These are chat archives for MontCode/GeneralChat

17th Jan 2017
Lily Romano
@Lilyheart
Jan 17 2017 21:53
What's everybody working on tonight?
Robert Marcy
@Ryzilynt
Jan 17 2017 21:54
Maybe stuffed peppers
Then later after that, prolly FCC
I'll also log in to Blackboard and see if any of my classes are available, and attempt to complete any inevitable syllabus quizzes that rear their ugly heads
Possibly an intro post or 2.
Or 3
Lily Romano
@Lilyheart
Jan 17 2017 21:58
I have two of four syllabi available at this point.
I think imma go through www.commandlinepoweruser.com
Lily Romano
@Lilyheart
Jan 17 2017 22:15
What other classes are you taking @Ryzilynt ?
James Peruggia
@bereachad
Jan 17 2017 22:39
I am doing a code deployment right now, how thrilling
Lily Romano
@Lilyheart
Jan 17 2017 22:39
Welcome @bereachad. That is always a thrilling time :laughing:
James Peruggia
@bereachad
Jan 17 2017 22:40
And while this is building, I'm trying to understand how we can move away from our authorization and authentication in one spot for applications to a more "proper" flow
We use openID but I don't think we are doing it correctly
Lily Romano
@Lilyheart
Jan 17 2017 22:41
I've had a battle any time I've dealt with openID. @davidjcastner might have had better experience.
James Peruggia
@bereachad
Jan 17 2017 22:43
Well I think the issue is we are using openID for authorization of users, and using it to store the security for the application as well, which is where I think we are going wrong. In general though it works, but once we start adding more clients to this server it will become an unmaintainable mess
David Castner
@davidjcastner
Jan 17 2017 22:44
I just got home from work but I can explain what the recommended practices are in a couple minutes
James Peruggia
@bereachad
Jan 17 2017 22:44
other than that, thanks for hosting this group!
Lily Romano
@Lilyheart
Jan 17 2017 22:46
no problem :grin:
@bereachad I sent you a PM here with some information.
David Castner
@davidjcastner
Jan 17 2017 22:52
@bereachad What do you mean that you are using openID for the security of the application?
David Castner
@davidjcastner
Jan 17 2017 22:57
The general practice is that you store your users in the database and give them a role. You can use openID for authentication but the authorization of what each role or individual user has access to should be controlled by the server.
James Peruggia
@bereachad
Jan 17 2017 23:01
so the way we have it set up right now is that we have the traditional work process of: user navigates to app -> clicks login -> redirect to openId server w/ client_id -> they login with provider -> redirect back to application w/ openId token
issue is that step where we have "login with provider" we also query for roles into a database that is specific to the application they logged into, but I feel as if that needs to be decoupled
And when you say store users in the database, you are talking about the database for the actual client application I assume
David Castner
@davidjcastner
Jan 17 2017 23:03
correct for the client application, where is the query taking place?
Lily Romano
@Lilyheart
Jan 17 2017 23:04
:thumbsup:
James Peruggia
@bereachad
Jan 17 2017 23:04
well we decouple our clients from the api as well
so we have say DataAccessAPI (WebAPI 2 C# backend) that several clients (applications) connect to
but I am trying to get the [Authorize] tags to not use just claims, but security for the application they logged into, the thing is we didn't specify the data structure for how they handle security, it was an old legacy system that we are trying to make fit
which is causing a headache
Right now we have our openID server authenticate the user, and then once authenticated, we look them up in a table for users on the API that will be using that openID server for authentication, and then return associated roles in the claims for the user
David Castner
@davidjcastner
Jan 17 2017 23:09
as long as the query is taking place on your servers you should be fine. But all API calls requesting data that requires authorization should send the openId token in the request to your server, then your server verifies the token before doing anything else
one sec I'll put together some pseudo code
David Castner
@davidjcastner
Jan 17 2017 23:17
What is the openID server providing you? As in what does it return to you (the user, the role?)
James Peruggia
@bereachad
Jan 17 2017 23:20
well right now it returns say, claims info about the user, such as firstName, lastName and userName and email
David Castner
@davidjcastner
Jan 17 2017 23:21
okay and you can only call those methods from your server?
this is the basic structure to any api
// client code

// assumes getTokenFromOpenID() and makeRequestToAPI() are provided elsewhere
function actionThatRequiresAuthorization(otherData) {
  // uses openId (via redirect) to get the token
  const token = getTokenFromOpenID();
  return makeRequestToAPI(token, otherData);
}


