We're getting ready to rewrite an old native windows mobile application that accesses data through a VPN. We'd like the new version (.NET Windows 10 mobile application) to access data through web services that are protected by Okta. What is the best way to do this?
Thanks!
The best way to do this depends on how the web services are protected.
The main thing to keep in mind is that you don't want to store any secrets on the mobile application.
In an ideal world, these web services would be secured with something like OpenID Connect (OIDC), allowing you to authenticate against Okta (the "IDP") to get access to the web services (the "Relying Parties").
However, the real world is messy, where some web services are protected via SAML, OIDC, OAuth, custom headers, etc.
Without knowing more about your setup, my recommendation would be to build against OIDC, using a proxy server (or "API Gateway") as needed to secure your web services using OIDC.
One of my co-workers at Okta has written a sample iOS application in Xamarin that implements OIDC, I suggest taking a look at the ViewController.cs file in that repository.
Related
I currently have an application running on our Windows Intranet consisting of a backend (Golang) and multiple frontends. Currently frontend users must authenticate to the backend using a password but we want to move to SSO (single sign-on) for improved security and user convenience. The frontend can use SPNEGO to negotiate IAW (Integrated Windows Authentication) which would allow the backend to know the Windows login ID of the frontend user.
I know how to configure the frontend (web browsers) for this and it would be handled automatically in the backend if I was using IIS for the web server. I just need the equivalent code for a Go web server.
https://github.com/jcmturner/gokrb5/v8 appears to support this but I have been unable to get it to work. There is some example code such as https://github.com/jcmturner/gokrb5/blob/master/examples/example-AD.go but I have not been able to understand how to adapt it to my needs. Does anyone have a working example?
I'm trying to create a simple Xamarin application that would need to use a local ADFS to identity the user. Indeed, I wrote an internal web application in ASP.NET Core but the client would like to have a light version as a mobile app, therefore, I need to authenticate the user the same way I do it for the web application: using ADFS 2019 + OAuth/OpenIdConnect.
However, I did some researches on Google and I find nothing talking about that specific case. Most articles concern Azure but I don't want to use Azure, I want to use a local ADFS.
Can anyone provide me with a link or some idea about the way to achieve this?
There's a set of good articles here that cover ADFS and OIDC.
The libraries are the same as the Azure ones - just the parameters are different.
I have developed a web app that does its own user authentication and session management. I keep some data in Elasticsearch and now want to access it with Kibana.
Elasticsearch offers a RESTful web API without any authentication and Kibana is a purely browser side Javascript application that accesses Elasticsearch by direct AJAX calls. That is, there is no "Kibana server", just static HTML and Javascript.
My question is: How do I best implement common user sign on between the existing web app and Elasticsearch?
I am interested in specific Elasticsearch/Kibana solutions, but also in generic designs for single sign on to web apps and the external web APIs they use.
It seems the recommended way to secure Elasticsearch/Kibana is to have an Apache or Nginx reverse proxy in front that does SSL termination and user authentication (Basic auth). However, this doesn't play too well with the HTML form user authentication in my existing web app. Ideally I would like the user to sign on using the web app, and then be allowed direct access to the Elasticsearch API as well.
Solutions I've thought of so far:
Proxy everything in the web app: Have all calls go to the web app (server) which does the authentication, and have the web app issue the same request to the Elasticsearch web API and forward the response back to the browser.
Have the web app (server) store session info that Apache or Nginx somehow can look up and use to authorize access to the reverse proxy.
Ditch web app sign on and use basic auth for everything.
Note that this is a single installation, so I don't really need any federated SSO solutions.
My feeling is that the proxy within web app (#1) is a common generic solution, but it seems a bit heavyweight to have everything pass through the possibly slow web app, considering that Kibana uses the Elasticsearch API directly.
I haven't found an out of the box solution designed for the proxy authentication setup (#2). My idea is to have the web app store session info in memcache or the like and use some facility in the web server (Apache or Nginx) to look up the session based on a cookie and allow proxy access if authenticated.
The issue seems similar to serving static files directly using the web server (Apache or Nginx) while authenticating using a slow web app. Recommendations I've found for that are however very specific to that issue, like X-Sendfile.
You could use a sessionToken. This is a quite generic solution. Let me explain this. When the user logs in, you store a random string an pass him back to him. Each time the user tries to interact with your api you ask for the session Token you gave him. If it matches, you provide the service he is asking for, else, you just ignore his call. You should make session token expire in a certain interval of time and make a new one each time the user logs back in.
Hope this helps you.
I have several Web PI endpoints currently secured with an access key. I'm not opposed to abandoning this security model.
Now, we're building a web app that will consume the services. The front end will have a login screen to secure portions of the application. I also want to make the Web API services available for use by applications other than our own (think public API).
How should I secure my services and allow access from our own web UI and as a service?
There are many ways to secure Web API 2.0 endpoints.
It seems like you already secured your endpoint with an access key, no idea how your clients know the access key.
For your web app I would ask:
How is the user logging in as you described? What authority are they providing their credentials to? Can you use that authority to attach a token to the requests of your web service?
You mention you also want to provide a public access through a public api. What credentials will they have? What authority will they request access from? You could set this up many ways with different types of credentials e.g. user name and password/client certificate/access key.
Microsoft has some really good resources about this including:
http://channel9.msdn.com/Shows/Web+Camps+TV/Securing-ASPNET-Web-APIs
http://www.asp.net/web-api/overview/security
I can think of:
HTTP Basic Authentication
OAuth/OpenID Connect
Client and Server Certificates
I am developing an App for iphone,android using PhoneGap for the client side. On the server side, i have a Restful API with Sinatra/Ruby(Not Rails). The App is free and anyone can access the services but i need to make sure the minimal level of security is implemented so my API is available 24/7.
I heard about oAuth but i am not sure if that is the way to go.
oAuth is a standard for authorization across different authorization domains (e.g. between services) and is probably not what you want.
The easiest way to secure a REST API is the usage of HTTPS. To secure Sinatra have a look at How to make Sinatra work over HTTPS/SSL?