I have created Web Tab in salesforce with url of my application. When someone opens that tab and my application gets call, How can I make sure where user who opened it is authorized?
I know I can pass {!User.Email} and other variables to my app to identify user. I guess some sites also send {!Api.SessionId} but I can not find any information about how to authorize using Api.SessionId or any other variables that can be passed.
Update
I found https://developer.salesforce.com/page/Single_Sign_On_for_Composite_Apps which is guide to the question I asked. But not able to find jar for given java classes.
You can use the API SessionID and ServerURL to make a request back to Salesforce via the API. Say with the PartnerAPI. This will confirm that the user did indeed come from a valid Salesforce session. You can confirm other details, such as their email address from the active session as well.
Alternatively, you could create a newer connected app using signed requests. Here the request posted to you app will be signed with using a secret that you can decrypt. This ensures the details haven't been faked or tampered with.
Rather than creating a Composite App you can create a Canvas App. This is a type of Connected App. You can find instructions for setting this up at Creating a Connected App. The Signed Request is POSTed to your web app. See Signed Request Authentication
Related
I'm trying to use one AAD App-Registration for both, a Web-API and a WPF Client APP. I've managed to configure the App-Registration correctly for my Web-API, but now I want to add a Native-Client APP to the same Registration, where a WEB-Registration is allready set up.
It works for me if I'm using only one of them, so if i register only the Web App it works. The same is true for the Native-Client App.
So I'm wondering if it is possible to combine those two and only use one App-Registration.
This is the error I get when trying to acquire a token with both registrations:
MSAL.NetCore.4.25.0.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.
You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.
Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Thank you in advance.
Use one AAD App Registration for both is not recommended although it seems to be able to meet your identity authentication needs. But generally we will need to use app roles or some other configurations, it will be very confusing in this case. It's recommended to use 2 app registrations.
The AADSTS7000218 error means you didn't put client_secret.
I am creating an Angular application, and I am having trouble wrapping my head around the proper way to ensure my application and its users is secure.
I've been reading around many stack discussions, but I believe I am missing some core understanding of what is happening, please correct any errors you see written below.
So far I have a Sinatra server with many (currently mostly hypothetical) resource routes. A user can create an account using an email address and password that is stored in a database after being hashed with BCrypt. When a user logs in, the record is retrieved from the database by email and the password checked for authentication. It is from this point I am not sure how to proceed.
Prior to this I have simply set a session variable and had the server check that the variable exists in order to correctly route logged in users. Now my application is (currently) a single HTML page that uses Angular and ui-router to display different content, so most of the requests are simply returning JSON content.
It is my understanding that Restful applications should generally not use sessions, or rather that the server should respond identically to identical requests and not have its own data that shapes a response. But if I do not store something in a session variable, how could the server know that the client making the request has the correct permissions? And are sessions not stored in the browser anyway, thus not part of the server?
I believe from what I have read, it is possible to create a token which is essentially a large random string, return that string to the client and also store it in a database with a timestamp. The client then provides this token when making requests and the server hits the database to verify it exists and valid. But would the client not also have to store that string in a cookie? I suppose the angular application could store the token in a variable, which would persist while using the ui-router but not if the users navigates using the address bar.
I also do not understand how Basic Auth may or may not fit into this picture. Any help would be greatly appreciated, as well as a pointer to some good resources where I may find a better understanding of these concepts in general.
You want to read up on JWT. There are JWT libraries for Ruby and Angular.
I know you aren't using Node for your backend but a very easy way to see all the pieces working together is to run the angular-fullstack Yeoman generator. It uses JWT and the code is easy to follow.
As far as I can see, whatever you are doing with your sessions can work just fine.
This can be a sample JSON response from the server in case the user is not loged in :
{
"errorCode": 1,
"error": "User not logged in",
"data": {}
}
You can set your own error codes and handle what you want to do. You will send any data only if the user is logged in. For all the pages which don't require authentication, you can set data to whatever you want.
On the angularJS side, you can handle based on error codes, you can redirect the user to the login page and so forth.
The alternate way to support the same on multiple platforms is to use token based approach. The token based approach in simple words work this way.
The user logs in for the first time with his / her credentials.
The server verifies these information and creates a token from which the server is able to decode the user id.
Whenever the client makes the requests, it passes its token with every request.
As the server can decode the user information from the token, it sends or doesn't send the data based on whether that's a right token or not.
The token depends on a secret value. It can be same for all the users or differnet for each based on how you want to implement.
This is all done and you can look at
http://jwt.io/
As #andy-gaskell mentioned, you can look at
http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/
I'm very bad at explaining. Please let me know if any of this doesn't make sense.
you are missing the point of the REST concept. One of the main concepts in the REST apis is that the server should be stateless - this means that you should not store sessions or other "state" in your web server. Every HTTP request happens in complete isolation. Every request should include all data needed by the server to fulfill the request.
But if I do not store something in a session variable, how could the
server know that the client making the request has the correct
permissions?
