I'm currently new to Claim Based Model and Secure Token Service.
I have successfully installed thinktecture identity server and tested it.
The next step that i would like to make , is to change the login method from the normal method of user name and password to another biometric method (actually a fingerprint) ,
i.e. i would like to know how to make the thinktecture server to accept biometric data (where do I have to tune) rather than the user name and the password.
There's nothing built-in for that. You would need to do that yourself. The obvious place to start would be the login view/controller.
Related
I'm using Oracle Rest Data Services (ORDS) to build APIs.
The client requires basic authentication (username and password). This does not seem to be supported by OAUTH2.
Is there another way I can protect the APIs by means of just a username and password?
EDIT:
We are using IIS10 - is it possible to setup basic authentication from an IIS perspective?
Yes you can, but we don't recommend it.
You can create an ORDS user (use the user command), and assign a password and one or more roles.
You can fall back to database user/password auth. That authenticated user session is given a role called 'SQL Developer,' so if your REST API was protected via privilege that was also put into the 'SQL Developer' role, it would get authorized.
We don't recommend this for a few reasons.
One of the biggest is how much slower it is. We have to make an actual database connection to ensure your user/password combo are correct. That takes TIME.
Hence, we point folks to OAuth2, or something higher up the stack like an API Gateway.
Coming later this year, we'll have out-of-the-box support for OpenID. This will add tremendous amounts of flexibility without sacrificing security or performance.
Disclaimer: I work for Oracle and am a product manager for ORDS.
I'm using IdentityServer4 and EF Core in my Blazor WASM project with ASP.NET Core hosted option and in that project I use multiple databases.(dynamic string connection - duplicates of databases)
In the login page you choose what database to use and I store the database name in the cookies.
The system should work like that when you login using one database you can't use the other databases.
Every thing is working fine except that that I can change the database name in the cookies and then use the other databases.
My question is how can I modify the IdentityServer4 authroize so when you login using one database you can't access the another databases(return 403 error code when send http request if you changed database name in cookies) - database depended.
I thought maybe I could check each request if token is stored in AspNetUserTokens table ,but I noticed that the table is empty even after logged in successfully.
It sounds like the current database value should be set as a Claim on the user's identity, rather than in a raw cookie. Adding custom claims to the identity will protect them in an encrypted token.
Here's some documentation around this scenario, in particular look at implementing an IProfileService that adds your claim.
I'm working on a client-server application using WCF. The first client will be a desktop app (WPF) but I plan to add Xamarin (Android and iOS) and web client. I want this to be an internet service, and to potentially support a large number of clients, so I'm using http, a stateless service to conserve server resources.
I am having difficulties implementing authentication logic.
I found this great example that implements forms authentication:
http://www.dotnetspeak.com/wcf/securing-wcf-with-forms-authentication/
It allows me to handle authentication how I want - compare username and password against the database, create an authentication cookie and return it. Subsequent calls using this cookie will be authenticated automatically.
But the problem is, I don't know which user called the service. If GetMyData() is called by user1, I want to make sure he only gets his own data. I obviously don't want to have the client send their ID separately with each request, because that can be easily tampered with - just switch "user1" for "user2" and hey presto, you're getting someone else's data.
I can get to the authentication cookie inside the service method by calling
WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Cookie]
(I can also see there's one other header called "Host")
The cookie is generated from a FormsAuthenticationTicket, which contains the username and password, but it's encrypted. I'm not sure whether it's possible for me to decrypt the cookie in my code, but I'm pretty sure it wouldn't be the correct approach. My method was called AFTER the underlying system authenticated the caller, so presumably the cookie was decrypted and the ticket was found to be valid. So why can't I get to the data?
Sadly, every article I've found only deals with authenticating the user, but nobody seems to care about which user is using the service afterwards, as long as he's authorized.
I suppose I could store the cookies server-side, along with mapping to the specific user, and find the user that way. But I want the service to be as stateless as possible for performance reasons. Also, this would involve doing fulltext matching on a 300 character long string - for every single request! Yikes!
It seems to me that what I need is a very common use case, so there must be a proper way to do it. I just can't seem to find it. Can anyone help me out?
If you have Forms authentication setup correctly then you can get the logged-in username via Thread.CurrentPrincipal.Identity.Name and send it to your service method for data access validation. Get the user id from username and validate ownership.
Thread.CurrentPrincipal.Identity.Name decrypts the cookie ticket and returns the logged-in username.
Can you please let me know the differences between Form and Adapter Based Authentication. I've gone through the pdf provided by IBM but was not able to find actual difference.
Certain queries comes into my mind is:
How validation occurs? and comparison of username and password from server with entered j_username and j_password.
Right now for example it's accepting any combination of username and password.
Since they are using requrl = /j_security_check
How to validate username and password with server?
The main difference between Form and Adapter Based Authentication is that Form Based Authentication is using MobileFirst internal classes and methods, and When using Adapter Based Authentication you are responsible for the authentication procedures (which should be located inside an adapter) - you only declare in the securityTest what procedures to use for login and logout.
If you want to use Form-Based Authentication with username and password you can use Single Identity login module.
More information about Single Identity login module can be found here:
https://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/devref/r_single_identity_login_module.html
I'm using Firebase for an Atlassian Connect AddOn. I want to use Firebase users to secure the data.
The users will be identified by a clientKey provided by Atlassian (probably after I fudge it a bit) - NOT BY EMAIL.
Ideally, I don't want to have to do my own authentication here, as the Firebase.createUser method would suffice entirely if I could provide something other than an email to it, but I can't find anything like that in the documentation.
Is there a way I can create Firebase users WITHOUT AN EMAIL (just an ID and password), without going to all the way into oAuth and all that jargon to create my own custom authentication?
A Firebase user must have an email. If that is a problem then we can't use a Firebase "user", but instead a "token" (which must have a UID as part of it's payload and hence behaves the same way in terms of security once it reaches their datastore).
If you don't need a password, then "instead of double-authenticating and duct taping" as #Kato kindly pointed out, you can generate your own Firebase tokens and serve them to the client.
If you require the user to provide a password then you'd have to implement your own verification before you generate the token and serve it to the client. Since there's no Firebase user involved anymore, but rather a token your privileged server can arbitrarily create and serve, it's your responsibility to ensure you're doing that at the right time (i.e. when a user has provided your server with an adequate ID and password).
Read more about Custom Authentication here and tokens.