Is it possible to give a user system-wide the right coursecreator in Moodle by using the webservice core_role_assign_roles?
Related
i have a django webapp running at work. we have some REST APIs available which get accessed by our flow in unix. currently to avoid asking the users to enter their credentials, we store a service account name and credentials in a "secret" location on disk. my python code reads credentials from there to login and access the REST API running on our django app.
i am sure there is a better way to do this. is there a way to leverage that the user is logged into unix somehow to get authentication to work with the REST API? i heard kerberos might be useful here?
thanks for the help!
I have created a chrome extension which gets data from the current active tab in chrome. I send the data to my webapp via an API which stores it in the database.
At the moment my chrome extension has a fixed user_id. I would like to prompt the user the user to log in in order to get the correct user.
Is it safe/valid to check for cookie - if it exists use it otherwise prompt user to sign in via the browser?
It's probably okay, as long as you're not storing anything sensitive in the cookie like a password (obviously).
However, the appropriate way to accomplish this would be through something like oAuth. In this scenario your web app's API would be a oAuth consumer, and you would use the following library to authenticate in a Chrome extension:
https://developer.chrome.com/extensions/tut_oauth.html
This library will save an authentication to local storage for you. It's pretty easy to use. The difficult part is ensuring your web app's API supports OpenID. Google's AppEngine supports this pretty much out of the box with little configuration on your side, but this may not be the case with your API.
So I want to do the following:
A person registers online and selects their login and password for a desktop and web application (same login and password for both applications)
They then download the desktop application (written in C++ with Qt as it's cross platform)
Then the login and password is automatically passed to the desktop application without the person needing to enter this data. The login and password is used to authenticate with the server.
Each version of the desktop application needs to be individually coded with the person's login and password based on the fact that they signed up on the web page.
So here is a more simple explanation:
1. The user signs up on the web site and choose login\password
2. The user download desktop client on his computer
3. The user runs desktop client (C++ binary) and it asks for a login/password from the step
I would like that software fill in login/password automatically on step 3 for the first time. Is it possible? How would it be done without security risks?
The main problem is, that anyone could execute the program and gain access to a user account. I would suggest using a one-time login for first authentification with random tokens and after the first start, get the user/password information through an ssl-connection. After that delete your one-time login token and replace it with the actual login.
I don't really know whether you're asking for precise code examples or just want to have a basic concept... But anyway, storing login-data in the application itself is a security risk.
Have you look at HTTP Authentication?
I do not fully understand the download process of the QT app, but, if you use a Basic/Digest Authentication on your web server, propagating the authenticate token will be easy and safe.
Basic use a 64 base encoding, Digest a MD5 hashing. A lot of library implements those steps out there (Spring Security and Shiro in the Java world).
I saw two ways:
the server can provide a user with unique link for downloading installation package. The server patches that package by unique one-time password. So client will be able to login for a first time
the browser collects some information about a user's computer. For example, IP, MAC, OS Version, etc. Then it calulate digital sign of the computer based on these data. The C++ binary do the same. You can use that digital sign as one-time password.
I am building an application that has a web front end and a desktop client application. The web front end allows users to login using Facebook. It exposes a web service to the Desktop application for uploading data. The web service needs to insure that the desktop application uploading data for a user is really from that user. I have already implemented Facebook login on both the client and web interface using the Graph API. How would I go about using Facebook to validate that the user using the desktop application is who they say they are? Also, how can I make it so the user can login once and not need to login again on the desktop application?
After much struggle I figured out that it's possible to receive a session key that does not expire. You can do this by requesting offline access to a user's profile. I stored this in the database on the web side and retrieved and stored it on the desktop side. The only problem is the session key technically can be viewed and used by someone other than the user to make requests. Any other suggestion would be appreciated.
I want to upload a file to a website via a desktop app and then take the user to the website. The website has a web service, but requires authentication as does the web site. Is there a way to do this without forcing the user to authenticate twice (once in the desktop app and once in the web browser)?
Unfortunately, you can't prefill an input of type file for security reasons, which makes sense since the user won't want you uploading arbitrary files from his/her computer. But if they have a desktop app, is there some way around this?
Or maybe make the user log into the web app first and then the authentication cookie can be reused?
Any other ideas?
Thanks,
Ben
I would use the dekstop app as a client to the website app via an api.
So, login via the desktop app. The api returns a authentication token (as Carlos suggested) which might be a md5 hash stored in your database for a certain period of time, possibly matched to the clients ip address.
The desktop app can then make calls on the api (like uploading a file) as a authenticated user (by using the auth token).
When loading the website, perhaps the url is http://website/login/{auth_token} where the auth token is added to the url. The api can check to see if its a valid auth token and consider the user logged in.
You could generate an authentication token that could later be used on the website.
It all depends on the type of authentication of the service and the site. Is it integrated Kerberos, WS-Auth, is it Basic/Digest HTTP, is it forms/cookie ?
This answer will most likely not work in the very general users-on-the-wide-open-web scenario, but in intranet contexts, using Windows Authentication (on an ASP .Net solution), would provide this.