How do I implement unique alphanum auth in my iOS mobile app using Azure? I sort of did this by inserting a unique alphanum value in one of the SQL Server database user tables, and when the user enters the unique code in the UI I check in the backend if the value is valid and let him in, but how can I really restrict the tables to only authenticated users in the database? I am also not able to make my app build using username and password in Azure Auth since it only supports AD, Microsoft, FB and Twitter. Can anyone help me in this regard?
[screenshot: unique code]
[screenshot: permissions]
Be able to make my app build using username and password in Azure Auth
By default, as you said above, it only supports AD, Microsoft, FireBase and Twitter. So we need to do this by ourselves: we need to add the authentication feature by writing code in the backend project. There are two types of backend we can use, .NET and Node.js; for more information about the backend SDKs, we can refer to:
.NET Backend SDK
Azure Mobile Apps - Node SDK
how can i really restrict the tables to only Authenticated users in the database
We need to do this in the backend: Restrict permissions to authenticated users
Lee Liu just provided some common tutorials about Azure Mobile Apps. Based on my experience, you could build your custom provider instead of the built-in identity providers to implement your requirement.
I am also not able to make my app build using username and password in Azure Auth since it only supports AD,Microsoft,FB and Twitter. Can anyone help me in this regard?
Based on your description, I assumed that you are using the Authentication and authorization in Azure App Service. If the built-in identity providers could not meet your requirement, you could also build your own custom identity provider (e.g. username/password against your database, etc.) and you could also leverage the features provided by App Service Authentication/Authorization (Easy Auth).
For achieving this approach, you could follow How to: Use custom authentication for your application for the .NET backend. Moreover, you could follow Adrian Hall's blog about Custom Authentication for a detailed tutorial. For a NodeJS backend, you could follow 30 DAYS OF AZURE MOBILE APPS.
I'm trying to implement security to a backoffice CLI tool (NodeJS) that calls a REST api (Java/JAX-RS) for performing database operations etc.
As we're using Azure AD for all our user accounts I'd like to use it for authenticating our users and also for authorization.
The authorization is needed since not all members of the AD are supposed to use the CLI, and there are two types of users of the CLI with a different set of available commands, meaning that even if you are able to use it, some features might be locked out depending on whether you are an operator or administrator.
I've managed to create two applications in Azure AD, one for the CLI and one for the API. I can log in using our AD credentials and fetch access tokens for the CLI app id requesting the REST API resource. On the client side I'm using https://www.npmjs.com/package/simple-oauth2 .
On the Java side the tokens are validated against Microsoft public keys, so everything seems to work out fine.
But, how should I lock down the users to either operator or admin roles? One naive way I can think of is to have the user/role correlation in the REST API and only use the OAuth flow for authenticating the user. But I guess that's what the AD is there for... Could OAuth scopes help me in this case?
Or should the REST API call the AD to query for users group memberships, once it receives the access tokens and knows the end user identity?
Thanks in advance!
Use the Application Roles.
Here you will find good description what application roles are and how to handle them:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
The recommended resources at the end are also very helpful and will guide you through the process.
Also, when developing CLI it is recommended to use the Device Flow - described here with sample code (.net core) here.
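Added example (not from the answer or the linked Microsoft docs) of how the REST API side can consume app roles once the token's signature has been validated as the question describes: each CLI command declares the roles allowed to run it, and the API checks audience, expiry and the roles claim before executing. The role values and audience are hypothetical placeholders that would have to match the API's app registration.

```javascript
// App roles a CLI command requires. The role values are hypothetical and
// must match the "value" of each appRole defined on the API's app registration.
const COMMAND_ROLES = {
  status:  ['Operator', 'Admin'],
  restart: ['Operator', 'Admin'],
  purge:   ['Admin'],
};

// Placeholder audience: the App ID URI (or client id) of the REST API registration.
const API_AUDIENCE = 'api://REPLACE-WITH-API-APP-ID';

// claims: the payload of an access token whose signature has already been
// verified against Microsoft's published keys, as the question describes.
// Returns { ok, reason } so the API can log why a call was refused.
function authorizeCommand(claims, command, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (claims.aud !== API_AUDIENCE) return { ok: false, reason: 'token not issued for this API' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { ok: false, reason: 'token expired' };
  const required = COMMAND_ROLES[command];
  if (!required) return { ok: false, reason: 'unknown command' };
  // Azure AD places the user's assigned app roles in the "roles" claim;
  // no claim means no assignment for this app, so the call is denied.
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  if (!roles.some(r => required.includes(r))) return { ok: false, reason: 'missing app role' };
  return { ok: true, user: claims.oid };
}

// Lets the CLI hide the commands the signed-in user cannot run.
function availableCommands(claims) {
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return Object.keys(COMMAND_ROLES).filter(c => COMMAND_ROLES[c].some(r => roles.includes(r)));
}
```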
I am building an iOS application with Swift and this application has a web client that's using Microsoft Azure services. I want to add sign-in and login functionality to the application using Microsoft Azure. I am not using any cloud applications or services. I will just have simple forms for signing up and logging in. I want to be able to save user credentials to authenticate and authorize them when they are using the application. I tried reading over their documentation and it seems to me that I need to use Azure Active Directory, but I am not clear on that.
I am fairly new to Microsoft Azure. Can anyone clarify to me if I can use it and provide resources on how to do that?
The simplest way to implement that is to use Azure Mobile Apps - it is a backend-as-a-service. You are able to connect your backend with the authentication providers of your choice - Facebook, Azure Active Directory, custom provider, etc. Then, when a user tries to authenticate, all of the authentication code will be handled by the cloud platform - the user will enter his credentials, these will be sent to the auth provider and, if they are valid, it will send back the auth token that you will be able to use in your app to get his information, etc.
Here is the tutorial for Mobile Apps for iOS.
Or, you may use Azure Active Directory directly as a provider (it will serve as a catalogue of your users), using that tutorial or the samples from the official library. But I would highly recommend looking at Mobile Apps as it is the fast and simple way to implement what you need.
We are trying to build an ASP.NET MVC 5 web application where two types of users can log in. We have some clients who use Google Apps and others who use Office 365. Here we already know which client uses what service.
The way users login to our website should be as follows:
User sees a page where user has to select their company name from a drop-down.
Depending on the company name the user chooses, s/he should be redirected to that particular SSO login page.
After authentication, the user shall return to our website, and be considered as authenticated.
Depending on the service they use, we are also planning to leverage their APIs, like Calendar, Notes, etc.
I searched a lot but found nothing/irrelevant in this regard. Please help.
If you want to implement this on your own, here are some tips from my experience:
Office365 (which is based on Windows Azure Active Directory) speaks a protocol called WS-Federation with SAML tokens. To this moment, there are libraries for various platforms and languages.
Google Apps is easier than Office365 since you have to use plain Google OAuth. One thing that might help you is that you can force the domain of Google Apps when doing the authentication by using the querystring parameter "hd" like "?hd=x.com". See this answer and the comments.
What you are trying to do is not impossible, but it requires some work and understanding all the protocols.
Another option is to use an authentication broker like Auth0. Your application sees Auth0 as an OAuth provider and you can connect to your customers' Google Apps and Office 365 from the dashboard or from an API, which means that you can easily automate on-boarding customers. After you create the connection, Auth0 will give you a link that you need to give to your customer so they can grant consent to your app to use their directory. From the client side perspective, you can achieve the combobox UI you describe by using auth0.js as follows:
    var auth0 = new Auth0({
      // settings provided by Auth0
    });
    var combo = $('#company-combo');

    // load the company combobox directly from Auth0's list of connections
    auth0.getConnections(function (err, connections) {
      if (err) { return console.error(err); }
      connections.forEach(function (c) {
        $('<option>')
          .attr('value', c.name)
          .text(c.name)
          .appendTo(combo);
      });
    });

    // trigger login with the connection the user picked
    $('.login').on('click', function (e) {
      e.preventDefault();
      auth0.login({
        connection: $('option:selected', combo).val()
      });
    });
Once the user logs in, your application will get a profile. This profile has a property that indicates the connection/company.
Auth0 also provides a unified API to query/search users; in these two cases it uses the underlying directory, but again you get the same profile representation.
Disclaimer: I work for Auth0.
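Added example (not code from either answer, Auth0 or Google) for the Google Apps branch of the drop-down flow: the "hd" querystring parameter mentioned above is sent when building the authorization URL, and, because it only steers Google's account chooser, the returned ID token's hd claim is compared against the company the user selected before the user is treated as authenticated for that company. The company table and client details are constructed placeholders; signature, issuer, audience and expiry validation of the ID token is assumed to be done by the OAuth library.

```javascript
// Constructed mapping from the drop-down choice to the customer's identity
// provider. Only the Google Apps branch is shown here.
const COMPANIES = {
  fabrikam: { provider: 'google', hostedDomain: 'fabrikam.com' },
};

// Builds the Google authorization URL. "hd" only steers Google's account
// chooser toward that domain; it is a hint and must not be trusted on its own.
function googleAuthUrl(clientId, redirectUri, state, hostedDomain) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: 'openid email',
    state,
    hd: hostedDomain,
  });
  return 'https://accounts.google.com/o/oauth2/v2/auth?' + params.toString();
}

// Runs after the OAuth library has validated the ID token's signature, issuer,
// audience and expiry (assumed). Without this check, any Google account could
// complete the flow and be treated as a member of the selected company.
function isMemberOfSelectedCompany(idTokenClaims, companyKey) {
  const company = COMPANIES[companyKey];
  if (!company || company.provider !== 'google') return false;
  if (idTokenClaims.email_verified !== true) return false;
  // Consumer Google accounts carry no hd claim at all.
  if (typeof idTokenClaims.hd !== 'string') return false;
  return idTokenClaims.hd.toLowerCase() === company.hostedDomain.toLowerCase();
}
```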
You can use Windows Azure Active Directory ACS as a broker. From MSDN: Windows Azure Active Directory Access Control (also known as Access Control Service or ACS) is a cloud-based service that provides an easy way of authenticating and authorizing users to gain access to your web applications and services while allowing the features of authentication and authorization to be factored out of your code. Instead of implementing an authentication system with user accounts that are specific to your application, you can let ACS orchestrate the authentication and much of the authorization of your users. ACS integrates with standards-based identity providers, including enterprise directories such as Active Directory, and web identities such as Windows Live ID (Microsoft account), Google, Yahoo!, and Facebook.
This blog provides detailed steps on how to set up ACS.
This article explains how to use ACS in ASP.NET MVC.
I'm looking for some guidance on what people think are the best set of technologies to use. We are looking to create a web portal to allow customers to register/login with standard credentials or their social accounts (Google, Twitter etc).
Once they are registered and logged in to the portal they can access our different web apps which will know who they are and what permissions they have based on a token. We will also need to secure a set of web APIs using some sort of OAuth mechanism, so the user would possibly create an account on the web app and then create an application which would give them the keys they need to access the API from their own app.
We have a basic portal app using MVC 4 and DotNetOpenAuth which allows a user to create an account and login with either a username and password or their Google, Facebook account etc.
The APIs would be MVC 4 Web APIs
Ideally the whole setup needs to be as simple as possible. I've briefly looked into using Windows Azure Access Control (ACS) as a way to cut out some of the heavy lifting, but it's hard to tell where exactly it all fits together.
Currently we run an ADFS 2.0 server and WIF to allow web login to our apps, but it doesn't seem like it would be an ideal choice when integrating the social login and for securing the web APIs.
I guess it could be two quite separate parts: once they are logged into the portal, how would we go about providing some sort of claims token to the other apps they then access, so those understand who the user is and what they are allowed to do? And maybe the web API authentication/authorisation is its own entity?
Thanks for your time
We ended up using the built-in MVC 4 login system and also added JWT token support. When a user is logged in, a JWT token containing their claims is stored as a cookie. This is then automatically passed around our sites on the same domain by the browser; when the web API is called from JavaScript it checks for the token in the headers sent by the browser and either validates it and returns the correct data or returns an unauthorised response.
It doesn't cover all the bases, we can't give trusted third parties access to our web services yet
I'm working on an application which allows data entry and display from both a Windows Phone application and an MVC 3 web interface. Data access for the phone client is via authenticated WCF services hosted in the MVC 3 application. Users will be tracking information which is unique to them, so the service will only show me data which I have entered.
What is the simplest way to handle identity in this scenario? I'd thought of using Windows Live ID, since the phone application has access to a Windows Live Anonymous ID property. However, from what I can tell there's no way to allow for a web-based Windows Live sign-in which gives me the same Windows Live Anonymous ID - Windows Live Messenger Connect login gives me a site-specific unique ID, which would be different from the phone client's Anonymous ID.
Alternatively, I could use Facebook authentication on both client and phone with Facebook SDK. My concern there is in securing the service calls. I'm thinking that the first time a device connects with the service with a Facebook ID, the server issues it a key, and both the Facebook ID and the server issued key are required for service access.
Thoughts on the above? Is there a simpler solution that I'm missing?
Dear Jon,
I have no experience in WP development, but I have done a little search on WCF auth for a couple of days recently and found out that the apiKey auth is nearly the best way for me. Rob Jacobs has explained how it works in this article:
http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx
An alternative to an API Key is to use claims based identity and security tokens. You could use the Windows Azure Access Control Service as a trusted issuer of security tokens, with the value add that it comes pre-configured to use LiveID, Facebook, Google, any OpenID and any WS-Federation identity provider. Both the web site and the web service would trust ACS.
ACS will give you SAML tokens for the web site (allowing your users to login to it with LiveID, Google or FB).
ACS can also issue Simple Web Tokens (SWT), which are especially neat for REST services (assuming the phone client uses that).
You can't use the LiveID associated with the phone in your app, but you can still use LiveID (or any other identity provider). This is an example of how to do it. It uses the common approach of embedding a web browser in the phone app and using it for all security token negotiation.
Using ACS gives you a lot of flexibility without all the complexity. Making a web site "claims aware" and trusting ACS is very straightforward. More samples here: http://claimsid.codeplex.com
If you need to link the Phone to a user on the MVC site you could do what Netflix and Amazon do for Roku and other devices and have some sort of an activation process. To make it easier you could use a QR Code or some other type of barcode generated by the MVC site, have the user take a picture of it, and process the image using the Silverlight ZXing Barcode Scanning Library. Probably a bit convoluted, but it works for all the set top boxes.