I've been trying to find out a solution to my problem for a couple of days.
Searching out gave me many options, none of them I could adapt to my scenario.
I have a web application (C# ASP.NET) which have to post some data to another application, in another domain, working as a SSO. (HTTP POST to another domain with SSL with redirection)
The application on the other domain is expecting a post with some data in plain text on JSON format, to then redirect the user to another page.
I can't use form submit, because it send the form itself to the application, not only my data, so it can't read the data I'm sending.
XMLHttpRequest did work, but then, as an ajax call, it doesn't redirect the user, and I can't get back the Location header from the response.
I don't have control over the other application, and I'm allowed to use only our libraries, so JQuery is not an option.
Does anyone knows how can I achieve this? Server side or client side.
Most POST-based cross-domain SSO scenarios work like this:
fresh unauthenticated browser goes to service provider
service provider redirects to SSO url with certain query string (usually containing small request signed by service provider, to identify this service provider to SSO gate)
browser performs a GET to SSO gateway url
SSO gateway responds with some interactive logon UI
browser gets user's name/password input and posts them to SSO gateway
SSO gateway verifies and responds with an HTML page with a small Javascript in it, containing the authentication response data
Javascript in its turn instructs browser to POST authentication response data back to the service provider URL
Read here: http://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding
You will also greatly benefit from reading through SAML2, OAuth and WS-Federation specs.
Related
I am developing an app that is presented with a login screen containing the usual username and password text inputs.
When pressing the Login button the code is supposed to make a HTTP Web Request to the Wordpress website as an attempt to log in.
I have had a look at the WP plugins called JSON API and JSON API USER
but the documentation is very limited.
How would I go about to properly log in to the Wordpress website as well as retrieving user information from databases?
NOTE:
I'm developing in Xamarin but any code examples from any language is fine, as I could easily port the code.
To connect to the Wordpress website's system and interact with it, you need to indeed make a few API calls.
Using the plugins JSON API and JSON API USER is the easiest way to do so.
Install JSON API and JSON API USER plugins from the website control panel
Make a Web Requests, one after another, to get nonce and get authorization cookie using the the following calls:
Nonce: http://www.mywordpresswebsite.com/api/get_nonce/?controller=user&method=generate_auth_cookie&insecure=cool
and
Auth Cookie: http://www.mywordpresswebsite.com/api/user/generate_auth_cookie/?username=USERNAME_HERE&password=PASSWORD_HERE&insecure=cool
NOTE:
At the end of the requests you can see the parameter insecure=cool.
This is used for unsecured communication.
I have been looking at using Open ID Connect as a third party authentication provider for a Web API application. The flow is as follows:
Users log in through UIWebView with iPhone application to the provider URL from https://daehwa.azurewebsites.net/api/Account/ExternalLogins?returnUrl=%2F&generateState=true
This redirects to my third party site which supports Open ID Connect authentication.
User logs in through this site and redirects back to my site with a token in the fragment of the URL in the form of #id_token=xxxxx
Looking at the following SO article: asp.net web api 2: how to login with external authentication services?
I then should be able to call /api/Account/UserInfo however this always returns 401 Unauthorized. Setting the Authorization: Bearer token doesn't seem to help either and always return unauthorized even when trying to call /api/Account/RegisterExternal.
Just to give you some more information about what I am trying to do I would like to either create an account or at least make subsequent OAuth calls to retrieve their email address and their display name ideally avoiding requesting this information from the user again. However for now I just want the authentication to actually work!
I would really appreciate any help anyone can provide. I'm new to third party auth and I feel as though I am missing something key. I think that my return url is the issue and my server needs to process this token and issue me with another one but not too sure.
Thanks,
Gerard
I looked everywhere for an answer about securing my webApi but always i'm pointed to OAuth or openID, but i don't want the user to login or authenticate. This is my problem:
I have a webapi which is called via Javascript to get the data in Json. This data is used in the Html of that page. (deployed on Azure)
Now i don't want someone else to get that data via Javascript or with a simple GET request. Only my html page is allowed to do so.
I'm looking for something to secure my Webapi to be only consumed by the applications i want. If i look to the OAuth and Azure stuff, people always have to login, but i want this page to be public, but only the webapi needs to be secure.
I can't check on IP, because the call is done at client side in the browser.
It is not possible to authenticate and thus secure the API to be used by a specific client (run entirely in the browser - like SPAs) app. You cannot protect the data the app sends to the API. (see for more details Protecting REST API behind SPA against data thiefs)
You could build some modules server side and then use some token based server to server communication if you do not want to introduce users and end user authentication.
Of course it is also a question of how you interpret security.
If it is just that you do not want other web apps to use the data -
CORS policies will do the job. It is unlikely that there will be more
than some isolated cases of users using a browser other than the
popular once which respect CORS.
If it is you do not want data to be mass downloaded you could
implement some client filtering based on IP. This could even be done
on the networking layer so the API do not need to be modified in any
way.
As a suggestion, you can have it secured making sure the request has some headers defined by you. For example, you can set an Authorization header with a token that only you know. You can for example, create a token based on a key that you and the webapi share, encrypt it with the time you are calling the api. The web api receives the request and:
1 - Check if the request has the token it requires;
2 - if it does, it creates a token the same way your page did;
3 - matches its token with the requests token;
If you are calling the webapi via javascript, the method may be exposed. However, it's one idea
Take a look to CORS (Cross Origin Resource Sharing), it may be your solution.
