Just started to play around yubikey, my question is based on the following assumptions:
Passwordless doesn't need to know the username based on the following demo
Based on this doc the allowedCredentials can be omitted
I registered the yubikey by using the django package django-fido
I am having problem using navigator.credentials.get(publicKey) to get the credential from yubikey, the publicKey parameter I am passing in as below:
{challenge: Uint8Array(32), rpId: 'localhost'}
It says the yubikey is not registered with this website, but I am pretty sure I did because if I don't use the passwordless approach, by specifying the allowedCredentials, I can find the key:
{challenge: Uint8Array(32), rpId: 'localhost', allowCredentials: Array(1)}
OK, digging into the django-fido package views.py found that I need to specify resident_key=True to store the credential on the key
def create_fido2_request(self) -> Tuple[Dict, Dict]:
"""Create and return FIDO 2 registration request.
#raise ValueError: If request can't be created.
"""
user = self.get_user()
assert user.is_authenticated, "User must not be anonymous for FIDO 2 requests."
credentials = self.get_credentials(user)
return self.server.register_begin(self.get_user_data(user), credentials, user_verification=self.user_verification, resident_key=True)
Related
I started to use SQLModel that is created by the same person as FastAPI, but I cannot seem to find how to combine authentication/authorization to get the logged-in user and then get current user from that with SQLModel.
I can authenticate a user by just checking it against a database as below, but then how can I keep this session alive so that I can do other stuff with it such as get current user?
I am purely testing with localhost:8000/docs, so I thought maybe I need to create some Jinja2 templates to test it out in a browser, but not sure?
def login_test(input_email: str, input_password: str, session: Session = Depends(get_session)):
# Check if user exists or not
if not check_user_exists(input_email=input_email):
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
detail="User does not exist, please create an account")
# Check if password is ok
if not check_hashed_password(input_password, session.query(User).filter(User.email == input_email).first().password):
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
detail="Password is incorrect")
# Login based on email and password if both ok
return {"Message": "Login successful"}```
I am trying to do basic authentication with the help of Python-jira and written the following code
from jira import JIRA
SERVER="https://jira.company.com"
user = user#company.com
apikey='api_token'
class create_issue:
def check_authentication(self):
print("inside the check authentication method#######")
jira = JIRA(options, basic_auth=(user, apikey)) # username is email-ID and apikey is the JIRA api-token
ci= create_issue()
ci.check_authentication()
I am getting following error
WARNING:root:Got recoverable error from GET https://jira.company.com/rest/api/2/serverInfo, will retry [1/3] in 13.772170596345521s. Err: 401
Earlier tried with deprecated username and password, later changed to api_key instead of password. But still getting the issue. Can anybody help on this. When I use the same authentication using the website it is working.
Thanks,
Punith
Their documentation indicates that you should be using a username and password when using basic auth, not an apikey.
https://developer.atlassian.com/server/jira/platform/basic-authentication/
Stick to something simple to make sure it works, before introducing classes.
from jira import JIRA
SERVER="https://jira.company.com"
user = "username"
password = "password"
jira = JIRA(SERVER, basic_auth=(user, password))
I am using the Spring Security Core plugin and can successfully log users in and out of my application. However, when the user successfully signs up, I don't understand how to set that user's security context on the signup postback so that they can be redirected to a secure page without having to log in again. Any help is welcome. Thanks.
The other link you reference is 2 years old. Since then I've added a reauthenticate method to SpringSecurityService. See section "6.2 SpringSecurityService" in the docs:
http://grails-plugins.github.com/grails-spring-security-core/docs/
I eventually came upon this link, which does the trick: https://stackoverflow.com/a/7112838/469106
Here are the contents of that link:
If you don't have the password, you can load the user via
def user = User.findByUsername(username)
and setting the authority array in the 3-parameter constructor. Create the auths via
GrantedAuthority[] auths = user.authorities.collect { new GrantedAuthorityImpl(it.authority) }
Then you can omit the call to authenticate() and use:
SecurityContextHolder.context.authentication = new UsernamePasswordAuthenticationToken(username, 'unknown', auths)
I am developing a custom windows login so that user either can user webcam (face recognition) or username and password. I am able to show a window with all required control at login screen but I don't understand how to authenticate with provided username name and password. Window uses GetSerialize() function for this purpose.
GetSerialization(
__out CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE* pcpgsr,
__out CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcs,
__deref_out_opt PWSTR* ppwszOptionalStatusText,
__in CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon
)
above is function signature. As you can see system uses CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE* and CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pointer to get info about username and password. How I can call this for authentication. Or is there any alternative method for doing this at the time of login.
I wonder whether you have solved this by now?
You don't call GetSerialization(), that's called by Windows (e.g. by WinLogon to perform an interactive logon). You just have to fill the serialization response and the serialized credential. If you pass back a response saying that you have successfully collected a credential from the user then the serialized data is passed to the Local Security Authority for checking.
If you actually want to get the credentials into your own application you can do so using CredUIPromptForWindowsCredentials.
I'm using the Acegi plugin in my Grails app. After a user registers, he is redirected to an action that is protected. Therefore, he is shown the login form.
However, I would prefer if the user was automatically logged in as soon as he completes registration. It seems like I could achieve this by redirecting to the action that the login form uses
redirect(uri:"/j_acegi_security_check?j_username=${username}&j_password=${passed}")
But this would send a HTTP request to the client (and back to the server) which shows the user's password. Is there a way I can login automatically in a secure fashion?
Thanks,
Don
If you generate the controller classes for the spring security plugin (grails generate-registration) you'll see the following lines in RegisterController which does just what you want:
class RegisterController {
def daoAuthenticationProvider
...
def save = {
...
def auth = new AuthToken(person.username, params.passwd)
def authtoken = daoAuthenticationProvider.authenticate(auth)
SecurityContextHolder.context.authentication = authtoken
redirect uri: '/'
}
Be sure that params.passwd is the plain-text password (i.e. not hashed) and it works like a charm.
I haven't tried this with non-test code, but this is the method that I created to log a user in within my integration tests (after building/saving the appropriate users/roles in my test setup):
import org.codehaus.groovy.grails.plugins.springsecurity.GrailsDaoAuthenticationProvider
import org.springframework.security.providers.UsernamePasswordAuthenticationToken
import org.springframework.security.context.SecurityContextHolder
...
def logInAsUser(username, password) {
daoAuthenticationProvider.getUserCache().removeUserFromCache(username)
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password)
SecurityContextHolder.context.authentication = daoAuthenticationProvider.authenticate(token)
}
I construct and inject the authentication token in the security context. There might be a little more that you need to do to get your user logged in and past security, but this would be the start of whatever that is.
I'll actually need to do exactly what you're asking in a week or two for my current app, post back if you figure it out fully before I do :).
This is Burt Beckwith's answer (not mine)
(It was left as a comment by Burt, but I think it deserves to be more prominent)
If you don't have the password, you can load the user via
def user = User.findByUsername(username)
and setting the authority array in the 3-parameter constructor. Create the auths via
GrantedAuthority[] auths = user.authorities.collect { new GrantedAuthorityImpl(it.authority) }
Then you can omit the call to authenticate() and use:
SecurityContextHolder.context.authentication = new UsernamePasswordAuthenticationToken(username, 'unknown', auths)