 'config', 'auth', 'users.csv')
}
```
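The loading and checking of the local users.csv, as an added example that is not part of SearchAPI. It assumes two things the page does not specify: the password column holds a salted PBKDF2 hash in the form pbkdf2_sha256$iterations$salt$digest rather than plaintext, and the roles column separates role names with ';'.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Assumption (the page does not say how passwords are stored): the password
# column holds "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>", never plaintext.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        rounds, salt, expected = int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:  # malformed stored value: reject rather than crash
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

# Constructed users.csv with the headers the page lists: id, account, password, email, roles, disabled.
USERS_CSV = (
    "id,account,password,email,roles,disabled\n"
    f"1,alice,{hash_password('correct horse')},alice@example.test,admin;search,false\n"
    f"2,bob,{hash_password('hunter2')},bob@example.test,search,true\n"
)

def load_users(csv_text):
    """Parse the CSV into a dict keyed by account; roles become a list, disabled a bool."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        users[row["account"]] = {
            "id": row["id"], "account": row["account"], "password": row["password"],
            "email": row["email"],
            "roles": [r for r in row["roles"].split(";") if r],  # assumed ';' separator
            "disabled": row["disabled"].strip().lower() in ("true", "1", "yes"),
        }
    return users

# A dummy hash is verified for unknown accounts so a lookup miss costs the same as a bad password.
_DUMMY = hash_password("unused")

def authenticate(users, account, password):
    """Return the profile (without the password field) on success, otherwise None."""
    user = users.get(account)
    ok = verify_password(password, user["password"] if user else _DUMMY)
    if user is None or not ok or user["disabled"]:
        return None
    return {k: v for k, v in user.items() if k != "password"}
```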


LDAP

Configuration

```python
'ldap': {
    'authentication': 'SIMPLE',
    'url': 'ldap://localhost:10389',
    'bindDN': 'uid=admin,ou=system',  # Bind DN or user
    'bindCredentials': 'secret',  # password
    'searchBase': 'ou=users,ou=system',
    'searchFilter': '(uid=%s)',
    'searchAttributes': ['uid', 'cn', 'sn', 'displayName'],
    'attributesMapping': {
        # key is the property name stored in the SEIA user profile,
        # the value is the user attribute in LDAP
        'id': 'uid',  # _id is required
        'account': 'uid',  # account is for roles and group expansion
        'email': 'uid',
        'firstName': 'cn',
        'lastName': 'sn',
        'name': 'cn',
        'displayName': 'alias',
        # if the alias is not given, one is created from the first and last name or roles
        'groups': 'ou',
        'photo': 'photo'
    }
}
```

SAML

Configuration

```python
'saml': {
    'debug': True,  # development setting
    'clientID': 'f6d3696a-1780-4614-9792-7744b67ab462',
    'serviceUrl': 'https://login.microsoftonline.com/cc4e4bb7-5cce-4b65-80e1-f282b630ca4b/saml2',
    'logoutUrl': 'https://login.microsoftonline.com/cc4e4bb7-5cce-4b65-80e1-f282b630ca4b/saml2',
    'callbackUrl': 'http://localhost:8085/es/auth/saml/callback',  # local development URL
    'certPath': '...',  # path to the IdP signing certificate (value not present on the page)
    'attributesMapping': {
        'id': 'http://schemas.microsoft.com/identity/claims/objectidentifier',
        'account': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'displayName': 'http://schemas.microsoft.com/identity/claims/displayname'
    },
    'cookie': {
        'path': '/',
        'samesite': 'lax',
        'httponly': False,  # False lets page scripts read the cookie; use True in production
        'secure': False  # False sends the cookie over plain HTTP too; use True in production
    }
}
```

OIDC

Configuration

```python
'oidc': {
    'client_id': 'd55227c4-8b8d-4801-9dd3-22ad25ebc31e',
    # Audience can be omitted, in which case the aud value defaults to client_id
    'discovery_uri': 'https://login.microsoftonline.com/cc4e4bb7-5cce-4b65-80e1-f282b630ca4b/v2.0/.well-known/openid-configuration',
    # requires `import os`; DOMAIN_NAME and PORT come from the environment
    'callback_url': f'http://{os.getenv("DOMAIN_NAME")}:{os.getenv("PORT")}/es/auth/oidc/callback',
    'attributesMapping': {
        'id': 'oid',
        'account': 'email'
    }
}
```

Delegated

Configuration

```python
'delegated': {
    # keys used to verify the signature of the delegated token
    'jwks_url': 'https://login.microsoftonline.com/cc4e4bb7-5cce-4b65-80e1-f282b630ca4b/discovery/v2.0/keys',
    # value the token's aud claim must carry
    'audience': 'd55227c4-8b8d-4801-9dd3-22ad25ebc31e',
    'attributesMapping': {
        # key is the property name stored in the SEIA user profile,
        # the value is the claim name in the delegated token
        'id': 'email',  # _id is required
        'account': 'email',  # account is for roles and group expansion
    }
}
```
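The attributesMapping used by the LDAP, SAML, OIDC and delegated methods works the same way in each: every profile key is filled from the named source attribute or claim, and id is required. The block below is an added example, not SearchAPI code. It implements that mapping with the first-and-last-name fallback the LDAP comment describes, plus the audience and lifetime checks a delegated token needs after its signature has been verified against the jwks_url keys (that verification is assumed to be done by a JWKS-aware JWT library and is not shown).

```python
import time

# Constructed from the page's delegated config, minus the jwks_url (signature
# verification is assumed to have happened already).
DELEGATED_CONFIG = {
    "audience": "d55227c4-8b8d-4801-9dd3-22ad25ebc31e",
    "attributesMapping": {"id": "email", "account": "email"},
}
# Constructed from the page's LDAP attributesMapping.
LDAP_MAPPING = {"id": "uid", "account": "uid", "email": "uid", "firstName": "cn",
                "lastName": "sn", "name": "cn", "displayName": "alias", "groups": "ou"}

def map_attributes(mapping, attrs):
    """Build the user profile: profile key -> value of the mapped source attribute.
    'id' is required; displayName falls back to "firstName lastName" when absent."""
    profile = {}
    for key, source in mapping.items():
        if attrs.get(source) not in (None, ""):
            profile[key] = attrs[source]
    if "id" not in profile:
        raise ValueError(f"required attribute {mapping['id']!r} missing from source")
    if "displayName" not in profile:
        name = " ".join(p for p in (profile.get("firstName"), profile.get("lastName")) if p)
        if name:
            profile["displayName"] = name
    return profile

def validate_delegated_claims(claims, config, now=None):
    """Checks to run on the verified claims: audience, expiry, not-before; then map them."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if config["audience"] not in audiences:
        raise ValueError("token audience does not match the configured audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token has expired or carries no exp claim")
    if now < claims.get("nbf", 0):
        raise ValueError("token is not yet valid")
    return map_attributes(config["attributesMapping"], claims)
```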

Encryption

Role Validation