I have pwa blazor .NET 5 app hosted on github. People use this app at work, installed through chrome or firefox or safari on devices. It works offline and updates cache if I change service worker.js and publish it. And all is fine. But how can I manage access for it, since it has to work offline, when some employee resign from work, how can I delete remotely this app on only his devices?
If you're stuck with the pwa offline approach (which, let's be honest, isn't great for security) then the best you can do is encrypt your local storage with a token that's masked only with blazor's built-in obfuscation.
Ideally, you would be able to at least require an externally-hosted identity login when using the app, but if you are truly offline, then obfuscation of an encryption token is the best you can do (if you are stuck with the pwa template).
If you know your users are using windows, you could augment the Pwa with a windows service that provides rotating encryption tokens via encrypted assembles, but that would assume you would be willing/able to do installs of windows services on each user machine, and it wouldn't keep the user out of the app.
Hopefully, you didn't locally store any health/financial info or social security numbers, and you encrypted the local store with an obfuscated token.
Another thing you could do is require logins with an idp server at regular intervals. This would at least keep the window of exposure smaller. You would still be able to work offline most of the time.
I would try the following
On load of app check connection to server.
Validate employee status, if active then store active status check date and next mandatory validation datetime in local storage.
If Not active, Delete data.
If not connected, check local storage for mandatory validation, if expired then force to connect to server.
PWA without local cache is useless, you can delete local cache if validation fails.
Uninstall PWA is not possible from app.
Related
I have an ASP Core web app that connects to an Azure SQL database.
The users (a handfull of people) can log into the web app using Microsoft, Google or Facebook logins.
Since I've lost my appetite for developing web apps, I want to turn this app into a desktop app.
This presents a number of problems, obviously, with regards to keeping the database credentials safe on the local machine where the app will be running.
I know the advice is to use a web service as data layer between the app and the database, but since I want to scale down my web development activities, not scale them up, this is not a preferred scenario.
I've looked at using DPAPI to encrypt the credentials, but that would mean the credentials need to be encrypted on the local machines. Ideally I'd encrypt them on my machine in a way they can't decrypt them.
Since that's impossible, I don't think this scenario can work.
Ideally I'd have them connect to the database directly with unique credentials, without me having to manage all these accounts manually.
So, is there a way to have users login to Azure SQL using the same 'socials' they use to log in at the moment?
Cheers,
CJ
For instance, how will you prohibit users from removing data from other users. To keep people from updating data from other users and from inputting enormous volumes of data.
As suggests in comment by MaaretenDev building API seems to be best suited. Create an API that will allow you to get greater sophistication and control over the database. Consider utilizing an API instead than direct database access since it causes more difficulties than it solves.
Else you can leverage Azure Active directory users to login so as to have the control.
Note: The new admin name (user or group) cannot already be existing in the virtual master database as a server authentication
user when setting up the Azure AD admin. If such an admin (name)
already exists, the Azure AD admin setup will fail, rolling back its
creation and notifying that such an admin (name) already exists.
Because such a server authentication user is not a member of Azure AD,
any attempt to connect to the server using Azure AD authentication
fails.
I've tried to use GCPs Secret Manager in a Winforms C# app I'm creating but I need credentials.json to access the Secret Manager in the first place. This is fine for development but not in production. Perhaps I shouldn't be using a secret manager at all.
Currently I have a local C# winforms app, the user (a customer not admin) using the app locally can select files from the Windows filesystem and upload these files to Google Cloud Storage bucket. I don't have a server at all but if I should I'm not sure what sort of logic should be inside it.
From the comments I think the server should be the middle man that the user logs into, user gets a token and then the user can upload files to gcloud storage bucket via the server using the token. That way I never really give the user a credentials.json file in the first place.
For this architecture I thought I should use a Service Account because the server would be making the gcloud storage bucket upload calls on behalf of an authenticated user but then i see from John Hanley that User Credentials are assumed to start in an insecure environment and I'd want to have the info of "what user did what" in the audit logs.
In my development build I'm storing credentials.json outside of my project directory and pointing to it using environment variables. This works but this answer suggests I encrypt it using Google KMS and decrypt in the application.
In the comments I see that this is not really secure because the Service Account credentials could be exposed.
As per this answer dlls can be decompiled to equivalent C# code, so anybody would be able to see what I've used to decrypt the key.
So now I want to know what architecture should I be using in production and how to make it secure?
I'm thinking of making a GAE instance that stores user information in a database, gives authenticated users a token and uses this token when making calls to upload to gcloud storage bucket. Is this sufficient for a production app?
So I think I'm mainly supposed to use Secret Manager with Service accounts and one of GCPs engines (GAE or GCE) by using the Application Default Credentials instead (please correct me if I'm wrong).
No, you should use a custom service account with the permissions you need when running your workload. You should not store service account credentials in Secret Manager.
While developing an on-premise, intranet-only REST API server for my company, I managed to completely confuse myself regarding authentication issues.
