I have an API in Node.js that I use as the data source for a mobile app.
Is there some way to keep the data available only to my app and not to other apps?
Thanks!
Take a look at this. See if you can use the user agent to restrict access to your app only.
Of course it is easy for someone to modify the user agent and make a request. If you are concerned about this you might need a better form of authentication.
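As an added example (not code from the answer above), here is what that user-agent check looks like as an Express-style middleware, followed by the failure mode the answer warns about: a plain curl request is blocked, but curl with a copied User-Agent passes the same check. The product token "MyMobileApp/" and the three requests are constructed for the demo; the middleware is run through a minimal stand-in for Express's `res` object so it works offline.

```javascript
// Added example: User-Agent gate as (req, res, next) middleware, plus a spoof.
// "MyMobileApp/" is an assumed product token; all requests below are constructed.

function makeUserAgentGate(allowedPrefix) {
  return function userAgentGate(req, res, next) {
    const ua = req.headers['user-agent'] || '';
    if (!ua.startsWith(allowedPrefix)) {
      res.statusCode = 403;
      res.end('forbidden');
      return;
    }
    next();
  };
}

// Minimal stand-in for Express's res object so the middleware can run offline.
function runThrough(middleware, req) {
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return { reachedHandler, status: res.statusCode };
}

const gate = makeUserAgentGate('MyMobileApp/');

// Genuine request from the app (constructed).
const fromApp = { headers: { 'user-agent': 'MyMobileApp/1.4.2 (iPhone; iOS 17.2)' } };
// Plain curl request: blocked.
const fromCurl = { headers: { 'user-agent': 'curl/8.4.0' } };
// curl -A with the app's User-Agent pasted in: passes, because the header is
// entirely attacker-controlled.
const spoofed = { headers: { 'user-agent': 'MyMobileApp/1.4.2 (iPhone; iOS 17.2)' } };

function demoUserAgentGate() {
  return {
    app: runThrough(gate, fromApp),
    curl: runThrough(gate, fromCurl),
    spoofed: runThrough(gate, spoofed),
  };
}

console.log(demoUserAgentGate());
```

The check costs an attacker one extra flag, which is why the answer's second sentence matters more than its first: anything that distinguishes your app has to be a credential the server can verify, not a header the client chooses.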
So my project consists of two ASP.NET projects. One is for showing data (the user interface) and the other one is the API (for background processes like login, database calls, etc.). Right now my app has a username and password feature to log in. I have set up a startup class in my API which authenticates the user and passes the user token. Now I want to add a feature to log in through the Azure portal.
Can anyone suggest a good practice in this situation? I don't want to change my code, just add a feature. Should I make changes in the API, in the web project, or in both? Meanwhile I was reading about "expose an API" in app registration. Would it be appropriate to use it just for login purposes?
Azure AD supports OAuth2, OIDC and SAML. See more information here. It is probably best to introduce the mechanism through the API first, since it would apply to the frontend as well (though slight modifications may be required there as well).
I'm making an iOS/Android app using Xamarin (not Xamarin.Forms, just regular Xamarin). I'm using the shared library setup rather than PCL. I want my app to call an Azure Function but I'm unsure of the safest/best way to handle this. I have it set to "Function" for the "Authorization level". The test URL includes the "?code=..." portion. I was under the impression that if I put that in my C# code with the "code" value exposed, it was considered a bad idea from a security perspective.
I'm lost as to the safest/best way to deal with this. I've read that setting it in app.config is also a bad idea. I found some references for a web app that suggest using the connection strings that are available in the Azure portal, but since this isn't a web app, I'm unsure how I'd actually retrieve those values in my code (or if that's even possible).
So how would you suggest I handle setting the value for "code" so that I can call my function and avoid a security problem?
UPDATE: Providing more info as requested:
I'm using MSAL to authenticate my users with a B2C Active Directory. I already have that part working and have received a token authenticating the user.
I also just now enabled authentication in my functions.
I was under the impression that to call my function from my mobile client I had to make a new HttpRequestMessage. I'm unsure what I'd then place in it to pass my token along.
Just to make sure I understand, your concern is about embedding secrets (the ?code=XXX value) in your iOS/Android app, correct? If so, yes, this is generally considered bad security practice. It's best to assume that anyone who can download your app will be able to discover these secrets and use them any way they want.
The recommended way to authenticate with a backend service, such as Azure Functions, from a mobile device is to use interactive authentication, i.e. some kind of OAuth flow. You can build it yourself, or you can use the built-in functionality of Azure Functions and Azure App Service to help you (Azure Functions is built on top of App Service). Here are some resources which might be useful:
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://contos.io/working-with-identity-in-an-azure-function-1a981e10b900#.vcjit3ntw
The API key (code) is indeed not meant to be used by clients you distribute externally, so it shouldn't be used by your mobile app.
The most straightforward option here would be to use the built-in App Service Authentication features with Azure Functions and implement an authentication flow in your app, which would allow you to securely authenticate the user.
Sharing more information about your scenario may help identify alternatives.
I would like to develop a system that helps any developer create an application based on my API.
My problem is authentication.
I have seen (for example) how Google works with its services; I would like to create a (private) OAuth system like Google's, conceptually, where a developer, after signing up on my portal, gets an APP ID and an APP SECRET.
Once the developer has created these credentials, they can use them to call the API over HTTPS.
My API is developed with Node.js and Express.
I'm asking which approach is the most stable for building a robust system for this scenario.
Thanks for any support. Any idea is appreciated.
You can try http://passportjs.org/; it can work as middleware with Express.
Is there any option available to authenticate users accessing my app on a Bluemix URL?
I want to restrict the audience that can use my Bluemix URL. Any leads on how to implement this?
You can go to your app overview page and click on "Edit routes". You will see the "Enable app authentication" property, which is OFF by default. Set it to "ON". After that you need to add members to your organisation who will have access to your app.
Attaching a sample screenshot for your help:
The SSO service is the way to go if all the users accessing your application have an IBM ID. In some cases we have used a more custom API key approach or even pre-exchanged certificates, for which you would need to add some code.
In Bluemix you can add people to your organization; once you do that they will be able to manage your app: delete, restart, stop, etc.
Bear in mind that you are the one who pays for the app, so if they add memory or instances you will be charged for those expenses.
In order to add people to your organization:
Log in to https://ace.ng.bluemix.net
Click on 'MANAGE ORGANIZATIONS'
Add/invite a bluemix user to manage your app
Complete documentation on using the OAuth authentication service with the SSO service in Bluemix is available here: https://www.ng.bluemix.net/docs/#services/SingleSignOn/index.html#sso_gettingstarted
Examples and client code are also available:
https://hub.jazz.net/project/bluemixsso/SingleSignOnSampleClient/overview. The sample application can help you write your own client application that leverages the capabilities of the IBM Single Sign On for Bluemix service. You can create your own copy of the code in your own DevOps JazzHub account as well, then build it and deploy it to your own IBM Bluemix space.
You need to try the single sign-on authentication provided by Bluemix.
Below is the getting started link:
https://www.ng.bluemix.net/docs/#services/SingleSignOn/index.html#sso_gettingstarted
You get various options to authenticate users (via Facebook, Google, etc.) and can apply them in your app.
Please review this link about Single Sign On.
https://www.ng.bluemix.net/docs/#services/SingleSignOn/index.html#sso_gettingstarted
I hope this helps you.
Good luck!
I'm creating a web service with create/update/delete calls. But for now I'd like to restrict use of it to my own web app and no other clients. How can I have clear-text JavaScript code that makes these calls but still be confident the credentials won't be used elsewhere?
My idea is to use server-side generated nonces for each request. But I am open to different ideas you may have. Thanks.
Do the users of your web app have a login ID/password? If yes, then ask them to log in, and use standard session management approaches to achieve what you want.
If your users don't have unique accounts, and you only want your JavaScript code to make the web-service calls, then it cannot be achieved. It's trivial to sniff the traffic / extract the password from JavaScript.
You could use the firewall in front of your web server to filter based on MAC.
Simpler still, collect the credentials (authentication token) with a dynamic dialog box (JavaScript is very rich for creating UI dynamically).