The authentication tag has no wiki summary.
0 votes · 0 answers · 16 views
What should my redirect URL be for OAuth2.0 in Azure if my application is a local windows application?
I am setting up OAuth2.0 on Azure. I am at the stage where I have been allowed access to the application and a Code has been returned in my redirect URL. My application is a local windows application. ...
0 votes · 0 answers · 24 views
When are request headers read by ASP.NET code
I've got an issue with my MVC 4 website where iOS Safari is automatically sending the DNT header with the first request to the site. Here's my question on StackOverflow. Even though the iPhone has the ...
2 votes · 1 answer · 47 views
Security Pattern to store SSH Keys
I am writing a simple flask application to submit scientific tasks to remote HPC resources. My application in background talks to remote machines via SSH (because it is widely available on various HPC ...
0 votes · 0 answers · 53 views
How is Devise's secret_key used? [migrated]
I've been using Devise for a while now and have wondered how the secret key is used. I looked through the source for references to secret_key, but it wasn't clear to me exactly what we do with it. It ...
0 votes · 2 answers · 31 views
Separating roles authorization and database
Something really bothers me about the way authorization tends to be done with roles in ASP.NET MVC.
The way it is normally done is that you have a Users table and a Roles table. A User can have many ...
0 votes · 0 answers · 31 views
If OWIN is used on PC and Mac (Mono), then what is the abstraction for claims and authentication?
If the PC implementation of OWIN is Katana, and OWIN doesn't define authentication abstractions, (or authorizations)* then:
What is the abstraction for Authentication (cookies, forms, OAuth, SAML, ...
0 votes · 0 answers · 54 views
Best practice: Secure Android app online authentication
Currently, I develop an Android App needing online authentication for login (and registration).
The main focus is on security. I'm aiming for:
keeping the users’ passwords safe and
preventing MITM ...
1 vote · 1 answer · 65 views
Testing for Authentication loop holes / bugs
We've got a web application which is 99% complete prior to public beta; we're currently securing the site from a security perspective, locking down the server, db etc. One thing I'm concerned about but ...
1 vote · 1 answer · 49 views
Authentication strategy for mobile app with backend app using bcrypt [closed]
I have a backend app in node.js which implements user management, and it uses bcrypt to handle the password. So the password is stored in a single field using a format like ...
1 vote · 2 answers · 115 views
Should all HTTP requests including credentials be made using a POST even if it is actually just a request for data?
Assume there is a request which is going to look up a list of items from a service which requires authorisation (e.g. it's behind a Basic Authentication domain). If the service didn't require ...
0 votes · 0 answers · 48 views
Token based authorization for a web game
I am lead developer for a multiplayer game in a small startup company. I would like to present here my solution for token based authentication and hear your opinions about possible weak spots. I am ...
0 votes · 0 answers · 12 views
Mobile application: What should be the server authentication strategies?
I am developing a mobile application for the first time and have some confusions around it.
What I plan to do?
The iPhone application will have Sign in with Google where user will authenticate on ...
1 vote · 1 answer · 69 views
Is OAuth suitable for this scenario?
I need to create a simple web application for tracking expenses, with some basic actions (user must be able to create an account and log in, list expenses, edit them, etc) with a REST API for each one, ...
1 vote · 0 answers · 196 views
ASP.NET MVC WebService - Security for Industrial Android Clients [closed]
I'm trying to design a system that will allow a bunch of Android devices to securely log into an ASP.NET MVC REST Web service.
At present neither side are implemented. However there is an ASP.NET ...
1 vote · 0 answers · 115 views
How to authenticate user on php and Node.js
I'm currently developing a little chat page. The main page and user management is written in php and also all the authentication stuff with sessions.
Now I'm planning to run the messaging stuff on a ...
1 vote · 0 answers · 136 views
Authorization and Authentication using multiple types of authentication in MVC
Currently I am managing a team where we're building a new SaaS application.
The way it is currently structured is that we have a solution that has our business logic and data, and a solution that ...
0 votes · 1 answer · 104 views
Is it a good practice to decouple the membership system?
