Trust between 2 web applications - asp.net-mvc

We develop a web application that needs to integrate with another third party web application.
Let's call them MainApp and ThirdPartyApp.
There is a trust between our company and the third party app owning company, meaning we know and trust each other. Both apps will be administered by the same client.
Both applications have their own database of users and login mechanism.
Both applications are hosted on different servers.
We need both apps to be able to call each other (web pages and rest APIs).
All the communication between both apps must be seamless without interaction from the user.
So once a user is logged into one application, it shouldn't prompt another login to access the other application.
When a request is made to the other application, it should be able to map to a user in its own database.
So the request isn't made on behalf of the calling application, but on behalf on the user currently logged into the calling application.
If it can help, we agreed on using the same UserCode in both applications.
My question, what are the best practices to implement this kind of trust between 2 applications?
Is there an OAuth grant flow that fits this scenario?

You'll find examples of Single Sign On approaches online; one such example:
https://www.codeproject.com/Articles/1140228/Implementation-of-Single-Sign-On-SSO-in-ASP-NET-MV
In this approach, by having a common configuration in both applications, you can achieve what you are looking for. One of the requirements is to have the same machine key in the config (example from article):
<machineKey validationKey="E4451576F51E0562D91A1748DF7AB3027FEF3C2CCAC46D756C833E1AF20C7BAEFFACF97C7081ADA4648918E0B56BF27D1699A6EB2D9B6967A562CAD14767F163"
decryptionKey="6159C46C9E288028ED26F5A65CED7317A83CB3485DE8C592"
validation="HMACSHA256" decryption="AES" />
Obviously it goes without saying forms authentication is required. if users are on the same domain, potentially you could use windows/Forms Active Directory?

Related

Gmail API OAUTH2 verify Desktop application

At work we have developed an individual customer specific software application that is in use for a long time. We have a new requirement in this same program to implement an option for sending emails directly from the program.
The user is able to add his own email account with the credentials and login through our program. For Microsoft and Gmail accounts OAUTH is implemented and something here is not very clear.
For Gmail-API we have made an OAUTH Client and Consent screen on Google Cloud Console which we need to publish and verify and here is where the problems start. I am not very clear with the whole process of verifying the app.
In the steps for verifying is stated that we should verify a domain for the app, but this software is not hosted anywhere on internet and is not publicly available, it is available to a number of specific users (2000-3000).
Also Google requires a YouTube video of the software to be available publicly, which we are not able to upload because of customer requirements. Also here is required a Data Protection Policy page for the application which we as a developers don't have because we are only developing the software.
Other thing that is not clear to me, how is this type of software rated by Google, internal or public?
Have anyone experience with this or something similar?
Verifying an app for one of the Gmail scopes is a very complicated process. This process depends upon which scope of authorization you are requesting of the users.
In your case you are trying to send an email so you are using the users.messages.send method from the Gmail api. This uses a restricted scope. Which means you will need to go though the full process.
First of it doesn't matter if your application is hosted or not. It also doesn't matter that you give this app to a limited number of users. What matters is the scopes you are using.
You will need to ensure that your domain has been registered via google search console. So this app will need a domain
Once that is done you will be able to host your website, and the privacy policy on that domain.
You will need to create a YouTube video showing your application running, and how authorization is used.
You will also need to submit to a third party security checkup of your application which is not free and will need to be done once a year.
All of this is needed because of your consent screen it doesn't matter if its hosted any where, It also doesn't matter if this is only available to specific number of users.
If all of the users are part of a single google workspace account, that has created your client id and client secrete then you can set the app to internal and you wont need to be verified. This only works for google workspace domain accounts.

SSO WPF and SPA

I have a WPF application who uses the azure AD with open id to authenticate users and the WPF application then uses the refresh_token to renew the access_token and use that access_token to call our protected API.
I now want to create a SPA, is it possible to get SSO working between these two applications - so if the user is signed in on the WPF application they will automatically be signed in on the SPA application as well without the need to re-enter any credentials?
Absolutely, it will work, you just have to configure 2 applications. Actually it's what OAuth is used for.
The answer depends a little on how you have implemented things. In both cases the 2 apps will each do a redirect to sign the user in, and you need 2 different OAuth client registrations, as agua from mars says ...
OPTION 1 (PREFERRED) - DESKTOP APP USES SYSTEM BROWSER
This will enable SSO to work due to a shared Identity Provider cookie. Also, password autofill for one app will also work for the other app, so that re-logging in is not too painful. However, the Login UX is a little strange, since the user has to switch to the browser to sign in.
OPTION 2 - DESKTOP APP USES WEB VIEW
This is easier to code but can be more problematic in Login UX terms, since the web view acts as a private browser session, which may require the user to sign in again. Also password autofill may work less well.
ONLINE DEMO
To see both cases working together you could run both samples from my Online Quick Start Page. You can run the SPA from an online URL, but the desktop app is NodeJS based and needs to be run from your PC.
You will see that after logging into one of them, there is a redirect when starting the other, but authentication will be automatic.

