In my client application I have to use web service UserNameOverTransport, so I need in client set username and password like:
client.ClientCredentials.UserName.UserName = "account";
client.ClientCredentials.UserName.Password = "password";
Is it some best practices where store username and password?
From my point of view it isn't good idea to store credentials in config file.
[Update]
When I asked this question I though that WCF provide some standard ability to store credentials in config file or have ability to setup with help of endpoints behaiviours.
The example which I looked for is solution by the following link:
http://blog.shutupandcode.net/?p=22
If you want to store credentials in the app.config/web.config, you can encrypt them using the ProtectedData class or a ProtectedConfigurationProvider. See the following links for more info (ordered from least detailed to most):
http://geekswithblogs.net/afeng/archive/2006/12/10/100821.aspx
http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx
http://msdn.microsoft.com/en-us/library/89211k9b%28v=vs.80%29.aspx
http://msdn.microsoft.com/en-us/library/53tyfkaw%28v=vs.80%29.aspx
You do not need to store your username and password in config. What you usually store in config are client settings, like endpoints, behaviours and security settings.
Username and password should be set from inside the code, like you have shown:
client.ClientCredentials.UserName.UserName = "account";
client.ClientCredentials.UserName.Password = "password";
It's completely up to you where you will get these values from and how you are going to secure it
Related
I am working om using Auth0 has authentication for services. I have the following problem. I have created a user but when I try to make a request with that user I get the following error.
Authorization server not configured with default connection
I have researched this and found I need to Configure the tenant
The Resource Owner Password Flow relies on a connection that is capable of authenticating users by username and password, so you must set the default connection for the tenant.
Go to Auth0 Dashboard > Tenant Settings, and scroll down to locate the Default Directory setting.
Enter the name of the connection you would like to use. Make sure it is capable of authenticating users by username and password.
But I have on idea what they mean by Default Directory. Is that the name of the Auth0 application I generated, since that is the service, that is supposed to authenticate users by username and password.
I have generated a SpringBoot app from the auth0 console. is that what they mean by connection.
Follow these steps.
Navigate to your dashboard - manage.auth0.com/dashboard
On the left menu, click on Setting
Scroll down to "API Authorization Settings"
Enter Username-Password-Authentication in the "Default Directory" input
Hit save - It typically takes about 30secs for changes to take effect
In Default Directory put Username-Password-Authentication
My auth0 was configured with a custom database, and when I was trying to get tokens using the Resource Owner Password API, I had the same issue Authorization server not configured with default connection .
The solution to this issue was:
Set the grant_type to http://auth0.com/oauth/grant-type/password-realm
Set the realm to the name of the custom database
For anyone else stumbling upon this question, you can also use the Realm property to define a specific Database connection instead of setting up a default one.
I'm currently working on a project where I'm trying to set up a service based on IdentityServer4 (https://github.com/IdentityServer/IdentityServer4) that authenticates users by querying a local Active Directory via LDAP.
To achieve that, I also included the IdentityServer4.LdapExtension (https://github.com/Nordes/IdentityServer4.LdapExtension) in my project. The working example from the repository works fine (https://github.com/Nordes/IdentityServer4.LdapExtension/tree/master/Sample/IdentityServer) - but the custom logic is part of the UI, and I need my service to operate without any UI.
Simply adding
.AddLdapUsers<ActiveDirectoryAppUser>(Conf.GetSection("ldap"), UserStore.InMemory)
as described in the documentation does not change the request pipeline, as the provided login/validation methods are never executed - they are only triggered with calls from the UI (AccountController). However, as I said, I don't want to integrate any UI in this service and rather use the interface which the Token-Endpoint already provides (POST request with client_id and client_secret, response with JWT).
Is there a way to integrate LDAP authentication without rewriting big parts that work out-of-the-box as desired?
From your question it sounds like you already have a username and password. Note client_id != username and client_secret != password. client_id is the identity for a client application.
The grant type you are trying to use is called Resource Owner Password when using the authorize endpoint or password when using the token endpoint.
This grant type is used to support legacy systems and is not recommended for new development.
The code that you want to executed to authenticate a user is in LdapUserResourceOwnerPasswordValidator.cs and it should be executed if you pass the correct parameters to the token endpoint:
POST /connect/token
client_id=yourclientid&
client_secret=yourclientsecret&
grant_type=password&
username=yourusername&password=yourusernamespassword
See token endpoint documentation: https://identityserver4.readthedocs.io/en/release/endpoints/token.html
You can use Identity Model to help you make the token request:
var response = await client.RequestPasswordTokenAsync(new PasswordTokenRequest
{
Address = "https://demo.identityserver.io/connect/token",
ClientId = "yourclientid",
ClientSecret = "yourclientsecret",
UserName = "yourusername",
Password = "yourusernamespassword"
});
This is documented here https://identitymodel.readthedocs.io/en/latest/client/token.html
Currently, I have 1 user have the permission to bind OpenDJ server. Then I need to verify the username and password from the end user. How can I do that?
