The arguments for and against using an iframe for a single sign-on system - authentication

I am currently assessing what the best options are to integrate multiple sites into a single sign-on system. The ambition is to have a unified header with shared assets across the sites. Currently it operates as a separate login page where the user is redirected back to the page they were on before, similar to Google accounts.
There has been a proposal for an iframe or a popup iframe.
The benefits for this appear to be entirely for the user, so the user does not have to leave the page they are on. My concerns with this approach are
if we make changes to the login page itself we will need to make changes to the iframe which could require a redeployment of all the sites at the same time
the suggestion for a regular iframe is intricate to the design and will create problems across browsers
pop up iframes are problematic on mobile devices
if a user has scripting disabled they will be unable to login
a user may have a pop up blocker in place
Does anyone have any other arguments for or against using iframes for an SSO system? Any critique of the points I have already raised is also greatly appreciated.
Thanks!

Related

How to log in to WebView rendered social logins (Facebook/Google)?

I'm working on an app that (for now) is essentially a WebView wrapper over an existing website.
There are social logins there, but when you click on them in the context of the app, the OAuth providers say the WebView user agent is not allowed. This is because in 2021 OAuth stopped allowing social logins via WebViews due to the risk of key-logging. I messed around with spoofing the user agent, but that both felt wrong and also didn't work for all social logins.
What would you recommend doing in this situation? My goal is to somehow allow people to log in with Google/Facebook. I'm open to ideas - e.g.
implementing native login solutions and passing tokens back to the main site in the WebView
opening an external browser and doing the login action in this higher security area
Where I'm having trouble is the specifics of making this all connect together. If anyone has any experience here, I'd love to hear from them.

Chrome Extension: how to safely restrict the content and customise the user experience?

I'm enjoying developing cross-browser web extensions, the main target being Chrome, so much that I started to think to develop one for my company. I find a chrome extension quite a cheap and efficient way to deploy internal apps. The main purpose is to host a couple of dynamic dashboards that fetch data from various APIs by using cross-domain ajax in background scripts. I finalized the app and I was also able to implement the authentication via chrome.identity and Azure AD.
However, I am struggling to find a safe way to customise the content.
I mean, when the extension is installed it requires logging in to Azure via the chrome.identity flow. Then I get a token that I use to query MS Graph and get the user ID, name, email and basic info.
Until I get this information I want the browser action (popup) to be unavailable to the user as well as any other extension pages. After a successful login I would like to show the content on the pop up and to let the user access the pages, but here I want to customize the experience.
I know how to use the user id retrieved from the api call to customize the extension, but I think it is not safe because all the code is in the client.
If I code something like
if (user === logged) show something
it will be damn easy for a malicious user to look at the code and bypass it, or even to impersonate another user. And Chrome extensions cannot be obfuscated.
Any help?
Thanks

Movilizer : Using third party authentication

Currently we have a Hybrid solution where we show a web form in our Movilizer screen. This solution does not open a new browser window, but the form is shown in the Movilizer screen.
This form needs to be logged in to with our credentials (using our login page).
Now we have a new requirement that on referring to the form, instead of our login screen, it will be redirected to a third party authentication login. Once the user is authenticated by this third party authentication, it will be redirected to our web form.
How can we achieve this?
This must be solved first in the HTML world. Once the auth in HTML is completed (positive or negative), you can use the Movilizer specific Cordova JScript functions to provide the result to Movilizer, so the MEL logic in your Movelets can operate with it.
Movilizer runs HTML through lightweight html engines / browser components out of the frameworks of that specific platform. In other words, Movilizer clients use functionality that the native frameworks provide ... Movilizer does not have impact on how HTML itself is processed in there. Regarding the typical problems different browsers on different platforms normally bring, this means you have to carefully test the HTML part of this process on a multitude of platforms and devices.

Prevent Browser Malware Ads through HTML code

I have administrated a community site for quite a while and over time a handful of people have told me that their browsers got infected with a "malware addon" that randomly inserts ad banners in websites they visit.
While they say some websites don't seem to "allow" such foreign insertions, my forum did "allow" the adding of the browser ads. (For example a malware thing called "OnlineBrowserAdvertising")
Is there a way (through HTML, Javascript...) to prohibit browsers from adding something to my site? I am 100% sure that my site and my webspace are not infected. It's the visitors' browser add-ons messing with my page.
You cannot prevent browsers from injecting their own code on your end - the data is retrieved from your server and stored locally (at least temporarily) by the user's device. From the moment the data leaves your server, it is essentially out of your control.
This is purely a client-side issue that can be rectified by following standard security practices. Tell your users to keep their software up-to-date, use an antivirus/firewall solution, and not to visit or download from suspicious websites.

how to implement a given logged in user role through UI automation?

I am having trouble with how to implement the Given step (with SpecFlow for example) of a logged in user role through Web UI automation (with WatiN for example).
Let's say I have the following feature:
Feature: Site usage overview
As an admin
I want to view a site usage overview
So that I know how many visitors my site attracts
This feature uses the admin user role. One possible scenario would be:
Scenario: Admin should see site usage
Given I am logged in as an admin
When I navigate to the Site usage overview page
Then I should see the site usage statistics
This is just as an example. The scenario could also be written with clicking buttons or links and validating some text on the page or something, but I'm not going into that discussion.
What I want to know is how to implement this Given step. I see a couple of options:
Writing all the stuff for logging in as some admin (go to login page, log in as admin)
Verifying some logged in state that is visible on every page (currently logged in as ...)
But what if the authentication mechanism is Windows Authentication (Integrated Security / Active Directory) or something similar in other environments and there is no visible indication of your logged in status and you need to be logged in for every page in the whole site?
I hope I am missing something and someone can point me in the right direction.