    Lily Romano
    @Lilyheart
    What's everybody working on tonight?
    Robert Marcy
    @Ryzilynt
    Maybe stuffed peppers
    Then later after that, prolly FCC
    I'll also log in to Blackboard and see if any of my classes are available, and attempt to complete any inevitable syllabus quizzes that rear their ugly heads
    Possibly an intro post or 2.
    Or 3
    Lily Romano
    @Lilyheart
    I have two of four syllabi available at this point.
    I think imma go through www.commandlinepoweruser.com
    Lily Romano
    @Lilyheart
    What other classes are you taking @Ryzilynt ?
    James Peruggia
    @bereachad
    I am doing a code deployment right now, how thrilling
    Lily Romano
    @Lilyheart
    Welcome @bereachad . That is always a thrilling time :laughing:
    James Peruggia
    @bereachad
    And while this is building, I'm trying to understand how we can move away from our authorization and authentication in one spot for applications to a more "proper" flow
    We use openID but I don't think we are doing it correctly
    Lily Romano
    @Lilyheart
    I've had a battle any time I've dealt with openID. @davidjcastner might have had better experience.
    James Peruggia
    @bereachad
    Well I think the issue is we are using openID for authorization of users, and using it to store the security for the application as well, which is where I think we are going wrong. In general though it works, but once we start adding more clients to this server it will become an unmaintainable mess
    David Castner
    @davidjcastner
    I just got home from work but I can explain what the recommended practices are in a couple minutes
    James Peruggia
    @bereachad
    other than that, thanks for hosting this group!
    Lily Romano
    @Lilyheart
    no problem :grin:
    @bereachad I sent you a PM here with some information.
    David Castner
    @davidjcastner
    @bereachad What do you mean that you are using openID for the security of the application?
    David Castner
    @davidjcastner
    The general practice is that you store your users in the database and give them a role. You can use openID for authentication but the authorization of what each role or individual user has access to should be controlled by the server.
    James Peruggia
    @bereachad
    so the way we have it setup right now is that we have the traditional work process of : user navigates to app -> clicks login - redirect to openId server w/ client_id -> they login with provider -> redirect back to application w/ openId token
    issue is that step where we have "login with provider": we also query for roles in a database that is specific to the application they logged into, but I feel that needs to be decoupled
    And when you say store users in the database, you are talking about the database for the actual client application I assume
    David Castner
    @davidjcastner
    correct for the client application, where is the query taking place?
    Lily Romano
    @Lilyheart
    :thumbsup:
    James Peruggia
    @bereachad
    well we decouple our clients from the api as well
    so we have say DataAccessAPI (WebAPI 2 C# backend) that several clients (applications) connect to
    but I am trying to get the [Authorize] tags to not use just claims, but security for the application they logged into. The thing is we didn't specify the data structure for how they handle security, it was an old legacy system that we are trying to make fit
    which is causing a headache
    Right now we have our openID server authenticate the user, and then once authenticated, we look them up in a table for users on the API that will be using that openID server for authentication, and then return associated roles in the claims for the user
    David Castner
    @davidjcastner
    as long as the query is taking place on your servers you should be fine. But all API calls requesting data that requires authorization should send the openId token in the request to your server, then your server verifies the token before doing anything else
    one sec I'll put together some pseudo code
    David Castner
    @davidjcastner
    What is the openID server providing you? As in what does it return to you (the user, the role?)
    James Peruggia
    @bereachad
    well right now it returns say, claims info about the user, such as firstName, lastName and userName and email
    David Castner
    @davidjcastner
    okay and you can only call those methods from your server?
    this is the basic structure to any api
    // client code

    actionThatRequiresAuthorization() {
      // a function
      token = getTokenFromOpenID(); // uses openId (via redirect) to get the token
      makeRequestToAPI(token, otherData); // the token travels with every request
    }

    // server code

    // the function for your API
    doSomethingImportant(token, otherData) {
      try {
        // verify the token and resolve who is calling before touching otherData
        userIdOrRole = getUserOrRoleFromOpenId(token);

        if (isAllowed(userIdOrRole)) {
          // do important stuff with otherData and return a value if necessary
        } else {
          // throw 403: token is valid, but this user/role is not permitted
        }
      } catch (error) {
        // throw 401: token is missing, invalid, or could not be verified
      }
    }
    Robert Marcy
    @Ryzilynt
    @Lilyheart taking CIS 112, ENG 222, and MAT162
    James Peruggia
    @bereachad
    yea that makes sense then, my question I guess is more for the line where you have userIdOrRole = getUserOrRoleFromOpenId(token);
    that is going to run a query on every request
    David Castner
    @davidjcastner
    So by the sounds of it you should be storing the userId or role on the openId server
    James Peruggia
    @bereachad
    unless we use some memory cache or something
    sure something to uniquely identify the user, say userName is unique instead of userId, it provides the same general purpose
    David Castner
    @davidjcastner
    I may be wrong on this, but I believe you have to run authentication on every call because someone could spoof the information
    James Peruggia
    @bereachad
    yes, that is what I am trying to explain to my coworkers and some of them think I am crazy
    David Castner
    @davidjcastner
    yea that is security 101
    at my old company, I hacked into their client application when I started working because they didn't check on every call
    Lily Romano
    @Lilyheart
    xD I think I remember when you did that.
    @Ryzilynt bummer! I'm taking ENG221! Who do you have for 162? Do you already have your book?
    Robert Marcy
    @Ryzilynt
    Yeah I have all my books. Muscatell