// server code

// the function for your API; assumes getUserOrRoleFromOpenId() and isAllowed()
// are provided elsewhere
function doSomethingImportant(token, otherData) {
  let userIdOrRole;
  try {
    // verify the token with the openId server before doing anything else
    userIdOrRole = getUserOrRoleFromOpenId(token);
  } catch (error) {
    // token missing, expired or forged: 401 Unauthorized
    throw new Error('401');
  }

  if (!isAllowed(userIdOrRole)) {
    // valid user, but not permitted to do this: 403 Forbidden
    // (checked outside the try so it is not swallowed as a 401)
    throw new Error('403');
  }

  // do important stuff with otherData and return a value if necessary
}
Robert Marcy
@Ryzilynt
Jan 17 2017 23:23
@Lilyheart taking CIS 112, ENG 222, and MAT162
James Peruggia
@bereachad
Jan 17 2017 23:23
yea that makes sense then, my question I guess is more for the line where you have userIdOrRole = getUserOrRoleFromOpenId(token);
that is going to run a query on every request
David Castner
@davidjcastner
Jan 17 2017 23:24
So by the sounds of it you should be storing the userId or role on the openId server
James Peruggia
@bereachad
Jan 17 2017 23:24
unless we use some memory cache or something
sure something to uniquely identify the user, say userName is unique instead of userId, it provides the same general purpose
David Castner
@davidjcastner
Jan 17 2017 23:25
I may be wrong on this, but I believe you have to run authentication on every call because someone could spoof the information
James Peruggia
@bereachad
Jan 17 2017 23:25
yes, that is what I am trying to explain to my coworkers and some of them think I am crazy
David Castner
@davidjcastner
Jan 17 2017 23:25
yea that is security 101
at my old company, I hacked into their client application when I started work because they didn't check on every call
Lily Romano
@Lilyheart
Jan 17 2017 23:27
xD I think I remember when you did that.
@Ryzilynt bummer! I'm taking ENG221! Who do you have for 162? Do you already have your book?
Robert Marcy
@Ryzilynt
Jan 17 2017 23:29
Yeah I have all my books. Muscatell
David Castner
@davidjcastner
Jan 17 2017 23:29
The caching part only helps with users not having to re-enter their password every time on the same computer, but then your client sends the cached information in the background, and the server still verifies that user
Lily Romano
@Lilyheart
Jan 17 2017 23:29
@Ryzilynt Muscatell online?
Robert Marcy
@Ryzilynt
Jan 17 2017 23:29
Yeah
@Lilyheart yeah, does the at symbol make it private or just identify who I'm talking to ?
David Castner
@davidjcastner
Jan 17 2017 23:31
@Ryzilynt just identifies who you talk to
Lily Romano
@Lilyheart
Jan 17 2017 23:31
IDs who you are talking to and depending on their settings, notifies them they have a message.
James Peruggia
@bereachad
Jan 17 2017 23:32
@davidjcastner Well thanks for that clarification to make sure I am not losing my mind or misunderstanding this
David Castner
@davidjcastner
Jan 17 2017 23:33
@bereachad no problem, people lose jobs over these mistakes and your coworkers that think you are crazy may just be fired when someone hacks into your company
Robert Marcy
@Ryzilynt
Jan 17 2017 23:34
@Lilyheart I hear good things about muscatell, I just wish he posted his lectures on bb
Lily Romano
@Lilyheart
Jan 17 2017 23:35
I took him for exactly the class you are taking. MAT162 ONLN. I've listened in on his actual classes and he sounds awesome. I took my final with one of his classes and he was great. As far as online... I sent you a PM about it.........
David Castner
@davidjcastner
Jan 17 2017 23:35
@bereachad oh and btw, I wouldn't use the name for verifying, at the very least attach a primary key of a unique number to each user. There are many bugs and security holes made by using the name as an identifier
James Peruggia
@bereachad
Jan 17 2017 23:37
oh no we use GUID
it's just an example, we don't actually use name
Where do you guys take classes?
David Castner
@davidjcastner
Jan 17 2017 23:37
oh okay perfect, just double checking, I might have made that mistake when I first started
Montgomery County Community College
James Peruggia
@bereachad
Jan 17 2017 23:38
what do they focus on there? Java or C++, where I went to college it was a C++ shop
Lily Romano
@Lilyheart
Jan 17 2017 23:39
Java shop
We have several MCCC students and some Delaware County Community College students that I'm aware of.
One person finished freeCodeCamp front end and has a job now. One person went through Udacity and has a job now.
It's a wide range of students xD
Lily Romano
@Lilyheart
Jan 17 2017 23:44
I'll be a bit more afk'ish soon. Dinner almost.