We are trying to use WebAuthenticationBroker in a WinJS app using ACS as the provider.
The problem is our SWT token is a little large, it seems longer than 2K and therefore exceeds max length for a URI.
Can anyone tell me if there is a way to return large tokens to WebAuthenticationBroker?
Since the max length of a URI is 2048 characters, you will need to find a way to reduce the URL to the point that the tokens can fit in the 2048 characters.
I noticed Instagram and some other image APIs send a link to a photo when a GET request is made for images. Wouldn't the client have to make a GET request for every single link that the API provides? This seems like a lot of extra work for the client. However, most major photo APIs seem to follow this pattern instead of sending actual bytes. Just curious why this is considered a better practice? Thank you!
Let’s say I have a client who has spent a lot of time and money creating a custom database. So there is a need for extra data security. They have concerns that the information from the database could get scraped if they allow access to it from a normal web app. A secure login won’t be enough; someone could log in and then scrape the data. Just like any other web app, a PWA won't protect against this.
My overall opinion is that sensitive data would be better protected on a hybrid app that has to be installed. I am leaning toward React-Native or Ionic for this project.
Am I wrong? Is there a way to protect the data from being scraped in a PWA?
There is no way to protect data visible to a browser client, regardless of technology - simple HTML or PWA/hybrid app.
Though you can make it more difficult.
Enforce limits on how much information a client can fetch per minute/hour/day. Anyone who exceeds the limits can be blocked/sued/whatever.
You can return some data as images rather than text. That would make the extraction process a bit more difficult, but would complicate your app and use more bandwidth.
If we are talking about a native/hybrid app, you can add a few more layers to make it more secure:
Use an HTTPS connection and enforce a check for a valid certificate.
Even better if you can check for a specific certificate so it's not replaced by a man-in-the-middle.
I guess an iOS app would be more secure than Android, as Android is easier to decompile and run as a modified version with the restrictions removed.
Again, rate limiting seems to be the most cost effective solution.
On top of rate limiting, you can add some sort of pattern limiting. For example, if a client requests data at regular intervals close to the limits, it is logical to think that the requests are from a robot and the data is being scraped.
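The rate limiting plus "pattern limiting" idea from this answer, as an added example that is not part of the original post: a sliding-window limiter per client, and a check that flags clients who stay near the allowance while requesting at near-constant intervals. The window, limits, jitter threshold and request timestamps are all constructed for illustration.

```python
from collections import deque

# Constructed thresholds; tune them for the real API's traffic profile.
WINDOW_SECONDS = 60
MAX_PER_WINDOW = 10
NEAR_LIMIT_RATIO = 0.8     # client has used >= 80% of its allowance
MAX_JITTER_RATIO = 0.05    # every gap within 5% of the mean gap => machine-like


class ClientLimiter:
    """Sliding-window rate limiter for one client (IP, API key, session...)."""

    def __init__(self):
        self.hits = deque()  # timestamps (seconds) of requests inside the window

    def allow(self, now: float) -> bool:
        """Admit the request if the client is under the per-window limit."""
        while self.hits and now - self.hits[0] >= WINDOW_SECONDS:
            self.hits.popleft()
        if len(self.hits) >= MAX_PER_WINDOW:
            return False          # over the limit: reject (and count for blocking)
        self.hits.append(now)
        return True

    def looks_automated(self) -> bool:
        """Pattern check: near the limit AND suspiciously regular inter-arrival times."""
        if len(self.hits) < NEAR_LIMIT_RATIO * MAX_PER_WINDOW:
            return False          # a light user is never flagged on pattern alone
        times = list(self.hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        spread = max(abs(g - mean) for g in gaps)
        return spread <= MAX_JITTER_RATIO * mean


def classify(timestamps):
    """Replay a client's request log; return (rejected_count, flagged_as_robot)."""
    limiter = ClientLimiter()
    rejected = sum(0 if limiter.allow(t) else 1 for t in timestamps)
    return rejected, limiter.looks_automated()


if __name__ == "__main__":
    # Constructed logs: a scraper pacing itself just under the limit, a person, a flood.
    print("paced scraper:", classify([6.0 * i for i in range(9)]))      # (0, True)
    print("human:", classify([0.0, 3.1, 20.4, 21.0, 50.7]))              # (0, False)
    print("flood:", classify([1.0 * i for i in range(15)]))             # (5, True)
```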
HTTPS encrypts the data being retrieved from your API, so it could not be 'sniffed' by a man in the middle.
The data stored in the Cache and IndexedDB is somewhat encrypted, which makes it tough to access.
What you should do is protect access to the data behind authentication.
The only way someone could get to the stored data is by opening the developer tools and viewing the data in IndexedDB. Right now you can only see that a response has been cached in the Cache database.
Like Alexander says, a hybrid or native application will not protect the data any better than a web app.
I am working on my first Shopify app. While it's not embedded (a setting in the application settings) it works okay, but when I turn on embedded mode I get an invalid HMAC error.
I searched for different kinds of validation for embedded apps but didn't find anything. It seems that it should be the same for usual and embedded apps.
UPDATE (with solution):
The embedded app adds one additional param:
protocol=https://
This additional param must be included in the HMAC calculation (in case it is an embedded app). Important: this param MUST NOT BE ENCODED when you pass it for the HMAC calculation.
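A verifier that applies the point above, written here as an added example (not code from the original post or from Shopify's libraries). It assumes Shopify's documented scheme: drop the hmac (and legacy signature) parameter, sort the remaining key=value pairs, join them with '&', HMAC-SHA256 them with the app's shared secret and compare hex digests in constant time; the secret and query values are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode


def message_for_hmac(query: str) -> str:
    """Build the string Shopify signs from the raw query string.

    parse_qsl decodes %xx sequences, so protocol=https%3A%2F%2F in the URL
    becomes protocol=https:// here, i.e. NOT encoded, as the post requires.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    kept = sorted((k, v) for k, v in pairs if k not in ("hmac", "signature"))
    return "&".join(f"{k}={v}" for k, v in kept)


def message_for_hmac_wrong(query: str) -> str:
    """The mistake that produces 'invalid HMAC' for embedded apps: re-encoding the values."""
    pairs = parse_qsl(query, keep_blank_values=True)
    kept = sorted((k, v) for k, v in pairs if k not in ("hmac", "signature"))
    return urlencode(kept)  # yields protocol=https%3A%2F%2F -> wrong digest


def compute_hmac(message: str, shared_secret: str) -> str:
    return hmac.new(shared_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify(query: str, shared_secret: str) -> bool:
    """True only if the hmac parameter matches our own digest (constant-time compare)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    expected = compute_hmac(message_for_hmac(query), shared_secret)
    return hmac.compare_digest(expected, params.get("hmac", ""))


def signed_query(params: dict, shared_secret: str) -> str:
    """Constructed stand-in for the redirect Shopify sends: encoded query plus hmac."""
    query = urlencode(params)  # protocol=https:// travels as protocol=https%3A%2F%2F
    return query + "&hmac=" + compute_hmac(message_for_hmac(query), shared_secret)


if __name__ == "__main__":
    secret = "constructed-shared-secret"
    q = signed_query({"shop": "example.myshopify.com", "timestamp": "1700000000",
                      "protocol": "https://"}, secret)
    print(q)
    print("valid:", verify(q, secret))
    print("tampered:", verify(q.replace("example", "evil"), secret))
    print("message:", message_for_hmac(q))
    print("wrong message:", message_for_hmac_wrong(q))
```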
I would like to test the Flickr API using Matlab. There is no Flickr API library available for Matlab, so I have to do everything myself.
I am having trouble right at the beginning: I cannot cope with authentication. The process description is here: http://www.flickr.com/services/api/auth.oauth.html. However, I do not understand a couple of things in Signing Requests:
First,
the key is the concatenated values of the Consumer Secret
and Token Secret, separated by an '&'.
What are the Consumer Secret and the Token Secret? I only have the API key and API secret, issued for my test application by Flickr.
Second, the result of signing a string (which should be the output of the HMAC-SHA1 function, i.e. a number, right?) in the example is w18YS2bONDPL%2FzgyzP5XTr5af4%3D. What is it? It is neither a hex number nor a base64 string.
You might find it easier to build an interface from MATLAB to one of the available Flickr API kits. MATLAB makes it particularly easy to call C, Java and Perl, so those might be a good choice.
I've solved this task. I put the answer in the form of a short tutorial on the MATLAB File Exchange: http://www.mathworks.com/matlabcentral/fileexchange/34162. I will also keep a list of additional hints on my blog: http://texnical.wordpress.com/2011/12/12/flickr-api-with-user-authentication-in-matlab/.
I'd like to acknowledge the help of Sam Judson from the Flickr API discussion list.
I've been looking around at various APIs, and since twitter seems to be a common discussion point, I'll use it as an example.
A lot of APIs are implementing OAuth, which is great for allowing the service to authenticate and authorize the application connecting to it. However, from what I have seen there doesn't seem to be a way for the application to verify that Twitter is actually Twitter (and not a man-in-the-middle attack)? I would expect to see some kind of signature (using a shared / public key) of the response body which I can use to validate that Twitter signed it.
Is it just because currently there isn't really a point to a man-in-the-middle attack with Twitter tweets, since what's the worst that can happen (and why would someone want to give me invalid tweets)?
On this point, if you were to sign the response, what method would you use? I'm currently considering an HMAC-SHA1 signature of the response body using a shared key.
This is what the 'trust' part of SSL does.
-- Edit
I note this has been downvoted, but it's important that other readers realise it's due to a personal disagreement, not due to incorrectness.
In the .NET world we use WCF, which has many different security models, including signing (and if desired encrypting) each message/response. This adds up to a non-trivial amount of overhead, but can give you more 'trust' in the security model. You can switch to using binary-serialized data to cut down on the bloat and message size if you desire.
I'm not sure what other Web Service APIs offer in that area, though I'm sure someone else can add further details as needed.