Authentication is the act of one entity proving its identity to another entity. Common examples involve public key cryptography, such as proving that a banking web site actually belongs to the bank you think it does.
0 votes, 0 answers, 28 views
Designing a greenfield HTTP/Web API - basics, authentication and session handling?
Disclaimer: There are some similar questions around, but so far none have really helped me get a clearer picture. And. Yeah. Already read about OAuth, Token-Based, etc. but I'm not able to fit this ...
1 vote, 0 answers, 56 views
Implementing software licensing
I have an unpoliced piece of software and I must implement some control over who can install it via licensing.
I already have an authentication server that implements OAuth 2.0 and OpenId that's used ...
0 votes, 0 answers, 16 views
Authenticate to a SQL Server with Active Directory credentials from a UWP app
I've been tasked to design an application and a database to store information our company's electricians have measured on-site. We need to save in our database who exactly did which measurement.
...
3 votes, 3 answers, 236 views
Modern recommendations for password recovery
I'm going to implement password recovery in my authentication. I haven't put this together in a while and am wondering if there is anything I ought to be aware of.
My idea at the moment is:
User ...
0 votes, 0 answers, 92 views
How to implement authentication between asp.net MVC application and Web API?
For an upcoming project, we have to build a secured web application with ASP.NET MVC. This web application will communicate with an ASP.NET Web API for all the CRUD actions.
The user will have an ...
0 votes, 2 answers, 35 views
Handling delay in entry of OTP for log in validation
There's an application, which accepts a user id and password to login. Validation of the id and password is processed by another system. Now after password validation, the application generates a One ...
0 votes, 0 answers, 28 views
“remember me” functionality but user database on another app on another sub-domain
I'm considering how to add remember me functionality to our app. However we have our app, and a separate app that handles authentication on another sub-domain. When authenticating from one of our ...
0 votes, 2 answers, 25 views
Secure authentication using JWT
I read about JWT and how they can provide secure authentication for calling api routes over http. I naively implemented it and here is how it goes:
a client posts username and password to a login ...
0 votes, 0 answers, 50 views
Is Shiro's use of Auth Exceptions an example of control flow? [duplicate]
In Java/OOP-land, it is a well established anti-pattern to use exceptions for control flow.
Apache Shiro is one of the standard Java security frameworks. When using Shiro, especially when ...
2 votes, 0 answers, 35 views
Client Browser, Node Server, Web API auth structure
I have a web API that accepts Authorization headers to allow access. It responds with the requested data in addition to setting a session cookie. Subsequent requests can be made with no auth headers ...
4 votes, 1 answer, 136 views
Filtering request and responses in RESTful MEAN stack
I have a very basic RESTful service written using the MEAN stack (MongoDb, Express.js, Angular.js, Node.js) and utilizing the Mongoose ODM.
Product schema
var productSchema = new mongoose.Schema({
...
2 votes, 1 answer, 86 views
Tracking online users with a stateless architecture
I own a stateless architecture, exchanging a JWT token between client and server at authentication time.
I want to store in database (once per day) a timestamp related to the user access.
Indeed, I ...
2 votes, 1 answer, 51 views
Social auth from mobile app connected to API server
I have a Node.js server using PassportJS that uses social login via Google, Facebook, and Twitter.
The Node.js server hosts an API that uses the PassportJS middleware to authenticate routes and ...
0 votes, 1 answer, 45 views
Where should I log in the user based on http session: service or controller?
I know that best practice is to leave everything about authentication/authorization to the service layer.
Controller should not be aware of that.
But how to let a service (from service layer so) to ...
0 votes, 0 answers, 11 views
Proxied server requests + forwarding authentication info in a secure fashion
We are using PassportJS with a couple of Node.js servers - but we have some questions about how to use Passport with "proxy" requests. My main question is how do we (and should we at all) forward the ...
2 votes, 2 answers, 46 views
Customer Authentication in a website
Just to be clear, by authentication I don't mean user-authentication, but I want to make sure that my app is running on the customer's server and in a defined time-span.
