I have written an API for my latest project. Written entirely in PHP, it currently supports web and mobile applications. We would like to expand that to desktop applications as well, but I'm not exactly sure how to enable to user to login through the desktop application, while still protecting the username and password from said application.
There are many brilliant developers on Stackoverflow, so shoot me some brilliant answers!
The application will be developed by 3rd parties, so I want to ensure they aren't able to store usernames and passwords
If the application has to send usernames and passwords, then it has to be able to have access to them, so don't use them inside the application at all.
Use OAuth. This is the solution used by quite a lot of large organisations, including Twitter.
There are many possibilities. What comes to mind:
Issue a Certificate signed by your CA and verify later, eg via the OpenSSL lib or Apache.
Use Public key encryption, eg via GnuPG lib, and grant access only to known pub keys.
Use any kind of Token based authentication or any other two factor authentication..
Just give them another set of API credentials (Secret Key, API Key)
its a desktop application, it has full access to the users keyboard and memory. if the application should have a login form where end users type in their usernames and passwords, the application has this data by definition.
the only solution would be to distribute the login-application yourself which does some sort of toked based authentication and provide the 3rd party applications a login token via your api.
oauth and other singe-sign-on systems on the web usually use an iframe or popup which comes from the system-to-login-to itself. no 3rd party website or application should be allowed to provide this input fields.
Related
I have a scenario, we have an PHP based website through which the users login using credentials stored in a database. Now we have another SPA website with .NET CORE as API layer.We don't have an option of having a central authentication server like Azure. If I want to let the users of SPA to access the website since they have already been authenticated in PHP, What should I do? Can PHP generate a JWT to pass it to API? How does that JWT then gets to SPA and how do I validate it? Please be kind as I am a newbie to website programming.
Json Web Tokens are a very specific format for a Bearer token. There are protocols like OpenID Connect that provide more structure around the login and trust process but at their heart, JWTs are just BASE64 encoded json with a verification hash.
You can roll your own SSO with JWT but as with everything in security, rolling your own comes with significant risks of making a bone head mistake and compromising your security. So research research and research some more if you take this route.
I did a very similar thing but stayed purely in the .net world. I used a .net library to build the JWT (https://learn.microsoft.com/en-us/previous-versions/visualstudio/dn464181(v%3Dvs.114)) and ASP.NET Core Identity to handle verification of the JWT (https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer) so I didn't write the code to actually generate the JWT. There is also only SSL connections made between the servers so some of the risk of the token getting sniffed is mitigated.
There are libraries for PHP to generate JWT or you could stand up your own JWT token provider in any language.
There also may be the possiblility of finding an OpenId Connect provider that could hook into your existing database. Identity Server 4 is one for .net but there may be one to be found in the PHP world. This introduces some overhead but does solve the problem of not having the ability to have a third party OpenId Connect provider.
Its not too terrible but security is one place where you wnat to be absolutely sure you get things right.
Authenticating from another server is SSO. There are lots of ways you could do this, but SSO protocols like OpenID Connect and SAML are specifically designed for what you're trying to do.
However, those protocols are anything but simple. You should try to see if you can find existing libraries to have your PHP application act as an Identity Provider (IdP), and your SPA to act as a Service Provider (SP) using the same protocol.
An idea that's a stretch - you didn't explain WHY you can't use a central authentication server. You might consider something like Keycloak (there are other options - that's the one I've used), which you can self-host, and can serve as either an IdP or an SP using OpenID-Connect or SAML 2.0.
You definitely shouldn't build this from scratch on your own (unless this is a hobby project). Authentication is full of security pitfalls that can trip up even the most experienced programmers.
I have two websites, one is Wordpress and other is PHP. How to login Wordpress and my PHP app with the same credentials.
I need that when a user registers on my WordPress site he automatically appears registered on the PHP site.
I would suggest using OAuth 2.0 Server , a package by thephpleague.
It will allow you to turn one of your applications into an oauth-server, the second one being the client.
The oauth-server application would grant an api key to the client so that its users can login from the client application.
The same thing happens when for instance you login to Stackoverflow using your google/facebook account : google/facebook is the server, and stackoverflow the client.
I think using oauth would be cleaner, more secure and standard compliant than duplicating your users datas accross two web apps for the following reasons :
you would need to replicate each new user on any of your website;
compromising any of your websites would give the attacker your users credentials(login, password) for the two web apps, whereas with oauth he can't get the passwords of the oauth-server users while being on the client;
etc;
There are many other reasons but there a more experienced developers able to give you deeper explanations.
