Authenticate username and password (Active Directory - Windows) - node.js

I need to use windows authentication in an App built using Nodejs (Express) on back-end and Reactjs on Front-end and I found some tools for example:
https://www.npmjs.com/package/node-sspi
https://github.com/auth0/passport-windowsauth
https://www.npmjs.com/package/activedirectory
https://www.npmjs.com/package/passport-ldapauth
https://www.npmjs.com/package/LDAP
I would like to know what is the better tool to use since I have to have a login page and validate the user and password to see if the user has access to a directory.
If the user is not under a certain group want not to allow them to access the application.
Thank you in advance!

Related

How to use email authentication in Firebase using Node.js

I'm trying to use the Firebase authentication service by email and password for my App.
I've noticed there are two SDKs, Client and Admin, both of them have methods to create a new user.
I've also noticed that only the client SDK has method to validate the user email and to return the new user's token after creation.
The two SDKs made me confuse regarding the way I should use this service so I have few questions:
Should I create a "signup" route in my server and use the Admin SDK or I should use the client SDK?
If I use the client SDK for signing it should be in the server side or in the client side?
How I can verify the user email using Firebase "Email address verification" template?
If someone can give me some guidelines.
The Firebase Admin SDKs are meant to run in a trusted environment, such as your development machine, a server you control, or Cloud Functions. They run with elevated, administrative privileges, based on a service account that you specify when initializing them. As such, there is no way to sign a user in with an Admin SDK, even though they indeed (as you noted) have the ability to create user accounts.
The client-side Node.js SDK is meant to be used in non-trusted environments, like for example IoT setups. This SDK indeed allows you to sign in as a specific user, and this information is then passed when you call other Firebase APIs from within the Node app.
Which of the two you should use depends on the use-case, which you're unfortunately not describing. Without that, the above is the best guidance we can give: if your code runs in a trusted environment, use the Admin SDK; otherwise use the client-side SDK.

Signing into my Gitlab CE installation with my app's login

I have a nodejs webapp with many users with a custom login process. I would like gitlab to accept that authentication and not force users to create a new app. What is the best way to accomplish this?
I would go for OAuth 2.0 Single Sign On (SSO). Below you can find the architecture diagram taken from here. As you can see the client is redirected to log in in the OAuth2 provider to get a valid token for authentication. The OAuth2 server must be configured for the application requesting access including the secret, the client id and the callback URL.
You can configure GitLab CE to sign in with almost any OAuth2 provider. Only be careful with the limitations:
It can only be used for Single Sign on, and will not provide any other access granted by any OAuth provider (importing projects or users, etc)
It only supports the Authorization Grant flow (most common for client-server applications, like GitLab)
It is not able to fetch user information from more than one URL
It has not been tested with user information formats other than JSON
You also need to configure your node js web application as an OAuth2 server. There are npm availables with the source code here.
Recommendation
I would install some open source Identity Management to separate the user management from your webapp, provides better integration with other third parties and forget about encryption and other stuff you need to take care in your webapp. There are multiple options such as KeyCloak for instance.
You have to define a dedicated user , and use the private_token of this user to login for ALL users that will use your application.
The restricition would imply all users will have the same rights ....
The other solution is to use the Private Token of the user at login. In this case , only the rights of these particular users will be used.

Flask application authentication using windows logged in user

I am developing flask application and rest services. I have to make that application secure with os logged in user.
My application is running on windows server(Apache). If any user launches the application from any system or trying to access web services from any other application with different domain, I don't want to prompt to enter username and password, I have to authenticate with who ever logged into that system with my ldap and need to use that user details in subsequent requests.
I am using flask,Apache 2.4, Python.
It would be very appreciable for your valuable view or help.
From what I understand, you are trying to make it so that once a user is authenticated through your LDAP server and logged into an account, you do not want to make them have to enter their credentials again on a web application.
I do not think that with your current goal it is possible to do this, but you may find Flask-Login with Python-LDAP as a backend useful. I found this tutorial for using the two together if you need.
Please correct me if I am wrong in my interpretation of your question.

How to handle simple authentication with Azure (with local user accounts)?

I would like to build a very simple Angular 4 app with a WepApi Service as backend.
I would also like to have users register with my app (the basic "create user" - "validate email" - "log in" workflow).
The user/passwords should be stored with my own app (SQL database).
Where would I go for this very basic information? I am highly frustrated with all the "look it's so easy, you can use ANY social media account! Facebook, Twitter, Google, Microsoft! Just three clicks and all is super-secure with OAuth" talk.
Please point me in the right direction - finding this very basic information seems impossible to me.
what i have done is :
Step 1 : call facebook auth from client it returns me id,
profile etc,
Step 2 : then I send fb id to the server (deployed on azure), where it
checks if this fb id already exists in database it redirects to login,
otherwise it creates a new user
you can also authenticate fb token on server side also for more security.
for login with facebook scenario this question might help you.
I would recommend you to use Azure App Service along with Easy Authentication as it allows you to configure your app along with Facebook/Twitter/Google/MSA.
For Starters see this:
How authentication works in App Service
How authorization works in App Service
The following tutorials show how to configure App Service to use different authentication providers:
How to configure your app to use Azure Active Directory login
How to configure your app to use Facebook login
How to configure your app to use Google login
How to configure your app to use Microsoft Account login
How to configure your app to use Twitter login
The above steps do not require you to write any code. However if you need to authorize then you need to handle that in your application.
The above should get you started. Also see this thread where I shared insights on how you can query Facebook: Correct Facebook Graph Api Video Insitghts Request PHP SDK
I also have a blogpost on this here:
Azure App Service: Using Easy Auth to query Facebook information via Graph API

Get authenticated user's groups from Active Directory in Node

We were asked to move our NodeJS app to run under IIS (Windows Server 2012R2) and integrate with an existing Active Directory. We were requested to remove the login page, and instead use Windows Authentication to get the (already authenticated) user's ID, and the use the groups he/she belongs to, to control their authorization level within the app.
I've installed iisnode to run my app under IIS, and figured I'll use either passport-windowsauth, or node-activedirectory to get the group memebership. However, both require user/password to authenticate the user. My user is already authenticated, and I have no access to his password (nor should I).
How do I go about getting an authenticated user's groups from Active Directory?
Here's what I have so far:
Installed and configured iisnode
Enabled Windows Authentication for the web app
Added this to web.config: <iisnode promoteServerVars="AUTH_USER,AUTH_TYPE" />
In my index.js file, I can then console.log(req.headers['x-iisnode-auth_user']); and get the correct user name - but I don't know how to proceed from here to getting his/her groups
Under no circumstances do I want to re-ask the user for his/her password
Well, seems like no one is interested in looking at this question :). I'm assuming IIS + Node.js + Active Directory is an edge case.
Here's how I ended up solving this one:
Add a special user to the Active Directory that can only be logged into from the IIS machine (bonus: limit the IP/process/access of that user).
Add the AD details, user name, and password to config.json file (see snippet).
Make sure you add the file to .gitignore so it won't end up in repo.
Use node-ActiveDirectory to first sign in as the user from step 1, and then ask for the groups of the logged in user (see snippet).

Resources