I have an HTML5, AngularJS application in which I authenticate users based on Windows authentication. This works fine.
I have a connect option in the application which allows the user to connect to some other data source. To connect, I prompt the user for a user name & password which is sent to a service for authentication. I am using AngularJS $http to invoke the service and pass the credentials as POST parameters.
The problem is I am able to see the credentials in clear text using Fiddler. I switched to HTTPS/SSL but it is still visible in Fiddler. Following are my observations & queries:
HTTPS/SSL only ensures transport-level security. I would like to know whether I should bother about message-level security in a web application if transport-level security is already in place (using HTTPS).
How would I ensure message-level security in JavaScript/Angular?
Interestingly, I used Fiddler with Gmail and Hotmail as well. When I enter credentials on these sites, Fiddler does not capture them. Any idea how this happens on these sites? They must be sending credentials for authentication.
Atul Sureka
Related
In enterprise applications, how do you seamlessly sign in to an application without a login page by reading the Windows AD credentials, using Spring Boot and React?
Ex: if I log in to my desktop using organisation AD credentials, can my Spring Boot/React application read that and auto sign in without a login popup?
Yes, that is possible. There are a few necessary steps you need to perform.
Whenever the user hits the application URL, check the Authorization header and verify whether the Kerberos ticket is present.
If the ticket is not present, respond with the HTTP header WWW-Authenticate and the value Negotiate. Make sure the HTTP status is SC_UNAUTHORIZED (401). (Note: usually the Spring Kerberos filters do this for you. If you are not using the Spring Kerberos filters, then you have to do this negotiation manually as stated above.)
When the browser receives this response, it understands that the application requires a Kerberos token. To ensure that the browser sends the Kerberos token, trust the application URL in the browser settings. Check this link for exact steps.
Once the browser sends the Kerberos token, use the Spring Security Kerberos libraries to accept the token and extract the user principal out of it.
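The challenge/response exchange described in the steps above, written out as an added example (this is my code, not the answerer's and not Spring Security Kerberos). It assumes Node.js-style lower-cased request header names and a hypothetical downstream GSS-API validator that the caller hands the token to; it also classifies the token's framing bytes, because a browser that does not trust the URL (or whose SPN lookup fails) silently falls back to NTLM under the same "Negotiate" scheme, which a Kerberos-only validator will reject with a confusing error.

```javascript
// Added example: the Negotiate handshake decision a backend request filter makes.
// SPNEGO and raw Kerberos tokens use GSS-API framing: 0x60 <DER length> <mechanism OID> ...
const SPNEGO_OID = Buffer.from([0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02]);                  // 1.3.6.1.5.5.2
const KRB5_OID = Buffer.from([0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02]); // 1.2.840.113554.1.2.2
const NTLM_SIG = Buffer.from('NTLMSSP\0', 'latin1');                                                // NTLM message signature

// Classify the raw bytes of a Negotiate token by its framing.
function classifyToken(buf) {
  if (buf.length >= NTLM_SIG.length && buf.subarray(0, NTLM_SIG.length).equals(NTLM_SIG)) return 'ntlm';
  if (buf.length < 2 || buf[0] !== 0x60) return 'unknown';
  let i = 1;                                                // skip the DER length octets:
  i += (buf[i] & 0x80) ? 1 + (buf[i] & 0x7f) : 1;          // short form, or long form 0x8N followed by N bytes
  if (buf.subarray(i, i + SPNEGO_OID.length).equals(SPNEGO_OID)) return 'spnego';
  if (buf.subarray(i, i + KRB5_OID.length).equals(KRB5_OID)) return 'kerberos';
  return 'unknown';
}

// One request through the filter. `headers` is the request header map (lower-cased names).
function negotiate(headers) {
  const challenge = { status: 401, headers: { 'WWW-Authenticate': 'Negotiate' } };
  const auth = headers['authorization'] || '';
  if (!auth.startsWith('Negotiate ')) return { ...challenge, reason: 'no-token' };   // step 2: challenge the browser
  const token = Buffer.from(auth.slice('Negotiate '.length).trim(), 'base64');
  const kind = classifyToken(token);
  if (kind === 'ntlm') {
    // NTLM fallback almost always means the URL is not in the browser's trusted zone or the
    // service SPN is not registered. Re-challenge and log the reason so it is visible.
    return { ...challenge, reason: 'ntlm-fallback' };
  }
  if (kind === 'unknown') return { status: 400, reason: 'malformed-token' };
  // step 4: hand the SPNEGO/Kerberos token to the GSS-API validator (hypothetical, not shown)
  return { status: 200, kind, token };
}

// Constructed sample tokens (not real tickets): only the framing bytes matter for this demo.
const SAMPLE_SPNEGO = Buffer.concat([Buffer.from([0x60, 0x0a]), SPNEGO_OID, Buffer.from([0xa0, 0x00])]).toString('base64');
const SAMPLE_NTLM = Buffer.concat([NTLM_SIG, Buffer.from([0x01, 0x00, 0x00, 0x00])]).toString('base64');

console.log(negotiate({}).status, negotiate({ authorization: 'Negotiate ' + SAMPLE_SPNEGO }).kind,
  negotiate({ authorization: 'Negotiate ' + SAMPLE_NTLM }).reason);
```

Logging the `ntlm-fallback` reason separately from a plain missing token is the useful part for operations: it turns "SSO does not work on this machine" into a concrete browser-zone or SPN problem.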
I am having difficulty understanding the Hybrid flow with a mobile application. I am using the code id_token Hybrid flow provided by Identity Server 4 in .NET.
Here is my scenario.
All mobile requests will go to the backend server, and the backend server will forward the request to different APIs on the user's behalf.
When the user logs in for the first time:
He will be redirected to the identity server
A mobile web view will be opened
User will sign in using credentials
Identity server will send Id Token and Access Code to the Back end Server
Back end Server will swap Access code for Id Token and Access Token
What token will be returned to the mobile application to prove that the user is valid? And is it the responsibility of the Back end server to get a new access token without prompting the user to re-login until the user signs out?
Is there any step wrong in the above scenario?
For mobile clients it's recommended to use the Authorisation code flow along with PKCE. Please read through these two answers to grasp some idea why it's suggested: Link-1 & Link-2.
Also, RFC 8252 provides some best practices for Native Apps (mobile clients are native apps!). In it, it recommends not using web-views.
Here is a quote from the RFC 8252 overview:
Previously, it was common for native apps to use embedded user-agents (commonly implemented with web-views) for OAuth authorization requests. That approach has many drawbacks, including the host app being able to copy user credentials and cookies as well as the user needing to authenticate from scratch in each app
By using a web-view, you lose the true essence of OAuth 2.0. Your client app gets the ability to grasp end user credentials. So use the browser instead of a web-view. (Please read more about embedded user-agents from this link.)
In your architecture, you could enable all of these: PKCE, the Authorization code flow and the usage of the browser instead of a web-view. But once the backend receives tokens, it should pass them to your client. That will be a challenge if you stick to this architecture.
But if you can make your mobile application complete the whole flow, you avoid that complexity. Once tokens are received, you may create a connection with the backend server by validating tokens. Also, when tokens expire, the mobile app will use the refresh token to obtain new tokens.
New to Azure AD... So please don't be too harsh if this is off target. :-)
Technology Stack - Latest Angular 2 with C# Middle tier and latest .Net Framework.
Ideally, what we want to do is use Azure AD B2C to store user credentials and to do the authentication, but we want our 'own' forms on our site to do the login forms capture and logging, then pass the credentials through an API (REST?) call (using the MS Graph SDK?) to Azure AD B2C and then check the call return for the authorization content message.
A couple of reasons: control of the application flow, logging and the "flickering of the URL" (i.e. going from our site URL to the login.microsoft... URL and then back to our site's URL).
Is this doable without doing a hack?
Thank you in advance for your help and patience!
You are looking for the "Resource Owner Password Credentials".
This is not currently supported for Azure AD B2C, but you can give user feedback to the B2C team that you want this through the Azure Feedback Forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library
You should also see updates at that location if and when they implement this feature.
The resource owner password credentials flow is now in preview.
In Azure Active Directory (Azure AD) B2C, the following options are supported:
Native Client: User interaction during authentication happens when code runs on a user-side device. The device can be a mobile application that's running in a native operating system, such as Android, or running in a browser, such as JavaScript.
Public client flow: Only user credentials, gathered by an application, are sent in the API call. The credentials of the application are not sent.
Add new claims: The ID token contents can be changed to add new claims.
The following flows are not supported:
Server-to-server: The identity protection system needs a reliable IP address gathered from the caller (the native client) as part of the interaction. In a server-side API call, only the server's IP address is used. If a dynamic threshold of failed authentications is exceeded, the identity protection system may identify a repeated IP address as an attacker.
Confidential client flow: The application client ID is validated, but the application secret is not validated.
From here.
Note that one disadvantage of doing what you're requesting is precisely that you can do "login forms capture and logging", so your application has a chance to see the credentials and perhaps take copies of them; thus your users have to trust you to behave.
The normal web-based flow means that your application doesn't need to be trusted; it never even sees the password at all.
I'm writing an AngularJS SPA application which calls a RESTful web service. The back-end is being written in JAX-RS, deployed on Tomcat 7. I'm using HTTPS/SSL for transferring data from the SPA to JAX-RS.
Requirements:
I have to do LDAP authentication. (I will send the username & password to the web service and it should do the authentication.)
I have to do the user's session management (because, when an authenticated user sends a request to the web service, the user doesn't have to authenticate again).
Problems:
I think there are two options for doing LDAP authentication:
Make LDAP authentication using core java http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ldap.html
Use Spring Security (I'm not familiar with it and not sure if it's possible. I think I should send the username & password to the REST service. The REST service will have the Spring Security library injected and it'll be possible to use the authentication functionality. Am I right?)
Manage user sessions. Once the user is authenticated, it should be saved somewhere, so that the user can do operations until their logon has expired.
How can I do it?
Which way should I choose? How should I do the LDAP authentication and session management?
Can anyone give any suggestion or example links?
So,
LDAP authentication using JNDI works just fine; you could also use the neat UnboundID LDAP Java API. A simple LDAP bind example can be found here: https://code.google.com/p/ldap-sample-code/source/browse/trunk/src/main/java/samplecode/bind/SimpleBindExample.java .
Note also that you could use a Node.JS module as your backend; the Passport.JS authentication framework, for example, provides lots of features/capabilities relating to authentication and federation (i.e., doing things like 'Login with Google', etc.). See: passportjs.org.
On the Angular/frontend side, your best bet is to use a JWT token. It's all explained in detail with examples here: http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543.
In essence:
Your backend authentication REST endpoint should return a JWT token in the response, once the user successfully binds to LDAP. This token would contain some user data, and should be encrypted (see link above).
Your Angular app should set that token as a cookie on the client browser ("set-cookie" response header) upon successful login (so in the controller of your login view).
The client will then present that cookie/JWT token on every request it makes to your app.
Your app will then need to validate the token presented on every request (in the controller of your SPA). You may also want to add the user authentication data to your $scope so you can use it in your view.
Hope it helps...
I'm about to start a project with WPF which uses a web service to get info etc.
A username and password are required to authenticate you and get data which belongs to you.
I would like my WPF application to store the username and password. But I don't want to store it. So I was thinking: it would be cool if, after I log in for the first time, it would generate a certificate at the WCF end and give it to the WPF application, which can be used for each and every call.
Is what I'm thinking possible? Another problem I would like to tackle is: how do I avoid someone copying and pasting the certificate?
Update
Based on #zamd's suggestion, this is what I would like to solve.
Webservice uses WCF Web Api
Site has forms authentication
Site signs in with Username and Password which is validated by a Token Service
Webservice can authenticate the users token provided by the Token Service
I found this very useful blog article http://weblogs.asp.net/cibrax/archive/2011/02/04/authenticating-clients-in-the-new-wcf-http-stack.aspx but I would like to use Forms Authentication to get the SAML token.
You should look into claims-based security and SAML tokens.
At login, your application should go to your service or a 'security service', also known as a 'Security Token Service', and get a SAML token in exchange for a userName/Password pair. SAML tokens are usually secured for the recipient and can be safely stored on the client side until they expire.
Every time you need to call the WCF service, you can use this SAML token for rich authentication and authorization.
Your understanding of certificate-based authentication is incorrect. Certificates are used for establishing the SSL connection, for encrypting data using asymmetric encryption, and for authenticating the user; but to authenticate a user against a certificate, the certificate should be installed on the user's system and not provided by the WCF service. This requires one to set up a PKI infrastructure.
The other option you can look at is to use ASP.Net Forms Authentication with the WCF service running in ASP.Net compatibility mode. In this case, once authenticated, only the auth cookie would be passed thereafter.
Look at this question for some other ways: User/Pass Authentication using RESTful WCF & Windows Forms
If you have to use a username/password combination, then you can get Windows to store it for you under Windows 7, Windows Server 2008 (and perhaps Vista) using the Windows Credential Manager. You need to fall down to p/invoke calls (http://pinvoke.net/default.aspx/advapi32/CredRead.html and http://pinvoke.net/default.aspx/advapi32/CredWrite.html) for this.
The only issue I had with this is that it didn't work on Windows Server 2003 even though the documentation says that it is a supported OS.