In synthesis you can allow requests to the Api only from some specific websites. Most, nearly all browsers, support it.
This is how you enable and configure it in Web Api 2.
I have an ASP MVC4 web site. Originally, most of the content was served via controllers as one would expect. I have moved the data storage from SQL Server to MongoDB. I have also added a lot of ajax to update data client side, without a full refresh. This is working fine, but my controllers now have lots of methods that take json and return json. I was able to build a Node.js server that hits the database and exposes exactly the same functionality, without lots of going to and from C#.
My javascript client-side is now calling a Node.js REST API, this works great. My 'secure' code (like adding a new user) hits the same REST API from the server side.
My question is this: How can I handle security properly with this? I have three scenarios:
GET api/messages: No need for security, I want to expose my site's messages to anyone who is interested via a Json REST API.
GET api/my/messages: I need to allow access to this only if the user is logged in (it gets the user's messages).
POST api/users: This is a function that should only be called from the server, and nothing else should be able to use it.
As the user is already logging in to my ASP website, how can I use their logged in credentials to authenticate them with my REST service? While the user is logged in, the pages client side will hit it regularly for updates.
Is there any sensible/standard way to do this? The core idea is that the client side code uses a REST API that is at least partially open to the public, and that in fact that API offers all of my business logic - only parts of it (like creating a user) are locked down to super-admins only.
Thanks in advance!
Create two authentication middleware handlers. One you add to all your "my" routes and another which you add to your POST routes.
The "my" authenticator takes the asp.net auth cookie that is present in the request and makes a http call to your asp.net mvc site with it.
You'll need an action which either returns a 401 if the cookie is invalid otherwise it returns some info about that user's permissions perhaps.
If the request into node doesn't have a cookie, return a 401 again.
In addition, to prevent excessive calls to your mvc site to check the cookie, you could use the cookiesession middleware to set a cookie on the client with a flag of authenticated. That will result in 2 cookies for your client, but that shouldn't be an issue. Just make the node one expire before the aspx one.
The POST authenticator middleware can use any shared secret you like between your node and mvc server. e.g. a special header in the request.
If the user is required to login you can use [Authorize] on your controller actions. Autorization will be handled like any other webrequest.
Furthermore you might consider to add a key to your api requests which you can provide in the initial page load. A autorized user will have a GUID which he will sent with the api call. You can check if this key was issued by your app to a valid user.
As you said all the secure calls already go through your MVC server code which in turn calls the Node.js code, am I right? Basically you need a way to block calls to this Node.js from other clients that are not your MVC code.
Thinking out loud, these are the ideas that pop into my mind:
Use SSL only between MVC and Node. You can set up client and server certificates so that the Node code will only respond after authentication (I don't know how Node handles SSL so you will need some documentation here
If you want, the Node server could also check the call origin and so you can filter based on IP and only allow IPs where your MVC code is sitting
Use an encrypted authentication token on the secure methods on the Node code. Again I'm not really a Node expert but I can imagine it has ways of decrypting a token, or you can simply base it on a random number with a common seed... If noone has access to your server code ideally noone should be able to guess this token. Again, SSL will help against traffic sniffing
I am quite sure that people will come up with other ideas. For me, the most basic thing is anyway ensure that the secure methods are only accessible through an SSL connection and on this connection you can exchange all the info (token, passwords, etc.) you desire.
first of all, sorry if my English doesn't sounds very well, I'll try to be as clear as possible.
I'm planning to develop a web site with the following architecture:
Static pages served to the clients that uses javascript templates and ajax to load content, the content will be provided via a ASP.NET MVC application that sends json results to the client pages.
My question is fairly simple: what methods can i use to provide private areas to my site's users?
The only thing that came up in my mind is to provide a login page that sends login info (crypted) to the server (via ajax). Then the server returns a token to be stored as cookie. For every following call to the server via ajax (speaking of private areas now) the token shuold be sent as well, and checked, and proper content result should be provided.
How can i implement this thingy? What are the security and privacy issues?
By the way, i'm using C# in the server, JQuery for simple ajax management and Jquery.LoadJSON for content loading. Mustache for javascript to provide things such partials and so on. I'm looking for something that lets me manage cookie in a simple and clear way as well, suggestions are appreciated.
Many thanks in advance!
You can actually use in-built ASP.NET Authentication mechanism:
Allow anonymous access to all your pages (assuming that is the requirement).
Maintain a variable in java-script (client side) to tell if user has been authenticated or not.
For accessing any secure content/area, call a common js function that will see if current user is authenticated or not and if not then do appropriate action for authenticating the user.
If its a forms based authentication then your function should prompt user for credentials using a modal dialog and then pass these credentials to server via ajax call. On server side, you should validate credentials and use FormsAuthentication.SetAuthCookie to indicate successful authentication to ASP.NET run-time. The run-time will maintain the auth cookie (so that you don't have to manage the token by yourself)
For any ajax call servicing the secure content, on server side, the call must check if the current user is authenticated or not (using HttpContext.Current.User.Identity.IsAuthenticated). If not then you can redirect to error page or issue 401 response code (recommended for windows authentication schemes). You can add any authorization scheme in your AJAX call for the authenticated users.