I'm working on creating a web service to expose customer authentication to external vendors. In this case the vendor is a wifi-provider.
My question is if they (the vendor) is POSTing a login and password to a service over SSL, is it a good idea to authenticate the vendor (to access the API) first? I can see both sides of the argument.
EDIT
The end user will be entering their credentials on the vendor's side (ie on the vendor's login page)
Vendors should never see your users' credentials. Instead the login form that the user enters their credentials on should submit directly to your server. If the username and password is correct it should redirect back to the vendor's site with a ticket id. The vendor's server can then take that ticket and ask your service if it's a valid ticket and for any relevant user information.
Related
I am using Django 2.2 for my webapp.
And I have been looking for tutorials that cater for QR code cross login to webapp using mobile app.
Basically the workflow is like this:
expected workflow
User arrives at website on desktop
Given a choice of username/password or QR code login (We assume user is registered)
User chooses QR code to login
User is prompted to install mobile app (can be android or iOS)
User installs mobile app and logins using username/password.
On mobile app, user then agrees to future login using QR code as alternative (this is done once)
After this, in future logins, when User chooses QR code to login as per step 3. They use the mobile app to scan QR code generated on the website login page.
The mobile app then uses FaceID or FingerPrint ID (assuming iOS) to then allow login. The user presses a Yes button on the mobile app to confirm login.
Somehow the webapp is notified dynamically and allows login on the desktop browser.
I don't quite get how the mobile and the web app at the backend all work with one another to achieve this seamlessly.
What I did find
I did find this library https://github.com/aruseni/django-qrauth which seems no longer maintained. But I still cannot quite get how the flow works between mobile app and webapp backend.
I also found this https://medium.com/#ksarthak4ever/django-two-factor-authentication-2ece42748610 which seems to use the mobile phone as a 2FA device. Not exactly the use case I am looking for unless I misunderstood.
I did find this article https://backendless.com/how-to-implement-mobile-to-web-cross-login-using-a-qr-code/ which is what gave me the term "cross login". However, the article is tilted heavily towards this particular vendor.
I am looking for an "understanding" of the concept without being reliant on the specifics of the vendor implementation.
What I am not looking for
In case, my question is poorly phrased and gets misunderstood, I have included this section to make clear what I am not looking for.
I am not looking for the use case where the QR code serves as a 2FA confirmation for the authenticator app.
I am also not looking at code examples yet. I just want a clear understanding first of how things work between the mobile and web app. I believe JWT is needed though I am guessing.
A workflow is more appreciated than actual code because I want to gain an understanding first of how this works.
The key concept is that login occurs when a user and browser are matched. A user means a user(or a user device) already recognized(authenticated) by the server.
user's PC browser requests QR login to server (without any account information)
server makes login request key and send the key to the user's browser. the key is displayed as QR code. (the role of this key is to identify the browser)
user's already logged-in device(user) read the key(QR) and sends a login acceptance request to the server with the key.
At this point, the server knows who both the user and the browser are.
The server allows the browser to log in as the user.
The key to identify browser could be session or web socket channel or any other form of information.
The server must store the key until the login process is complete.
If a valid login acceptance request is received, the server should prompt the browser to log in.(server->client, push). there are several techniques for accomplishing this.(polling via AJAX, Web socket, push notification services, etc..)
I'll explain it with Django-channels web socket framework. (In this case login request key and channel name is same. but different key and channel name is also okay.)
browser: user chooses QR login. (without any account information)
Backend: web socket channel is made. name of the channel is securely randomly generated string(FOO). key(FOO) is stored in redis as Django-channels[redis] made a channel named that string(FOO). send the key(FOO) to user's browser.
browser: get the key(=channel name=FOO) and open the web socket channel(FOO). and also displays QR code(FOO).
user(smart phone): user launch smart phone app(already logged in). and scan the QR code(FOO). user smart phone app send a login acceptance request to the server with QR code's information(FOO)
Backend: server send securely generated login key(BAR) via web socket channel(FOO).
browser: get login key(BAR) via web socket channel(name is FOO) and redirect to login url with login key(BAR).
server: get the login key(BAR) and let the browser to log in as the user
login request key(FOO) could be a JWT(contains key, url, expire, etc..) or just secure string(varies depending on the scenario). it doesn't contains account information and server must store it.
login key(BAR) is usually a JWT. with JWT, it contains account information and server does not have to store the key.(stateless)
I think you wanna do something like WhatsApp’s web where the users log to the web app by QR code, if I was doing such implementation I’ll do it as follows.