Currently I'm developing a project that basically is built with ASP.NET Web API. The membership system I'm using is ASP.NET Identity. The only problem I'm seeing with this is that the membership ...
1 vote · 1 answer · 74 views
Implicit OAuth2 endpoint vs. cookies
I currently have an app which basically runs two halves of an API - a restful API for the web app, and a synchronisation API for the native clients (all over SSL).
The web app is completely ...
1 vote · 1 answer · 553 views
Most Appropriate Authentication Type for MVC5 project
I am about to start a new ASP.NET MVC5 project and I am planning the authentication / authorization requirements at present.
The client wants Windows authentication, to prevent their users having to ...
0 votes · 1 answer · 60 views
Flexible authorization design in ASP.NET pages?
I'm developing an ASP.NET webforms application with pages which displays information based on the authorization level of the authenticated user (very typical). I will write a simple example of the ...
1 vote · 1 answer · 81 views
How to make sure that reported issues are not caused by wrong credentials or typos of the client? [duplicate]
I have found myself a few times in the situation where a client reports an issue like 'I can no longer login to my account'.
Sure enough when trying to login with the client's credentials myself ...
1 vote · 3 answers · 238 views
Authentication with If/Else
For keeping the "Administration Panel" secure to those who are logged in, for my web application, is the best practice to use an If/Else Statement?
if($_SESSION['logged_in'] == true) {
include ...
1 vote · 6 answers · 427 views
How to distribute, one virtual token to each person in this world, and make sure nobody gets more than one? [closed]
How to distribute, one virtual token to each person in this world, and make sure nobody gets more than one?
In other words, how to prevent a user from creating more than one user account in a site?
...
4 votes · 1 answer · 113 views
Can someone explain the behind-the-scenes process of connecting an app account to a Facebook account?
I am developing an app that will use the Twitter and Facebook login APIs exclusively.
Suppose a new user downloads the apps and is presented with the option to log in through Facebook or Twitter. The ...
-3 votes · 1 answer · 146 views
Can one determine the creation date of an email account?
Is it possible to determine the creation date of the email supplied with the authentication process flow; Or at least determine that the email was/was not created the same day as signup (or ...
1 vote · 0 answers · 48 views
How to handle static-ish content from a CDN with authentication?
I have a website that allows user uploads of content. Part of the design, to date, involves storing the user content on a NAS that has been configured with a separate app pool in IIS that has ...
0 votes · 1 answer · 123 views
How to manage multiple database credentials across multiple projects
We have 10 separate projects that all access the same database. Initially, all 10 projects had database credentials hardcoded into them. I decided to move the credentials into a utility method and ...
0 votes · 0 answers · 59 views
How to have my callbacks authenticated in a REST app?
I'm developing a REST application and I allow my clients to authenticate in several ways (typically using Authorization: Token ... as in OAuth 2.0, but also there's session-based auth option for the ...
1 vote · 0 answers · 51 views
How do I authenticate users from facebook/twitter?
I need to build a site for a mobile app that allows users to sign in with facebook/twitter or sign up as a new user (traditional username/password).
No matter which method the user chooses, they ...
6 votes · 2 answers · 1k views
Best way to hide API key in source code
I need some ideas on how to protect a private API key in an application, specifically in a c# .NET application.
Firstly, I understand that it is theoretically impossible to hide anything in the ...
-2 votes · 3 answers · 111 views
Why does basic HTTP authentication always speak of a username
In RFC 2617 HTTP Authentication: Basic and Digest Access Authentication they speak always of username and password for the authentication.
Why should I choose to take a username as identifier for a ...
0 votes · 1 answer · 173 views
Why can't we use unique identifier as combination of email and password? [closed]
To prevent email conflicts in an authentication system we can surely choose the email and password combination as the unique identifier.
What can prevent me from building an authentication system by treating the unique ...
4 votes · 3 answers · 162 views
Kerberos web authentication
I've developed an internal single-page web-app (unix, apache & postgresql) protected by a simple login page. Currently, the users have their own login role with a password.
This is starting to get ...
1 vote · 1 answer · 210 views
What kind of user authentication do I need for a RESTful web API
I am doing a restful web api with asp.net Web API 2
I do not want to use any form of cookies or basic authentication (send user/pass in cleartext thus SSL needed)
I do not use/need claims stuff.
