I am making a Rails site that lets people sign in, only using Omniauth authentication with Facebook. No passwords are entered into my site. Is it still beneficial to have SSL on my site? Or does the Facebook authentication route pretty much take care of that? I know SSL is required for Facebook apps/sites that appear in FB, and that is NOT my case.
I know it will work, just like I can have a login screen with email/password without SSL. It will work, but it's not exactly secure. I'm looking for a recommendation... if I don't have SSL on my site, what info is passed that would not be secure? And is that info worth having my own SSL certificate to hide it from anyone watching?
Partial answer: It will work fine without SSL even if your app user has secure browsing enabled.
its an ipage, when browsed via HTTPS it displays an error
Related
From various googling and reading https://www.jhipster.tech/security/#oauth2 , I gathered that in order to have mobile/social integration with JHipster generated app I should use OAuth2. Am I right to think this way? (I can't seem to find a clear cut answer to this)
I created a new application with JHipster v5.1.0 with OAuth2 enabled. I noticed a couple of features missing with regards to user management. Below are my questions.
How does a new user register a new account?
How does a user change password / reset forgotten password?
Hopefully someone with experience on the above can help clarify.
Thank you in advance.
For social login, yes your best option is OAuth 2.0. You can use JWT for mobile development with React Native (via JHipster Ignite) and Ionic (via Ionic for JHipster), so it's not necessarily required for mobile.
For user registration and change password, you'll need to enable those options in Keycloak or Okta. This blog post shows you how.
To summarize:
For Keycloak, you can enable registration by navigating to http://localhost:9080 and click on Administration Console. Login with admin/admin and click on the Login tab. This screen allows you to enable forgot password, remember me, and verify by email as well.
To enable self-service registration in Okta, you’ll need to navigate to the Classic UI from the Okta Developer Dashboard. There’s a link to toggle between the two in the top left corner of your screen.
Then navigate to Directory > Self-Registration and click Enable Registration. Set the default group to ROLE_USER, the Default redirect to a Custom URL with http://localhost:8080 as its value, and click Save.
NOTE: If you get an error that says 'http://localhost:8080' is not a valid redirect URI, it’s because you need to add http://localhost:8080 as a trusted redirect under Security > API > Trusted Origins. After making this change, navigate to Directory > Self-Service Registration and edit the settings to configure the custom URL again. It should work this time.
I'm building an iOS app with Rails on the back-end.
The Rails application uses Devise for authentication and I want to use the same service for the authentication on the iOS app. Is there any way that after authenticating, keeping the session even after the app restarts, so that it goes straight to the content of the app instead of the login screen?
I've looked around, but haven't found a clear answer.
Thanks on advance!
One solution could be to extend the existing devise models and controllers to also handle a token based authentication system. Based on the request type html or json, the app can choose to authenticate a user either by the authentication token and email or a combination of username/email and password.
The authentication token could could be saved on the client side and reset only when the user logs out.
I was recently working on the same problem and found these sources to be extremely useful.
https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
http://www.soryy.com/blog/2014/apis-with-devise/
https://github.com/lynndylanhurley/devise_token_auth
Let's say I have the following sites: ClientSiteA.com, ClientSiteB.com, ClientSiteC.com, MainServer.com
I am distributing a software to client sites. Anyone will be able to install the software so a site can not be considered trusted. MainServer.com will contain user information.
Users will interact with the software on client sites. A user will be able to click a login link on any client site which will bring up a popup. The popup can reside on MainServer.com. When a user logs in on any client, they will be logged in on ALL client sites as well as the MainServer.com. Remember, MainServer.com contains all user information.
I've done a lot of reading on SAML and OAuth2. Can someone tell me what is possible? If it is possible, which tools/workflows should I use? If this isn't possible, can someone tell me something I can accomplish that is similar to this?
FYI - I am trying to accomplish something like what Disqus does. If you login to Disqus on any site, you are logged into all the sites.
You can accomplish this with SAML, although it will involve browser redirects not popups.
The first time use hits a protected site (ClientA) it redirects to MainServer.com. The user logs in, MainServer gives them a session and redirects them back to the service provider with a SAML authentication statement which then lets them in.
When the user then visits ClientB.com, it also redirects to MainServer.com for authentication. Because the user is already logged at MainServer it can invisibly bounce them straight back to ClientB.com with a new authentication statement. The user barely if at all notices.
The problem with the pop-up window approach is that users have to give their credentials for site A to site B. This is a big security hole if site B isn't owned and controlled by Site A. Users should only give their credentials to the site that is authenticating them to prevent them being compromised. SAML and other federated/distributed auth mechanisms were designed with that in mind. I wouldn't want to give the keys to my email account to random sites on the internet but with this method I can log into stackoverflow with my gmail account.
My team has developed an app using RoR. We're using devise gem for authorization. The problem is that the user session remains https even after a user signs out. This is causing some problems with varnish.
Could someone please point out how can I change it so that the session is http instead of https after logging out.
Thanks
Ok this is something weird. I got authlogic-oid installed in my rails app today. Everything works perfectly fine but for one small nuisance.
This is what i did:
I first register with my google openid. Successful login, redirection and my email, along with my correct openid is stored in my database. I am happy that everything worked fine!
Now when i logout, my rails app as usual destroys the session and redirects me back to my root url where i can login again. Now if i try to login it still remembers my last login id. Not a big issue as i can always "Sign in as a different user" but i am wondering if there is anyway to not only logout from my app but also logout from google.
I noticed the same with stack overflow's openid authentication system.
Why am i so bothered about this, you may ask. But is it not a bad idea if your web apps end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his google account only to realize later that his google account had got hacked by some unworthy loser who just happened to notice that the one before him had not logged out from google and say.. changed his password!!
Should i be paranoid? Isn't this a major security lapse while implementing the openid spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented openid in their apps and not implemented a workaround?
If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful log out reminding the users that their session is still valid on their OpenID provider.
As for Google's OpenID, what you can probably do is redirect users through the following URL after
http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F
Afaik, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for it's own business. As a user, I'd be very surprised if a website using openid could log me out of my google account.
Yes, there is a scenario that a user can assume that they are logged out of google because they logged out on your site but that would (and should) be their own fault.