I have a WCF web service that uses FormsAuthentication that logs the User into the Silverlight website. I have another web-service that needs to know what Role the user is in (e.g. Admin, User, Guest) to determine which functions that will run when called by the user from the Silverlight.
How can I pass this session state / User to the 2nd WCF web-service, or how can I get the username/password in the Silverlight application, and then pass that to the web-service to re-authenticate?
After doing research into this, the eastiest thing appears to be have some methods in my first web service where the user logs in. From there I can check what roles they are in and if they are authenticated. If anyone has a better idea I'm eager to hear it.
Related
I am developing web platform which has to have 3 type of users (user, admin, partner companies). For the authentication I am considering to use google Identity platform with multitenancy (probably users in one tenant and admins are in different tenant).
As I understand from documentation, how do we integrate identity platform to our application is to create identity platform provider from console and integrate it into frontend with UI. From front-end, without contacting backend service we can sign up, login and logout by calling firebase SDK and it will give us authentication token. From backend I can check that token with middleware and decide if I agree the user as authenticated or not. Correct me if I am wrong.
Then I can get some metadata of authenticated user from the token, maybe email or name etc. But I want to store user related information on noSQL database as well. For example, if user wants to change his email I need to handle it in backend server, also, I'd like to store users log (access and audit log on somewhere else). In case of, I am using frontend UI and SDK how do log the access and audit information on my backend? also, when changing user's information, do I just write handler function in backend end update user's data with REST API or Admin SDK? what is the best practice over here? Or should I better write my own login and logout function on my backend then call REST API or Admin SDK? is there preferred way? Google is showing me only integration way of authentication from frontend?
BTW, I am deploying backend application on google cloud run, and frontend would be developed in react and should be deployed maybe in firebase or in cloud run as well.
Thanks
As per the Documentation,Yes your understanding is correct to integrate identity platform to the application.
You can store the user related information on a noSQL database like Firestore or Firebase Realtime Database. You can write the Rest API to change or update the user's information in the database.
If you want to write your own login and logout function, I don’t think it is necessary because Firebase Admin SDK provides these features. But if you want to manage user authentication in the backend for specific requirements, you can write your own login and logout function on the backend and use the Firebase Admin SDK.
For access and audit log information you can use Firebase Analytics, Firebase Analytics helps you understand what your users are doing in your app. It has all of the metrics that you’d expect in an app analytics tool combined with user properties like device type, app version, and OS version to give you insight into how users interact with your app.
But finally, the best way would depend on your requirements and use case.
Mind App Automation Testing with Postman or Newman possibility?
Is there a mechanism to login to a MindSphere Tenant in Postman??
Exposing access token via API in a mind app in the same tenant and using it in subsequent Rest API calls is another option which I am not looking for.
https://developer.mindsphere.io/howto/howto-local-development.html says two options. But,
1) Access tokens generated using service credentials have admin scope, which means it is not suitable for testing applications with different user types.
2) Session cookies are only valid for up to 12 hours and expire after 30 minutes of inactivity. However, by assigning your user specific application roles it is possible to test your application's behavior for users other than admin. Is there a way to avoid this copy paste sessions for complete automation??
At this moment, there is no known solution for this. But you can try this:
Use selenium to login in a headless chrome and get session cookies and XSRF Token and store them in environment. Then attach them in API calls.
This is what I am doing at this moment. Let me know if you come to know any other solutions/suggestions.
I created a rest web service on my site, through Drupal Service module. Now, i need it to expose registration to the site for my app to use it, but if i allow anonymous user to do that, is the same that opening spread doors to spammers.
So, how do i prevent anonymous users to use my web service to register? I tried using session authentication but giving it a try, i could register users as anonymous...
Maybe oauth authentication could be helpful? Or using some hook like
mymodule_services_resources
Obviously i can't prevent anonymous user to register to the website in the canonical way. (which is protected by spam by captcha, which i cannot use, for obvious reasons, in the web service case)
Maybe the Services API Key module could help.
Im developing a java web application which is deployed on a glassfish server. The web services are used to connect to user databases. Each user has a database. My question is, is there a way to keep track of the user? For example in servlets we use sessions in order to store some user specific data. Is there something similar to it in web services? It seems impractical to have to authenticate the username and password each time the user sends a request to a web service. Thanks.
Web services may also use sessions, however there are good reasons to keep them stateless:
it might be that the clients do not support sessions (cookies), e.g. if your clients are not browser based;
stateless services are easier to scale.
You do not have to use username+password for authentication. You may use JWT (or other kind of access tokens) to protect them.
Auth0 has got nice article on this topic:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
I am creating a service that will include a website, a mobile app, and a web service.
Both the website and mobile app will talk to the web service to interact with the database and any other backend items.
I would like users to be able to log in with other services (such as google, facebook, twitter, etc.)
I have two questions in implementing this:
1.) Should I use OpenID or OAuth? I'm not sure which is better for the situation. I have no need to actually access features from a users account, I just want them to be able to log in with accounts they already have,
2.) Where should I implement the authentication? Do I have to implement it both on the website and on the mobile app, or could I have both talk to the web service and do the authentication there?
Thanks
If you are just doing authentication and not syncing any account details, I think OpenID is the way to go. From a security standpoint, I would say to implement your authentication on the website and on the app and not in the webservice. You want to handle credentials the least amount possible and especially avoid sending the credentials via webservice if not using SSL.