Some of our customers use our ...
2 votes, 0 answers, 87 views
Caching authenticated requests for all users
I am working on a web app that must deal with very large impulses of simultaneous users, who need to be authorised, to request identical content. In its current state, it's totally crippling to even ...
0 votes, 0 answers, 56 views
Understanding SSO flows
I'm actually studying SSO using OAuth2 and I'm having some questions working with real architecture.
I understand how we connect to a tier server, getting an access token and making requests ...
0 votes, 0 answers, 29 views
Modeling token generation on OAuth2 for two different users
I have an OAuth2 implementation that works with the authorization_code flow. As per an implicit relationship, one kind of user (Alice) is able to retrieve tokens for the other (Bob). On the RFC it ...
1 vote, 0 answers, 47 views
'HMAC style' design example for a shared secret
I'm looking to secure an API based on a shared key and a given username and datetime. The API gives access to trusted third parties and does not require the input from a user in order to access their ...
1 vote, 1 answer, 45 views
Preventing unauthorized writing to parts of server [closed]
Say I have two members which share a server. Both members have a game that is accessible to anyone and after playing, it records high scores by sending a request to write to a file on the server. ...
3 votes, 1 answer, 217 views
How should I pass login data from client to server using REST API
I want to create a new session, the new session will be created by logging in (naturally).
Should I pass the username and password:
via URL (POST request to ...
3 votes, 1 answer, 94 views
Hide authentication information on Github
When you're creating a project that has some sort of information that needs to be private (authentication details, etc), but you want to use some public repo like Github, is there anything that can be ...
2 votes, 0 answers, 30 views
Architecting an account system for oauth that bridges a new and legacy system
So this question is specific to implementing auth in our system but I'm looking for high-level (just the architecture) solution or advice on which direction to head towards.
Overview (TL;DR)
Our ...
5 votes, 1 answer, 919 views
REST API security: HMAC/key hashing vs JWT
I just read this article that is a few years old but describes a clever way of securing your REST APIs. Essentially:
Each client has a unique public/private key pair
Only the client and the server ...
1 vote, 1 answer, 59 views
OAuthv2 access tokens and resource servers
In the OAuthv2 authorization grant, a “client app” authenticates itself against an “auth server”, and receives an “access token” for accessing resources living on a “resource server”.
My concerns:
...
1 vote, 1 answer, 90 views
OAuthv2 for distributed applications
Please note: Months ago I asked this question that received a truly amazing answer and introduction to OAuthv2. I’m now knee deep in the implementation of such a system and have similar (but notably ...
1 vote, 2 answers, 161 views
JWT based webservice authentication
I'm currently writing a web service that will be consumed by an android app.
To access user specific content, one must authenticate against the service.
Since I'm not (primarily) using a ...
2 votes, 2 answers, 247 views
Restful User/Password Authentication
I'm currently designing a REST-API with the following properties:
Backend for a single page application (Later Apps)
Integrated user database for each instance
HTTPS/TLS only
Authentication with ...
0 votes, 0 answers, 75 views
MVC OAuth with keeping user logged in
I am creating a news site where one can add some news. Users will be registering with their Facebook accounts like on this site. There will not be other types of users, just Facebook users. And I wish ...
5 votes, 2 answers, 288 views
Auth options for distributed systems
I am in the process of designing 3 components that will work in symphony with one another:
A RESTful web service which requires BasicAuth over HTTPS on all calls, and which is what actually does all ...
2 votes, 2 answers, 99 views
Authenticate in the Services? Or in an Endpoint that exposes the Services?
When I'm in charge, I typically model services separate from endpoints. For example: Company.Project.Domain.dll has all of the logic required to complete the services for that domain. In order to ...
2 votes, 0 answers, 57 views
Global Accounts in Multi-Tenant Authorization System
Our system is fundamentally a multi-tenant setup, where each client maintains a separate database with its own data and users. The authentication system on login issues an authentication token which ...
6 votes, 1 answer, 212 views
Best practice to authenticate third party to a website?
