I am developping a vue application protected by keycloak using keycloak-js.
I have a requirement that each user have an account page in my app to change their password.
.
However it seems that keycloak has no endpoint to check old password.
How can i achieve this ?
I am wondering if this is the appropriate way to do with keycloak or not ...
I already tried the update password action that send an email with magic link to the user so they can change their password. However it is not compliant with owasp recommendation that advise to force user to type their old password each time.
An alternative approach is for you to create a Keycloak client with Direct Access Grants enabled (i.e., Resource Owner Password Credentials Grant in OAuth2 terminology).
Then you can use the token endpoint and exchange the username and password for an access token. If the password is correct you get a token, otherwise it fails. Consequently, you can use this to infer if the user has inserted the old password.
In this GitHub repo you can see an example of how the call to the aforementioned endpoint would look like.
can GMAIL API be used for sending out account verification when registering to a site?
I plan to use it for email registration , verification, forgot password for transactional use
Yes it can but you may not want to unless you are using Google workspace.
To send an email using a standard google gmail account you will need to use Oauth2 and authorize the user who owns this account. Using Gmail scopes with an Oauth2 will require your application go go though a security audit. This audit is expensive and time consuming. Its up to you to decide if this is worth it or not.
You could go though the SMTP server and use something called an Apps password to authorize it. This solution would work but, google is shutting down unsave apps now and i fear that apps password will me next. If it is your only option then would be to use Xoauth2 with smtp. Which again may require that you verify the app.
If you do have a google workspace account then you could set up domain wide delegation to a service account allowing it to impersonate a user on your workspace domain. This solution would work without any issues. It would be optimal in my opinion.
I am developing a Xamarin forms application. The app is for company owners in which they can see the employee timesheets.The app can be accessed by userid and password which will authenticate via API.Iam intend to save the user credentials in app and provide a logout facility when they want.
My questions are
1. How can I securely store user credentials in xamarin forms , in which nobody should get the credentials by decompiling the app.
2. How can I securely pass the credentials via API and authenticate (I heard about base auth, OAuth) it with server.
3.If someone gets my user credentials and URL to post, but he should not get the
data.How can it be implemented?
Show me some guidance and links. Thanks in advance !
This question has nothing to do with Xamarin.Forms, it is more about general architecture and security considerations.
You should not store user credentials but an authentication token that will be returned from the API in case of a successful user authentication. This token should have a limited lifetime - depends on the business needs.
HTTPS
Since you will not store sensitive data like user login and password on the phone, the risks of someone obtaining those will be slightly minimised. In any case you could invalidate the token if a malicious behavior will be detected and force the user to change the password.
For storing the authentication token securely on the device you could use Xamarin.Essentials
I am reading about oauth2 now, and trying to understand its purpose. From all the resouces I read, it seems like oauth2 is only used when a webapp (say a game app) that has some users and the app wants to access a user's Facebook or Google data (some sort of data such as name or email, etc). This part is clear to me. However, things that remain unclear to me are the following:
For example: If I have a webapp, and I want the users of my webapp to log into the webapp with their login and passwords (just like how you do it with gmail) without using any third party. Does oauth2 also serve this type of authorization?
I have seen webapps, where they just let users sign up with IDs and passwords, then they salt the passwords and store the salts in the database. So when a user logs in later, they salt the password the user entered, and compare this salt to the salt in the database (created during the signup). If equal, then the user logged in. This does NOT seem like oath at all to me. So if this is not oauth, what standard is this? And are there any other standards for "direct login" like this?
Assume that I want to allow users to sign up and log in to my website, but let them log in via a third party (like Facebook or Google). This is just for authorization purposes and assume that my app has no plan to post on their facebook or request their facebook data except that I may want to use their facebook email as the user ID for my webapp. Does oauth2 serve this type of authorization?
Sorry for the naive questions, because I only read about oauth recently.
For sign-up/login without 3rd-party, as Kevin pointed out, each programming/web framework usually comes with a popular library that once, it will generate all the sign-up/login pages, database tables, flow, etc., for you. The only thing you then do is call a method provided by the library that returns the current signed in user, in your backend code when you need to figure out who the user is.
