I'm developing a small app, I have an asp.net web application with a WCF data service. On my app, the data service is exposed to Android, and I want to authenticate the users.
The user's credentials will be stored in a database.
Is it possible to use membership and role provider to authenticate the users?
If not, what is the best authentication method, so that I can give permissions to some operations and deny it for other operations?
The option I've seen used often is to use HTTPS and pass through your user credentials on each call using a RESTful service. Obviously keep your security layer at the server side and return failure codes when the credentials aren't valid.
There are tonnes of examples on the web, including this SO answer.
Related
I am creating a native Android app which currently uses Firebase Auth to handle user authentication. I have a MySQL database behind a PHP site and I'm building a RESTful API to access those services. I would like users who are authorized to be able to access limited features and data.
In this scenario, what would be the approach to handling the permissions on the backend server? I'm new to Auth techniques such as OAuth etc, but I get the feeling that might be part of this solution, so feel free to talk to me like I'm an idiot. :)
[edit]
My backend has similar permissions to Facebook; such as content is visible as either private, friends or public.
Regards
It depends on your security design.
The easiest way is to have a role-based security - use OAuth2/OpenID Connect just for authentication (ask for an ID token, not access token). Then you must get a list of roles for an authenticated user. The roles could be part of the ID token or the API server could get them from another source (e.g. its database). If the role retrieval is an expensive operation, you could consider issuing your own token (JWT) containing all the info you need.
If you wanted to delegate just some of user's permissions to the mobile app, you could register the API scopes (permissions) to the OAuth2 server and the app could ask the user for some of them. As an example, if your application wants to access Google services on behalf of its user, the application asks for an access token with specific scopes (e.g. reading GMail inbox). But this is probably not what you want.
Edit:
If the objects you deal with have access rights defined on themselves (private, public, friends visible), then just get a user identity (ID token) from the OAuth2 server and check the permissions when someone requests such an object by your API. OAuth2 itself cannot help you with that.
And for your Android app, use the Authorization Code Grant Flow as described in the OAuth2 for native apps RFC.
So I have this ASP.NET MVC 4 web app that behaves pretty much like a web service. The client sends a request, the web service returns a JSON object. Now I'm to the point in which I have to authenticate my users from an Android app. What is the proper way to do this on the client side since I no longer have a web browser to store cookies for me to authenticate with the server. SSL is already taken care of.
I have been thinking of several straight forward ways to authenticate but I'm concerned about having some security vulnerability that I might not be aware of.
Is it OK for me to store the user credentials (username and password) in a SQLite database on the Android phone where the app is installed, and then send those credentials along with every request to the server to authenticate? (I'm thinking of hashing the password before storing it in the database, of course).
Is this approach not safe? How do other apps usually authenticate with their services: like eBay, Facebook and such?
Data saved in the private storage are relatively secure (on a non rooted device at least). This include :
sqlite databases (if not made worldreadable)
SharedPreferences
If you want a better integration with the account manager (e.g. to have the account listed in the device's settings), you can write an AccountAuthenticator. See Creating a Custom Account Type or Write your own Android Authenticator. Not sure about eBay and Facebook, but that's what Firefox Sync and Evernote for example do.
You can use OAuth 2 - many tutorials and implementations are readily available.
How do all these mobile apps login users? I did a lot of research and read tutorials but I can't find a definitive answer...
I created an API for my Codeigniter web app using Phil Sturgeon's REST server. Now I need to create a mobile app (for Android and ios) that works with remote data from my web server. (I decided to build my app with Appcelerator.)
My goal is to allow users to log in from my mobile app and make CRUD operations via the REST server API. The API uses HTTP digest access authentication but I'm concerned about security because it sends a username and password over HTTP. Is there a more secure way to authenticated users?
After a user is logged in how will they perform CRUD operations without logging in again?
Security is a matter of trade-offs. You need to answer several question.
How much pain can I put the user through to protect the content?
How valuable is the protected content?
What are the consequences of breached security?
Unless you are storing banking information, confidential/personal information, or the content can be irrevocably altered/deleted, HTTPS with digest authentication are fine.
NOTE: digest does not transmit passwords.
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using Google account info of the user. The server needs to retrieve the user's basic info and create an account . That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using Oauth2 and retrieve basic user info using Google account info of the user. I can do this as well.
This is where I need help Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials.
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0, doesn’t matter in this, leads to the app obtaining an access token - then based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs, see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your way to do so (like sending a HTTP header Authorization: OAuth access_token=abcdefgh….
I'm developing an android app that consumes a webservice that I will develop too (I'm thinking in using a RESTFul webservice)..
and I want to secure the connection between the app and the server but I need to authenticate users too..
My problem is in the last part, to secure the connection I think the best way to do it is to use SSL (https), am I wrong?
I don't know what's "the best way" to authenticate users, to make sure that a user cannot consume the webservice as another user..
I have some ideas, like using a authenticate(login,pass) method on the webservice that returns a token.. And for any operation that requires authentication the user would need to pass that token as a parameter.. The thing is, is this a good way to do this? whats the most common technique used to auth users in a situation like this?
If a token based auth is a good idea how should I generate the token?
Sorry for this long text..
Any help will be usefull
Thanks
Make sure you understand a trendy standard like OAuth before you go down that path. Most OAuth flows are centered around a user logging in to your server through a web browser. This can lead to pretty bad user experience for a mobile app. The standard does allow for alternatives. Here's a decent introduction.
You could also use an existing identity provider like Google, Facebook, Twitter, etc. instead of implementing your own authN/authZ. On Android, you can ask for a Google auth token using the AccountManager. This usually works because the user needs to be logged in to their Google account to access the Android Market. Anyway, this will prompt the user to grant authorization to your app. You could then use the Google auth token to login your user to your service with your own token. The login would essentially be your server verifying the Google token is valid (by contacting Google's servers) and then issuing its own token to be used for calls to your web services. If you don't like Google, you could use the Facebook SDK, etc.
As for what to use for tokens... The OAuth spec has stuff on that as well. You could do something as simple as a random string or something as complex as encrypted SAML assertions.
You should implement a token based OAuth, which will require the users to log in once, and then permanently have access.
You can use Google App Engine which already provides user authentication services for you (your Android users most likely already have google accounts) But this is only one of many options.
You can also look into Amazon's Identity Access Management (IAM) which will allow you to manage the users who have access to your web service, and authorize them accordingly.
I think the best way to do it is to use SSL (https), am I wrong?
This only prevents certain types of malicious use, but not everything. There is still nothing to prevent people from accessing your database on the phone, and retrieving credentials that way.