I can't seem to logon to the FogBugz v8 API with my credentials. Our system is setup to use Active Directory.
Does it not allow this?
Finally figured this one out!
When calling the API YOU MUST URL ENCODE ALL THE URL PARAMETERS!!
In my case I wasn't encoding the username (my email) and password (lots of goofy characters)
ONE MORE NOTE: You must URL Encode the API Token as well.
Related
To be clear this question relates to v2.0 of the Azure AD API.
I've configured an allowed redirect url in the Application Registration Portal as http://localhost:3000 (I've also tried http://localhost:3000/_oauth/azureAd).
Yet, when requesting an authorization code, providing a redirect_uri containing a query string causes authentication to fail with the error:
The reply address 'http://localhost:3000/_oauth/azureAd?close' does not match the reply addresses configured for the application.
It appears as though query strings are not ignored when matching a valid redirect URL. This is a problem as the Application Registration Portal won't allow you to enter redirect URL's with query strings!
I am in the process of writing an accounts package for Meteor to support v2.0 of Azure AD and this is a requirement for Meteor OAuth packages to function correctly.
The ideal solution I imagine is that query strings are ignored when validating redirect URL's
The Application Registration Portal doesn't support the a query string and invalid special characters.
As a workaround, you may create several redirect URL instead of using the query string. But would you mind sharing the reason why you need to use the query string in URLs?
You can avoid Meteor appending ?close to the redirect_uri by specifying a loginStyle configuration option. See: http://docs.meteor.com/api/accounts.html#Meteor-loginWith
Explained here (snippet below): https://github.com/meteor/meteor/blob/abd574f38008b45f5e2a6bc322b10bcdde44763a/packages/oauth/oauth_common.js#L3-L8
// XXX COMPAT WITH 0.9.0
// The redirect URI used to have a "?close" query argument. We
// detect whether we need to be backwards compatible by checking for
// the absence of the `loginStyle` field, which wasn't used in the
// code which had the "?close" argument.
My team are coding a web app, which include a server and a client, I think it's obviously not advisable to send user's uid and password to server every request from client.
I am looking for a good choice to deal with this, maybe something like Oauth, is there any efficient approach?
For example, a user with username lyj and password 123456 request login from my client app, the server should check if it is permissible, after login success, the client can send more request to get other resource from server.
My problem is that, except userid and password, is there a way between server and client to make sure who is this guy, is there any suggest to transmit a access token between server and client?
Without much information on your platform and technologies I can only attempt a generic answer. There are several ways in which you can generate a token depending on how you want to use it. MD5 is a well established algorithm and you can use it to generate a oth token using something like username and email etc. Remember that you cannot decrypt MD5 string. So to do any kind of verification you will have to recreate the string using original parameters and then perform a check. If you want a hash that you can reverse you can look at something like base-64.
Both MD6 and base-64 are easily available as libraries in any back end you may be using.
* UPDATE
Looking at your comments that you are working with a stateless client, here is a possible approach to using tokens.
Client performs login for first time. (preferably HTTPS)
Server performs validation and generates a token using MD5(or any other of your choice) using (username+email+ip_address+time_stamp) and sends it back to client
Server creates a new session for this client in the table in the database using userID , ip_address and, time_stamp
Client passes this token back for any future requests.
When client passes the token , server retrieves the session from the database and generates the MD5 hash and compares it with the token client sent. If its the same you are good.
You can also use the time-stamp value a validity window for your tokens so they are not valid forever. Also its impossible to recreate this token unless someone can create the same MD5 hash at the same time down to milliseconds
Modern web application containers have embedded the session tracking functionality. Of course there is always the choice of cookies. Its up to you what to implement...
I have to implement a web site (MVC4/Single Page Application + knockout + Web.API) and I've been reading tons of articles and forums but I still can't figure out about some points in security/authentication and the way to go forward when securing the login page and the Web.API.
The site will run totally under SSL. Once the user logs on the first time, he/she will get an email with a link to confirm the register process. Password and a “salt” value will be stored encrypted in database, with no possibility to get password decrypted back. The API will be used just for this application.
I have some questions that I need to answer before to go any further:
Which method will be the best for my application in terms of security: Basic/ SimpleMembership? Any other possibilities?
