My imagined problem. My c# .net wpf app needs to validate user credentials against azure-ad. Im not using asp.net. I cant ask for the credentials and verify myself so this needs passed off, which in this case requiring oauth to do the work is fine.
All I need from this login is was it successful, and what is the username/email.
My solution to this for wpf is popup a browser window to my websites azure-outh endpoint.
This works great and i can get what i need, however the broswer conveniently saves the password, so next time 'anyone' trys to log in the user name and password autofill.
Looking at the oauth docs, i didnt see anything regarding this (maybe i missed it).
Googling doesnt seem to turn up anything either.
Im not saying this is the only way to do it. All i need is for a employee or customer to use a .net c# wpf exe to verify their credentials against our client/tenant and return back, yes this is indeed a real login.
Also yes this is an answer, but i dont control the oauth page, so thats not valid.
Another answer is using ropc which requires my exe getting the username/password, which only really want to do that as last resort. i dont know what the more valid solutions are. The other problem, is 2-step auth can be enabled which oauth handles nicely.
Any help / thoughts / suggestions / or complete freaking reworks to get that information would be appreciated. Also if im completely off my rocker, tell me (and give a reason why and what i should do ;) )!
Related
i wanna write a c# wpf application for end user, where the user can post messages including a picture to HIS facebook wall, like 'hi, is use a funny program for writing to my wall'.
of course, several different user on several different computers should use my program and i think the on and only setup should be the users 'facebook username' and 'facebook password', BUT i can not find the way to do that. :(
yes i found the way to get a access token
https://graph.facebook.com/v2.11/oauth/access_token?client_id=[foo]&client_secret=[bar]&grant_type=client_credentials
and how i can get the permissions for a user account
https://graph.facebook.com/v2.11/[client id]/permissions?access_token=[bar foo]
but i can not believe that the user must give my application over a complicated way access to his account via a facebook website! is there not way via 'facebook username' and 'facebook password'???
i am searching since hours, but i can not find a solution, so maybe someone has a link our tip for me? thx
So this is my first question on SO and this is my issue...
I have made a widows form app in visual studio for the Client of an organisation application(Like JIRA but not..). I am using a SQL server DB to save data and signal-r to communicate. A user must open the application and be hailed by a msgbox asking for name and pw. Using these creds I need to verify that the user is in the database and that the creds are correct. At the moment I send the data to the server and then check that the creds are valid and then return a bool indicating if it was successful or not, but I'm sure that's not the best way to do it... I've done near to no security(i just started as a junior dev) and have no idea where to start from a security stand point. i would like to save the users names and pw's in the Database as well as the connection id, but I'm not sure what to use. there are lots of examples out there (OAuth,certificate, etc.. (those might be the same thing for all I know right now)) Maybe a few examples would help, I've googled most everything I could think of and have come up with very few examples that are relevant to what i need. Maybe I'm just asking the wrong questions, but some/any help would be nice.
Thanks
LegenBerry
As you have mentioned that your are using SignlR I assume you are using OWIN to host the application.
You should be relying on ASP.NET Identity to perform authentication and authorization.
You may follow the steps documented at https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/ to write a simple cookie based authentication.
Introduction
Okay so I've got a website (PHP) with a database (MySQL). You can create an account on this website and edit your details and so on (let's say date of birth, real name, address, and so on).
Now, what I wanna do is to create a desktop application (most likely c# with WPF) that interacts with a REST api (in PHP) from the website, which will allow to :
Create accounts directly from the application
Log in to your account
Be able to edit your details directly from the application
As of now I only want to do a desktop application, but it might evolve into a mobile app. I don't think that is relevant though.
Creating accounts and logging in
I'm struggling with the create account / log in part. I want it to be as secure as possible. On the website, I'm using password_hash(PASSWORD_BCRYPT) with a cost of 10 to store passwords in the database, and password-verify to check log ins.
Regarding the application, I imagine the way to go is to pass the username and password to the REST api and do the encryption directly on the server side. But sending the password itself sounds terrible so I thought about encrypting it with a secret key that only the application and the website know, so the website can figure out the password and encode it correctly in the database.
If I'm right, what encryption algorithm should I use? If not, how should I do that?
