I recently switched to a new company where my manager wants me to develop entirely new cloud based project in MVC. I have never worked on a project from the start and I think this is a good opportunity for me to lead.
However, I think the requirements of the clients are bit confusing.
Here is what he wants:
Client should be able to access the cloud hosted application from his network with single sign on. He wants to use his active directory for that.
There are different users in active directory, they will have different roles (I think we can handle this on database side. Create different roles and assign roles to users).
Client has to add vendor info in the application. But for this, system should send an email to vendor with the url of the cloud application. He wants user to login to the application using 2 Factor Authentication. So, send dummy password with url, and send OTP to his mobile number. Just like registering to any system.
Now my questions are:
Is it possible to have 2 different types of login mechanisms in the same application? SSO for client and 2FA for outside vendors?
If yes, could you please guide me in the right direction?
what things I need? Which framework, design pattern should I prefer?
How do I proceed ?
Related
I'm looking for guidance as to how I should introduce authentication and authorization into my Rails application. I apologize if this gets long, but I'm trying to provide the context necessary to help me understand what roads I should go down to achieve this.
First off, my technologies:
Rails API BE
React FE
Business Requirements:
Invite only (Invite from root admin user)
Multiple types of users
Root Admin (invite users and assign types)
Users
Attorney, Paralegal, Client (each has different roles / capabilities)
Walkthrough
Root Admin User creates accounts for attorneys and paralegals. These accounts go out via an invitation to join.
Paralegals can create clients. When created, an invite goes out to the client to join the application. Paralegal assigns attorneys to be responsible for the clients.
Different Roles
Clients manage their own data
Paralegals can 'validate' client data
Attorneys can 'Approve' Paralegal changes
Bottom line:
We need each type of user to log into the application
Each user gets a role specific to their capabilities
These capabilities will involve different UI capabilities in React
React will need to know that
The user is authenticated
The user is authorized only for certain actions
These capabilities will involve REST calls to Rails
Rails will need to validate that
The user is authenticated
The user is authorized only for certain actions
I've done this in the past using Devise but am looking to move authentication and authorization to the cloud to allow for future app development ideas. That's where I'm not sure what to do. I've been reading a lot of different possibilities and at this point I'm just not sure which path I should choose. So I'm looking for advice how to pull authn/authz out of Rails and into the cloud.
After all this, I think my question is just -- could someone point me down which road I should go? AWS Cognito? Auth0? Stick with Devise? How does Rails work with cloud auth providers?
Really, just anything helps.
Any advice would be appreciated.
I'm writing an application that will be the backend for a react website. The website is to be used by our customers, but we will fully control the permissions of the user. We have decided to use Azure AD to secure requests, but will also be exposing the API for end users to use directly if desired.
My understanding is in Azure AD I will have to create an application that will allow web based implicit authentication (for the react site), as well as a native application that will allow a dameon based application to authenticate to the API.
This I believe means I will have two audience ids in my application.
I'm trying to get claims to include groups, and I can see if I edit the meta data of both applicaitons in azure AD to include "groupMembershipClaims": "SecurityGroup" I can get claims with the group IDs in, but no names.
I think I can also use appRoles to set roles the application uses, but I've yet to get that to come through as claims in the JWT, but I'm assuming it can be done, however I'd need to setup the roles on each applicaiton, then add the user twice which isn't really ideal. I also think that because my app is multi-teanated that external users could use this to set their own permissions, which isn't what I want to do.
Sorry I'm just totally lost and the documentation is beyond confusing given how frequently this appears to change!
TLDR: Do I need two applicaitons configured in azure ad, and if so whats the best way to set permissions (claims). Also is oAuth 2 the right choice here, or should I look at open id?
Right away I gotta fix one misunderstanding.
Daemon apps usually have to be registered as Web/API, i.e. publicClient: false.
That's because a native app can't have client secrets.
Of course the daemon can't run on a user's device then.
Since that's what a native app. An app that runs on a user's device.
This I believe means I will have two audience ids in my application.
You will have two applications, at least. If you want, the back-end and React front can share one app (with implicit flow enabled). And the daemon will need another registration.
I'm trying to get claims to include groups, and I can see if I edit the meta data of both applicaitons in azure AD to include "groupMembershipClaims": "SecurityGroup" I can get claims with the group IDs in, but no names.
Yes, ids are included only. If you need names, you go to Graph API to get them. But why do you need them? For display? Otherwise, you need to be using the ids to setup permissions. Names always change and then your code breaks.
I think I can also use appRoles to set roles the application uses, but I've yet to get that to come through as claims in the JWT, but I'm assuming it can be done, however I'd need to setup the roles on each applicaiton, then add the user twice which isn't really ideal. I also think that because my app is multi-teanated that external users could use this to set their own permissions, which isn't what I want to do.
Your thoughts for multi-tenant scenarios are correct. If you did want to implement these though, I made an article on it: https://joonasw.net/view/defining-permissions-and-roles-in-aad.
Why would you need to setup the roles in multiple apps though? Wouldn't they only apply in the web app?
If the native app is a daemon, there is no user.
Overall, I can see your problem. You have people from other orgs, who want access to your app, but you want to control their access rights.
Honestly, the best way might be to make the app single-tenant in some tenant which you control. Then invite the external users there as guests (there's an API for this). Then you can assign them roles by using groups or appRoles.
If I misunderstood something, drop a comment and I'll fix up my answer.