I ...
0 votes · 2 answers · 170 views
Limiting certain functionality to development environment only [closed]
I intuitively think that an application should be exactly the same in DEV, QA, and PROD environments. However, I have been asked to add a feature to an application that will only be available in DEV ...
1 vote · 2 answers · 269 views
Is double password protection safe for admin authentication?
I was looking at some of my past codes, and I viewed one of my admin boards I've made. I had it setup so that the admin has to define/enter 2 passwords for his account.
Is this really double-safe or ...
2 votes · 0 answers · 140 views
Facebook authentication with an Authoritative Server for a Flash Game
I'm working on a multiplatform game in Flash. This game utilizes Photon Server for authoritative physics and user statistics tracking. I'm looking to leverage Facebook authentication as an alternative ...
1 vote · 1 answer · 333 views
Is it an implementation of a stateful mechanism for Rest API authentication?
In many articles about Rest API's best practices, it is recommended to not depend upon sessions on server side since it leads to a stateful mechanism.
I currently use Play 2.2 framework, with a ...
0 votes · 1 answer · 53 views
Identifying how server is authenticating users
I'm trying to build a bot that will parse the list of classes offered by my university and let me know when the one I'm looking for is open. The problem is that in order to get to the ...
0 votes · 0 answers · 52 views
Validating time-limited HMACs
I'm exploring using HMAC style secret-key authentication with timestamp expiry, but am struggling to get my head around how you validate the timestamp portion.
On the client side you would do:
...
5 votes · 1 answer · 2k views
Authenticate native mobile app using a REST API
I'm starting a new project soon, which is targeting mobile application for all major mobile platforms (iOS, Android, Windows). It will be a client-server architecture.
The app is both informational ...
2 votes · 1 answer · 229 views
Approach to Authenticate Clients to TCP Server
I'm writing a Server/Client application where clients will connect to the server. What I want to do, is make sure that the client connecting to the server is actually using my protocol and I can ...
0 votes · 0 answers · 307 views
Is this a secure solution for RESTful authentication?
I need to quickly implement a RESTful authentication system for my JavaScript application to use. I think I understand how it should work, but I just want to double check. Here's what I'm thinking -- ...
0 votes · 0 answers · 102 views
Problem with OAuth2 authentication process and session persistence
We're using node-oauth2-provider as an authentication library for our service. The current process for a user to log in is:
POST /oauth2/access_token
Which creates and saves the access_token to the ...
1 vote · 2 answers · 66 views
Authentication at my web site using other credentials
Suppose there are 2 web site: example.com I don't own and example2.com I own. I want to extend the functionality of example.com somehow.
example.com doesn't have any API. I want the users of ...
2 votes · 1 answer · 340 views
Implementing User Authentication on an N-Tier Web Application
I appreciate all help and feedback. Parts bolded are critical parts if this is too verbose. Perhaps it will help to mention I am a green developer. I have found some useful info from related ...
0 votes · 0 answers · 1k views
How secure is this way of authenticating an ASP .NET Web API - creating your own tokens?
http://www.codeproject.com/Articles/630986/Cross-Platform-Authentication-With-ASP-NET-Web-API#_rating
The above link shows exactly how I want to go about authenticating against an ASP .NET Web API. ...
2 votes · 4 answers · 802 views
Authenticating users for a website
I'm working on a website and I want to validate that an individual is an employee at one of a large number of companies (probably using their company's email address, which I don't know before hand). ...
1 vote · 0 answers · 118 views
How to evaluate Secure Authorization for server to client
I have a customer that wants me to build a web portal (Asp.net 4.0) that will communicate with a desktop client, tablet and/or smart phone (e.g. iOS and/or Android).
I was thinking of using oAuth ...
19 votes · 4 answers · 2k views
How should I architect a RESTful webservice to use 3rd party (i.e. Google, Facebook, Twitter) for authentication?
For my job we have a nice RESTful webservice we've built out that we use to drive a couple websites we have. Basically the webservice lets you create and work with support tickets, and the website is ...