Authentication is the act of one entity proving its identity to another entity. Common examples involve public key cryptography. For example, proving that a banking web site actually belongs to the bank you think it does.
1 vote, 3 answers, 175 views
How to authenticate against an API?
In an enterprise distributed system, a user of a web portal can sign into one site, be redirected to a federation provider. Once they log in with, for example, a Facebook account, that user is ...
1 vote, 2 answers, 41 views
JWT based webservice authentication
I'm currently writing a web service that will be consumed by an android app.
To access user specific content, one must authenticate against the service.
Since I'm not (primarily) using a ...
5 votes, 1 answer, 94 views
Best practice to authenticate third party to a website?
I've a website built with ASP.NET, and it uses cookie-based Forms Authentication to protect itself from unauthorized access.
It also has a REST based API which uses API key based Authentication. (Key ...
2 votes, 2 answers, 109 views
Restful User/Password Authentication
I'm currently designing a REST-API with the following properties:
Backend for a single page application (Later Apps)
Integrated user database for each instance
HTTPS/TLS only
Authentication with ...
-1 votes, 2 answers, 188 views
The best shard key for user authentication
To access my API, a user should send a login and password and get a generated token for access.
Account
login
password
Suppose the size of account's table is very large. So large - so needs ...
0 votes, 0 answers, 21 views
MVC OAuth with keeping user logged in
I am creating a news site where one can add some news. Users will be registering with their Facebook accounts, like on this site. There will not be other types of users, just Facebook users. And I wish ...
5 votes, 2 answers, 121 views
Auth options for distributed systems
I am in the process of designing 3 components that will work in symphony with one another:
A RESTful web service which requires BasicAuth over HTTPS on all calls, and which is what actually does all ...
2 votes, 2 answers, 73 views
Authenticate in the Services? Or in an Endpoint that exposes the Services?
When I'm in charge, I typically model services separate from endpoints. For example: Company.Project.Domain.dll has all of the logic required to complete the services for that domain. In order to ...
1 vote, 0 answers, 25 views
Global Accounts in Multi-Tenant Authorization System
Our system is fundamentally a multi-tenant setup, where each client maintains a separate database with its own data and users. The authentication system on login issues an authentication token which ...
3 votes, 1 answer, 349 views
How would one go about creating a “Licence Key” for a distributable source-available Software project?
It has been a while since I have seen anything you can download which has to connect to license server in order to monetize a piece of software (and the last time I saw it, it went very wrong when the ...
0 votes, 0 answers, 13 views
Authentication structure for public area within admin dashboard?
I'm looking for input on how to organize the authentication scheme for a SaaS app where the application users offer a questionnaire to their customers.
The paying SaaS user needs to login in order ...
4 votes, 2 answers, 1k views
What .NET objects should I use to create a cookie based session in MVC?
I'm writing a custom password reset application that uses a validation technique that doesn't fit cleanly with ASP.NET Membership Provider's challenge questions.
Namely I need to invoke a workflow ...
0 votes, 0 answers, 163 views
SPA + Web API + Azure active directory: authenticating with graph API
I have an angular client app which talks to an ASP.NET Web API backend. I am using Azure Active Directory to authenticate users, and I have registered my Web API with my Azure AD tenant. I am using ...
1 vote, 0 answers, 196 views
LDAP Authentication with RESTFUL API
I am developing a RESTful API with Symfony2. (v2.6)
The front-end application is built with AngularJS. (v1.3.16)
I would like to install SingleSignOn Authentication with an Active Directory.
Both ...
72 votes, 8 answers, 32k views
Is browser fingerprinting a viable technique for identifying anonymous users?
Is browser fingerprinting a sufficient method for uniquely identifying anonymous users? What if you incorporate biometric data like mouse gestures or typing patterns?
The other day I ran into the ...
0 votes, 3 answers, 278 views
How can I reinforce that security questions answers should not be the same and how to encrypt?
When my users are creating an account they need to fill and set several security questions pertaining to their account. I am wondering, how can I make sure that the answer the user enters for each ...
