We are developing an angular 6 App for showing the sensor data and other details.
In this app, we are having the login screen, in that we have only the USERNAME & PASSWORD fields.
once we enter the Username & Password, the request will go to the BACK-END Layer (.net ) controller logic, which in-turn contacts the Adamos / Cumulocity Platform and get the associated tenant and return the authorization token to the front end, which will gets saved in the Local Storage or Session storage.
From the above details, i wanted to know what are the things possible
Can we contact the cumulocity / Adamos from the .net back end layer and find out the associated tenant for the given username & password ?
Can we create & return the custom User Object & with user permission, token for login authorization checkings ?
If we want to store the jwt token, where we have to store the token?
Note:
We know that we can directly contact the Adamos / cumulocity to authorize the user using the tenant, username and password, but don't want the user to enter their tenant, instead directly using the corporate user id & password only, which has been registered in the adamos environment.
Please give us details information, as we are developing an complicated application, so that there won't be any problem with the core design.
Thank you
PCAPA B.
You cannot determine the tenant from a username and a password. Each tenant has their own user domain with their own users. If you have a user in a tenant with global user read permission, you can query the users in the tenant. You can also the query the permissions.
In case you are using OAuth, you do not handle the JWT token, at least in a web application. The token is managed by the browser in a cookie. This is transparent for you and the cookie is not accessible from your (JavaScript) application code. If you use a "fat" client or microservice, you would need to emulate that logic (i.e., passing the cookie around).
I am not sure if that really answers your question. If not, please be a bit more specific.
Related
I am wondering if there is anyway to check if the entered username and password is correct despite of enforcing multi factor authentication in Azure Active Directory?
I have set up an app with application permission(with admin consent) as well as delegated permission and is able to test both approach using ConfidentialClient and PublicClient using MSAL library.
I am not able to run my web form app in IIS with the PublicClient approach which is interactive and displays you a popup for the Microsoft login. So, the only approach I see here is to use app-only authentication.(https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth )
I can use the confidential client(app only) since I have all the required admin consents granted to get the OAuth token and then impersonate the user to access to EWS managed api.
But the requirement is the user should enter their outlook password in the webform app before loading their emails(from EWS Managed API which needs OAuth token).
At this point I am not sure what to do next. Please help. Also let me know if you need more information.
For more reference why I am no able to use delegated authentication: Why app is throwing error in test environment but working fine in local machine using ASP.NET Web Forms and MSAL?
Per my understanding, you want to check the username and password by Azure AD first and using the confidential client to call APIs on behalf of the user.
This way is something hacking, but I think it works for this scenario. Just try the request below:
POST https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
Request Body:
client_id=<confidential client app id>
&Client_secret=<confidential client app sec>
&grant_type=password
&scope=https://graph.microsoft.com/user.read
&username=<username>
&password=<password>
If the user typed the wrong user name and password, the response would be:
If username and password are all right, the response report the MFA related info:
I need to log-in to Azure Active Directory to display the embedded report on a website using asp.net MVC.
However, the API provided is only valid for only username and password.
For logging-on to the AD, all I need to do is to type-in username (email address) and the log-in portal will redirect me to another log-in page and then type in and username and password.
I wonder is there anyway to do the programmatically log-in without using the application secret?
There are two ways to implement Power BI report embedding using Azure AD authentication:
User Owns Data embedding
App Owns Data embedding
If you don't want user sign-in experience, you can implement App Owns Data authentication in the following ways:
Client secret
Master user credentials (username and password (MFA disabled account))
Please go through this documentation to achieve your goal and also, here is a sample code for it.
I have an existing system and want to utilize Auth0(still considering).
Context:
I have my own login screen, which is quite dynamic(white labeled) per client. So I dont want to use Auth0 login screen.
I have my own user and tenant database, so dont want to use Auth0 user database for now.
So the idea is to validate the user credentials after login on my backend and create access token to return to client side.
I want that access token to be validated by Auth0.
Questions:
1) Probably most important question. Should go with Auth0 or just stick with native jwt's
2) Is there a way I can create a valid access token in my backend which can be validated by Auth0.
Stack:
I am using vue.js as my front-end SPA.
I am using .net core as my backend.
Probably most important question. Should go with Auth0 or just stick with native jwt's
That is determined by whether you want to enable the online identity provider's features like Single Sign-On . If not , just keep using the current one since you don't need the Auth0 user database .
Is there a way I can create a valid access token in my backend which can be validated by Auth0.
Since your scenario is collect username and password in front-end application , and pass to backend .net application to validate credential and create token . You can implement the Resource Owner Password Grant in Auth0 to create access token for accessing resource which protected by Auth0, but as document shows :
You should use this flow only if the following apply:
The application is absolutely trusted with the user's credentials. For Single-Page Apps and Native/Mobile Apps, we recommend using web flows instead.
Using a redirect-based flow is not possible. If this is not the case and redirects are possible in your application, you should use the Authorization Code Flow instead.
So that it's not recommended in your scenario . If you need the features like SSO and want to use Auth0 , it is recommended to directly use Auth0 in vue application to manage your users and roles :
https://auth0.com/docs/quickstart/spa/vuejs/01-login
After login with Auth0 , you can map the user to local database user for specific management if needed .
Another way is using Client Credential flow . For this scenario, typical authentication schemes like username + password or social logins don't make sense. Instead, M2M apps use the Client Credentials Flow , your backend app will authenticates and authorizes the app rather than a user. It's not suitable if you want to acquire access token for specific user to access protected resource .
I am developing a Xamarin forms application. The app is for company owners in which they can see the employee timesheets.The app can be accessed by userid and password which will authenticate via API.Iam intend to save the user credentials in app and provide a logout facility when they want.
My questions are
1. How can I securely store user credentials in xamarin forms , in which nobody should get the credentials by decompiling the app.
2. How can I securely pass the credentials via API and authenticate (I heard about base auth, OAuth) it with server.
3.If someone gets my user credentials and URL to post, but he should not get the
data.How can it be implemented?
Show me some guidance and links. Thanks in advance !
This question has nothing to do with Xamarin.Forms, it is more about general architecture and security considerations.
You should not store user credentials but an authentication token that will be returned from the API in case of a successful user authentication. This token should have a limited lifetime - depends on the business needs.
HTTPS
Since you will not store sensitive data like user login and password on the phone, the risks of someone obtaining those will be slightly minimised. In any case you could invalidate the token if a malicious behavior will be detected and force the user to change the password.
For storing the authentication token securely on the device you could use Xamarin.Essentials
I have a web application built using React that has an existing User/Session system. Right now, username and password are passed to server to authenticate and create session.
Enter Facebook Login (web). I want to allow for both username/password and also Facebook Login. So, now Facebook Dialog box appears and users can connect. I now receive the Facebook User Id and access token (short-life) on the client side (not the server side). How, now do I authenticate this user on my existing system and create a session?
If I use just the user id, this reveals a security issue (anyone can authenticate with a known user id and get a hijacked session). The short-lived access token is just that, short-lived. So that can't be used as an effective "password". So, what is the best way to securely authenticate someone on my existing login system if they've authenticated themselves via Facebook.
Thanks so much.
Found another user with the same issue here. It was resolved by the following:
The Facebook login request returns user id + short lived access token (client side).
Use the server side Facebook SDK to check the validity of the access token (will return user_id and app_id fields if valid).
You can trust the user_id field returned from the Facebook API to check against your existing user database.