I have:
A REST web server implemented in C#, using self-hosted Nancy, running as a Windows Service
A C# client that can query the server, run by a user in our company
I do not have:
Any form of access to our Active Directory and/or domain controller, apart from what any application running under Windows normally has
Any way to influence AD settings or configuration
Active Directory Federation Services (ADFS) (I think. We use Windows 7 and Office 2010, just to give some perspective on the state of the software landscape)
Azure Active Directory (AAD)
I want:
A way for the server to authenticate that a request is made by a user of our company
It is perfectly fine if the client has to sent some additional authentication data with each request, as long as it does not contain the user's password in any form
I do not want to:
Have to set up any additional software (my server must be minimum configuration and maintenance, so the average user can install and run it)
Install / configure / maintain an IIS server (see above)
Use ASP.net (way too big for my needs, plus see above point(s))
Handle user passwords in any way (company policy and common sense)
Impersonate the user (I only need to validate the authenticity of the request)
Implement my own user account database. We already have half a dozen services that need their own username/password combinations, I do not want to add yet another one
I have read articles that show how to use Windows authentication with IIS, or how to use Azure Active Directory (AAD) with Nancy. Other questions here have already informed me how to authenticate username / password combinations against the Active Directory. However, none of these satisfy all of my requirements or have requirements of their own (like AAD/ADFS) that I cannot meet.
It seems that Kerberos/SSPI might be what I want, but it seems very involved and quite complicated to get working with C#. It is possible I will have to go this route, but I could really benefit from some minimal working example (the accepted answer provides a C# implementation/wrapper, including an example project, but I can't seem to be able to make heads or tails of it).
Maybe I am naive, but what I image the solution to be is something along the following lines:
The client queries a service (AD, Domain controller, ...?) for some form of authentication token, using the credentials of the currently logged in user
The token is then sent to the server together with the username, as part of the request that needs to be authenticated
The server extracts the token, and queries the same service (AD, Domain controller, ...) whether the token is authentic, valid and belongs to the user in question
Is this possible at all? Ideally, with some sort of ready made library that I can plug in to my projects (I'm reaching, I know)?
You can do this with stateless authentication and Jwt. Send a username and password to "/ auth" (example) and "/ auth" will search the AD (example) and validate if the user exists, then create a Jwt token with the name of the user on load. When you make a request, you will only send a Jwt token and Nancy validates the token.
For the past 2 years we have created 3 desktop application and 2 admin section(web) for one of my client.
Every application uses its own authentication process.
I have merged the authentication process for web in single unit.
But the client wants to have one screen for getting authenticated on desktop application as well as on website.
he also want to use different browser and the username /password should be asked only once irrespective of browser opend.
I tried to use cookies for web. but every browser has got its own cookies.
Can any one suggest how can i authenticate a user for the whole computer so that authentication information is available to desktop application as well as to website irrespective of the browser being used?
Edit: As suggested by joe using windows authentication is not possible in my case.
So i created one more table with following column
ip,userid,authenticatedat
when ever a user is authenticated i insert its ip,userid, and time in table.
when ever a non authenticate user comes first i look in the table if the ip is present and authenticatedat is within 30 min i assume user is authenticated and set the session/variable with data required.
This i have checked and found it is working .
I have found this is not secure.
Windows authentication is the only way I know of doing this. Assuming your users are on a domain you control, then their Windows credentials would validate them, and they wouldn't ever need to enter a username and password.
Outside of that, I can only think of hacky dirty methods of making this happen. You could install a single authentication service on their machine which is available to connect to remotely from other applications - those apps would call your service, and that service would authenticate the user and pass an authentication token back. Easy enough for Windows apps, but making that work on a web app wouldn't be fun. Your web server wouldn't be able to talk to this service, so you'd have to rely on the client javascript talking to the service and retrieving a token or hash, and then the javascript passing this on to the web server.
Anything you put on a local machine, you have to assume the user can reverse engineer and manipulate, so if you need real security, I doubt you'll find a solution. Best bet is just to make the user log in every time you need to, and have your authentication/authorization code on your web service layer.
I am trying to add Windows authentication to an existing website that I have created. All information that I have read regarding using Windows authentication in silverlight requires that you start with the Silverlight Business Applicaion template instead of the Silverliight application template. I already have a website that I started writing using the Silverlight Application template. How can I add windows authentication to this existing website?
If your application is hosted in IIS and this is a intranet site, you just need to set the application in IIS authentication method to Windows Authentication, then when the client tries to load the SL App a 401 challenge will trigger asking the user to enter in his/hers credentials. You can also set IE to pass with windows credentials to the server when the site is loaded.
I have had spent quite a bit of time tweaking various properties to get the right functionality that i am looking for (especially with machine names being fully qualifies or not) but basically that's one thing to keep in mind when debugging this is that machines names play a role in how the server interprets a client trying to access the server.