0 votes, 0 answers, 181 views
Single sign-on flow using ASP.NET MVC + Active Directory
I'm looking into creating a single-sign-on portal built in ASP.NET MVC. This single sign on portal should give users the option to sign in with their individual account (which should be verified ...
1 vote, 1 answer, 220 views
Token based authentication and multiple sessions
I've a token-based authentication system (REST) that I inherited for an iOS app (can't change), and I have to re-use the same authentication web API system (that I can change to adapt for the web ...
4 votes, 1 answer, 615 views
How do you get the usernames/passwords onto a STUN or TURN server for long-term credential authentication?
The STUN and TURN specifications allow for client authentication using usernames and passwords, and call this authentication via long-term credentials. In fact, TURN requires that clients authenticate ...
1 vote, 1 answer, 291 views
What OpenID Connect flow is right for me?
Here's the deal. I have a .NET MVC5 web application that I'm moving up to the OpenID Connect standard.
I also would like to be able to access controller methods from a mobile app (much like an API) ...
3 votes, 1 answer, 180 views
JSON Web Token - why is the payload public?
I can't understand the reasoning for making the claims/payload of a JWT publicly visible after base64 decoding it.
Why?
It seems like it'd be much more useful to have it encrypted with the secret.
...
5 votes, 3 answers, 187 views
Multi platform password storage with retrieval for applications with authorization?
I'm working on a development tool that requires knowing one or more api passwords for a user to operate. Currently it works on Mac, and uses keychain to store the credentials for later re-use.
Are ...
4 votes, 5 answers, 572 views
Is restricting sessions to an absolute IP likely to have a wide impact on mobile networks?
Our website currently restricts a cookie-based session to the IP address that was originally sent the Set-Cookie HTTP header. In the past a user's IP would rarely change, so this didn't present much ...
0 votes, 0 answers, 67 views
Authenticating users of a Chrome extension against an ASP.NET MVC web application
I have a Chrome extension which is supported by an ASP.NET MVC web app as the back end. I want the Chrome extension user to log in through my web application and, once he is logged in, the Chrome ...
1 vote, 1 answer, 79 views
OAuth 2 authenticate with other authorization server
Let's assume I have a mobile app backed up by a server. The server is both an Authorization and Resource Server.
Now I want to enable users to register / login to the app using the Facebook API. After ...
0 votes, 1 answer, 64 views
Authenticating users across multiple web services
User details (name, address, etc) are stored across multiple sites that are vendor specific. For example, vendor A holds information concerning room bookings while vendor B holds information specific ...
0 votes, 1 answer, 85 views
Personal Digital Signatures in Web Applications [closed]
In order to sign data with a personal digital signature in a web application, server-side languages like PHP can do the whole job, but that would require that the user uploads his private key, let's say ...
0 votes, 2 answers, 111 views
Should a “secret access code” use the same security as a normal password? [closed]
Obviously, when you store a password, you should use something similar to bcrypt before you store it in the database.
But I have a client who wants to add the ability to add a "secret code" to ...
1 vote, 2 answers, 97 views
Should I specify the userId in the REST URL structure?
Basically, one feature of my app is to retrieve the logged user's friends.
Actually, I hesitate between both kinds of endpoints:
GET /api/users/friends
GET /api/users/:userId/friends
Using 1, ...
1 vote, 1 answer, 259 views
Should I store my user claims in the JWT token?
I am using JWT tokens in HTTP headers to authenticate requests to a resource server. The resource server and auth server are two separate worker roles on Azure.
I cannot make up my mind as to whether ...
3 votes, 2 answers, 124 views
Using Facebook to authenticate, how to link to user record in my app? Email?
I'm using Facebook to authenticate users. We also have conventional username/ password login and registration form too. Anyway, when a user chooses to login with Facebook, we use the following ...
2 votes, 0 answers, 158 views
OAuth 2 store access token vs verifying on each call
Let's say my Server is both Authorization Server and Resource Server.
My Client (for example a mobile app) can authenticate in 2 manners:
via Resource Owner Password Credentials Grant
via ...
1 vote, 1 answer, 81 views
Purpose of authentication on APIs?
After asking this question I found that I have a different question. What's the purpose of authenticating an API anyway?
