SoundCloud: Authentication when the web server is local - authentication

I've created an app that uses Javascript and php. The php is hosted on an apache server which is located in my house and is not accessible from outside. To start the 'app' I just point my browser at
http://server-ip-address/my-app
The problem I'm having is with SoundCloud Authentication.
If I'm using a browser on the same machine as the apache server then I can authenticate using a redirect URL of
http://localhost/my-app/callback.html
and setting this in the app settings on soundcloud.com and the initialise function in the SDK.
The problem is, what if I'm not running the browser on the same machine as the apache server? The app is a remote control for a music player, hence the server will generally be running on a headless PC and the app will be accessed from another device. There seems to be no way to get Authentication to work in both these scenarios since the URI I send in the initialise function has to match the one on the soundcloud app settings and I have no way of knowing what server-ip-address will be for everyone who might use the app.

Unless you do have a way of locating that server (with static IP or some dynamic DNS service) you won't be able to authenticate – SoundCloud has to pass the oauth_token somewhere.

Related

Share JWT between an app and a browser on multiple subdomains

Here is what I'm trying to achieve:
Right now, the Desktop App, Auth server and API are working correctly, I can get my JWT and use it to call the API.
Both web apps are already in use, subdomain1.domain.com use NGINX auth_request, cookie and sessions on an old auth server to get access.
Web app in subdomain2.domain.com use session, and connect to the API with an app token.
And, all these servers are part of the same domain.
So, is it possible to share the JWT from my Desktop app with browsers? We generally use Chrome.
The desktop app use Python 3, and most of the user will be using Windows.
If I can't, and I'm pretty too stupid to do this working, my other concern is, can my browser use that JWT on all web app once it connected get it from auth server? All servers shares the same main domain.
Our web server can be using Apache2, Nginx, Nodejs or Flask (python), which is kind of annoying when trying to make things like that works.
I could use cookie for .domain.com, and store the jwt inside, am I right?
If yes, is this really the best idea?
The idea behind it is:
User log in the app or browser
JWT is generated
JWT is shared between app and browser (not sure about this one)
JWT is used on all subdomain by the browser
What is your advice on this?
I think you can use a cookie in that case with no regrets. Just configure it correctly that every domains you need to have an access to this token.

R shiny how to pass authentication from another App

How can authentication details be passed to a shiny app in a a secure way?
The shiny app is hosted on a a Linux machine with Shiny Server (Open Source version) and should only be accessible after login on another webpage (through SAML) which is hosted on another Linux machine. The shiny app should have different functionality, depending on user rights. So, that information has to be passed to the shiny app at startup.
How can this be achieved in a secure and reliable way?
The only options I could think of were:
Getting the IP-adress of the user and making a request from the other webpage to get the user-rights of that IP.
Passing user-rights within the URL params and using those with parseQueryString(session$clientData$url_search) at shiny-startup.
The first option would make the app depend on a third-party service that gives me the IP and I dont know how a proxy, Vpn etc would interfer with this approach and how reliable it would be. The second option doesn't really seem secure or professional.
What other options would there be?

Custom login page for Apache Free Radius 2fa authentication

For one of my projects I have to set up two factor authentication. We have Radius server set up at the back end. We have a Apache web server and JBoss application server beneath that. I have configured Apache Free Radius module which acts as a client to Radius Server. Once user authenticated, Apache web server redirects the request to application running on JBoss (using mod_jk load balancer). This set up currently works without any hassles. But, on the client side i.e. on the browser when user enters appropriate URL, Free Radius prompts for user credentials. This is purely browser dependent. Is there any way where I can use a custom web page instead of default one. I believe there must be some configuration in Free Radius module where I can use custom web page to consume user credentials. Please suggest. Thanks in advance.
You can not do this out of the box, since the apache module does basic authentication, i.e. it requires the credentials on each request and the browser takes care about fetching and caching the credentials.

Metro app using Enterprise Authentication: why do I still see login prompt

I have an WinJS metro application that I'm using to connect to a remote webservice that same domain. I read up on the app manifest capability (well the little that is present online) and was hoping that I would be able to use the logged in users credentials to access this webservice without requiring them to login.
I'm trying to authenticate to the webservice via a post using a contentType: "application/x-www-form-urlencoded;charset='utf-8'". This application was previously a website that would prompt the user for login credentials in the authentication step using the aforementioned post. In the WinJS metro application I'm effectively using the same code (minor tweaks) to achieve the same result.
Has anyone had experience with Enterprise Authentication in a WinJS metro application and could better explain what types of resources I would/wouldn't have access to. I'm hoping this isn't specific to accessing things like file shares and intranet sites.
I had this exact issue as well. After ensuring the following Capabilities were enabled in the package.appxmanifest:
Enterprise Authentication
Internet (Client)
Private Networks (Client & Server)
I had to still add the URL of our web service to Internet Explorer's list of Intranet Sites. Only then did the prompt go away.

OAuth 2.0 for distributable web applications

I'm trying to figure out, how to use OAuth 2.0 to access Google APIs from my web app. The problem is, that the protocol require developer to register redirect_uri (URL of page receiving access token). But my application can be distributed to many customers and can be hosted on endless number of servers. There is no way to know redirect_uri beforehand.
Google offers another option for installed applications, but I cannot use this variant neither. Auth server returns access code in window title and this information cannot be accessed from javascript of our page (JS cannot access content of window opened using window.open(); if that content comes from different server).
To conclude:
Cannot use method for web applications, because I don't know all URLs where will our app run in the future.
Cannot use method for installed applications, because window title is not accessible from our JavaScript code.
Is there any recommendation, how to use Google's OAuth 2.0 from distributable web application running on a lots of servers? Thank you.
Are you sure you cannot access the window title? If your app is opening the window, it should be able to access it. It should be possible to do this in a similar way you would do it in a mobile app.
If all attempts fail, you could set up a proxy server (that has a known redirect URI) and hands out the Google tokens to all your clients. Or better each of the apps could have its own proxy server - the server it was downloaded from. But then if each OAuth client can only have one redirect URI, each app would have to be a separate OAuth client.