Given a user's name and password, is there a way to check if the name is a valid user account on the system and if the supplied password matches the password for that user's account?
Edit: The need for this arises from the way authentication is structured in this application. The app uses the local accounts on the system to allow the users to remotely access files and stuff. My app needs a way of authenticating those users to provide them with access to its services.
You should be able to use the LogonUser() API for this purpose... If the call fails, then either the username or password are bogus.
Related
I want to build a webapp that uses the wallet address as account, but yet I want to store the user in my db to allow specifying a nickname.
The problem I'm dealing with is that I want to call different apis, where the user needs to be authenticated / authorized in order to gain access .
Since the authentication happens 100% client side in my case (through the tronlink extension and TronWeb), I don't see another way as to add supplementary authentication for my webapp specifically.
If the user logs in to my app with a different password (not using the private key of the wallet), it seems like bad user experience as the user needs to authenticate twice (through Tronweb AND my webapp with a password).
How do you solve this problem?
It seems that the way to handle this is to foresee a separate login flow for the web app after all.
Even when the user already has logged in into Tronlink, it needs to obtain a token to authenticate rest calls.
The way it would appear to work is by generating a random nonce and storing this nonce along with the public key in the User table.
The login flow then consists of signing the nonce in the front-end, and verifying the signature in the backend after which the token will be generated and returned.
I'm trying to implement OTA (one time access) using WSO2 (IS 5.7.0, AM 2.5.0, EI 6.4.0), and I need to find a way to generate user access token.
I have tried:
using admin service for password recovery. Disadvantage is email template is bound to password reset, but OTA is not a password reset scenario, so using password recovery email template will be spoiled.
find admin service that generate user access token, but nothing was found
find WSO2 extension\plugin, but nothing corresponding was found
using OTP, but met an error like this: https://github.com/wso2/product-is/issues/1860
Even admins are not allowed to generate tokens for a user without their consent.
For one-time password, this should work.
https://docs.wso2.com/display/IS570/Configuring+Email+OTP
You can write a custom grant handler, to authenticate user, not via password, but using something he has unique(mobile no, email, etc) as per your requirement and generates an access token from that grant.
You can easily do a token call to WSO2 Identity Server through your custom grant and get the access token.
You can check out for more details in [1]
[1] https://docs.wso2.com/display/IS570/Writing+a+Custom+OAuth+2.0+Grant+Type
I am using AWS Cognito for the user management. I want to achieve a feature called "login as". Basically, the admin can use this feature to login as a specific user. The APIs I designed require idTokens for the authentication. So if I am able to get the idToken of a user, then I am able to login as the user.
Therefore, the question is "is there a way or Cognito API to get the idToken of a specific user without user's password?".
No this isn't possible and there is a very good reason for it. It ensures that the admin cannot simply log in as user and make changes under his name. Only the user is allowed to use his account. If that wasn't the case you would not have data integrity or non-repudiation
I have a WSO2IS install in development configured with the OOTB PRIMARY user store and a secondary Active Directory user store. When signing in to WSO2IS Mgt Console I can sign in as an Active Directory user, but only if I provide the domain name like DEVUSERS/devadmin.
I have been experimenting with lots of different settings and I'm pretty sure I had it working at one point so I could sign in with either a PRIMARY user store user (admin) or a DEVUSERS Active Directory user without providing the domain name, but can't reproduce it now.
I should add that I really don't care if DEVUSERS can sign in to mgt console. I just need to authenticate them when they sign in to my web application that uses OIDC to have WSO2IS handle the authentication. I have a Service Provider configured for my web application connection.
I have tried replacing the OOTB PRIMARY user store with my DEVUSERS user store. With that setup users can sign in to my application without providing domain name, so that part works fine. But, the DEVUSERS user I am using to connect the user store (i.e. ConnectionName) doesn't have the 'admin' permission, so can't perform some mgt console functions.
You can log in to the IS with any user in primary or secondary user store either specifying a domain name or without a domain name.
Once you try to log in to the system by specifying the domain, IS will look at the specified domain user store to authenticate the user. Otherwise, it will go through all the define user stores starting from primary user store.
In your case, the devadmin user may be exisiting in the primary user store with another password.
I am developing an Ionic 2 App that is authenticating users against Microsoft Azure Active Directory. Having trouble in figuring out how to implement the following flow using ADAL:
User enters "user-name" and "password" ==> Clicks on Login button ==> App makes Azure AD call by passing over the user entered "user-name" and "password" ==> Azure AD authenticates the user and returns back the result.
Following the Azure AD documentation, I was able to successfully implement "server-flow" where on making an Azure AD call, it opens up a new Microsoft Azure-AD login page for my app to enter "user-name" and "password". And upon successful authentication the user is landed back on to my app's home-page. This works fine but the experience is not great from UX perspective.
Following is the way I did it:
myAzure = new WindowsAzure.MobileServiceClient(MY_AZURE_APP_SERVICE_URL);
myAzure .login('aad').then(
(result) => {
//Successful Login
},
(err) {
console.log("In client.login callback failed");
});
});
Then, I followed Azure AD documentation to implement "client-flow". I have a question in this:
1. How do I pass in the "user-name" and "password" to Azure AD when I make "authContext.acquireTokenSilentAsync()" call or "authContext.acquireTokenAsync()" call.
Upon going through the implementation of these methods in the ADAL library, it appears that
"authContext.acquireTokenSilentAsync()" can accept only user-name and not the password. So, is it safe to assume that this method is not supposed to be used for login purposes?
"authContext.acquireTokenAsync()" can accept user-name but in addition, there is a parameter called "extraQueryParameters". Am I supposed to use this parameter to pass in the password? However, this is supposed to open-up a login page for the user on the screen. It did open a new login page on my device. So not sure how to develop my functionality.
If both of the above ways are not the right way to implement my flow of authentication then can somebody please help me by giving some pointers, links or sample links on how I can implement this?
My app's users are going to be in our corporate Azure-AD. I have created a separate Azure-AD Tenant for my app (also created the required setup so that it's tied up with my Azure App Service, etc.) and I would add users to this tenant when required.
Thank you.
Based on my understanding, the Client-managed authentication flow enables you to provide a single sign-on experience for users or to retrieve additional user data from the identity provider.
That's mean if you doesn't authenticate the identity data provider before mobile authentication, it still require to prompt the users to enter their username and password.
"authContext.acquireTokenSilentAsync()" can accept only user-name and not the password. So, is it safe to assume that this method is not supposed to be used for login purposes?
This method is designed for get the token silently via getting the token from cache or renew the token using the refresh token. It is not designed for this purpose.
"authContext.acquireTokenAsync()" can accept user-name but in addition, there is a parameter called "extraQueryParameters". Am I supposed to use this parameter to pass in the password? However, this is supposed to open-up a login page for the user on the screen. It did open a new login page on my device. So not sure how to develop my functionality.
No. You are not able to pass the password using this function. It will prompt users to enter their username and password by default. However if you have sign-in the Azure AD, you can acquire the access token without prompt via specify the PromptBehavior.Never like below:
var resoult = authContext.AcquireTokenAsync(resource, clientId,new Uri("http://localhost"),new PlatformParameters( PromptBehavior.Never)).Result;
Console.WriteLine(resoult.AccessToken);