I use IdentityServer4 and Xamarin.Forms. All work fine. But there is a question. When i log in and then exit the mobile application or re-build then, when I log in again, I automatically log in! Without asking for a username and password!
I want to note, I did not log out in IdentityServer, just closed app.
It seems that the server remembers the ip address of the application, and if a request for authorization repeatedly arrives from it, without prior log out, then it automatically log in.
This is my guess. I did not find it in the documentation. And did not find the corresponding records in the database
It's because of the cookie based authentication scheme that is set up on your Identity Server 4. You are logging in through your device browser client so after the user logs in the cookie is left and thus the skip of login screen next time there is an attempt to log in.
Related
I am creating an electron application that connects to an Database and do POST and GET requests to retrieve and insert data into it, the problem is that in the code i have defined my database uri ( im using mongodb)
const uri = "mongodb+srv://<myusesrname>:<mypassword>#cluster0.wqbiu.mongodb.net/query?retryWrites=true&w=majority"
like in the example above, but if i pack my electron app the connection to the database as well as the credentials its visible if someone unpacks the app.asar file and look in the server.js file how i can solve this problem? i dont want any security breaches neither for me or the people that will be using my application, thanks in advance for any answer :)
An application that requires a secure connection to something cannot afford to have any username's or password's hardcoded into its code.
Instead, a procedure of authentication and authorisation is utilised.
Authentication is used to verify the user. IE: They are who they say they are, often achieved via the use of some type of login form.
Authorisation is used to verify the logged-in user is allowed to access the requested resource. EG: Is this user allowed to retrieve a list of all users email addresses from the database.
As a rough guide, a user will login with their username and password. You could use OpenID as well here if you wanted. Once the user is 'logged-in' you could set a cookie or session and save the session id in the DB against the user. Of course, all of this is done over HTTPS.
There are various ways to control the validity of the session such as but not limited to refreshing the expiration date / time every time the user hits the server, auto timeout if the user has not interacted with the server for more than X minutes, etc.
In your app, the user could try and interact with the database at any time, but if the user is not logged in, the server could return the appropriate response and prompt the user to login. Some form of API here is really the way to go.
If the user is logged in then then next step is to authorise the users request, ensuring they are allowed to perform what they are asking before sending a response back. If they are not authorised to access the resource (EG: Edit another user’s post) then an appropriate response is returned indicating so.
As you can see, securing your app will take some work but the result of not doing so could be devastating to you and your users.
What I'd like to do is end all sessions for a user when a user changes/resets their password (using ASP.NET Core Identity). I'm using the oidc-client-js library inside of a SPA. I've figured out how to end the current session for a user and cause any tabs that're in that same session (say, other tabs in the same browser windows) to recognize the session is over via the check session iFrame, but any other sessions (say in an incognito window) still seem to have the session functioning, even if their refresh tokens/all persisted grants for that subject ID have been revoked.
Is there some way to make that iFrame return to the client that the session is over for all sessions, like maybe have the iFrame page be checking the persisted grants for that session or something? I'm okay if a currently issued access_token continues working (they're short-lived), but just want the refresh tokens to be invalidated and the session to end.
Option 1
There is an OpenID Connect Session draft specification which would do what you want - it allows front end clients to check the current session state via an iframe. This is a draft and may not be implemented by ASP.NET Core Identity though.
https://openid.net/specs/openid-connect-session-1_0.html
Option 2
An alternative mechanism for resolving your problem programatically is by putting a check in your token exchange code. Your access tokens will presumably be relatively short lived, and so the front end has to regularly acquire new access tokens (either via refresh token, or by id token on the implicit flow for instance.
In your token exchange you could check for timestamp when the password was last updated.
If it is more recent than the timestamp when the token was issued, then instead of issuing the fresh access token you could return a 401 and manage a redirect to your authentication endpoint by a mechanism of your choice.
This doesn't instantly log the user out of alternative browser windows, because it depends upon the expiry window of your access tokens. If does have the advantage of working cross browser though, because it doesn't depend upon browser specific session information. It can also check for customers who are blacklisted, or who have changed their email address and other checks which might be relevant to a desire to force re-authentication.
For belt and braces you can use both these techniques.
I’m trying to access active directory in our server using Kerberos(GSSAPI).
Firstly try current windows user, if refused, user can input new one.
Most of the documents mentioned Kerberos can authorize without password (current user),but little about login with a new user.
In other soft (e.g. IE) When current user is not accepted, they request me to input a new user/pass. But I got few information about how to imply that.
In Kerberos ,What is the difference between “new user login with password” and “share authority between two links” ?
My goal is to let user input username/password and login AD with Kerberos, if current user is not accepted.(in c++)
The linkage between SSPI and GSSAPI seems to be a huge problem , I searched stackoverflow/google and got about 5-8 quistions/docs ,but none of them seems to help.(I will put links later)
here:ldap_sasl_bind_s(GSSAPI) - What should be provided in the credentials BERVAL structure
What I have tried:
About logging with new user/pass, I got no directions.
About logging with current user (through SSPI), I blocked in the last step - return the 4 byte auth-Id. No idea what to return.
Trying to write 0 or other random number, encrypted and send to server, it just refused.
I have identity server 4 setup and my asp net core app working with it. If you hit a secure endpoint it redirects to Identity Server and you can login. Once you login it then redirects back to the url you were originally trying to access. What I would like to do is check that you have registered in my database before you get redirected. I thought that I could change 'RedirectUris' to a url of my choice but when I do that it has no effect. A breakpoint on that end point is never hit. What do I need to do in order to setup a post identity server login registration screen?
Is this the right way of doing it?
Thanks
Michael
If I understand your problem correctly, you want to get the user details in your application.
IdentityToken contains user name if you include Name scope.
If it is a web application then you may find the name on ((System.Security.Claims.ClaimsIdentity)User.Identity)
You can also add claims as you need, like userid, role etc
Comment
should each client have to 'register' a user with my api specifically?
What's the norm?
Depends on your requirements and what you are requesting for. On my case user must have allowed scope to access the api
I'm implementing a Service Provider proof-of-concept for SAML/SSO authentication using Kentor.AuthServices. The use case is a kiosk style application on which numerous different users may be authenticating one after another as they sign up for our service.
The problem I'm having is as follows: after logging out the user is unauthenticated as expected (User.Identity.IsAuthenticated == false). But when the next user goes to log in, the previously logged out user is re-authenticated without having to enter credentials. Is that expected behavior? If so, is there a way to prevent the behavior (other than manually dumping cookies)?
What is most likely happening is that you are indeed terminating the local session on the SP. But when you try to log in again, the Idp still has an active session and automatically reauthenticates with that one.
To work around that you need to use Single Logout. AuthServices has support for that as of 0.17.0. To enable it, you need to have a service certificate configured (logout messages need to be signed). And of course your Idp must support it. Check for Logout endpoints in the Idp metadata.