I work on a mobile web app in Javascript(Sencha)/HTML5 with WCF Rest services that needs to use authentication to authenticate users from a custom (MySQL) database in order to customize services responses during the user session.
I search about WCF authentication and founded so many ways that i'am really lost to find the best way to answer my constraints...
Can i really authenticate my user from the WCF web service (with his username and password) and then keep a token or a cookie or whatever that can be used in the following request in order to identify my user and make my response according to that user ?
Thanks in advance for your help !
Authentication as you many know can be done in many ways. Username/password, Certificate etc. It really depends upon your requirement.
For e.g.
If you have a mobile application which is dealing with financial information for a user (such as Bank account) then I would use both user credentials as well as X509Certificates.
If you have an application which is public facing then you can get away with using just certificates (Just client certi).
If you have a B2B application (which I would doubt in this case) then you can use Asymantic certificates (Client and server) in which you will create Both Client and Server certifcates (X509) and give to the client and let the client manually install it on their client devices.
For the simplest senario you can start by try using username and password. So your client app will user username/password to authenticate with a WCF Service at server.
Follwing my give you a good starting point
http://msdn.microsoft.com/en-us/library/ms733131.aspx
http://www.codeproject.com/KB/WCF/CustomUserNamePassAuth2.aspx
Related
I am using Meteor 1.10 + mongodb.
I have multiple mobile chat & information applications.
These mobile application are natively developed using Meteor DDP libraries.
But I have same users base for all the apps.
Now I want to create a separate meteor instance on separate individual server to keep the users base centralized.
I need suggestions that how can I acheive this architecture with meteor.
Keeping reactivity and performance in mind.
For a centralized user-base with full reactive functionality you need an Authorization Server which will be used by your apps (= Resource Servers) in order to allow an authenticated/authorized request. This is basically the OAuth2 3-tier workflow.
See:
https://www.rfc-editor.org/rfc/rfc6749
https://www.oauth.com/
Login Service
You will also have to write your own login handler (Meteor.loginWithMyCustomAuthServer) in order to avoid DDP.connect because you would then have to manage two userbases (one for the app itself and one for the Authorization Server) and this will get really messy.
This login handler is then retrieving the user account data after the Oauth2 authorization request has been successful, which will make the Authorization Server's userbase the single point of truth for any of your app that is registered (read on Oauth2 workflow about clientId and secret).
Subcribing to users
The Auth server is the single point of truth where you create, updat or delete your users there and on a successfull login your local app will always get the latest user data synced from this accounts Auth Server (this is how Meteor does it with loginWith<Service> too)
You then subscribe to your users to the app itself without any ddp remote connection. This of course works only if the user data you want to get is actually for online users.
If you want to subscribe for any user (where the data might have not been synced yet) you still need a remote subscription to a publication on the Authorizazion server.
Note, that in order to authenticate users with this remote subscription you need an authenticated DDP request (which is also backed by the packages below).
Implementation
Warning - the following is an implementation by myself. This is due to I have faced the same issue and found no other implementation before mine.
There is a full working Accounts server (but constantly work in progress)
https://github.com/leaonline/leaonline-accounts
it uses an Oauth2 nodejs implementation, which has been wrapped inside a Meteor package:
https://github.com/leaonline/oauth2-server
and the respective login handler has also been created:
https://github.com/leaonline/meteor-accounts-lea
So finally I got a work around. It might not be the perfect way to handle this, but to my knowledge it worked for me so well. But yes I still open for suggestions.
Currently I have 4 connecting applications which are dependent on same users base.
So I decided to build SSO (Centralized Server for managing Users Database)
All 4 connecting applications ping SSO for User-Authentication and getting users related data.
Now those 4 connecting applications are developed using Meteor.
Main challenge here was to make things Reactive/Realtime.
E.g Chat/Messaging, Group Creations, Showing users list & listeners for newly registered users.
So in this scenario users database was on other remote server (SSO), so on connecting application I couldn't just:
Meteor.publish("getUsers")
So on connecting applications I decided to create a Temporary Collection called:
UserReactiveCollection
With following structure:
UserReactiveCollection.{
_id: 1,
userId: '2',
createdAt: new Date()
}
And I published subscription:
Meteor.publish("subscribeNewUserSso", function () {
return UserReactiveCollection.find({});
});
So for updating UserReactiveCollection I exposed Rest Api's on each connecting application respectively.
