OAuth login in separate window/browser with Electron - authentication

I'm working on an Electron app connected to a backend on AWS that handles the verification and creation of the user. If it matters I'm building the app with React.
Basically the backend flow is:
1. The app navigates to backend.com/oauth/login
2. The backend prepares the OAuth config and redirects to the Discord.com authentication URL
3. The user authenticates and is redirected to backend.com/oauth/callback with the necessary information to validate the authentication and create a user
I've got this part working. But if I opened backend.com/oauth/login in a separate browser window, how would I know the authentication was successful?
Are there some events I could listen to in the authentication window I've opened? Maybe let the callback redirect to backend.com/login/successful if the authentication was completed or otherwise backend.com/login/failed. This feels like such a hack but I'm way out of my expertise here.

Three ways to do it:
1. Once the authentication is successful, you redirect the user's browser to your backend, where you load the authentication data into the user state. Your React/Electron app is also connected to this backend. You must be able to match those two connections.
2. Once the authentication is successful, you redirect the user's browser to a custom URL protocol which is registered in the OS to open your Electron app.
3. Once the authentication is successful, you redirect the user's browser to a port on your running Electron app.
Most good Electron applications use number 2, but it requires that your application knows how to register a URL handler on every OS it can potentially run on. Number 1 is good if you can safely match the two connections. It requires passing some form of identification. Number 3 is a hack.

Related

How to implement PKCE flow with an additional website between a mobile app and Auth0

I have an interesting case where user onboarding is designed the following way:
Users download the mobile app
Once they click "Sign up" they are redirected first to a website to check if they are actually eligible to sign up (it's basically some kind of survey)
Once they are eligible, they are redirected to Auth0 to log in (the previous step will create a new account if they pass the eligibility checks).
Now, after successful login, the user is redirected back to the app.
That's the theory. Now, before we try to implement it, here are the questions:
a) Is the last point possible in this scenario?
b) If so, is this just a matter of setting a custom URL scheme as the redirection callback so the app will be open on the user's device?
c) Will it be easy then to consume the ID token and access token in the app so we can call the API?
d) Can https://pub.dev/packages/flutter_appauth be configured to work with this scenario where we have an additional website in the middle of the process?

How to authenticate a SPA with a redirect to the authenticated section

I'm currently blackbox testing a React SPA (the login page is located at the root of the url, e.g. https://myapp.com). The Webapp authenticates with Firebase and the session token is stored in the Indexed DB of the application.
The React app routes the request to the authenticated section based on whether the session token is present in this part of the storage or not.
Now I try to scan the authenticated section of the Webapp.
I've tried creating multiple authentication scripts for this problem. My first approach was to record a ZEST script. While it recorded the post requests to get the tokens just fine, I still couldn't scan the authenticated part.
Then I found this google forum where a user had a similar problem. I created a new login script which entered the login details and clicked the login button as described. While testing, I correctly launched a browser, logged in and got redirected to the correct page. When trying to use this method with an ajax spider, for every crawled URL a browser was launched, which logged in correctly, but in the background the spider still only crawled the non authenticated website and didn't use the authenticated site that was presented after the script has run.
As far as I understood I would need to extract the session token and then I can include this token in all my authenticated http requests. Unfortunately I still cannot access the restricted part of the webapp, as the ajax spider does not know that it has to put the session token in the local storage of the app.
How can I achieve this or is it somehow possible to spawn a browser which logs in with the script and then uses this spawned browser to continue with an ajax spider?

Login to Windows Authentication automatically

We have a program that runs in IIS with Windows authentication, and which is available to the outside world.
Right now, we provide to every interested party a link to the program, along with guest credentials they then have to type.
Is there a possibility to do away with the credentials? Our internal people should be able to log in as usual, but we want to provide a link to get into the guest account without typing any login credentials.
I have tried to add the credentials into the clickable url, but Internet Explorer and Edge browser do not support this, and Mobile Safari throws phishing warnings.
Can this be done universally, that the authentication is done invisibly in the background in all browsers, using some kind of redirect or XHR call with arguments or something like that?

How to implement "remember me"-like functionality?

I am developing a hybrid mobile application using IBM MobileFirst Platform.
I am using the custom authentication module example to implement the login module. The problem here is that when the user closes the application, the app gets logged out.
Is there any way I can implement this so that the user will not be logged out unless they opt to click on the logout button? In simple terms, I am trying to achieve something similar to Facebook's "remember me" option.
You could do something like this (very rough idea):
As part of your authentication flow, if the user has passed the authentication, store in either localStorage or JSONStore a "token" that will basically state that the user has previously logged in. Also save in the server's database, using userPrefs, something to validate the token.
Whenever the app launches, it will attempt to connect to the server. The environment will be protected with a securityTest so that the server will present a challenge: if a token exists it will attempt to verify it; if there is no token, a login form will display instead.
Assuming this is a first-time launch, if the login passed successfully then store a token on the device and store in the database its "public key".
The next time the app is launched the challenge will be presented again, but this time, since we have a token, it will attempt to verify it. If verified, don't present the login screen; skip the rest of the authentication flow and display the secure content.
Something like that...
Perhaps to create a 'better' user experience, on app launch also extend the splash screen duration while you're checking for the token. This can be done using this API method.
On logout, clear the token from the device and server.

Apache Tomcat - Two factor authentication

I am trying to integrate a two-factor authentication solution with a mail server that is hosted on Apache Tomcat. Right now the app is using form-based authentication: the user enters his user name and password and is authenticated against OpenLDAP as the back end.
What we want is the following -
1). User enters his Un and PWD
2). The request is "intercepted" and put on "hold"
3). A one time pwd (OTP) is generated and sent as SMS to the user.
4). The user sees a new page with a box to enter that OTP.
5). The user enters his/her OTP sent as SMS
6). The OTP is verified and if true the "held" request in step "2" is forwarded for further authentication
The trouble is that I have no access to source code of the mail server app.
I can achieve something very similar in IIS (Microsoft) using an ISAPI filter, but need to know how to achieve this in Apache.
I am looking on the lines of Valve/Filter and SAML, but have no clue how and where to progress.
I contacted the logintc guys for their 2-factor credential and resolved my 2-factor using their apps. Check them out.
https://cloud.logintc.com
The LoginTC platform services are free for under 1,000 users. So that's great.
I followed the instructions from this URL: https://cloud.logintc.com/help/developers
Basically, I created an admin account for my domain in the logintc cloud control panel. Then I used the Server-Side Authentication instructions to enable my Apache website with the logintc button, and added the code snippet in my authentication page.
My users download the LoginTC app from the App Store, Android or BlackBerry marketplaces. I issue them a Confirmation Code and they create their credential token in the app with a PIN (same as ATM cards).
The whole thing takes less than 1 hour to configure. My users get an out-of-band notification to unlock their credential with the PIN, and bingo, they achieve 2FA.
You must check them out.
I would suggest using OpenAM, formerly OpenSSO from Sun.
It has a filter/agent that can be deployed on Apache, and it has very good support for multi-factor authentication, including an SMS authentication module.