This is the way I create the LDAP connection and bind successfully:
LdapConnection connection = new LdapConnection("opendj.mydn.com.vn");
//Set session options
connection.SessionOptions.SecureSocketLayer = false;
connection.AuthType = AuthType.Basic;
connection.Bind(new NetworkCredential("myuser", "mypassword"));
After that, I need to use this connection to verify the "user1" and "password1".
How can I query this action?
This is the configuration of OpenDJ:
Host_LDAP=opendj.mydn.com.vn
dn_LDAP=ou\=People,dc\=mydn,dc\=com
#uid_LDAP=uid\=webservice,ou\=People,dc\=mydn,dc\=com
uid_LDAP=webservice
admin_LDAP_verify_attr=uid
admin_LDAP_verify_dn=ou\=People,dc\=mydn,dc\=com
You've already done it. If the bind succeeded, the username and password were correct.
EDIT Your 'IT guy' is seriously misinformed. According to the OpenDJ configuration documentation #6.1.5, there is no real 'bind' permission. Instead:
Bind
Because this is used to establish the user's identity and derived authorizations, ACI is irrelevant for this operation and is not checked. To prevent authentication, disable the account instead. For details see Section 11.2, "Managing Accounts Manually".
[Emphasis added.]
I use ldap_bind_s to bind to ldap server.
example:
SEC_WINNT_AUTH_IDENTITY *pSecIdentity;
ldap_bind_s( pLdapConnection, // Session Handle
NULL, // Domain DN
(_TCHAR*)pSecIdentity, // Credential structure
LDAP_AUTH_NEGOTIATE)
pSecIdentity is filled with username and password.
But the problem is i want to do the same with PKI users where i dont have username and password instead a user token.
So how to proceed with this scenario.
Are there any Structure to provide usertoken instead of username/password to authenticate?
Check if this helps
Not very sure but looks promising
https://pkienthusiast.wordpress.com/2011/09/16/apache2-pki-certificate-authentication-and-ldap-authorisation-example-2/
If my Gmail account has Access for less secure apps disabled, then my application can't send emails through this account. Instead I get "The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required" exception.
Here Google explains that by disabling Access for less secure apps, only apps that use modern security standards can sign in.
What are those modern security standards my code needs to implement and can you show me how to implement them with an example ( not sure if it matters, but my app and Gmail account aren't using 2-step verification )?
Here's the code I'm currently using:
public class EmailService : IIdentityMessageService
{
public Task SendAsync(IdentityMessage message)
{
var credentialUserName = "myAccount#gmail.com";
var sentFrom = "myAccount#gmail.com";
var pwd = "myPwd";
System.Net.Mail.SmtpClient client =
new System.Net.Mail.SmtpClient("smtp.gmail.com");
client.Port = 587;
client.DeliveryMethod = System.Net.Mail.SmtpDeliveryMethod.Network;
client.UseDefaultCredentials = false;
System.Net.NetworkCredential credentials =
new System.Net.NetworkCredential(credentialUserName, pwd);
client.EnableSsl = true;
client.Credentials = credentials;
var mail =
new System.Net.Mail.MailMessage(sentFrom, message.Destination);
mail.Subject = message.Subject;
mail.Body = message.Body;
return client.SendMailAsync(mail);
}
}
Considering that the asp.net-identity-2 tag is applied to this question, and considering that Google requires use of OAuth 2.0 to avoid having to use the Access for less secure applications option, it appears that one option is to use the OWIN middleware able to be found by searching for the term Oauth 2.0 at www.asp.net.
This site hosts an article titled Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on that might be of some interest. The article appears to show many screenshots that walk a developer through the process of getting the resource, creating an app, and authenticating with a Google server.
I think it "Less secure" only means that you are giving credentials to third party and they do not use two step verification.
About Google "Less Secure" Settings
It should be noted that Google's statement of Less Secure should not
be read as Insecure. Less Secure Apps is a label describing a
behavioral issue and not a technical issue. Lots of things can go
wrong when you give your credentials to a third party to give to the
authentication authority: the third party might keep the credentials
in storage without telling you, they might use your credentials for
purposes outside the stated scope of the application, they might send
your credentials over a network without encryption, etc. Ultimately,
it is only Less Secure if the third party in question has malicious
intent and therefore you should always be vigilant in knowing who you
are sending your credentials to. COMPanion Corp stores your
credentials only for the purpose of utilizing Googles SMTP Email
service and they are stored using the most up-to-date security.
Source: http://www.goalexandria.com/v7Docs/index.php/Using_Gmail_as_Your_SMTP_Server