I wanted to start a thread to understand practices people currently use to serialize user data in a Facebook (canvas) application running on .NET with the Facebook C# SDK.
Security: Has anyone exposed data endpoints that can be accessed in an AJAX-mechanism from a FB app? If so, how did you protect them? Seems like it would be simpler to access the data when doing a full postback in terms of security, but even there I'm not entirely sure about the security implications. I'm used to doing things with forms authentication so I'm pretty unsure of how to secure data in the FB context. Obviously not having passwords is nice but I still thought this was a worthwhile topic.
Thanks...
-Ben
If you are relying on Facebook authentication, the best thing you can do is make sure the signed_request is valid, the Facebook C# SDK does this for you. (By valid, I mean that it originally came from Facebook) However, you cannot ensure it came from the person that the cookie says is the user. The signed_request could be intercepted since it is frequently sent over non SSL connections. This question contains two answers that are worth reading and should answer your question. Facebook JS SDK: access_token in plain text and security
Regarding exposing the ajax endpoint. Just make sure you pass the signed_request to the endpoint and use the FacebookApp class to read the session. This will ensure that it is valid. Here is more information on that topic: Facebook C# SDK, AJAX in iFrame app
Related
So, this is kind of related to the question here: How to enable CORS in an Azure App Registration when used in an OAuth Authorization Flow with PKCE?
I want to implement OAuth 2 for our single page JavaScript applications written in ExtJS.
The server-side is written in .NET (4.6.2 currently) and has both JSON services used by the UI (implementing Ext.Direct) and SOAP services used for client integration.
We currently handle our own authentication which works quite similarly to the authorization code flow really. We login with a client id, username and password to get a token generation token (TGT), and then use this to request a short-lived product service token (PST). Requesting a PST extends the life of the TGT. When the TGT expires the user has to re-authenticate.
For the OAuth 2 route I obviously would like the user interface to direct people at the login page for Azure, the user to login there, with whatever MFA they may require, and then come back to the UI as a known user.
I'm not bothered where I go for the product service token, although I think it makes sense to go to Azure if possible, since ultimately we'd like to move everyone in that direction I suspect.
So, I have wrapped some of the code above in an ExtJS class, and managed to retrieve a valid authorization token. So far so good.
When I then attempt to request an access token I hit the same issue with CORS that the poster of that question did.
I just cannot see how anyone can be using the Authorization Code with PKCE flow with Azure at the moment, since your application will never be hosted on the same domain used for login surely?!
Anyway. I'm wondering about my options.
I'm wondering now if I can post the authorization code that gets passed back to the UI (with the PKCE code perhaps) up to the web services and get the web services to handle the communication with Azure for the access tokens.
Does that stand more chance of success, or am I just going to hit the same problem there?
Implicit Flow is not an option. None of our clients will accept that.
What other options are there?
Is there a purely server-side to Azure option that I should be using, and worry about the UI afterwards?
Struggling to see a way forward!
Would appreciate any insights you may have.
Cheers,
Westy
Okay, after days of banging my head against the stupidity of Azure's implementation I stumbled upon a little hidden nugget of information here: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser#prerequisites
If you change the type of the redirectUri in the manifest from 'Web' to 'Spa' it gives me back an access token! We're in business!
It breaks the UI in Azure, but so be it.
I hope this helps someone else going through similar pain.
I'll also post on the linked thread :)
I'm creating a REST API server with Node.js and Express + MongoDB.
This API will have different mobile clients (iOS, Android) and possibly a web app later on.
I need users to login in order to perform some API requests. There are no 3rd party apps I want to connect with (no Facebook, Google etc). I also don't want to force the users to visit a webpage or anything like that in order for them to login.
From what I've seen on my many searches on SO, the best approach would be to let users login with full credentials once, send them a token in return, and use that token to verify future requests until it expires.
However, I'm not sure how to implement this.
I'm very confused with all of the different strategies. Is this done with basic authentication over HTTPS, with OAuth, OAuth 2.0, ... ? I just don't know what to use.
Also, I really don't want to reinvent the wheel here, not because I'm lazy, but mainly because of security concerns. Is there a library I could use to implement this? I've heard of Passport, but I couldn't understand if this is doable or not. This sounds like such a generic thing I'm sure there's a simple solution out there.
Thanks!
Now you can use Passport.js with JWT (JSON Web Tokens) with Passport-JWT. It's pretty easy to use.
Once a user is logged in, you send a token to the user. The token contains data about the user, like an id (encoded, of course). On the subsequent requests (at least where authentication is required) you make sure, that the client sends the token. On the server, you can see who sent the request (and e.g. check the user's authorization), just by looking at the token. For more info on how JWT work check this out.
There are different ways to send the token. Just have a look at the docs and it'll be clear. If not, this also helped me.
I feel you need to setup a Token Based Authentication process in your server, so you can make requests from different types of clients (Android, iOS, Web, etc.). Unfortunately, Passport documentation (and Passport-based tutorials) seems to be aimed for "web applications" only, so I do not think you should be using it for those purposes.
I did something similar following this great tutorial: http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543
The client part in this tutorial is based on AngularJS, but can easily apply the same principles in a mobile client (it is just a matter of making HTTP requests including a token retrieved when you post in "/signin" or "/authenticate").
Good luck!
There is an example of RESTful service with oauth2 authentication: https://github.com/vedi/restifizer-example. I hope it will help.
I built an AngularJS application calling some REST API's belonging to my own backend (using Play! 2.2).
I'm using Facebook OAuth client in order to authenticate my users.
As being a Javascript App, my Facebook App Token cannot be "hidden".
Thus, anybody who picked up the Facebook App Token, by just reading the Javascript code could grab a user access token in a "legally" way and therefore use my REST API's.
