Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
    James Peruggia
    @bereachad
    otehr than that, thanks for hosting this group!
    Lily Romano
    @Lilyheart
    no problem :grin:
    @bereachad I sent you a PM here with some information.
    David Castner
    @davidjcastner
    @bereachad What do you mean that you are using openID for the security of the application?
    David Castner
    @davidjcastner
    The general practice is that you store your users in the database and give them a role. You can use openID for authentication but the authorization of what each role or individual user has access to should be controlled by the server.
    James Peruggia
    @bereachad
    so the way we have it setup right now is that we have the traditional work process of : user navigates to app -> clicks login - redirect to openId server w/ client_id -> they login with provider -> redirect back to application w/ openId token
    issue is that step where we have "login with provider" we also query for roles into a database that is specific to the application they loged into, but i feel as that needs to be decoupled
    And when you say store users in the database, you are talking about the database for the actual client application I assume
    David Castner
    @davidjcastner
    correct for the client application, where is the query taking place?
    Lily Romano
    @Lilyheart
    :thumbsup:
    James Peruggia
    @bereachad
    well we decouple our clients from the api as well
    sso we have say DataAccessAPI (WebAPI 2 C# backend) that several clients(applications) connect to
    but I am trying to get the [Authorize] tags to not use just claims, but security for the application they logged into, the thing is we didn't specify the data structure for how they handle security , it was an old legacy system that we are trying to make fit
    which is causing a headache
    Right now we have our openID server authenticate the user, and then once authenticated, we look them up in a table for users on the API that will be using that openID server for authentication, and then return associated roles in teh claims for the user
    David Castner
    @davidjcastner
    as long as the query is taking place on your servers you should be fine. But all API calls requesting data that requires authorization should send the openId token in the request to your server, then your server verifies the token before doing anything else
    one sec I'll put together some pseudo code
    David Castner
    @davidjcastner
    What is the openID server providing you? As in what does it return to you (the user, the role?)
    James Peruggia
    @bereachad
    well right now it returns say, claims info about the user, such as firstName, lastName and userName and email
    David Castner
    @davidjcastner
    okay and you can only call those methods from your server?
    this is the basic structure to any api
    // client code

actionThatRequiresAuthorization() {
  // a function
  token = getTokenFromOpenID(); // uses openId (via redirect) to get the token
  makeRequestToAPI(token, otherData);
}



// server code

// the function for your API
doSomethingImportant(token, otherData) {
  try {

    userIdOrRole = getUserOrRoleFromOpenId(token);

    if (isAllowed(userIdOrRole)) {
      // do important stuff with otherData and return a value if necessary
    } else {
      // throw 403 
    }

  } catch (error) {
    // throw 401
  }
}
    Robert Marcy
    @Ryzilynt
    @Lilyheart taking CIS 112, ENG 222, and MAT162
    James Peruggia
    @bereachad
    yea that makes sense then, my question i guess is more for the line where you have userIdOrRole = getUserOrRoleFromOpenId(token);
    that is going to run a query on every request
    David Castner
    @davidjcastner
    So by the sounds of it you should be storing the userId or role on the openId server
    James Peruggia
    @bereachad
    unless we use some memory cache or something
    sure something to unique identify the user, say userName is unique instead of userId it provides the same general purpose
    David Castner
    @davidjcastner
    I may be wrong on this, but I believe you have to run authentication on every call because someone could spoof the information
    James Peruggia
    @bereachad
    yes, that is what i am trying to exaplin to my coworkers and some of them think I am crazy
    David Castner
    @davidjcastner
    yea that is security 101
    at my old company, I hacked into there client application when I started worked because they didn't check on every call
    Lily Romano
    @Lilyheart
    xD I think I remember when you did that.
    @Ryzilynt bummer! I'm taking ENG221! Who do you have for 162? Do you already have your book?
    Robert Marcy
    @Ryzilynt
    Yeah I have all my books. Muscatell
    David Castner
    @davidjcastner
    The caching part only helps with users not having to renter their password everytime on the same computer, but then your client send the cached information in the background, and the server still verifies that user
    Lily Romano
    @Lilyheart
    @Ryzilynt Muscatell online?
    Robert Marcy
    @Ryzilynt
    Yeah
    @Lilyheart yeah, does the at symbol make it private or just identify who I'm talking to ?
    David Castner
    @davidjcastner
    @Ryzilynt just identifies who you talk to
    Lily Romano
    @Lilyheart
    id's who you are talking to and depending on their settings, notifies them they have a message.
    James Peruggia
    @bereachad
    @davidjcastner Well thanks for that clarification to make sure I am not loosing my mind or misunderstanding this
    David Castner
    @davidjcastner
    @bereachad no problem, people lose jobs over these mistakes and your coworker's that think you are crazy may just be fired when someone hacks into your company
    Robert Marcy
    @Ryzilynt
    @Lilyheart I hear good things about muscatell, I just wish he posted his lectures on bb
    Lily Romano
    @Lilyheart
    I took him for exactly the class you are taking. MAT162 ONLN. I've listened in on his actual classes and he sounds awesome. I took my final with one of his classes and he was great. As far as online... I sent you a PM about it.........
    David Castner
    @davidjcastner
    @bereachad oh and btw, I wouldn't use the name for verifying, at the very least attached a primary key of a unique number to each user. There are many bugs and security holes made by using the name as an identifier
    James Peruggia
    @bereachad
    oh no we use GUID
    its just an example, we don't actually use name
    Where do you guys take classes?
    David Castner
    @davidjcastner
    oh okay perfect, just double checking, I might of made that mistake when I first started
    Montgomery County Community College