How to set KnowAuthorityHosts in MSAL for Golang - go

I am trying to authenticate against our corporate Azure B2C server using the MSAL written in Go. I am using the public authentication. I am able to successfully authenticate with the Python version of MSAL, but I have some challenges with the Go version, as the discovery does not work. The generated URL for AADInstanceDiscovery does not exist, so the authentication process fails at an early stage.
I assume that I need to set the KnownAuthorityHost property in AuthParams to prevent the system from doing the discovery, but I am not sure how to set that parameter. It seems that the property and the function WithKnownAuthorityHosts in base are not exported in public.
I must admit that I am quite new to Go.
Is there any way I can set WithKnownAuthorityHosts from my application?

Related

Elixir Phoenix Absinthe GraphQL API authentication in both web and mobile apps

I'm working on an Absinthe GraphQL API for my app. I'm still learning the procedure (so please go easy on me).
I have an Absinthe/GraphQL MyAppWeb.schema.ex file which I use for my queries and mutations. My question is how do I use this API for authenticating the user on both the mobile and the web app?
How do I set a cookie (httpOnly & secure) in my web app and access/refresh tokens in a single Absinthe API to serve my website and mobile app? Basically, what I'm trying to learn is how to authenticate the user based on the specific platform.
If my question sounds a bit confusing, I would be happy to provide more information related to my question. I would really be grateful if someone could explain the procedure; I've been very stuck on this for a while.
I would avoid using authentication mechanisms provided by Absinthe (if there are any). Depending on what front-end you are using, I would go with JSON API authentication. The flow on the server goes the following way:
Create an endpoint for login that will receive a user and password and will return a refresh token.
Create an endpoint for exchanging a refresh token for an access token.
Use a library like Guardian to generate your refresh/access tokens.
Create a Phoenix plug for authentication that will check your tokens; Guardian has some built-in plugs for this.
Now on the device you have to implement:
The ability to save the refresh and access token on the device.
A global handler for injecting the access token on authorized requests.
A global handler for the case when the access token is expired (you usually check if your request returns Unauthorized; then you should request a new access token from the server using your refresh token).
This seems like a crude implementation; however, I would advise implementing your own system instead of using a black-box library when you have no idea how it works under the hood.

Laravel SAML WIA not working

I am using Aacotroneo/Laravel-Saml2 and have successfully set up a login system using ADFS. In another system I am using simpleSAMLphp elsewhere on the same domain successfully with WIA, so I know ADFS is set up for that and that everything is set up correctly except the Laravel application.
I have installed a browser addon to check the SAML logs for responses and requests. The only thing I can think of is that there is no client request ID sent through from Laravel.
&client-request-id=d1ccbbdd-d55e-4828-eb24-0080000000b4
Any suggestions are appreciated. If I have missed a saml2 setting I am more than happy to try them; a lot of them don't seem to work or make any difference whether set to true or false.
Is it possible I need to set up encryption certificates and certain true/false combinations?
Thanks
Check this article
ADFS has a non-standard SAML2 Authentication Context Class, urn:federation:authentication:windows.
By default this class has a lower priority than urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
I would suggest making the following changes to the AuthnRequest:
<samlp:RequestedAuthnContext Comparison="minimum">
  <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:authentication:windows</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

sails.js session variables getting lost when API is accessed from android

I have created a REST API for an Android application. There are certain req.session variables that I set at certain points and use in the policies for further steps. Everything works fine when I access the API from a REST client like Postman.
However, when it is accessed from a native Android app, the req.session values that I set in one step are lost in the next step.
Any idea why this might be happening and what the workaround might be?
Sessions do not work with requests sent from an untrusted client (in this case the Android device).
You should consider using the OAuth strategy to accomplish your target. It's a bit complicated.
Or just simply generate an accessToken for each successful login, then return it to the client. For further requests, the client must attach this accessToken (usually in a header) to the requests.
This is a good SO question for the same issue: How to implement a secure REST API with node.js
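As an added example (not code from either answer above, and written in Ruby rather than Elixir or Node so the examples added to this page share one language), here is a minimal HMAC-signed token scheme implementing the flow both answers describe: login returns a refresh token, an exchange endpoint turns it into a short-lived access token, and a policy/plug reads the access token from the Authorization header. The secret, claim names and lifetimes are assumptions; a real app would use Guardian or a JWT library.

```ruby
# Added example, not code from either answer: a minimal HMAC-signed token scheme
# showing the login -> refresh token -> access token -> Authorization header flow.
# Secret, claim names and lifetimes are assumptions; use Guardian/JWT in real code.
require 'openssl'
require 'json'

SECRET = 'constructed-server-secret-do-not-reuse'.freeze  # constructed for the demo
REFRESH_TTL = 30 * 24 * 3600   # refresh tokens live 30 days
ACCESS_TTL  = 15 * 60          # access tokens live 15 minutes

def b64(bytes); [bytes].pack('m0'); end   # strict base64, no newlines
def unb64(str); str.unpack1('m0'); end    # raises ArgumentError on garbage

# Constant-time comparison so signature checks do not leak via timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token = base64(JSON claims) + "." + base64(HMAC-SHA256 over that payload).
def issue(claims, ttl, now: Time.now.to_i)
  payload = b64(JSON.generate(claims.merge('exp' => now + ttl)))
  "#{payload}.#{b64(OpenSSL::HMAC.digest('SHA256', SECRET, payload))}"
end

# Checks signature, expiry and token type; returns the claims or nil.
def verify(token, expected_type, now: Time.now.to_i)
  payload, sig = token.to_s.split('.', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(sig, b64(OpenSSL::HMAC.digest('SHA256', SECRET, payload)))
  claims = JSON.parse(unb64(payload))
  return nil if claims['exp'].to_i <= now            # expired
  return nil unless claims['typ'] == expected_type   # a refresh token must not pass as access
  claims
rescue JSON::ParserError, ArgumentError
  nil
end

# Login endpoint: after the password check, hand out only a refresh token.
def login(user_id, now: Time.now.to_i)
  issue({ 'sub' => user_id, 'typ' => 'refresh' }, REFRESH_TTL, now: now)
end

# Exchange endpoint: a valid refresh token yields a short-lived access token.
def exchange(refresh_token, now: Time.now.to_i)
  claims = verify(refresh_token, 'refresh', now: now)
  claims && issue({ 'sub' => claims['sub'], 'typ' => 'access' }, ACCESS_TTL, now: now)
end

# Policy/plug: read "Authorization: Bearer <token>" and return the user id or nil.
def authorize(headers, now: Time.now.to_i)
  m = headers['Authorization'].to_s.match(/\ABearer (\S+)\z/)
  claims = m && verify(m[1], 'access', now: now)
  claims && claims['sub']
end
```

The type claim is what stops a long-lived refresh token from being replayed as an access token, and the exchange step is the only place a new access token is minted.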

Using Ruby to authenticate to Azure (HTTP Header authentication)?

Since the Google Search API has been deprecated, I'd like to use the Bing Search API (now a Windows Azure API) in my Ruby apps.
However, Azure has a strange authentication pattern where you build a query URI, paste it into a browser, pass the key into the password box of the standard HTTP authentication dialog, and make a POST to see the results. I assume this generates a signature and passes it in the header somehow. I'd like to do the complete process in Ruby and skip the browser portion if possible.
I found one example in the source of an obscure Windows Azure storage gem, but I can't figure out how they're building the signature and making the call. Is there a simple way to do basic HTTP auth in Ruby?
I went ahead and used Faraday's built-in basic authentication scheme like so:
require 'faraday'
connection = Faraday.new "http://api.something.com/1/dudez"
connection.basic_auth "username", "password" # note the comma: without it Ruby joins the two strings into a single argument
response = connection.get
I want to recommend the RestClient gem for this. I've used it with great success for GETting and POSTing across domains. If you really have to act like a browser to implement the API, you can always use Capybara.
I'm sorry I haven't tried the Azure API myself, or I would give an example. :)
I recall doing this previously with another Azure API but am unable to find the code.
Look here for the details of the signature process:
http://msdn.microsoft.com/en-us/library/windowsazure/ee395415.aspx
I'm unable to find out immediately whether the Azure API uses the SharedSignature method.
The way to sign a request to Windows Azure blob storage through the REST API is described here: http://msdn.microsoft.com/en-us/library/dd179428.aspx.
Basically, you don't authenticate by simply adding some credentials in an HTTP header; you have to sign your request with the secret key that is associated with your storage account.
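As an added example (not code from the question, the answers or Microsoft), the Shared Key signing process the linked page describes, carried through in Ruby for a Blob Storage container listing: the request is reduced to a StringToSign, HMAC-SHA256'd with the base64-decoded account key, and the result goes in the Authorization header. The account name and key are constructed values.

```ruby
# Added example (not the page's or Microsoft's code): build the Shared Key
# Authorization header for an Azure Blob Storage REST call as the linked page
# describes. Account name and key below are constructed for the demo.
require 'openssl'
require 'uri'
require 'time'

ACCOUNT = 'myaccount'                                         # constructed
ACCOUNT_KEY = ['0123456789abcdef0123456789abcdef'].pack('m0') # constructed, base64 as shown in the portal
STANDARD_HEADERS = %w[Content-Encoding Content-Language Content-Length Content-MD5
  Content-Type Date If-Modified-Since If-Match If-None-Match If-Unmodified-Since Range].freeze

# CanonicalizedHeaders: every x-ms-* header, name lowercased, sorted, "name:value\n".
def canonicalized_headers(headers)
  headers.map { |k, v| [k.downcase, v.to_s.strip] }
         .select { |k, _| k.start_with?('x-ms-') }
         .sort_by(&:first)
         .map { |k, v| "#{k}:#{v}\n" }.join
end

# CanonicalizedResource: "/account/path" then "\nname:value[,value]" per query
# parameter, names lowercased and sorted, repeated values sorted and comma-joined.
def canonicalized_resource(uri)
  params = URI.decode_www_form(uri.query.to_s)
              .group_by { |k, _| k.downcase }.sort
              .map { |k, kv| "\n#{k}:#{kv.map(&:last).sort.join(',')}" }
  "/#{ACCOUNT}#{uri.path}#{params.join}"
end

# StringToSign: VERB, the eleven standard headers (empty when absent), then the
# two canonicalized parts; every piece is newline-terminated except the resource.
def string_to_sign(verb, uri, headers)
  lookup = headers.transform_keys(&:downcase)
  std = STANDARD_HEADERS.map { |h| lookup[h.downcase].to_s }
  ([verb.upcase] + std).join("\n") + "\n" +
    canonicalized_headers(headers) + canonicalized_resource(uri)
end

# Signature = Base64(HMAC-SHA256(Base64Decode(account key), StringToSign)).
def shared_key_authorization(verb, url, headers)
  key = ACCOUNT_KEY.unpack1('m0')
  sig = OpenSSL::HMAC.digest('SHA256', key, string_to_sign(verb, URI(url), headers))
  "SharedKey #{ACCOUNT}:#{[sig].pack('m0')}"
end

# Headers for listing a container: x-ms-date stands in for Date, x-ms-version picks the API.
def list_blobs_headers(container, now: Time.now.utc)
  headers = { 'x-ms-date' => now.httpdate, 'x-ms-version' => '2009-09-19' }
  url = "https://#{ACCOUNT}.blob.core.windows.net/#{container}?restype=container&comp=list"
  headers.merge('Authorization' => shared_key_authorization('GET', url, headers))
end
```

Because the date is part of the signed string, a captured header cannot be replayed indefinitely, and any change to the path, query or x-ms-* headers invalidates the signature.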

NTLM authentication for OpenRasta

Following on from my previous question regarding OpenRasta authentication, I'd like to know if NTLM authentication can be configured for an OpenRasta service that is running as an executable outside IIS.
Cheers.
Sorry, I didn't read the question carefully enough. Unfortunately, I don't believe you can do this out of the box. There is an HttpListenerHost provided by OpenRasta which encapsulates a System.Net.HttpListener instance as a private variable. See the code in this forum thread to see how to use the HttpListenerHost in a console app. If the HttpListener variable were public or at least protected, it should be a simple matter of setting the AuthenticationSchemes property along the lines of this code:
var host = new HttpListenerHost();
host.Listener.AuthenticationSchemes = AuthenticationSchemes.Ntlm;
If you really need this capability, you can get the source for OpenRasta and update it to expose the underlying HttpListener variable so you can configure it to your heart's content.
===================>>
ORIGINAL ANSWER FOR IIS:
First you create a standard WebForms or MVC project configured for OpenRasta as shown in the Getting Started wiki page. Next, configure the project as described in this Wrox article to support Windows authentication. Supporting Windows authentication will enable both NTLM & Kerberos authentication.