I've a website built with ASP.NET, and it uses Cookie based Forms Authentication to protect itself from unauthorized access.
It also has a REST based API which uses API key based Authentication. (Key ...
1 vote, 3 answers, 267 views
How to authenticate against an API?
In an enterprise distributed system, a user of a web portal can sign into one site and be redirected to a federation provider. Once they log in with, for example, a Facebook account, that user is ...
0 votes, 0 answers, 26 views
Authentication structure for public area within admin dashboard?
I'm looking for input on how to organize the authentication scheme for a SaaS app where the application users offer a questionnaire to their customers.
The paying SaaS user needs to log in in order ...
0 votes, 0 answers, 336 views
SPA + Web API + Azure active directory: authenticating with graph API
I have an angular client app which talks to an ASP.NET Web API backend. I am using Azure Active Directory to authenticate users, and I have registered my Web API with my Azure AD tenant. I am using ...
0 votes, 3 answers, 471 views
How can I reinforce that security question answers should not be the same, and how to encrypt?
When my users are creating an account they need to fill and set several security questions pertaining to their account. I am wondering, how can I make sure that the answer the user enters for each ...
1 vote, 0 answers, 318 views
Single sign-on flow using ASP.NET MVC + Active Directory
I'm looking into creating a single-sign-on portal built in ASP.NET MVC. This single sign on portal should give users the option to sign in with their individual account (which should be verified ...
-1 votes, 2 answers, 204 views
The best shard key for user authentication
To access my API, a user should send a login and password and get a generated token for access.
Account:
- login
- password
Suppose the size of the account table is very large. So large that it needs ...
1 vote, 1 answer, 576 views
Token based authentication and multiple sessions
I've a token based authentication system (REST) that I inherited for an iOS app (can't change), and I've to re-use the same authentication web api system (that I can change to adapt for the web ...
6 votes, 1 answer, 614 views
JSON Web Token - why is the payload public?
I can't understand the reasoning for making the claims/payload of a JWT publicly visible after base64 decoding it.
Why?
It seems like it'd be much more useful to have it encrypted with the secret.
...
2 votes, 1 answer, 751 views
What OpenID Connect flow is right for me?
Here's the deal. I have a .NET MVC5 web application that I'm moving up to the OpenID Connect standard.
I also would like to be able to access controller methods from a mobile app (much like an API) ...
5 votes, 3 answers, 207 views
Multi platform password storage with retrieval for applications with authorization?
I'm working on a development tool that requires knowing one or more api passwords for a user to operate. Currently it works on Mac, and uses keychain to store the credentials for later re-use.
Are ...
0 votes, 0 answers, 101 views
Authenticating users of a chrome extension against an ASP.NET MVC web application
I have a chrome extension which is supported by an ASP.NET MVC web app as the back end. I want the chrome extension user to log in through my web application and once he is logged in, the chrome ...
1 vote, 1 answer, 150 views
oauth 2 authenticate with other authorization server
Let's assume I have a mobile app backed by a server. The server is both an Authorization and Resource Server.
Now I want to enable users to register / login to the app using the Facebook API. After ...
0 votes, 1 answer, 112 views
Personal Digital Signatures in Web Applications [closed]
In order to sign data with a personal digital signature in a web application, server side languages like PHP can do the whole job, but that would require that the user uploads his private key, let's say ...
0 votes, 1 answer, 104 views
Authenticating users across multiple web services
User details (name, address, etc) are stored across multiple sites that are vendor specific. For example, vendor A holds information concerning room bookings while vendor B holds information specific ...
0 votes, 2 answers, 112 views
Should a “secret access code” use the same security as a normal password? [closed]
Obviously, when you store a password, you should use something similar to bcrypt before you store it in the database.
But I have a client who wants to add the ability to add a "secret code" to ...
3 votes, 2 answers, 619 views
Should I store my user claims in the JWT token?
I am using JWT tokens in HTTP headers to authenticate requests to a resource server. The resource server and auth server are two separate worker roles on Azure.
I cannot make up my mind as to whether ...