Azure AD is of course a powerful system, though I also find the OAuth aspects confusing since these aspects are very mixed up:
Standards Based OAuth 2.0 and Open Id Connect
Microsoft Vendor Specific Behaviour
ROLE RELATED ANSWERS
This is not an area I know much about - Juunas seems like a great guy to help you with this.
OAUTH STANDARDS AND AZURE
I struggled through this a while back for a tutorial based OAuth blog I'm writing. Maybe some of the stuff I learned and wrote up is useful to you.
AZURE SPA AND API CODE SAMPLE
My sample shows how to use the Implicit Flow in an SPA to log the user in via Azure AD, then how to validate received tokens in a custom API:
Code Sample
Write Up
Not sure how much of this is relevant to your use case, but I hope it helps a little on the tech side of things...
I'm working for a non-profit that is trying to create a collection of services that will allow them to do a few things:
Create/Manage Users
Create/Manger Competitions
Create/Manager Events(a Competition is made up of many Events)
Logistics
Etc.
Here are some of the requirements:
Host on Azure
Accounts are created using the user's own email address (can be any domain)
Each service must be independent of each other
System should be accessible from anywhere(browser, mobile app, etc.)
Once a user logs in, access to other systems should be available(if needed or depending on permissions)
-services can talk to each other(we've successfully done a POC on this using Azure Active Directory)
I've spent some time researching the possible ways to tackle this, including looking at articles like this:
http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
It sounds like JWT is the way to go, but I want to make sure that this architecture approach lends itself to flexibility down the road. I'm willing to learn/user any technology as long as it plays along .Net, Web Api, and MVC.
My initial idea was to set each "system" as a Web API, which is pretty straightforward. My concern is authentication/authorization. The million dollar question then becomes:
How can I authenticate a user on a browser/mobile/desktop app and then make use of the other services(APIs), where each service can verify if the user is authenticated independent of other services.
For example, lets say I am using the web app(browser) and register as a user(using User service) in order to register for a competition(Competition service). what kind of technologies/architecture would need to be used for both services to use the same authentication mechanism?
I am not new to MVC or Web API but I am to a scenario like this, so all help or advice is greatly appreciate it. For any that are interested, this is the non-profit: http://worldjumprope.org/
They are doing some cool stuff in terms of outreach and spreading the love for jump rope. Their goal is to be able to help people all around the world and provide a way to for them to come together and compete. They've been doing it for years, growing each year, all for free and out of pure passion for the sport. Help me help them!
Azure Active Directory can help you with your need.
About the security/Auth mechanism, simply put, it is like you get a token from Azure Active Directory to be able to use it to do authentication for a certain Audiences/Tenants.
And in your architecture, when you acquire a Token, you can specify if you are going to use it against a certain audience or it will work for a list of audiences or all audiences in a specific tenant or in a multi tenant scenario.
Here is a link to a video about AAD Single Sign on:
https://azure.microsoft.com/en-us/documentation/videos/overview-of-single-sign-on/
You can download the AAD Solutions arcutecture from here:
http://www.microsoft.com/en-us/download/details.aspx?id=45909
Also maybe worth looking at Identity Server - https://github.com/IdentityServer/IdentityServer3.
Same concept as Azure AD in terms of tokens, but perhaps with greater options for what you choose as a data store for your user information.
There are lots of demos and source code on the site, particularly around the different types of authentication flow \ service to service authentication
What are the pros/cons of using .NET Identity 2.1 versus Azure Active Directory (Premium)?
We currently have an MVC 5.x application using Identity 2.1 for registration, sign-in, password resets, etc. A Microsoft consultant is suggesting we should swap to Azure Active Directory to remove the complexity of "maintaining your own security".
What are the reasons to make the swap and why wouldn't you?
I wouldn't say the two are mutually exclusive. Asp Identity has that functionality built in but you don't have to use it. Actually, you could create your own userstores, managers etc. that poll the azure AD for this info. Identity allows you to use it, override it, or skip it entirely.
Why you wouldn't want to do this? Not everyone has AD. Not everyone needs it. The bare-bones approach that the templates use are simply application managed users and claims.
If you are targeting multiple applications and want SSO and have AD then you can take advantage of it. Developing your own at this point is redundant and more work/maintenance as the consultant pointed out.
You will still probably have a Users table and possibly others in your app database because you may have business functions unrelated to AD but boilerplate stuff would all be managed via AD.
Another issue you may run into is the need to authenticate app specific users outside your AD. At that point you may choose to implement a mixed solution. One half polling AD for internal users, and the other falling back on Identity for external users.
I'm building some applications using rails.
All apps using restful auth plugin for User base and declarative authorization plugin for authorization rules.
But I need to merge all site's User accounts to one User base for providing login for all sites.
I.e like 37signals working on. Here is their work ;
http://37signals.com/accounts
How can I archieve this, any suggestions are welcome.
Thanks
A.Karr
From studying how 37signals was doing stuff - I think they're using RubyCAS http://github.com/gunark/rubycas-server
It's perfect for single sign-on, single sign-off and other related stuff - when you have multiple independent applications. Also, because CAS is a generic protocol, it exists for non-ruby/rails applications too. SO you can integrate legacy systems or client applications in Java etc.
I started building a set of how-tos on the subject here:
http://rubyglasses.blogspot.com/2009/12/rails-single-sign-on-with-rubycas.html
Have you thought about using open id?
If all your apps run on the same domain you shouldn't have any problems accessing the authentication cookie in all the apps, but you'll need to store the authentication state somewhere where all the applications can access it.