MobileFirst 8 Security issue in Web SDK - ibm-mobilefirst

We have noticed a security breach when implementing/testing the authentication module with MFP 8.0.
We are building a MobileFirst 8 web-based app using the MFP Web SDK and we implemented the security check as per the credentials validation security check:
https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/credentials-validation/
On the client side, after a user is authenticated, we found out that the MFP Web SDK is using LocalStorage to save the following entries:
com.mfp.browser.uniqueid, com.sample.pincodeweb.com.mfp.oauth.application.data and com.sample.pincodeweb.com.mfp.oauth.clientid
The problem is that when we took the clientid key/value pair from an authenticated user's browser and inserted it into a completely different browser, we found out that the user is fully authorized and authenticated in the new browser, even though we didn't provide any user credentials and were not redirected to login.
We have tried it on the PinCode sample:
https://github.com/MobileFirst-Platform-Developer-Center/PinCodeWeb/tree/release80
Even the user authentication shares the same problem.

Related

Technology used to proceed with login from CMD or desktop application via web browser

Hello Stack Community.
I'm looking for the formal name of the technology/technique that is used in the Microsoft Azure CLI and in the Epic Games desktop application, which is responsible for delegating authentication from the target application to the browser, where you perform OpenID Connect authentication, and then brings you back to the target application (CLI app or desktop app), where you can proceed as a logged-in user using the authentication you gained via the browser.
The steps would be:
you launch the target app (CLI, desktop app)
the login attempt lets you choose OAuth/OIDC via Google or similar
selecting it opens the default browser, where you proceed with the login
you gain auth inside the app you started from (CLI, desktop app)
In the classic OIDC process you gain your token in the same app/browser environment, while here authorization is expected in app A, the token is gained in a web browser and afterwards there is the possibility to re-use it in a completely different application.
I'm wondering whether this is some particular OIDC extension, usage of some particular grant flow or just some particular hacky way of sharing tokens across entities?
I found one online resource here but my investigation doesn't confirm the starting of any redirection URL localhost server for token possession.
I'd appreciate any help in my investigation.

Setting Up SSO and WebIdentity in MobileFirst Platform

I am trying to make an app using Ionic in MobileFirst.
The web application has got both SSO and WebIdentity (LDAP) for the login functionality....
How should I approach this for the hybrid mobile app?
I do not believe there is a direct relation between using LDAP in IBM MobileFirst Platform and using SSO in IBM MobileFirst Platform.
SSO in MFP allows you to automatically log in to app2 if you have already logged in to app1.
So assuming you are able to log in to app1 via LDAP (which is server-side anyway, to check your credentials against a list of users), and assuming you have correctly set up both apps for SSO, it should work.
Read about setting up SSO: http://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.dev.doc/devref/c_device_single_sign_on.html

Worklight server with LTPAAuthentication request login for all applications

I've set my authenticationConfig.xml to work with LTPAAuthentication in this way:
It works well with applications where I require LTPA authentication.
But there are some apps deployed on the WL Console that don't need any authentication; they just call adapters. From the browser (Preview common resources) they work as well as before, but if I run them from my Android device I get this error in Logcat:
...................................... (all the login.html page)
It returns me the entire login.html page as it does with applications that require the LTPA mobile test; here you can see the application-descriptor.xml, which shows that no security tests are needed:
Any suggestion?
EDIT: this is the adapter; it doesn't require security tests
So it looks like you have an adapter that you have protected using WASLTPA security that you want to be accessible by all devices regardless of whether or not they have been authenticated by the WASLTPARealm. I think the solution is to re-design how your security and adapters behave.
If you wish for an adapter to be called from an application that does not need to be authenticated, then don't protect the adapter using a security realm. If being logged into the WASLTPARealm is not a requirement for accessing the resources that this adapter is exposing, then there is no point in using the realm to protect it.
For the apps that do require login, you should separate the authentication logic from the adapter calls. You can still require the client to log in in order to use the app and call adapters without having to protect the adapter with the security test. There are APIs to check if a user is logged in and to prompt them to log in to a realm. You don't have to use the challenge sent back from the adapter to prompt a login.
An adapter should be protected by a security test only if being logged into the realm defined by that security test is a requirement for using that adapter. From reading your post, it does not seem to be a requirement.
From the browser (Preview common resources) they work as well as before, but if I run them from my Android device I get this error in Logcat
I have a strong feeling that in your browser you have an LTPA token, which is why this is working from an app that hasn't logged in to the LTPA realm. Try clearing your cookies and doing this again to confirm.

GWT User Authentication like Spring Security?

I use Google Web Toolkit together with PhoneGap to build a mobile app. My app is communicating over a REST API with my backend server.
What I want to do is user authentication, i.e., my app user should be able to sign up and log in. If a user closes the app and reopens it, he should be authenticated again if he has not logged out before.
Usually, with Spring Security you do the authentication on the server by calling the required methods. The client (browser) then contains some cookie information for a persistent login.
1. How can I achieve this kind of authentication for my app?
2. Should I do the authentication as for a normal web site, with the only difference that the authentication methods are called by the REST API methods?
3. Is there another way of doing the authentication for my mobile app?
I think user authentication for the mobile app will be the same as for a normal web app.
The Spring backend will create a session once a user is authenticated. By default the user is authenticated for the duration of the specific session (until the user closes the browser/app).
Spring Security has a Remember-me functionality that is typically based on a cookie approach and allows the user to be re-authenticated automatically.
I don't know if PhoneGap works with cookies (see here for some pointers). I guess it depends on the platform (if the WebView supports cookies).
Maybe this will help you: I wrote an article that shows how to adapt Spring Security to secure REST services.
You can check it here: http://crazygui.wordpress.com/2014/08/29/secure-rest-services-using-spring-security/
I also posted a working example on GitHub which shows how I used that with GWT.

OpenID authentication from an installed application

I'm currently planning a new web project. Clients are going to connect using a regular web browser and, in the case of regular Java-enabled cell phones, a J2ME client. I would really like to make use of OpenID authentication. In the case of a regular web browser things are pretty straightforward. However, I am really not sure about installed applications (such as a J2ME client installed on a mobile device): regular OpenID authentication is performed by entering a username/password on a web page of the particular OpenID provider, which is quite a limitation :)
Has anyone coped with such a situation? Is it possible to create an authentication mechanism to the site that uses OpenID from a mobile J2ME client?
Currently, I am thinking of a solution where users who would like to connect from their mobiles download the necessary J2ME application from the server web site after they have authenticated themselves (regular browser authentication). The mobile client app could be assembled dynamically on the server with an embedded SSL certificate that is associated with the particular logged-in OpenID user. After that, the J2ME client could authenticate to the server without entering any username/password. The data that is going to be stored on the server is not THAT sensitive, considering cases of mobile phone theft etc.
Can anybody come up with a better solution?
The best solution IMO for what you're doing is to use OAuth combined with OpenID. Your use of OpenID at the RP is fine. But for installed applications that need access to that web site, they should use OAuth to get authorized. The flow would work like this:
User installs app on their device
During install or on first launch, the app has an "Authorize me" button.
The user presses the button and a web browser pops up the web site that the client app needs to access data from.
User logs into that site using their OpenID
Site now asks "do you want to authorize client app X?"
User says yes and closes the browser.
The client app reappears and says "thanks." and now has the OAuth token necessary to access the user's data without the user ever logging in again.
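The browser-delegated flow that both the Azure CLI question above and this answer describe, in its modern form (authorization code with PKCE and a loopback redirect listener, as in RFC 8252), as an added Python example that is not part of either post: the app binds a listener on 127.0.0.1, sends the browser to the provider with a PKCE challenge and a random state, and accepts the returned code only when the state matches its own. The endpoint and client id are constructed placeholders, and the final exchange of the code plus code_verifier at the token endpoint is left to the caller.

```python
import base64
import hashlib
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders: substitute the real provider's endpoint and client id.
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "native-app-example"

def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorization_url(port, state, challenge):
    """Authorization request whose redirect_uri points at the app's own loopback listener."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid profile",
              "redirect_uri": f"http://127.0.0.1:{port}/callback", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params)

def parse_redirect(path, expected_state):
    """Pull the code out of the redirect; refuse it unless state matches this login attempt."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this app instance")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # the single GET the browser makes when the provider redirects back
        try:
            self.server.code = parse_redirect(self.path, self.server.expected_state)
            status, body = 200, b"Login complete; you can close this tab."
        except (ValueError, KeyError) as exc:
            status, body = 400, str(exc).encode()
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the authorization code out of the console log

def start_listener(port=0):
    """Bind first (ephemeral port by default) so the port can go into the auth URL; then open
    build_authorization_url(srv.server_port, srv.expected_state, ...) and call srv.handle_request()."""
    srv = HTTPServer(("127.0.0.1", port), RedirectHandler)
    srv.expected_state, srv.code = secrets.token_urlsafe(16), None
    return srv
```

After `srv.handle_request()` returns, `srv.code` holds the authorization code (or None if the redirect was rejected), and the listener is gone; the app then posts the code and its code_verifier to the token endpoint over TLS.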