How could I prevent it?
What is the best practice?
One way would be, I think, to use the server side Facebook's OAuth mechanism, rather than the Facebook Javascript SDK.
In this case, the Facebook app secret would be stored on my server and unreachable from the outside.
But as being a Single Page Application on client-side, I really want to avoid page redirection and benefit of the "popup" feature that comes with Facebook Javascript SDK.
There are a couple of things you can do.
Using the server side ("code") OAuth flow for facebook auth is much more secure. You can still avoid redirects by opening your own popup to initiate the login sequence, similar to what the Facebook JS does (only it goes to your server first).
Enabling HTTPS on your application is usually a good practice...
And if you're worried about cross site forgeries you can implement something like an anti forgery state token. See http://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/ and also google's instructions here https://developers.google.com/accounts/docs/OAuth2Login#createxsrftoken .
To use google drive api, I have to play with the authentication using OAuth2.0. And I got a few question about this.
Client id and client secret are used to identify what my app is. But they must be hardcoded if it is a client application. So, everyone can decompile my app and extract them from source code. Does it mean that a bad app can pretend to be a good app by using the good app's client id and secret? So user would be showing a screen that asking for granting permission to a good app even though it is actually asked by a bad app? If yes, what should I do? Or actually I should not worry about this?
In mobile application, we can embedded a webview to our app. And it is easy to extract the password field in the webview because the app that asking for permission is actually a "browser". So, OAuth in mobile application does not have the benefit that client application has not access to the user credential of service provider?
I had the same question as the question 1 here, and did some research myself recently, and my conclusion is that it is ok to not keep "client secret" a secret.
The type of clients that do not keep confidentiality of client secret is called "public client" in the OAuth2 spec.
The possibility of someone malicious being able to get authorization code, and then access token, is prevented by the following facts.
1. Client need to get authorization code directly from the user, not from the service
Even if user indicates the service that he/she trusts the client, the client cannot get authorization code from the service just by showing client id and client secret.
Instead, the client has to get the authorization code directly from the user. (This is usually done by URL redirection, which I will talk about later.)
So, for the malicious client, it is not enough to know client id/secret trusted by the user. It has to somehow involve or spoof user to give it the authorization code,
which should be harder than just knowing client id/secret.
2. Redirect URL is registered with client id/secret
Let’s assume that the malicious client somehow managed to involve the user and make her/him click "Authorize this app" button on the service page.
This will trigger the URL redirect response from the service to user’s browser with the authorization code with it.
Then the authorization code will be sent from user’s browser to the redirect URL, and the client is supposed to be listening at the redirect URL to receive the authorization code.
(The redirect URL can be localhost too, and I figured that this is a typical way that a “public client” receives authorization code.)
Since this redirect URL is registered at the service with the client id/secret, the malicious client does not have a way to control where the authorization code is given to.
This means the malicious client with your client id/secret has another obstacle to obtain the user’s authorization code.
I started writing a comment to your question but then found out there is too much to say so here are my views on the subject in the answer.
Yes there is a real possibility for this and there were some exploits based on this. Suggestion is not to keep the app secret in your app, there is even part in the spec that distributed apps should not use this token. Now you might ask, but XYZ requires it in order to work. In that case they are not implementing the spec properly and you should A not use that service (not likely) or B try to secure token using some obfuscating methods to make it harder to find or use your server as a proxy.
For example there were some bugs in Facebook library for Android where it was leaking tokens to Logs, you can find out more about it here
http://attack-secure.com/all-your-facebook-access-tokens-are-belong-to-us
and here https://www.youtube.com/watch?v=twyL7Uxe6sk.
All in all be extra cautious of your usage of third party libraries (common sense actually but if token hijacking is your big concern add another extra to cautious).
I have been ranting about the point 2 for quite some time. I have even done some workarounds in my apps in order to modify the consent pages (for example changing zoom and design to fit the app) but there was nothing stopping me from reading values from fields inside the web view with username and password. Therefore I totally agree with your second point and find it a big "bug" in OAuth spec. Point being "App doesn't get access to users credentials" in the spec is just a dream and gives users false sense of security… Also I guess people are usually suspicions when app asks them for their Facebook, Twitter, Dropbox or other credentials. I doubt many ordinary people read OAuth spec and say "Now I am safe" but instead use common sense and generally not use apps they don't trust.
Answering to 2nd question: Google APIs for security reason mandate that authentication/sign-in cannot be done within App itself (like webviews are not allowed) and needs to be done outside app using Browser for better security which is further explained below:
https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html
Reading on some of the answers on here, people suggest doing userless access by calling Foursquare by:
https://api.foursquare.com/v2/venues/search?ll=40.7,-74&client_id=XXXXXXXXXXXXXXXX&client_secret=YYYYYYYYYYYYYYYYY&v=20111109
This means I have to include my client_secret key? Is this safe?
Clarification, I'm working on an iOS app using Foursquare search without the user logging in.
You should probably route the search requests via your server, which can add the client_id/client_secret information before passing it to foursquare. This will also be useful if you ever need to change your id/secret information, want to add caching, etc.
(That being said, it's perfectly common to put your client id / secret into your iOS app, but I would avoid explicitly publishing it anywhere, e.g. in any public source code)
Yes, it means that you need to include the client_id and client_secret.
Define safe :)
For facebook server-side application access, you include the app id and app secret as well (id|secret constructs the access token)
I think that the main idea behind this kind of access is to allow server-side access from the application and if the api access is done via a server script/code/web-service (and not via client-side javascript), this information remains a secret.
I guess it would be true to say that leaving this information somehow in the javascript code is not the best idea (= not safe!).