Take Twitter for instance. If you want to use this link to load some user's ...
0 votes, 4 answers, 334 views
Identifying user of a webapp
For a small webapp I want to be able to identify a user.
The issue is, if the user cheats in some manner, I want to be able to forbid him the usage of my application.
I already have done extensive ...
3 votes, 0 answers, 76 views
Adding new service to authenticated website
So I've created an API that I want to leverage to add some functionality to an existing web app. My current website authenticates users using SAML. What I'm looking to do is instead of moving the code ...
3 votes, 1 answer, 100 views
How do you implement an active sessions system like LinkedIn? [closed]
With some platforms, like LinkedIn, you can see a list of all sessions where you are logged in, and you can even log them out from a distance.
How would you implement something like that? I'm not ...
1 vote, 2 answers, 330 views
Common techniques to integrate social media login to a website that requires account registration
I have developed websites where users would register with a username of their choice and an entry would be created in a database table that holds their username and some sort of salted password. They ...
2 votes, 1 answer, 894 views
In what situations will Windows-based authentication for my ASP.NET MVC web application fail to allow users to access the web application?
My requirements are:
To build an ASP.NET MVC web application to use Windows-based authentication, since all the users which will be accessing the application are our internal employees, and they ...
0 votes, 2 answers, 115 views
REST backend restricted access only for humans
I will design a REST backend that will work with my database. I want users to access this data by viewing my webpage (I will work with an MVC JS framework) without logging in.
At the same time, I ...
4 votes, 2 answers, 579 views
How to prevent third party misuse of what is intended to be a private api (avoiding what happened to Snapchat)?
I have never used Snapchat and do not intend to but I have been reading up about what happened to them with respect to the recent media coverage about pictures being leaked especially because I am ...
1 vote, 1 answer, 591 views
Implicit OAuth2 endpoint vs. cookies
I currently have an app which basically runs two halves of an API - a restful API for the web app, and a synchronisation API for the native clients (all over SSL).
The web app is completely ...
1 vote, 2 answers, 660 views
Is this a secure solution for RESTful authentication?
I need to quickly implement a RESTful authentication system for my JavaScript application to use. I think I understand how it should work, but I just want to double check. Here's what I'm thinking -- ...
0 votes, 2 answers, 2k views
Can one determine the creation date of an email account?
Is it possible to determine the creation date of the email supplied with the authentication process flow, or at least determine that the email was/was not created the same day as signup (or ...
1 vote, 0 answers, 127 views
Mutual Authentication in JSON or AJAX only?
AFAIK we must install the client certificate into the user's browser to connect with HTTPS sites using server certificates to have mutual authentication.
What about AJAX and JSON, can we connect to ...
1 vote, 2 answers, 149 views
When should I implement authentication in a database?
I'm currently embarking on a MongoDB project (a simple user login system), and I notice that there is an option for authentication. Here is the server string, with the userinfo shown as optional ...
1 vote, 0 answers, 40 views
Reliable way to generate a token in a SOAP webservice
A legacy SOAP service here at work uses token authentication. The flow is:
As a first step I call the startSession method passing username (say myUser) and password (say myPWD) as parameters. At this ...
3 votes, 1 answer, 231 views
Is my websocket session idea practical?
In a situation where all communication (including logging in) between a client (web browser) and server is done over a persistent TLS encrypted websocket, would there be anything inadvisable about ...
3 votes, 1 answer, 94 views
Is “friendly fire” session replay a valid concern?
I've been reading a lot about sessions and security, trying to learn as much as possible before writing too much code. I've read about limiting session replay by including a timestamp within the ...
0 votes, 1 answer, 396 views
Knowing who is the user in every request (every action, every view, every time)
I have many model classes that are mapped from/to tables using EF. Two of them are User and UserCookie, which are stored in tables Users and UserCookies.
public class User
{
public long UserId { ...
0 votes, 2 answers, 435 views
How does Facebook manage to allow a user unlimited sessions?
I could log in through the website, Android app, iOS app, and the browsers on mobile, and when I log out from one, it doesn't log me out of all of them. Traditionally, you would log out of all the services ...