There's also a wordpress plugin that would fit your needs that you can find here for JSON Web Token Authentication.
I have a html5 Web View Android application which uses php website . How do I enable the use of website only for people who have purchased the application .I was thinking of a combination of getting the users android device id in combination with php mysql generated id and preventing php site access by using a php library that checks if client is a mobile phone .Perhaps even Google application licensing - I don't know how easy is to get around this by recompiling of application ?Maybe even a good way to hide the url inside Android application.
Where do users purchase the application? How do they get access to your website?
If they purchase your app from Google Play, then you should use some form of authentication/authorization that forces them to sign into your website and establish credentials there and on the device.
Please don't use the device id. That's not particularly friendly, and it opens up a security hole. In addition, it's an inconvenience to users who upgrade (or lose) a device.
A username and password should be sufficient security for most situations. If it isn't in your case, then you could also consider establishing an encrypted key on the device after the user first logs into your site. The key could be based on various values that the user would have difficulty reproducing on a different device.
One must consider the tradeoff of securing against undesired access versus the effort involved. How likely is it that users will give away their username and passwords to allow others to use your site? If you secure something too much, nobody will use it.
I have 2 sites:
SITE A - an asp.net site
SITE B - a php site
We have all the user information in an asp.net site (which is actually a Kentico site).
Now, there is a business requirement that users should be able to log-in with the same credentials in Site B. Ideally, we would need that users who log-in Site A, and navigate to Site B, the authentication would be automatic.
Is there a way to achieve this form of authentication. Or is it not possible?
This is not an authentication problem, but an authorization one. Once you have authenticated your user, in whichever way you want, with whichever technology you want, you probably will grant them some sort of token that you will then use to grant authorization to the different resources in your sites.
In your case you have two different technologies, which only means that you won't be able to use the out of the box asp.net or php session management, but all you need to do is have a common place to check that the session tokens are valid, they belong to a legitimate user and that user has permissions to access this resource.
If the above is trivial, sorry, maybe your question is more oriented to the sites being in two different domains, and therefore not being able to use a domain cookie to store the session information. is that the case?
The canonical solution to this is to use a protocol like OpenID. OpenID allows a website to ask a user to authenticate themselves using a different site, and then honour those credentials; using a protocol called "attribute Exchange", the authentication provider can provide additional data about the user.
OpenID is how StackExchange manages to log you in with your Google account (or whatever you're using), and how sites in the SO network recognize your identity without you logging in everywhere.
The benefit for OpenID is that it's a widely used protocol, so it's likely to be highly secure and well-tested; you don't risk weaving your own solution and accidentally exposing your users to security risks. It's well-documented, and widely supported.
There's an OpenID framework for .Net which allows you to create your own OpenID provider; it appears Kentico supports OpenID as an authentication mechanism. There are several OpenID libraries for PHP (Google is your friend here).
Exactly how you implement this depends on how your Kentico authentication works right now, but in principle it should be fairly easy to glue the Kentico user database to an OpenID provider you write; getting Kentico to use that for authentication appears to be a configuration setting. You'd have to re-write the PHP site to use OpenID; again, not clear how that currently works, but I can't imagine it would be harder than any other solution you might try.
I had a similar issue on a .net platform where I didn't have the option to put them on one subdomain. In that case you could pass the username and a token (that signified the user was already authenticated by site B) and perhaps the encrypted password to re-authenticate against an external DB, then redirect them to the site. In my case I needed to do this as I was redirecting to the corresponding site CMS for site admins.
I am planning on creating a number of web applications that allows the user to share an account between these applications. I am using apache, php and mysql.
My question is, is it possible for the user to login on one server and then be able to use all the applications with these login details. I was thinking of using some kind of web service/api that can be accessed by the other applications but I am not entirely sure that this is the best way.
Thanks in advance.
You might want to go for the popular OpenID:
OpenID is an open standard that
describes how users can be
authenticated in a decentralized
manner, obviating the need for
services to provide their own ad hoc
systems and allowing users to
consolidate their digital identities.
There is also OAuth authentication system:
OAuth (Open Authorization) is an open
standard for authorization. It allows
users to share their private resources
(e.g. photos, videos, contact lists)
stored on one site with another site
without having to hand out their
credentials, typically username and
password.
Yes I would build an authentication service. Then I would register within that service which applications the user can use.