Edit your details directly from the application
I'm thinking about doing the following : Let's say the user has logged in through the application. If the authentication is successful, the server randomly generates a token (I'll probably use ircmaxell's Random-Lib) and send it as a reply to the application. From then onward, when the application wants to make a request to the api, it adds the username to the datas string, and generates a hash (sha256 for example) with the data string plus the token; then the server can repeat the exact process using the token stored in database to make sure the user actually has the right to access/modify his details, and nobody is trying to pretend to be an user he isn't.
I feel like the problem is, if someone listens to the first api reply after the authentication, he gets the token and can use it to act as if he was the user. Would encrypting it with the same process used for the password be enough to make sure this can't happen?
Last but not least, if I want the user to be able to be directly logged in the next time he starts the application, I guess I have to give the token a permanent durability and store it in a file or something on the computer. But that doesn't sound really safe because anyone could just read the file content and figure out the token.
Final questions
So. What do you think ? Does it sound good or am I completely off the tracks?
The website hosting is in http://* so I guess using HTTPS communications is not an option here. I know that's a big problem to create something really secured, but I'd still like to make something as safe as possible with what I have.
Thanks a lot for your advices. :)
Btw I tried to make this as clear as possible, hope it worked. I have close to pretty little knowledge of security, encryption, ... so you'll have to speak like to a 3 years old to me.
I think the first, most important piece of advice I could give is to never try to roll your own security code, unless you are an absolute expert. You'll want to put together a solution based on the frameworks that .net provides for you.
First things first - your REST API. I'd suggest building on top of ASP.NET Web API. HTTPS is mandatory here - if your hosting provider can't give it to you, you need a new hosting provider. It also conveniently takes care of encryption for you.
There are various security options available for ASP, I'd read this for a detailed overview: https://docs.asp.net/en/latest/security/. Using the existing ASP options will also take care of your requirements around user account creation and self-service.
What are some ways to go about signing into a website that you did not build yourself using C# code. All I can really tell about the site is that it is ASP.net. Using Google Chrome, I can poke around the structure of the site. Under the Resources tab in Chrome, in the Cookies section, I see things such as: ASP.Net_SessionId, SiteAuthCookie, user_IsCultureSet, user_RptParams. Wasn't sure if those could be utilized. I know with certain URL's, you can append the username & password to the end of the string, but I figured that is not always plausible with every site. I've never attempted anything like this, so I had no idea where to start. Any ideas?
It depends on whether the site uses forms based authentication (manages its own username/password database) or an external authentication server.
The easiest way to find out what goes on when a user logs in is to start Fiddler or the debugging tools in your browser and look at the requests being made.
Objective
Restrict direct URL access to all pages but Logon.aspx ensuring that a user must be referred to every other page.
Driver
The driver behind this requirement is our internal security department. They feel that this is the only acceptable solution to ensure the application is always secure.
Problem
The problem is two-fold, so let's deal with the first one. If a user is logged in and on a page they can copy the URL, open up a new tab, close the previous tab, paste the URL, and the session is still alive. I understand why this is happening but they are saying we need to keep that from happening. And please don't ask me why, if I could answer that I probably would be convincing them otherwise.
The second part of the problem is that the way the application was originally written (insert really angry face here) two of the web forms are reused for enrollment. This specifically means that those pages are accessible even if the user isn't logged in. However, we have to make it so that they were specifically referred to those pages through the process flow and thus not directly accessible.
As an example for the aforementioned paragraph, consider the following. The user copies the URL to one of the shared forms, opens up a new browser, and pastes in the URL. The session is dead but the form displays for the purposes of enrollment. However, this is problematic because they haven't accepted the terms and they have broken the already fragile flow.
What have I tried?
Honestly, nothing. I'm up here panning for ideas because the best I've seen thus far Googling is stuff surrounding ensure the user is logged in first. Some use cookies and others use the membership provider, but the fact that the user is logged in already doesn't address either of my problems.
I look forward to hearing from you all!
Once user has been logged into the system , what the point of hiding anything which you have given access. but anyways here might be few ways to do this:-
For the first the My suggestion is to wrap your page inside an IFrame and disable the right click, so that you cannot access the view source or link information.
Once above is achievable . you can also attach a token to every URL. then you can check the if token is available or not. If available , request is valid, else invalid request.
I will give you more solution if crossed my mind.