I'm looking for solutions, or workarounds, for detecting users accessing my website from within a company network without the need of a user/password login. These users have some unrestricted access to my site.
Came to my mind to check the user's IP against a known IP range or subnetwork, but this does not seems to be the most reliable or secure solution.
We when say safely detect the users ,it means we are authenticating the users in way and then without the need of user/password login makes it tricky.But we can acheive this
All you have to do is enable windows authentication for your website
in IIS.
If we configure windows authentication correctly,you will get following
if the website is browsed using IE, mostly the login will be transparent as there will not be any authentication prompt
For firefox/crhome,if i remember correctly,there is a flag to enable to make automatic kerberos login in firefox and chrome should automatically login .
Normally the windows login prompt works perfectly fine with IE (some settings are needed but those settings can be controlled using domian policies). In case you still get auth prompts ,you just want some kind of authentication,you can have NTLM enabled and no kerberos in IIS settings
If you still get authentication prompt,try enabling just NTLM and check
IIS ->Website->Authentication->Windows Authentication->Providers remove negotiate
For some reason user cannot be authenticated(user comes from different domain or forest),then an authentication prompt is shown.
Related
From various googling and reading https://www.jhipster.tech/security/#oauth2 , I gathered that in order to have mobile/social integration with JHipster generated app I should use OAuth2. Am I right to think this way? (I can't seem to find a clear cut answer to this)
I created a new application with JHipster v5.1.0 with OAuth2 enabled. I noticed a couple of features missing with regards to user management. Below are my questions.
How does a new user register a new account?
How does a user change password / reset forgotten password?
Hopefully someone with experience on the above can help clarify.
Thank you in advance.
For social login, yes your best option is OAuth 2.0. You can use JWT for mobile development with React Native (via JHipster Ignite) and Ionic (via Ionic for JHipster), so it's not necessarily required for mobile.
For user registration and change password, you'll need to enable those options in Keycloak or Okta. This blog post shows you how.
To summarize:
For Keycloak, you can enable registration by navigating to http://localhost:9080 and click on Administration Console. Login with admin/admin and click on the Login tab. This screen allows you to enable forgot password, remember me, and verify by email as well.
To enable self-service registration in Okta, you’ll need to navigate to the Classic UI from the Okta Developer Dashboard. There’s a link to toggle between the two in the top left corner of your screen.
Then navigate to Directory > Self-Registration and click Enable Registration. Set the default group to ROLE_USER, the Default redirect to a Custom URL with http://localhost:8080 as its value, and click Save.
NOTE: If you get an error that says 'http://localhost:8080' is not a valid redirect URI, it’s because you need to add http://localhost:8080 as a trusted redirect under Security > API > Trusted Origins. After making this change, navigate to Directory > Self-Service Registration and edit the settings to configure the custom URL again. It should work this time.
I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we can not do anything in our client app.
But if it is not the server issue, in UWP, there is a WebAuthenticationBroker class witch can help you to authorize your app to access the user info from Resource server by getting a token. You can try to use the class to implement OAuth authorization. You don't need to use the in a WebView so that you can authorize your app with multiple users if you can manage all the user with the token properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.
I'm developing an internal app that will leverage our corporate Google Drive accounts and will be used on shared devices (iPads shared among teachers and students at school sites).
Is there a way to force GIDSignIn to require a password with each sign-in attempt? Right now, even after calling GIDSIgnIn.sharedInstance().signOut() (or GIDSignIn.sharedInstacne().disconnect()) the user doesn't need to enter their password the next time they access the app. That means, when the device is taken by the next user, they could very easily access the other user's account.
Am I missing something? Do I need to somehow clear the cookies store in the UIWebView that the GIDSignIn process uses?
Where available, the GIDSignIn login process uses a SFSafariViewController, not a UIWebView. It leverages the cookies (as well as passwords) stored in Safari, for a quicker login.
I don't think you would be able to clear such cookies. You should be able to force a Google log out, though, by opening https://www.google.com/accounts/Logout in an SFSafariViewController, though the interaction with the rest of your app may be a bit weird. See Logout link with return URL (OAuth) for a way to provide a return URL which you may try to use to control the process (you'll need to use an URL scheme to return, though).
Note that iOS may prompt to save login information, and then provide said login information to subsequent users. You'll need to disable that in Settings -> Safari -> AutoFill
There may be other ways of achieving it via configuration of the device, but iOS is not really designed for multiple users at the moment.
I want any client (within a certain domain) be able to open my Asp.net MVC Web Application (which also runs on IIS on a machine withit that domain) provide its default user's name, which is what he has logged into his windows account.
I have tried setting Anon auth off and on, I have also enabled the Windows Auth on IIS and yet I either get no user name at all, or the browser (last stable chrome) asks the user for credentials. But I want the default windows credentials, that's all!
What should I do to get them?
You need to apply configuration at the browser level.
For IE you need the site in the Intranet Zone and ensure the Automatic logon with current user name and password option is set.
For FireFox: http://kb.mozillazine.org/Network.automatic-ntlm-auth.trusted-uris
Chrome inherits from the same IE zone settings.
I am working on an iOS app in Monotouch. Part of it is to connect to an exchange server and download a list of emails. I would like to include the ability to open the email in the OWA client as well (so I don't have to recreate a email client to provide features OWA gives me for free).
I don't want the user to have to input credentials again however. Opening OWA in safari would usually present the user with either a form or a pop up asking for username and password.
Say I have a user admin with password password1. Currently what I do is request safari to open a link in the following form:
https://admin:password1#mailserver/exchange
This passes the credentials to safari and bypasses the HTTP basic authentication that OWA would usually pop up, however it is not very safe and safari complains of a possible phishing attack.
What other options are there for performing this kind of bypass of HTTP basic authentication?
I would recommend using HttpWebRequest to download each page and set the UIWebView's text manually. Using HttpWebRequest gives you the flexibility to use whatever cookies, credentials, http headers, etc. you want.
This will be tricky, but probably the only way to safely get the credentials in there. Not sure if your OWA app will be able to handle it either.