I'm developing an app that will essentially be a kiosk app (I'll use the kiosk features of Windows 8.1 to lock the device down).
So the computer will be always on and always logged into an account with this app running.
However, part of the process is that I need to authenticate users. They'll log in with username and password, choose a couple of things and then click finish which will log them out and take the app back to the login screen.
How can I do this? System.DirectoryServices is not available for Windows Store Apps. I was looking at other ways of doing LDAP Authentication and Active Directory Web Services looks promising (and would be supported). But I don't see how I could use it to authenticate (other than the fact that it authenticates he calling user, but I can't seem to get impersonation working there either).
I was looking for this answer too. I discovered that you have to go to the package.appxmanifest and check off Enterprise Authentication and then you can use CredentialCache.DefaultNetworkCredentials in your app to get the username, but not the password.
Related
I know this might be a very unusual question but I have been using IdentityServer 4 on .Net Core 2.1 for quite a while, serving all sorts of different APIs/Clients/Mobile Apps with connection to the internet at 'all times'.
Now I have encountered an interesting scenario where a User will have access to the internet and be able to authenticate with IdentityServer once but might not have access to internet after an X amount of time (X could be minutes/hours/days), but I still need to authenticate that user and login to use the 'offline features' of the app (even after closing the app).
I have thought about caching some credentials to then verify that the user is valid or using a system where I send an SMS code to then verify the user has the right phone (But that will only work if the app is on a mobile device, hence, not ideal). I'm still not set on any of the options.
I just wanted to ask if anyone else has encountered a similar problem like this, any suggestions would be appreciated. Please have in mind that the user may be logged out after using the app and still needs to be authenticated even if there is no internet connection. I like IdentityServer4 quite a lot, so I will prefer to keep it that way, and My App is developed using Xamarin Forms (iOS, Android, UWP), and the IdentityServer instance is on the cloud.
Thanks a lot for the help, any suggestion is appreciated.
Since only your service will know how to authenticate someone using their server-side credentials how about using the local secure platform features of the device (Secure Enclave, SafetyNet, whatever Windows does)?
The end result is that the user can use their already-configured PIN / fingerprint / faceprint to access your app, all backed by tamper-proof security hardware.
This also gives you the option to allow users to sign in only using their local credential by unlocking a previously stored refresh token. My banking app works like this for example - modern phones are really quite secure by default.
If you want to get fancy you could also enroll their device as a WebAuthn authenticator in your IdentityServer4 service and they could then use the same method to authenticate with the server when necessary.
I am building an application for Mobile using IBM MobileFirst 6.3. The app will work as follows:-
User has to enter username and password to access the application features.
JSON Store is being used to store the user data with encryption.
At first use of the application JSON Store will be created and it is protected by the User's password[JSON STORE KEY] upon the successful login.
Users are allowed to change the password in any environment[Mobile or Web].
Lets take a scenario, if the user has changed password in Web and he tries to login in Mobile app. Login will be successful but JSON Store cannot be initialized since the user has changed the password.
Mobile and web application uses the same webservice and we are not allowed to modify the webservice for mobile application.
How can we handle this scenario?
The answer to Worklight Online + Offline Authentication describes an approach that I think that could work in your scenario.
Do you mean that you base the login to the mobile app on JSONStore? Meaning, that in order to login to the mobile app, you need to open your JSONStore?
I am not convinced at all that is the correct approach.
You are storing the password on the device. Not particularly secure...
To complicate matters you also want to be able to change the password from both the web and mobile, and as you have found out - you cannot change it on the mobile before first logging in with the old password and then somehow programmatically trigger a password change based on the password the end-user entered in the web version.
As you can see, this creates a scenario of lack of synchronicity between the web and mobile apps.
Maybe you shouldn't do that if you plan on allowing changing the password.
My suggestion is to use a centralized location for the password, such as an LDAP or alike server connected to the Worklight Server. As well as not base your login on JSONStore in this fashion.
You could use JSONStore for offline authentication, but not for online authentication. See here: Offline authentication tutorial.
I have already a Windows Mobile application developed in .Net Compact Framework 3.5 (C#), my application runs in Enterprise Mode and I want actually to add a remote authentication to my application, I'm thinking about single sign on. Following are my questions:
1- Do you have any suggestion for a single sign on implementation that can be added to my Windows Mobile Application? So, which Authentication Server to be used and what are the modifications to be done into my application?
2- If 1- is not technically feasible in Windows Mobile, do you have any suggestion for a remote authentication solution to be implemented?
3- I'm thinking to use either Active Directory or LDAP to store user credentials. Can I add SSO to AD or LDAP? what is to be done in my application to add the authentication in this case?
Thanks for your support.
I have not been able to personally get Active Directory to work on Windows Mobile.
Instead, I created a service running on our network that authenticates using Active Directory.
I can call a web service! (Learned about that not too many months back)
The username and password, I believe, would be sent as open text (not encrypted), but that is OK for our use.
I have an WinJS metro application that I'm using to connect to a remote webservice that same domain. I read up on the app manifest capability (well the little that is present online) and was hoping that I would be able to use the logged in users credentials to access this webservice without requiring them to login.
I'm trying to authenticate to the webservice via a post using a contentType: "application/x-www-form-urlencoded;charset='utf-8'". This application was previously a website that would prompt the user for login credentials in the authentication step using the aforementioned post. In the WinJS metro application I'm effectively using the same code (minor tweaks) to achieve the same result.
Has anyone had experience with Enterprise Authentication in a WinJS metro application and could better explain what types of resources I would/wouldn't have access to. I'm hoping this isn't specific to accessing things like file shares and intranet sites.
I had this exact issue as well. After ensuring the following Capabilities were enabled in the package.appxmanifest:
Enterprise Authentication
Internet (Client)
Private Networks (Client & Server)
I had to still add the URL of our web service to Internet Explorer's list of Intranet Sites. Only then did the prompt go away.
I'm currently planning a new web project. Clients are going to connect using a regular web browser and, in case of regular java-enabled cell phones, j2me client. I would really like to make use of the OpenID authentication. In case of regular web browser things are pretty straightforward. However, I am really not sure about installed applications (such as j2me client installed on a mobile device) - regular OpenID authentication is performed by entering username/password on a webpage of particular OpenID provider - which is quite a limitation :)
Has anyone coped with such a situation? Is it possible to create authentication mechanism to the site that uses OpenID from a mobile j2me client?
Currently, I think of solution that users who would like to connect from their mobiles download necessary j2me application from the server web site after they have authenticated themselves (regular browser authentication). The mobile client app could be assembled dynamically on the server with the SSL certificate embedded that is associated with particular logged in OpenID user. After that, j2me client could authenticate to the server without entering any username/password. The data that is going to be stored on the server is not THAT sensitive - considering cases of mobile phone thefts etc.
Can anybody come up with a better solution?
The best solution IMO for what you're doing is to use OAuth combined with OpenID. You're use of OpenID at the RP is fine. But for installed applications that need access to that web site, they should use OAuth to get authorized. The flow would work like this:
User installs app on their device
During install or on first launch, the app has an "Authorize me" button.
The user presses the button and a web browser pops up the web site that the client app needs to access data from.
User logs into that site using their OpenID
Site now asks "do you want to authorize client app X?"
User says yes and closes the browser.
The client app reappears and says "thanks." and now has the OAuth token necessary to access the user's data without the user ever logging in again.