Best practice for OAuth/OIDC SSO with a WinForms app? - winforms

We are adding modern authentication (OAuth/OIDC) to an application that currently uses Windows integrated authentication for single sign on. The user signs into a Windows workstation and those credentials can be used by many applications with authentication happening transparently over Kerberos.
Our app is a dot net web services based application and we have a client for users with browsers and a desktop client in WinForms. The browser scenario is no issue as the identity provider stores information in the browser that can be reused across applications in a similar way to WIA (IWA), but we are unsure the best way to handle the WinForms desktop application case. Currently the WinForms application opens a browser window to authenticate using the typical browser based method. The details from the identity provider are passed through the browser back to the WinForms app using a redirect and a custom protocol based URL.
This all works fine, but the user experience is not super tight and, for the case where the user is already logged in, requires them to press a button in the browser window as current Chromium based browsers seem unwilling to do a redirect without a recent user interaction.
Is there a better way?

The standard options according to RFC8252 are as you describe:
Log in via the system browser
Use either a loopback or private scheme based URL
I have a few blog posts about this and it is a tricky flow. The posts link to code examples you can run that explore the UX a little. You may find that a loopback URL avoids the need for a button click, though personally I think private scheme based URLs are cleaner.
There are UX things you can do, such as an interstitial web page to better control what happens in the disconnected browser. I have seen companies redirect to their own website after desktop logins, to make the UX better.
In the longer term I expect this to be replaced with API Driven OAuth Flows so that you never need to leave the app. For now you may have to live with some UX limitations, but it is the right flow from a security viewpoint.
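The loopback option from RFC 8252 mentioned in the answer above, as an added example (not code from the post or its linked blog): the app listens on 127.0.0.1, sends the system browser to the identity provider with PKCE and a state value, and checks the state when the redirect arrives. The endpoint URL, client id and scope are placeholder assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

static class LoopbackLogin
{
    // Assumed placeholders, not from the post: use your identity provider's values.
    const string AuthorizeEndpoint = "https://idp.example.com/authorize";
    const string ClientId = "desktop-client";
    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static string RandomToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return B64Url(bytes);
    }
    // Returns the authorization code plus the values needed to redeem it at the token endpoint.
    public static async Task<(string Code, string Verifier, string RedirectUri)> SignInAsync()
    {
        string verifier = RandomToken(), state = RandomToken(), challenge;
        using (var sha = SHA256.Create())
            challenge = B64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
        // Ask the OS for a free ephemeral port, then listen on the loopback address only.
        var probe = new TcpListener(IPAddress.Loopback, 0);
        probe.Start();
        string redirectUri = $"http://127.0.0.1:{((IPEndPoint)probe.LocalEndpoint).Port}/";
        probe.Stop();
        using (var http = new HttpListener())
        {
            http.Prefixes.Add(redirectUri);
            http.Start();
            Process.Start(new ProcessStartInfo(AuthorizeEndpoint + "?response_type=code&scope=openid"
                + "&client_id=" + Uri.EscapeDataString(ClientId)
                + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
                + "&state=" + state + "&code_challenge=" + challenge + "&code_challenge_method=S256") { UseShellExecute = true });
            var ctx = await http.GetContextAsync();   // the browser's redirect arrives here
            var q = ctx.Request.QueryString;
            ctx.Response.Close(Encoding.UTF8.GetBytes("Signed in. You can return to the application."), false);
            // Reject responses that were not triggered by this sign-in attempt.
            if (q["state"] != state) throw new InvalidOperationException("state mismatch");
            if (q["code"] == null) throw new InvalidOperationException(q["error"] ?? "no code returned");
            return (q["code"], verifier, redirectUri);
        }
    }
}
```

The returned code is then exchanged at the provider's token endpoint together with the verifier and the same redirect URI.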

Related

Is it possible to mirror a log-In popup window of a web-App using react Native for a mobile App?

Is it possible to build a React Native App with a log-In screen that simulates/mirrors a popup window of a web-App, having in mind that we have access neither to the server nor to the database of this web-app?
Thanks
I think the answer will be no, while this might technically be possible.
You can of course mirror everything an already implemented login does, from the client side, including the HTTP requests to the server but usually that is very uncommon.
What someone usually does is
either use an existing pattern to talk to a backend service
or implement one (also on the backend side)
In general, you do not want to have any security features implemented in the frontend as it can be manipulated.

Using the Google Users Service with jQuery Mobile

I was wondering what would be a better way to let my jQuery Mobile app "know" the user of the app after completing a registration process. Since the handlers in my Python Google App Engine app expect a username, I decided to store the username in localstorage and then use this as part of any request made to the server. But I don't think this is a good design idea (?). After a lot of searching, I have found that jQuery Mobile does not support Google login (please correct me if I am wrong). So I have decided to use the Users Service from the server end. I am confused on how to implement this, since the Users Service from Google has its own sign-in form.
Is it possible to use this same service with jQuery? If so, can i change the design of the sign-in form to blend in with the design of my jQuery app?
jQuery Mobile is just a template designer created directly for mobile web applications using a mobile web browser. It does not possess any connections with server side scripting automatically.
You need to create a connection using server side scripting.
Once you log in using the Google Login, your app associates it with the Google account.
jQuery is just a browser scripting. It does not have an automatic connection with the server unless you connect using AJAX to request to a server, but still need to code the server using HTTP protocol (as a tunnel) and server side scripting language like Java, Python, or PHP.
If you just want to get the "username" using a javascript, you may use REST to get the user information after login. You may look for how JSON or XML REST is created (but putting the username on local storage is not a bad option, without the password, however it may get deleted if you clear the root), but knowing that you are already connected with Google Sign in, just as long as you are already logged in with Google, your app should be able to retrieve the Google username.
Udacity also contains a complete course about web development focused on Google App Engine using Python, and how you may use cookies, password encryption, as well as user login. A detailed information about HTTP protocol is also discussed.
https://www.udacity.com/course/cs253
Note that the course I took existed 2 years ago. It may be different now.

How do I get forms authentication in silverlight to be more resilient?

I have a silverlight application backed by RIA services & EntityFramework. Users log in directly in the silverlight application. We have the [RequiresAuthentication] attribute on the DomainService and have implemented custom MembershipProvider/AuthenticationBase<UserBase> for custom authentication utilizing "forms authentication". All of this is working well to authenticate users.
The problem is that users with laptops using wifi will travel through the building and hand off between wifi access points. As soon as that handoff occurs, the user's session is immediately terminated - with no notice to the user. I would like some way to make the session more resilient. Asp.Net's out-of-the-box forms authentication seems to do this well - as long as you are inside the session timeout and you haven't deleted your cookies, you are good to go regardless of any temporary connectivity issues. What can I do to get my Silverlight app to be at least as resilient as a standard asp.net app?
One thing that might be the issue is that I haven't implemented many of the functions in the MembershipProvider - really only ApplicationName and ValidateUser(). Could that be the source of my problem?

Start WPF application from link in browser?

We have a requirement to start a WPF application with specific parameters from a link in a browser.
We are wondering if this is possible?
As an alternative could we embed the web application in a WPF browser control, and read the values out of the html web page?
Several possibilities:
if you control the browser (i.e. if you are in an intranet scenario, and have the opportunity to deploy applications), you can :
create an activex or plugin that runs the application
register a new uri scheme to interpret the url of kind "yourapplication://yourarguments"
(complex): deploy a listening app run under the user session, and from the web application, ask this listening app to run the target application
reduce the security of the browser (not recommended)
if you don't control the browser:
create a clickonce application... this involves a setup, but which does not require admin privilege
Moving to Silverlight also might be an option, depending on your needs. Silverlight V5 (still in beta) notably adds the ability for an admin to control the rights of the application via a GPO.
Note: My feeling is the latter option (Silverlight) is far more preferable because it's a lot cleaner and has less of a security hole factor. However, it can only be done if your requirements fit into the SL features.
It is not possible to call a client app from a browser. Previously it was possible from ActiveX controls, but for that you need to have a signed library. In WPF you can make a browser-based application, but you can't embed your web app in it.
So partially you are correct: if you used a WPF app you will be able to launch the application on the client side, but with a browser it seems difficult unless you make an ActiveX control,
but still I am not 100% sure whether with an ActiveX control you will be able to launch the app or not.

Silverlight Design Question

I am going to be developing an application for work, and I am trying to decide whether to use Silverlight Business App or Asp.Net Web App. My manager is concerned about the performance and download time it would take if I created the entire application as a Silverlight app, with authentication. I have been playing around with some tutorials over the last week trying to get a perspective on my situation and have come up with a design question I need to ask those that are more experienced than me.
Is it possible to use a Asp.Net application and just embed a silverlight application in one of the pages that will be used inside a folder that is configured with the roles authorization? And if so, would it be possible to get user credentials from the client silverlight app without passing them through the initParams.
I understand that I can set the authentication to "useCookies", so I was thinking I would be able to get the cookie on the client and hopefully get a property verifying if the user is authenticated.
Also, would this be a risky practice? Thanks for any advice and direction.
There are a few approaches you could take. While I know you don't want to expose the credential in init params, you could generate a "ticket" (claims-based authentication) for the credential, and include the ticket (for example, a GUID) in the init params. When the Silverlight application launches, it would consume the ticket, possibly validating it via a secured web service call, and the ticket would no longer be valid so even if someone spoofed it or viewed the source, it couldn't be used.
Quite a bit depends on your architecture. For example, if you are using the roles-based authentication, and most of the business logic and/or decision making is based on web service calls, the web services can use HttpContext.Current.Identity to validate the user. Even if someone opens the Silverlight application, any service calls would fail unless they were appropriately authenticated. Otherwise, I would either go with passing a ticket so Silverlight trusts the user is valid (you can create a service that accepts the Guid and returns the role information) or have the user log in from Silverlight (you have a service facing in front of the authentication mechanism and then return a ticket and/or role information).
It gets even more interesting if you decide to use WCF RIA, check out these examples for baked-in authentication:
http://code.msdn.microsoft.com/RiaServices/Release/ProjectReleases.aspx?ReleaseId=2661
1.) It's absolutely possible to embed a Silverlight xap on an ASP.NET page.
2.) As far as credentials, using cookies could work, or you could pass in a token over initparams and validate that token via a web service to see if the user is valid
It's always a risk passing credentials around, especially when it's running on a client's computer. That said, Silverlight buys you a lot, so don't let the challenge of authentication hold you back.
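The single-use ticket that both answers above describe (issued by the ASP.NET page, passed in initParams, then validated by a web service), as an added example that is not code from either answer. The class and member names are hypothetical, the expiry is an added assumption, and a 32-byte random value is swapped in for the GUID the first answer mentions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical server-side store shared by the ASP.NET page and the validation web service.
public sealed class OneTimeTicketStore
{
    private sealed class Entry { public string UserName; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Entry> _tickets =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    // Assumption: tickets are short-lived, e.g. TimeSpan.FromMinutes(1).
    public OneTimeTicketStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called by the page for an already authenticated user; the result goes into initParams.
    public string Issue(string userName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string ticket = BitConverter.ToString(bytes).Replace("-", "");
        _tickets[ticket] = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow + _lifetime };
        return ticket;
    }

    // Called by the web service the Silverlight client invokes at start-up.
    // TryRemove is atomic, so a ticket is redeemed at most once even under concurrent calls;
    // a copy taken from the page source afterwards is no longer valid.
    public bool TryRedeem(string ticket, out string userName)
    {
        userName = null;
        Entry entry;
        if (ticket == null || !_tickets.TryRemove(ticket, out entry)) return false;
        if (entry.ExpiresUtc < DateTime.UtcNow) return false;   // expired: consumed and rejected
        userName = entry.UserName;
        return true;
    }
}
```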