Those apis receive data from SSO and updates in UserReactiveCollection.
So on SSO side when ever a new user is registered. I ping those Apis (on connecting applications) and send the inserted userId in the payload.
So now those connecting applications receives onDataChanged ping from the subscription and gets userId.
Using that userId the connecting applications pings back to SSO and get user details of that specific userId and prepends to the users list.
Thats how I got it all working so for now I am just marking my answer accepted but as I mentioned above that: "It might not be the perfect way to handle this, but to my knowledge it worked for me so well. But yes I still open for suggestions."
And special thanks to #Jankapunkt for helping me out.
Using angularjs in the client , and c# in the server side.
I want to learn how can i create a website with users.
I know how to store the data in the db.
My real question is how the site remember the user session
After refreshing.
So the user dont need to login again.
Thanks guys.
Microsoft created a JWT (JSON Web Token) package for .NET Web API projects specifically for this purpose. And since you're using Angular.js, working with JSON is perfect.
There are plenty of tutorials for understanding how JWT works and securely saves a user's session like this one: https://scotch.io/tutorials/the-anatomy-of-a-json-web-token.
The idea is that your server sends your client/user a long encrypted string. The client saves it in their cookies and sends it to your server whenever you want to verify the user.
Most of the complicated details regarding encryption you don't need to worry about. Just follow the tutorials for setting up the exchange of the JWT tokens.
Back in the days, we use cookies to do this.
In the Restful html5 world of today, we can use several other options.
Websql, Localstorage, IndexedDB.
Probably you are using something like JWT to store an authentication token you use to make authenticated api calls.
The way to go, or as i do is store that token in localStorage and then, inject in every call to the api.
Then in the angular run section i check if the user is authenticated checking if i have the token stored, and if is not, send to the login page.
angular.module('Scope', ['ui.router', 'ngStorage'])
.run(function($localStorage, $state){
if (!$localStorage.authenticationToken) {
$state.go('login');
}
}
});
In this example, every time the app reloads, angular execute the run function, and checking if we have stored the token, if is not, send the user to the login webpage.
My current project constists of 2 components:
a WCF server application
a purely client-sided (javascript, jQuery, TypeScript etc) website which consumes the service.
When the client saves data to my database via the WCF service, I need to log who made the last modification to that data.
To do this I need the username of the account the client website's browser is running under.
Browser support needs to be:
Chrome
Firefox
IE 10/11.
I don't want to create a login form for my website, I want the user to be able to open the website and be logged on using their Windows/Citrix account.
Javascript can't get to the account username because of security concerns obviously.
Any suggestions?
I have a experimental answer for you. Not sure but posible to work correctly. I think, you can activate impersonation and basic authentication on iis. Then client(browsers) ask credentials to client. In service layer, you can enable impersonation too. but only iis impersonation may enough.
I'm building a payment plugin for a website, where users can buy some website intern currency with real money. the backend i use, which handles the payment process, is this.
It provides (beside others) a JavaScript library to communicate with their API, so you don't have to let your system touch sensitive payment data like credit card numbers etc.
The problem is:
For now the api-key, secret hash and other vulnerable data are hardcoded just into my script which initiates the communication with the server. so in theory every half-descent user could just copy them out of the browser and could do nasty sh*t with it, especially if they have access to the api documentation.
So, this isn't secure and it definitely cannot go live this way.
im working with cakephp and i thought of collecting those sensitive keys with some ajax calls to my controllers/models, after pressing on the submit button.
There's the problem, that this connection isn't secured and can easily be 'man-in-the-middled'.
Are there other, better ways to secure my API Keys in javascript?
Use token based auth, https and csrf tokens and never, ever, but a secret on the client.
Use oauth so users don't even need to send you a password. Use someone else's authentication system.
I want to rewrite business application using asp.net web api as service layer and use javascript to call the web api and get data, display etc.
I understand all the scenrios work fine, but main bottleneck is security. We have database for the user name and password. We want that user enter user name and password, validate it using web api. Then for each request pass the user name and password to check rights etc. What is the best way to secure this communication if any.
You're best bet is going to be implementing HTTPS with SSL. You would consider using an encryption algorithm, but everything will be expose anyone if you're using JavaScript which would make encrypting and decrypting on the client quiet pointless.
Here's is a good blog post reference you can review on the matter http://goo.gl/QkZOf