Using salted password scheme is NOT related you OAuth2 at all as you pointed out. It is a widely used scheme for local authentication because it has many benefits but I will just highlight 2 here:
a. A password when transmitted from user to server for authentication over the Internet is not sent in cleartext but rather in hashed format. Thus even if it were eavesdropped, the password will not be divulged.
b. Since each password is salted, even 2 same passwords will not have the same hash because each have different salt. Thus even if a password hash was eavesdropped, it cannot be reused at another service that the user uses the same password because the other service expected a password hash generated with a different salt.
OAuth2 is all about Authorization (asking a user for permission to perform something on her behalf at another web service, e.g., ask a user for permission to access her email address registered on Facebook). Using it for Authentication can be insecure (for OAuth2 implicit flow). Why? The end result of OAuth2 is an access key associated with a permission, e.g., 'permission to access email address'. When you use the OAuth2 result (access key) for authentication, it means that you are making the assumption that 'permission to access email address' means the user successfully authenticated with Facebook, which she did, so it seems fine. However, imagine if another site also uses OAuth2 for authentication as you did; if it receives an access key with 'permission to access email address' it will assume that you have authenticated with Facebook so it will grant you access to the account belonging to the email address. You could actually use the access key you got from a user, and login as her in the other site, and vice versa.
To use OAuth2 for authentication, you need to use it with OpenID Connect (OIDC), because the end result of OAuth2-OIDC contains an id_token with the aud (audience) field identifying who the access key is for (https://openid.net/specs/openid-connect-core-1_0.html#IDToken), which prevents the access key from being reused where it is not intended. The full explanation with easy-to-understand diagrams is here: https://www.slideshare.net/KhorSoonHin/the-many-flavors-of-oauth/36?src=clipshare
Another very simple but perhaps unnerving to a security-conscious way to do use OAuth2 for login is to use the Resource Owner Password Credential, where your website acts as a middle-man between the user, and OAuth2 provider (Facebook).
Show 'Login with Facebook' button
When user clicks on button, prompt user for Facebook username/password
Use the username/password to login to Facebook to confirm authentication and get access token.
If you don't have to time to read in-depth about OAuth2, perhaps this side-by-side comparison of all the OAuth2 flow can help.
This is courtesy of https://blog.oauth.io/introduction-oauth2-flow-diagrams/
You could use OAuth for local logins like this, but you don't have to. It might be easier, depending on available libraries, and it might make sense if you anticipate making your service available to third-parties in the future. For many sites, though, using OAuth for local logins would be overkill.
Standards are most useful when different actors need to speak a common language so they can interoperate. For local logins you don't need a standard because you're not interacting with any third parties. Many web frameworks include their own variation on the same basic flow.
I think you're asking whether OAuth makes sense for authentication (establishing identity) when you don't actually need any authorization (permission to access third-party resources). It can indeed be used that way, but lots of people will warn against it since it wasn't designed for that and has some security weaknesses in that context. See, for example, Common pitfalls for authentication using OAuth.
In my environment I have presently two applications, lets call them portal and sso. Portal is where I manage user accounts and allow people to register. SSO is my implementation of IdentityServer. I want to require users to reset their password after 90 days or after they had their password recovered for them. I can check for this in the AuthenticateLocalAsync function, but the question is how do I redirect them to the portal password reset page? Or is it easier to add a custom page to the IdentityServer to handle password resets of this nature? Are there any examples of this, specifically where the identityserver is not embedded into the application using its login functionality?
Your best option is to create a "reset password" page in the same IdentityServer project, and issue a partial login redirecting to that page every time an user with expired password completes the sign on process successfully.
With this approach you can catch users with expired password before they are effectively logged in, without completely breaking the login flow.
You can find some details in the IdentityServer3 CustomUserService sample, specifically in the "EULA" sample which uses "EulaAtLoginUserService".
I do not think there is a way to directly redirect the user to an external endpoint (e.g. your Portal residing in another domain) during the IdentityServer login flow.