I am creating a Windows Phone 8.1 app that will run on devices that we supply to our customers. We want to associate the device with a customer during provisioning. As the customer employees use the device, they also have to log in to identify themselves. This will drive the authorization process. So really, I want to transparently authenticate the device with no user interaction and then authenticate each user using the usual username/password combination.
For authenticating the device, I am trying to decide whether to:
1. Use Azure Active Directory, setting up the device as a user, storing the password on the device and then adding the customer information I need to the device identity claims during provisioning.
2. Create an Azure storage table or blob and secure it with keys which are stored on the phone and rotated occasionally.
Once the device knows which customer it belongs to, the rest of the process of authenticating the user seems (relatively) straightforward. I do have some concerns about multiple authentication headers in the HTTP call, but I haven't gotten that far, yet.
I'm looking for opinions on the best way to do this, or any experiences anyone might have had in attempting something similar.
Thanks in advance.
The Microsoft docs state:
Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around.
What exactly is meant by "trust" here and how does the app registration establish said trust?
The way I understand it, the registration basically makes the app known to the AD, but how does that make the AD, which the app is redirecting to for interactive logins, more trustworthy to the app? Couldn't a malicious AD just pretend to know any app that's using it for logins? Wouldn't it need some kind of shared secret to assure the app that the AD really is the AD? And isn't HTTPS establishing that trust already?
It makes more sense to me the other way around: the AD receives a login request along with a redirect URI set by the app. But if the redirect URI is not known to the AD, then the request is not trustworthy and will be rejected.
I'm probably misunderstanding something, so could someone please explain the idea behind this?
In the authentication world, trust is a complicated word. In my opinion, the easiest way to approach this thing is taking the Google Sign-In button as an example. You can use it to log in with your Google account on almost every website out there. Does this mean Google trusts every website out there using it? No, of course not. Do those websites trust Google? Sure they do; they have no visibility into whether Google returns the correct information about the users to them.
The case is very similar here as in most cases you will be using the same protocol to implement it (OAuth2 OIDC).
You are correct, you need to configure secrets & return URLs to make sure that the App Registration is not used for malicious purposes; however, this does not create trust between the identity provider and the application. They are just technical measures to protect the client.
However, you can of course trust the application if you want to. The most common way is to grant it access to scopes so the application can do actions on behalf of the user. Usually this is done by those consent screens you probably know ("grant access to your email and phone number"). In an enterprise setting, they are often omitted and access is granted with admin consent.
TL;DR: There is no inherent trust just because there is an App Registration; however, you can trust an app to access user data.
Is it possible to create more API endpoints on servers to share a different set of user data?
If yes, what type of user-specific Authorization can be used to protect these APIs (without adding any new admin API keys or another authorization method)?
Is it possible to connect the client application to multiple Server applications? How?
Is it possible to connect one more (or 2nd) client application to the Server for login?
If yes, please list down the detailed steps for the changes you will have to make in the Server application to support multiple clients.
Also, list down if any changes need to be made in the client applications.
Is it possible to share complete data with a few client applications and limited data with the rest of the applications? How do you achieve this?
e.g. client 1 only needs email & phone, but client 2 needs email, phone, birth date and address of the user.
Yes, you can create more API endpoints; you can use JWT verification for each client's users.
What is the purpose of multiple server applications? Can you elaborate more?
As I mentioned in the 1st answer, search more about 'jwt authentication in nodejs' for multiple users, so every user can use the same API for login.
Yes, it's possible based on the client's role, or if the client/user doesn't have a specific role but client 1 needs only email and phone and client 2 needs all the data. Then the best solution is to implement 'GraphQL in nodejs'; it will solve your problem.
I am using the Amazon MWS service but getting throttled because I'm using the same key for the entire application. Can we create multiple access and secret keys to handle this throttling issue?
Can anyone please help me? What can be the best solution for this?
In principle yes, BUT it's not as simple as that, and I suspect that Amazon's certification process would not authorise your 2nd app if you supply the same developer info (address etc.).
To recap, when you want to write an app that accesses MWS info, you need to submit your app's details for authorisation by Amazon, e.g. what kind of security you implement to protect buyer sales order details etc., and if granted, you are then able to "attach" your app to a seller's account via Manage Third Party Apps and, with your app's credentials, get the auth token - but you knew this already...
And if you're getting throttling issues, then I'd revisit the help page and digest what they say.
I have been working on IBM Maximo Anywhere apps such as Work Approval and Work Execution for some time now and have a few queries regarding the login mechanism used by these apps. To be specific, as per my understanding anyone having access to Maximo on that particular environment can log in to the Anywhere apps - is that a correct statement? And if yes, then how does it work in a disconnected state? If for any reason Maximo is down, will it mean that the app will not be able to authenticate a user and hence unable to log in as well? And along with that, is there any other kind of authentication done, for example LDAP etc.? Are there any different kinds of login failure messages that are displayed depending on why the app isn't able to let the user log in? Or is it a common one saying "Login Failed"?
The first time the user ever logs into the application, they do have to have a connection to the Maximo server to authenticate. We also validate that the user is authorized to use this particular mobile app. We have a security group for each mobile app that the user must be a member of. After the authentication and authorization finishes, we download, store, and sign the locally stored data with the username/password combination, so that on subsequent login attempts, if the server is down, we can fail over to the locally stored data. This also guarantees that the locally stored data is protected.
We support all of the types of authentication configuration that base Maximo supports.
More information here:
http://www-01.ibm.com/support/knowledgecenter/SSPJLC_7.5.0/com.ibm.si.mpl.doc_7.5.0/security/c_authentication.html
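The offline fail-over the answer describes, as an added illustration and not IBM's implementation: after an online login the cached data is sealed with a key derived from the username/password, so a later offline login only succeeds with the same credentials and only if the cached bytes are unchanged. It assumes a PBKDF2-derived key and an HMAC tag (constructed design); it shows integrity and credential binding only, and encrypting the cached body is out of scope here.

```python
import hashlib, hmac, json, os

PBKDF2_ROUNDS = 200_000  # assumed work factor for the demo

def _derive_key(username: str, password: str, salt: bytes) -> bytes:
    # Bind the key to both the username and the password, so another user's
    # credentials cannot unlock a cache that was sealed for someone else.
    material = f"{username}\x00{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)

def seal_cache(username: str, password: str, data: dict) -> dict:
    """Called once the online login and group check succeed: the record written to the device.
    The credentials themselves are not stored, only the salt, the data and the tag."""
    salt = os.urandom(16)
    key = _derive_key(username, password, salt)
    body = json.dumps(data, sort_keys=True).encode()
    tag = hmac.new(key, salt + body, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "body": body.decode(), "tag": tag}

def offline_login(username: str, password: str, record: dict):
    """Used when the server is unreachable: returns the cached data on success,
    or None when the credentials differ or the cached record was modified."""
    try:
        salt = bytes.fromhex(record["salt"])
        body = record["body"].encode()
        key = _derive_key(username, password, salt)
        expected = hmac.new(key, salt + body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["tag"]):
            return None  # wrong credentials or tampered data; caller reports a single "Login Failed"
        return json.loads(body)
    except (KeyError, ValueError):
        return None  # corrupt or incomplete record
```

Because the same check covers both a wrong password and a tampered cache, the app cannot tell those two cases apart offline, which is why a single generic failure message is the natural outcome.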
Hi and thanks in advance,
I am looking for industry best practice or a ready-made app to store and share passwords for network resources.
My current situation is that I have a number of people that need to access applications as a specific superuser in order to access some features of these applications. The applications are third-party built and cannot be changed to grant access to the required features for anyone but the superuser account. Normal admin accounts have elevated rights, but things like creating accounts have to be done via the superuser account.
For security reasons I would like to periodically change the superuser accounts' password. Because of the number of people that need to be able to log in as superuser, changing the password would be problematic and a logistical nightmare.
I'm looking to purchase or create an application that would:
Track who is looking up the password and to what resource
Allow me to specify what passwords a user can retrieve
The data should be stored and transmitted ultra securely
Preferably this would be an on-line application (I have Mac and Windows clients)
KeePass is great for this kind of thing. It provides a strongly encrypted database of passwords and secure information. This can be accessed and shared via svn/dropbox/fileshare implementations using a master password.
This is more for a master database of secure data; you can set up additional databases, maybe per user, but it starts to get a little away from what it's designed for.
I would do a C# app that checks with a web service whether the user can run the app and with what permissions; it would then be sent the encrypted credentials for a one-time run, and the service would log the request. This would all have to be done securely, so the service would use SSL and preferably certs between the systems. You have a good bit of research here to figure this all out, and you might have to use Java if you want Mac... but I don't know how well that can launch apps as other users.
Solution #2 would be to use KeePass. You will have to be creative.