I have inherited an application that has fairly well obfuscated, but still hard coded database password inside. The connection with that database is made using a certain database user and this password. The application users are authenticated against a user table in this database. Changing this behavior is outside the scope of my responsibility. Now the customer wants to regain the power over this database user password. He wants to change it himself. How do I go about it? I have few ideas but I would like to know whats is the best way to provide that password securely to my application?
Related
I'm creating the user authentication in a web application, and I want to use Identity Server for resource protection.
The sample code and documentation shows how the user logs into Identity Server after creating an account for it. That is to say, they log in with their own Identity Server account. The quickstart even provides a UI.
But I don't want users of my application to have to log in to Identity Server, an external website. I want them to only have to log in to the web application.
So how to proceed? It just doesn't seem at all clear from the documentation how you're supposed to handle this scenario, which I would have thought would be the most common.
Do I just use a pre-defined API scope and user for token validation, holding for all the website's users? That doesn't seem to be very secure given that any user of the website or anyone with the client name and secret would have a valid token. Not sure what the point is in having the security if it's that easily worked around.
Or do I interact with my Identity Server instance somehow after the user is registered in the web application, and store the new user in a database? I can't find any mention of this in the documentation . It all seems to be very muddled to be honest.
Please could anybody shed light on some of this? What is the "standard" approach here? To have the user sign in to the external Identity Server website? That seems a great way to annoy your users.
If you only have one application and you don't intend to add more applications that needs to share users, then you should look at ASP.NET Core Identity
The whole point with OpenID-Connect/IdentityServer is to delegate the managing and handling of users/passwords (authentication) to a central entity. So individual applications don't need to deal with that complexity. IdentityServer is useful when you have multiple applications or if you have more complex integration needs. It is also perfect if you need to customize it to your own needs. If you don't need the customization part you can also outsource it to someone else like Auth0 that give you an IdentityServer like experience as a service.
Need some help trying to figure out my authentication options for using the embedded service in an app owns data scenario.
Is the only way to authenticate and generate tokens by using your Azure AD credentials? I have went through the examples and got everything running just fine but....
Here at the university that I work at our credentials change every quarter. This means all 10 or so apps where I need embedded reports will have down time as I update this information every quarter. This is going to create a lot of work. Not only that but I really don't like the idea of the rest of the developers on the team managing the code having access to my personal AD account which is tied to lots of other personal university resources..payroll.. etc..
Am I missing something is there not another way to go about setting this up?
Is there anyway to setup a separate membership provider to authenticate against?
Thanks for your help.
Perhaps a service principal is a better approach for you. Instead of using a service account with a username and password you use a secure API KEY instead.
See below link, there are some limitations using a service principal as apposed to a master account:
https://learn.microsoft.com/en-us/power-bi/developer/embed-service-principal#service-principal-vs-master-account
But no, your not missing anything you if you want to use app owns the data model with a master account you'll have to know the username and password and ideally that should be a limited account that only has the access it needs, is not on the same password policy as normal user accounts where its password can expire etc.
I have a Xamarin app that uses Easy Table and uses "Allow anonymous access", this means anybody can access my Easy Table as long as they have the URL. So to increase the security of my app, I would like to allow only my Xamarin app to access the Easy Table I created.
Can this be done by changing the Easy Table option from "Allow anonymous access" to "Authenticated"? And if this is the case should I create an account in Active Directory/Facebook/Google and have the username/password embedded in my Xamarin app such that it can authenticate first before accessing the Easy Table?
Note, I have my own user authentication based on user email address and password and it is working okay, but this is on an application level authentication only(i.e., if users provides correct email address and password, they are able to order, view history, etc.). This obviously will not prevent other apps in accessing my Easy Tables as this authentication uses the Easy Tables in the first place.
Thanks everyone!
I'd like to know what the best way to keep the different users' database accesses under control is. Since I'm implementing the common scenario of making users login to the app before accessing certain pages, I thought that it would be also nice to restrict the database access to only the data each user needs to see by creating views and new users at database-level granted just certain permissions. Those database users will have the same usernames that those users have for accessing the app, and so, when users are loging in, I could access the database with the username they are providing on the application form... Is this the correct way to proceed?
Thanks!
Speaking of a web application, the common practice is rather to have a pool of connections with a unique user.
Each request uses an already open connection from this pool. This way you'll get much better performances. (connections already open, cache of the prepared statements, ...)
As for which data the users should have access to or not, this should be coded in the service layer of the application, not in the database (in the web-application culture, I would say).
Moreover, the system you describe will be a pain to maintain proper synchro between application users and database users.
I'm just wondering if there's any way for WPF application integrated with windows live ID?
and it's actually for windows health vault [www.healthvault.com]
so health vault is using windows live id or open id to login into their system.
and what i gonna do is, creating wpf application (instead of web application) for health vault, so all of the login form username pass and everything is handled inside the wpf application without showing/using any internet browser.
so since this's quite new for me, i hope if there's somebody ever did this before especially for health vault system that run on standalone wpf app.
alright, so that's it,
thank you in advance!
You need to use "offline" authentication, instead of "online" authentication.
Online authentication requires the user to login every time through a web browser. This is good for web applications, but not good for applications like your's.
Offline authentication lets your application access the user's HealthVault record any time it wants to. The user never has to login. To use this, the user must go through a one time connection process. This is done using a connect-request. After the user goes through this process, your application is given two authentication tokens: a person-id and a record-id. These are what your application uses to connect to the user's HealthVault record, so they should be saved to a database or somewhere similar.
This MSDN page should help: http://msdn.microsoft.com/en-us/healthvault/cc507205.aspx