When the user arrives to the login page, we create a logInSession with a random token and we save it to the database.
we send that random token to the browser, which will render QR code based on the random token. We start a pooling for ‘log_me_in’ view to check if the user scanned the barcode.
The user goes to the mobile app and select log-on browser activity which will launch the camera.
Once QR is read on the phone, make a request to the backend with the scanned token and update the logInSession with the username.
With the next call to ‘log_me_in’ view, log the user in based on the username and tell js to redirect to homepage.
Hope this is clear enough.
We have the WSO2 API Manager deployed and working, although we are unable to figure out an issue about users addition. We want to add the users via the management console (Carbon) and after being added we want the user to receive an email saying that his/her account was successfully created.
Although there is documentation for a workflow extension when the user signs up, we were unable to find any documentation regarding the matter we've pointed out, is this possible to achieve via the API Manager or with some kind workflow extension?
Thanks in advance!
EDIT: We are using WSO2 API Manager 1.10.0.
If your requirement is to create a user through the management console and allow the created user to define a password, you can configure APIM server to support 'Ask password from user' feature. (In this feature, APIM server administration can create a user through the management console and provide the email address of the user, so that user can set the password through the redirection URL provided in the email). To configure 'Ask password from user' feature follow the instructions given in https://docs.wso2.com/display/IS510/Creating+Users+Using+the+Ask+Password+Option.
If you want the APIM server administrator to set the username and password through the APIM management console and only send a notification to the user that his/her account is created successfully, then you have to write a custom component, because this is not supported by default.
I have to implement a REST backend for mobile applications.
I will have to use Django REST Framework.
Among the features that I need to implement there will be the registration user and login.
Through the mobile application the user can create an account using ONLY the Facebook login.
Then, the application will take the information from Facebook using the token-facebook and it will send this data to my server.
I tried using python_social about Facebook authentication and user registration using the Facebook token.
At this point I have doubts:
think there could be two choices:
1:
The mobile application use the Facebook-login to retrieve user data and will send a request to my server to create a new user with the Facebook data user and passing the Facebook-token.
In this case, in the server side, it will not be integrated python_social and facebook-token is a simple profile field.
Doubts: how can you implement the next login (which password Is necessary to use?)
2:
The second possibility is to use python_social. In this way there are no problems for subsequent logins. The token Facebook will be used to retrieve the data (and validate the user) by calling: do_auth
But in this case, for each user, the server will have to make a request to Facebbok (which actually is possible to avoid: the mobile application has already recovered all the data)
What is the best case? What do you usually use for authentication backend rest with Facebook?
i didn't unerstand the first case, when you are using facebook login it does the authentication and we will register the user with the access token provided by facebook. When ever user log in we are not worried about the password, authentication is not done on our end. so when ever user tries to login it contacts facebook if everything goes good there, it will give you a token with that user can login.
I want to develop custom form based login portlet because I have to validate the user crendential (username/password) using calling some webservice provided by the customer as he is maintaining the user credential in his side not in the portal side, So that if the webservices returns true then I need to authenticate the user to the Portal and redirect to some specific portal page.
Note: based on the customer request, the user's password is not stored in default portal LDAP which means, I can not use the portal Login service.
How can ask the portal to authenticate some user without passing the password in my custom login portlet?
thanks in advance.
You'll want to look at the WebSphere Application Server Trust Association Interceptor mechanism for what (to the portal and appserver) is password-less authentication.
Here is a post that outlines the steps you'll take. You won't be using WPS mechanisms other than your custom portlet for gathering credentials. The rest uses a common technique in the underlying WebSphere App Server.
I have the following scenario:
I have an application (html files + javascripts hosted in a webserver)
There is a SOAP web service that we need to develop.
Web service will be called from java script (AJAX calls).
User will access the application in intranet scenario. Users are validated against active drectory.
Requirement states that user need to be logging in using logged in users network credentials. There should not be a login screen shown to user.
Web service interfaces need to be invoked with logged in users credentials. A login inteface of web service specifically needs to be called as first call.
I have a specific question on how to pass user credential to web service.
I am planning to configure Integrated windows authentication (NTLM) for web application to avoid login screen.
However I do not know a way to capture and send user id and password to login interface of web service.
Most of the questions and answers around this topic has been for microsoft technlogies. Any specific ideas?
Further research and several blog posts pointed me to Kerberos authentication and a single sign on framework. With NTLM i cannot delegate credentials to web service. However with Kerberos i can. I will be using SPNEGO and delegate the credentials after authentication. Please refer to below link for further details.
http://spnego.sourceforge.net/