Communication between mobile phone application and server - web-services

I have a backend server which is developed using the Symfony 2 framework and FOSUserBundle as the authentication provider.
I have made a custom API (a simple controller that returns JSON) to handle communication between the server and the mobile app.
So basically all methods in this API need an authenticated user.
Below is a little discussion between the server and the mobile app of what I'm planning to do:
mobile app: send an HTTPS request with parameters (email and password)
server: verify email & password, generate a token, store it in the user table and send it to the mobile app
mobile app: include the token in future requests
server: getUserByToken() and continue the rest of the logic
My questions:
How to achieve credential (email & password) verification on the server using FOSUserBundle (or anything else)?
I'm wondering what if a hacker uses the man-in-the-middle technique, gets the token and uses it to send requests to the server?
Disclaimer: I'm very novice in security and intermediate in Symfony 2.
I'm sorry for not including an image which would explain more (I haven't enough reputation).

1. How to achieve credential (email & password) verification on the server using FOSUserBundle (or anything else)?
Symfony2 handles it for you. You have an example of login here with FOSRestBundle using FOSUserBundle. You just need to modify the code to log in with mail only.
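The token exchange sketched in the question (verify email and password, mint a token, store it in the user table, later getUserByToken()) as an added Python example; it is not the question's Symfony code nor anything from FOSUserBundle. A dict stands in for the user table, and the function names (register, login, get_user_by_token, revoke) and the TTL are assumptions. The token is stored hashed with an expiry, so a leaked table or an old token is worth less; the man-in-the-middle concern from the question is addressed only by carrying the token over TLS, since a server cannot tell a replayed bearer token from the original.

```python
"""Token-based API authentication for a mobile client (added example).

Models the four-step exchange from the question with plain Python dicts
standing in for the Symfony user table. Passwords are stored as salted
PBKDF2 hashes; tokens are random bearer strings whose SHA-256 digest
(never the token itself) is stored alongside an expiry.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000      # assumed work factor
TOKEN_TTL_SECONDS = 3600     # assumed token lifetime

# Constructed in-memory "user table": email -> record.
USERS: dict = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email: str, password: str) -> None:
    """Create a user with a salted password hash and no active token."""
    salt = secrets.token_bytes(16)
    USERS[email] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "token_hash": None,
        "token_expires": 0,
    }


def login(email: str, password: str, now=None):
    """Steps 1-2: verify email+password, mint a token, store only its hash.

    Returns the raw token for the client, or None on bad credentials.
    """
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        # Run the hash anyway so a missing account is not detectable by timing.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(user["pw_hash"], candidate):
        return None
    token = secrets.token_urlsafe(32)
    user["token_hash"] = hashlib.sha256(token.encode()).digest()
    user["token_expires"] = now + TOKEN_TTL_SECONDS
    return token


def get_user_by_token(token: str, now=None):
    """Steps 3-4: resolve a bearer token to the user's email, or None.

    Expired or revoked tokens resolve to None; comparison is constant-time.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).digest()
    for email, user in USERS.items():
        stored = user["token_hash"]
        if stored is not None and hmac.compare_digest(stored, digest):
            if now >= user["token_expires"]:
                return None
            return email
    return None


def revoke(email: str) -> None:
    """Server-side logout: the old token stops resolving immediately."""
    USERS[email]["token_hash"] = None
    USERS[email]["token_expires"] = 0
```

In a real table the token_hash column would be indexed and looked up directly rather than scanned; the linear loop is only there to keep the example self-contained.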

How to implement QR code cross login from mobile app as authentication method for website or webapp in a vendor agnostic way?

I am using Django 2.2 for my webapp.
And I have been looking for tutorials that cater for QR code cross login to a webapp using a mobile app.
Basically the workflow is like this:
Expected workflow
1. User arrives at the website on desktop.
2. Given a choice of username/password or QR code login (we assume the user is registered).
3. User chooses QR code to log in.
4. User is prompted to install the mobile app (can be Android or iOS).
5. User installs the mobile app and logs in using username/password.
6. On the mobile app, the user then agrees to future login using QR code as an alternative (this is done once).
7. After this, in future logins, when the user chooses QR code to log in as per step 3, they use the mobile app to scan the QR code generated on the website login page.
8. The mobile app then uses FaceID or FingerPrint ID (assuming iOS) to then allow login. The user presses a Yes button on the mobile app to confirm login.
9. Somehow the webapp is notified dynamically and allows login on the desktop browser.
I don't quite get how the mobile app and the web app backend all work with one another to achieve this seamlessly.
What I did find
I did find this library https://github.com/aruseni/django-qrauth which seems to be no longer maintained. But I still cannot quite get how the flow works between the mobile app and the webapp backend.
I also found this https://medium.com/@ksarthak4ever/django-two-factor-authentication-2ece42748610 which seems to use the mobile phone as a 2FA device. Not exactly the use case I am looking for, unless I misunderstood.
I did find this article https://backendless.com/how-to-implement-mobile-to-web-cross-login-using-a-qr-code/ which is what gave me the term "cross login". However, the article is tilted heavily towards this particular vendor.
I am looking for an "understanding" of the concept without being reliant on the specifics of the vendor implementation.
What I am not looking for
In case my question is poorly phrased and gets misunderstood, I have included this section to make clear what I am not looking for.
I am not looking for the use case where the QR code serves as a 2FA confirmation for the authenticator app.
I am also not looking for code examples yet. I just want a clear understanding first of how things work between the mobile and web app. I believe JWT is needed, though I am guessing.
A workflow is more appreciated than actual code because I want to gain an understanding first of how this works.
The key concept is that login occurs when a user and a browser are matched. A user means a user (or a user device) already recognized (authenticated) by the server.
1. The user's PC browser requests QR login from the server (without any account information).
2. The server makes a login request key and sends the key to the user's browser. The key is displayed as a QR code. (The role of this key is to identify the browser.)
3. The user's already logged-in device (user) reads the key (QR) and sends a login acceptance request to the server with the key.
4. At this point, the server knows who both the user and the browser are.
5. The server allows the browser to log in as the user.
The key to identify the browser could be a session, a web socket channel or any other form of information.
The server must store the key until the login process is complete.
If a valid login acceptance request is received, the server should prompt the browser to log in (server->client, push). There are several techniques for accomplishing this (polling via AJAX, web sockets, push notification services, etc.).
I'll explain it with the Django-channels web socket framework. (In this case the login request key and the channel name are the same, but a different key and channel name is also okay.)
browser: user chooses QR login (without any account information).
Backend: a web socket channel is made. The name of the channel is a securely, randomly generated string (FOO). The key (FOO) is stored in Redis as Django-channels[redis] made a channel named with that string (FOO). Send the key (FOO) to the user's browser.
browser: get the key (= channel name = FOO), open the web socket channel (FOO), and also display the QR code (FOO).
user (smart phone): the user launches the smart phone app (already logged in) and scans the QR code (FOO). The user's smart phone app sends a login acceptance request to the server with the QR code's information (FOO).
Backend: the server sends a securely generated login key (BAR) via the web socket channel (FOO).
browser: get the login key (BAR) via the web socket channel (name is FOO) and redirect to the login URL with the login key (BAR).
server: get the login key (BAR) and let the browser log in as the user.
The login request key (FOO) could be a JWT (containing key, URL, expiry, etc.) or just a secure string (varies depending on the scenario). It doesn't contain account information and the server must store it.
The login key (BAR) is usually a JWT. With a JWT, it contains account information and the server does not have to store the key (stateless).
I think you want to do something like WhatsApp Web, where users log in to the web app by QR code. If I were doing such an implementation I'd do it as follows.
When the user arrives at the login page, we create a logInSession with a random token and we save it to the database.
We send that random token to the browser, which will render a QR code based on the random token. We start polling the 'log_me_in' view to check if the user scanned the barcode.
The user goes to the mobile app and selects the log-on-browser activity, which will launch the camera.
Once the QR is read on the phone, make a request to the backend with the scanned token and update the logInSession with the username.
With the next call to the 'log_me_in' view, log the user in based on the username and tell the JS to redirect to the homepage.
Hope this is clear enough.
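A small server-side model of the flow described in both answers above (the FOO/BAR key scheme delivered over a web socket, and the polled 'log_me_in' variant), written as an added Python example that is not code from either answer. Dicts stand in for Redis and the database; the function names and the TTL values are assumptions. It makes explicit the checks both answers rely on implicitly: FOO identifies a browser and nobody else, it can be accepted only once and only while fresh, BAR is issued solely to an accepted FOO and expires quickly, and FOO is consumed only when its matching BAR is redeemed, so a guessed or wrong BAR cannot burn the pending login.

```python
"""QR cross-login server logic (added example).

One state machine that serves both the websocket-push and the polling
variants: the server mints a login request key (FOO) for an anonymous
browser, an already authenticated device accepts it, the browser is
handed the login key (BAR) by push or by polling, and redeems BAR for a
session. All keys are random, single-use and time-limited.
"""
import secrets
import time

REQUEST_TTL = 120       # assumed: seconds a displayed QR stays valid
LOGIN_KEY_TTL = 30      # assumed: seconds the browser has to redeem BAR

# Constructed stores standing in for Redis / the database.
_requests: dict = {}    # FOO -> {"created", "user", "login_key"}
_login_keys: dict = {}  # BAR -> {"user", "expires"}
_sessions: dict = {}    # session id -> user


def start_qr_login(now=None) -> str:
    """Browser step: mint FOO. It identifies the browser, not a user."""
    now = time.time() if now is None else now
    foo = secrets.token_urlsafe(32)
    _requests[foo] = {"created": now, "user": None, "login_key": None}
    return foo


def accept_from_device(foo: str, device_user: str, now=None) -> bool:
    """Phone step: an authenticated device scanned FOO and approved it.

    Issues BAR bound to device_user. Refuses unknown, stale or already
    accepted FOO values.
    """
    now = time.time() if now is None else now
    req = _requests.get(foo)
    if req is None:
        return False                     # unknown or already consumed
    if now - req["created"] > REQUEST_TTL:
        del _requests[foo]               # stale QR: refuse and forget it
        return False
    if req["user"] is not None:
        return False                     # single-use: second scan loses
    bar = secrets.token_urlsafe(32)
    req["user"] = device_user
    req["login_key"] = bar
    _login_keys[bar] = {"user": device_user, "expires": now + LOGIN_KEY_TTL}
    return True


def poll(foo: str, now=None):
    """Browser step ('log_me_in' polling, or the payload the websocket
    would push): BAR once the device has accepted, otherwise None."""
    now = time.time() if now is None else now
    req = _requests.get(foo)
    if req is None or now - req["created"] > REQUEST_TTL:
        return None
    return req["login_key"]


def redeem(foo: str, bar: str, now=None):
    """Browser step: exchange BAR for a session id, or None.

    FOO and BAR are only consumed on success, so a wrong BAR cannot
    cancel a legitimate pending login; an expired BAR is discarded.
    """
    now = time.time() if now is None else now
    req = _requests.get(foo)
    entry = _login_keys.get(bar)
    if req is None or entry is None:
        return None
    if not secrets.compare_digest(req["login_key"] or "", bar):
        return None
    if now > entry["expires"]:
        _requests.pop(foo, None)
        _login_keys.pop(bar, None)
        return None
    _requests.pop(foo)
    _login_keys.pop(bar)
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = entry["user"]
    return sid


def session_user(sid: str):
    """Look up which user a session id belongs to."""
    return _sessions.get(sid)
```

The poll() function is the only difference between the two answers: with Django-channels the server would send its return value down channel FOO instead of the browser asking for it, but the bookkeeping is identical.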

Authentication URL responded with an illegal response code error in ADF

I am trying to create an authentication in ADF Mobile where the login URL is the PeopleSoft login page. When I give in the username and password in the emulator, it throws an error:
Terminating
Authentication URL responded with an illegal response code.
It is not basic authentication end point.
Please contact administrator
I have followed the following tutorial:
https://blogs.oracle.com/shay/entry/accessing_secure_web_services_from
Here, instead of creating a remote secured login server, I want to use PeopleSoft to authenticate. Any ideas?
I have also seen somewhere that you can authenticate each web service you call by adding the username and password in the SOAP header. Any tutorials for ADF would be much appreciated, and @Shay Shmeltzer, any ideas would be helpful.
Thanks
Oracle MAF only supports security authentication against HTTP Basic Authentication pages, so I don't think you can use the PeopleSoft login page to authenticate either your application or your web services.
Otherwise you can create a secure ADF page that validates login through PeopleSoft login credentials (username/password), then deploy that page to a server and secure your MAF application using that page.
Some useful links
Accessing Secure Web Services from ADF Mobile
ADF Mobile - Secured Web Service Access
ADF Mobile Application Security
And about your second question: yes, you can customize the envelope header being sent from the MAF application to a SOAP web service (add username and password or any other attributes) by extending the SOAPProvider class and adding it to the datacontrol.dcx file as the provider for the web service.
The only example I can find online
http://docs.oracle.com/cd/E37975_01/doc.111240/e24475/amxwebservices.htm#autoId3

How to Secure mobile web-service and its content?

I have a web service which is used to create entries in a database hosted by GoDaddy. The web service is written in .NET, and this web service or URL will only be used on mobile platforms like iOS and Android.
Now I have a few questions:
1> How can I secure my URL (web service) and its content from getting exposed?
Currently I have used the POST method so that I can hide the parameters, but I still fear the URL might be hacked, so please suggest a way to secure it.
2> Regarding the contents, I want to encrypt the data and send it to the server, and on the server side it will be decrypted.
Now please suggest an algorithm or code which can be used across platforms like iOS, Android and .NET.
Thanks and Regards,
Anil
Use HTTPS
Use login/password auth (no access at all without login and password)

It is possible (and/or a good idea) to reuse OAuth tokens between apps?

I'm working on an iPhone app that uses xAuth to log in to Twitter. The app also communicates with my own web service. Rather than maintain a user model inside the web service, I'd like to just allow anyone who's already authenticated via Twitter to make requests.
The high-level use case is this: the user logs into and interacts with Twitter through the app. They can also interact with my web service through the app. The web service itself never interacts with Twitter. Instead of maintaining a separate authentication system on my side, I'd like the server to say "OK, if Twitter says you're @joshfrench then you can have access."
I'm not sure how I should validate requests on the server side, though. How would I pass some proof of authentication from the mobile client to my web service? Can I send along the existing Twitter token and verify it from the server? Or somehow sign the request with my Twitter app's credentials? Is this even a valid use of OAuth?
If you store your Twitter app key and secret on both the iPhone app and your server, and then somehow transmit the user's OAuth token (also called "access token") key/secret from the iPhone app to the server, then you can do the same type of API calls from the server.
require 'oauth'  # the ruby oauth gem
# app_key / app_secret: your Twitter application's consumer credentials
consumer = OAuth::Consumer.new(app_key, app_secret, …)
# user_key / user_secret: the user's access token key/secret received from the iPhone app
access_token = OAuth::AccessToken.new(consumer, user_key, user_secret)
response = access_token.get('/stuff.xml')
So, is it okay to transmit that info from the app to the server? If you do it securely, and it's within the user's expectation for how the app behaves, then it's a perfectly fine use of OAuth.
It's possible that it's not allowed by Twitter's terms of service -- I could imagine there being something that says you can't transfer a user's access secret across the network, or some such thing. (Total wild speculation; I don't think it's particularly likely that that's the case.)
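What the Ruby access_token.get call does under the hood, as an added Python example that is neither the answer's code nor the oauth gem: given the app's consumer key/secret and the user's access token and token secret sent up from the phone, the server builds the OAuth 1.0a signature base string, the HMAC-SHA1 signature (RFC 5849 section 3.4) and the Authorization header. The sample credentials are the worked example from the OAuth Core 1.0 specification (Appendix A), so the expected signature is known; the function names are assumptions. Because the token secret is half of the signing key, it is exactly as sensitive as a password while in transit, which is the concern the answer raises.

```python
"""OAuth 1.0a HMAC-SHA1 request signing, server side (added example).

Given the application's consumer key/secret and a user's access token
and token secret (received from the mobile client over TLS), this builds
the signature base string and Authorization header that an OAuth 1.0a
client library produces internally. Standard library only.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _pct(value) -> str:
    # RFC 5849 3.6: only unreserved characters pass through; hex is uppercase.
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """RFC 5849 3.4.1: METHOD & encoded base URL & encoded normalized params."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(oauth_params.items())
    encoded = sorted((_pct(k), _pct(v)) for k, v in pairs)   # sort by key, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """RFC 5849 3.4.2: key is consumer secret & token secret, each encoded."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Return (signature, Authorization header value) for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in sorted(oauth.items()))
    return oauth["oauth_signature"], header


# Constructed sample: the request from OAuth Core 1.0, Appendix A.
SPEC_EXAMPLE = dict(
    method="GET",
    url="http://photos.example.net/photos?file=vacation.jpg&size=original",
    consumer_key="dpf43f3p2l4k3l03", consumer_secret="kd94hf93k423kf44",
    token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
    nonce="kllo9940pd9333jh", timestamp=1191242096,
)

if __name__ == "__main__":
    signature, header = sign_request(**SPEC_EXAMPLE)
    print(signature)   # tR3+Ty81lMeYAr/Fid0kMTYa/WM=
    print(header)
```

Nonce and timestamp are passed in rather than generated so the result is reproducible; in production each request gets a fresh nonce and the current time, and the service rejects reused nonces.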

login password web service Java

I'm developing a mobile application for Android and BlackBerry. I want users to be able to connect from their smartphones to a web service which will verify their login and password in an Oracle database, and I should maintain the connection between client and server within sessions.
My web service should be under Apache Tomcat using Axis2.
How can I implement this session via SOAP messages?
Thanks in advance :)
It's best if you could get this without having to maintain sessions. If maintaining a session is a must, you'll have to pass authentication details with each SOAP request along with a token or a session status object which at each end you'll be manually updating with the status.