You can store request scoped variables. This means that they should be only active during the same request. You can store the current logged in user in the request scoped variable. In that way you can get the current user in your invocation of the business method. I'm not familiar with Sinatra but here is the doc: http://www.sinatrarb.com/intro.html#Request/Instance%20Scope
But would the client not also have to store that string in a cookie?
of course you should store your access token in the client side
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/
as #Andy Gaskell suggest take a look at JWT and fullstack application code generators and forget about the basic auth because it's really "basic".
more useful links:
If REST applications are supposed to be stateless, how do you manage sessions?
http://www.sitepoint.com/php-authorization-jwt-json-web-tokens/
Here's the problem I am trying to solve (I'm 100% sure I'm asking the "right" question) in my node.js / angularJS web application:
Authenticated members of the app can "invite" anyone with an email address.
Invitees can register using google (OAth 2.0) or with their email address and password.
In either scenario, it's possible that the invitee chooses to register with an email address (either a google one or one they type in) that differs from the email to which the invitation was sent.
I want to associate the two emails, and am having trouble figuring out how to do so.
My current approach:
The URL in the invitation email includes a unique parameter which references the email of the recipient. When that link is followed, I store that parameter using an angular service - the same that I use for storing the user once they are authenticated.
The problem (or at least one of them):
When I call the google authentication and it, subsequently returns the user to my site via the callbackUrl, my angular service instance no longer has a reference to the initial invitee's email, which I assume is expected since I the user left the angular application and then returned. Thus, I can't compare it to the email returned by the google authentication and, if they are different, prompt the user, join them, whatever.
What is the best way to toss that reference I take from the link that first took the user to the site to the other side of the OAuth process?
Or, is there a different approach entirely I should consider?
You would be able to pass a state parameter in your oath request. Google then returns the same parameter back with the oath response:
https://developers.google.com/accounts/docs/OAuth2UserAgent -> paramater: state
I am writing an travel itinerary app engine application which will interact with the calendars of my users. In order to manage access to my user's calendar I intend to use OAuth 2.0. I looked online for various code examples and the closest to what I am trying to acheive is (http://code.google.com/p/google-api-java-client/source/browse/calendar-appengine-sample/src/main/java/com/google/api/services/samples/calendar/appengine/server/?repo=samples). I have the following questions
1) I find that the server needs access to the application's client id and client secrets. Most of the sample code I have seen so far loads this from a local file. Does AppEngine give some API which will enable me to retrieve the client id and client secret without me having to worry about storing it ?
2) If I have to store the client secret in a secure fashion what are my options ?
3) What is the best way to store a user's access token and refresh token ?
It almost never changes, so hardcode it. It's only really loaded from a file in the sample programs so that you can get the samples running without touching the code.
See 1.
You can use the Google provided Credential class which uses a dedicated kind. Or, given that they are simply strings, you can store them as part of the User kind which your app almost certainly has to track your registered users.
As a tip, separate writing your oauth code from writing your calendar code. I would start by writing an app that only authorises, stores the refresh token, and refreshes the access token. You can test your access token using curl. Once you have that all working, then add your Calendar functionality as phase 2.
I'm trying to figure out CakePHP cookies and meet my slightly unusual authentication requirements.
I have a CakePHP-based data collection system that is now being integrated with a reporting system built with COTS software. The reporting system needs to be access controlled and unless I want to duplicate all user accounts in both systems I need the reporting system to be able to find out if the user is authenticated in my CakePHP system.
The reporting system permits me to load a Java class and execute a function when the client's report request first arrives. So my idea was to
Inspect the incoming report request and extract the cookie used by my CakePHP site for authentication / session identification
Send a request from the Java function to a 'reportauth' action within the CakePHP site with this cookie attached
The reportauth action within CakePHP then checks if the user is logged in to the CakePHP site and returns an encrypted response to the Java function identifying the user's role
I can get the cookie, send it in a request, and separately I can share encrypted information between PHP and Java.
However, when I use a 'fresh' cookie (the cookie that my browser repeatedly sends with requests to the CakePHP site after a new login) in my Java request the response says the user is not logged-in. If I then reload the site in my browser I have been logged-out. I suspect that there may be some extra information in the cookie about user-agent (?) that causes the Java-sourced request to be thrown out and that session destroyed for safety, but I don't know the system well enough. I think I might be seeing CakePHP protecting against session hijacking (which, ordinarily, would make me happy).
Can anyone tell me if there is a way around this issue? Preferably one that doesn't involve custom auth components in CakePHP as the data collection site is already live and my reporting deadline is not far away.
Any help much appreciated.
One workaround:
Get CakePHP to store a random token in a separate cookie, and as a field in the user table.
Then get the Java application to grab the token, and send it to the cakephp application to get the user's details.
Alternatively, have it authenticate with the CakePHP app itself, and pass in the session id to have cake use the right session. Note, setting with that function needs to be done before session_start() is called.