User Authentication with Rails App

I have two Rails apps, and I would like to accept user login credentials from one app (say App A) in another (say App B). For the app that's accepting login credentials (App B), I think the best option is to use OAuth. But for the app whose user credentials are being used (App A), how do I allow the user's login information to be used by another site? Do I use OAuth as well, or something like Doorkeeper? As you can tell, I'm very new to user authentication, so any advice would be helpful!
One possible way to solve the problem is to create a doorkeeper-based standalone app that would contain all of a user's credentials. Then your client apps would actually connect with this "auth app" (using Oauth.) Then when the client is authenticated on the Auth App, they get returned to the Client app. Of course, from a UI perspective, you make this seamless, so your login page would actually be on this Auth app, but it would look seamless to the user. This way, you can add as many apps as you want and the credentials would all be in one place. To answer your specific question, you would use Oauth2 on your Client apps and Doorkeeper on your Auth App.
You'll need to tweak the doorkeeper configurations to make this process "clean" to the user. For example for internal apps, you can safely use the skip_authorization method in doorkeeper. Learn more about that here
This doorkeeper/oauth system has the added benefit of decoupling your authentication logic from your main application, which is fundamental to good Service Oriented Design. There are certainly other ways to approach this problem, but given the context of your question, yes, Doorkeeper and Oauth2 would solve your problem.

Using google/twitter/linkedIn authentication in iOS/Node application

I'm trying to work out the best architecture for a couple of apps I'm developing.
In both apps I want to utilise google/twitter/LinkedIn/etc to provide authentication of a users identity. The app is composed of an iOS app which has an option to send data to a server which I'm writing in node.js.
I want to utilise either OAuth or OpenId to handle identifying a user against the above servers so that I don't have to put in an authentication system of my own. In other words, allowing users to re-use their ids when choosing to upload data.
I should also note that apart from identifying a user, obtaining a name and email address, I have not intention of using any of their APIs at this time.
I think I have two options:
Place the Authorisation code in the iOS client and transmit some sort of key to the server with the data which it can then verify.
Keep the iOS client fairly dumb, and handle authorisation from the node server.
I'd probably prefer the second option because it means I could centralise authentication and be able to support a web site as well. That's my current theory.
Can anyone who has done something like this give me some pointers as to the pros and cons, OAuth or OpenId, or links to some examples?
In our previous app we opted for a combination of the two approaches. We wanted to centralize our user data on our server in the event we needed to make future API calls on those services. We also wanted the native oAuth experience for the user on the client. Ie: on Android and iOS, the developer can have single sign-on / authorization run through the native Facebook app (if available), vs. popping-up a webview that serves the 'Approve' dialog. It's a better user experience in my opinion. Also for Twitter, the oAuth process may require a PIN code to be entered in the callback which should probably be handled on the client side.
You can pass the access token retrieved by the client to the server for storage and later use if you intend on making additional API calls on these services, provided you expect the token to be long-lived (ie: offline-access permission on FB).
In any case this is mostly a user experience decision.

Securing JSON posts from PhoneGap

I am trying to develop my first PhoneGap application, using MVC.NET to serve the JSON to the application. I am though in doubt how I can secure the controllers on my MVC.NET application so only PhoneGap applications can post to my server.
I e.g. have a settings controller where the user can update his/her settings, but how would I make sure that no one tampers with it?
I had plans to use the deviceID as the userid, so the user doesn't have to create an account to login, but does this rule out the possibility to make it secure, since I don't Authenticate the user?
You need to use the same sort of authentication/authorization/security mechanisms that you would for any other web site. This means that authorization information shouldn't be passed in the clear (use SSL, encrypted cookies). You should choose authentication information that is difficult to guess or impersonate (user id/reasonable password; I'm guessing device id might be less secure if it's broadcast regularly). You could store this information on the phone, but with varying levels of security, i.e., if someone gets physical access to the phone it's likely that they would be able to access the credentials you store.
You might want to look at the security wiki for more detail/information: http://wiki.phonegap.com/w/page/43660891/Security

Resources