The object Principal/IPrincipal is to be used just with Basic Authentication?
As far as I know, if I use SimpleMembership, because of the use of cookies, is this not breaking the RESTful paradigm? So if I build a REST Web.API, shouldn't I avoid to use SimpleMembership?
I was checking ThinkTecture.IdentityModel, with tokens. Is this a type of authentication like Basic, or Forms, or Auth, or it's something that can be added to the other authentication types?
Thank you.
Most likely this question will be closed as too localized. Even then, I will put in a few pointers. This is not an answer, but the comments section would be too small for this.
What method and how you authenticate is totally up to your subsystem. There is no one way that will work the best for everyone. A SPA is no different that any other application. You still will be giving access to certain resources based on authentication. That could be APIs, with a custom Authorization attribute, could be a header value, token based, who knows! Whatever you think is best.
I suggest you read more on this to understand how this works.
Use of cookies in no way states that it breaks REST. You will find ton of articles on this specific item itself. Cookies will be passed with your request, just the way you pass any specific information that the server needs in order for it to give you data. If sending cookies breaks REST, then sending parameters to your API should break REST too!
Now, a very common approach (and by no means the ONE AND ALL approach), is the use of a token based system for SPA. The reason though many, the easiest to explain would be that, your services (Web API or whatever) could be hosted separately and your client is working as CORS client. In which case, you authenticate in whatever form you choose, create a secure token and send it back to the client and every resource that needs an authenticated user, is checked against the token. The token will be sent as part of your header with every request. No token would result in a simple 401 (Unauthorized) or a invalid token could result in a 403 (Forbidden).
No one says an SPA needs to be all static HTML, with data binding, it could as well be your MVC site returning partials being loaded (something I have done in the past). As far as working with just HTML and JS (Durandal specifically), there are ways to secure even the client app. Ultimately, lock down the data from the server and route the client to the login screen the moment you receive a 401/403.
If your concern is more in the terms of XSS or request forging, there are ways to prevent that even with just HTML and JS (though not as easy as dropping anti-forgery token with MVC).
My two cents.
If you do "direct" authentication - meaning you can validate the passwords directly - you can use Basic Authentication.
I wrote about it here:
http://leastprivilege.com/2013/04/22/web-api-security-basic-authentication-with-thinktecture-identitymodel-authenticationhandler/
In addition you can consider using session tokens to get rid of the password on the client:
http://leastprivilege.com/2012/06/19/session-token-support-for-asp-net-web-api/
I generated my OAuth signature using twitter's own tool at https://dev.twitter.com/docs/api/1/post/statuses/update How do I use the "signature base string" and "authorization header" with CFHTTP to post a new status on my own twitter account. I'm not trying to access anyone else's account, just need to be able to post status updates to my own account. Your help is really appreciated.
Don't bother writing it yourself, use this: http://monkehtweet.riaforge.org/ its great I have used it many times for twitter integration.
If you want to write it yourself, you'll have to follow the instructions documented on https://dev.twitter.com/docs.
A signature is a serialization and encoding of all your request values in combination with a signing key. It's all very well documented at https://dev.twitter.com/docs/auth/creating-signature
You'll need the hmac-sha1 encoding to create a valid signature. If you're not using coldfusion 10, you'll need something like this: HMAC SHA1 ColdFusion
I am trying to write a script that will provide XML data to a third party client. I wish to require that all clients are authenticated in order to make use of the system.
Rather than using a bespoke authentication system, which would be overkill, I want client applications to just pass in their credentials via the url, such as http://myusername:mypassword#mysite.com/. This is not unlike how it is done in FTP.
I think this is possible using .htaccess, but when I do try it, I still get a dialog prompt asking me to login or confirm the credentials that I will be using to login. Is there a way that I can suppress this in the .htaccess or an alternative way of authenticating on the server?
This is probably a security fix of the Internet Explorer, which was introduced by Microsoft some years ago. If you retry it with Firefox, it should work.
If you want to allow the Internet Explorer to login via the given username and password, check out this Microsoft article on the theme, especially the workaround section. And btw, the url is supposed to be http://username:password#example.com (note the double-slash).
Also, please make sure your .htaccess is correct by entering your login-information in the credentials popup - you should be able to login anyways.