I have a web application with Angular front-end and a back-end developed using the Nest.JS framework.
The back-end RESTful API endpoints are secured with an SSO and JWT authentication.
Using the same web application I created a desktop application with the help of the NW.JS.
The application setup is successful and can run on the desktop OS.
Now I need to use the same back-end RESTful API endpoints without the SSO but with JWT for the desktop application.
In some situations (ex. checking for updates), I only need to use the SSO login.
How can I use the Nest.JS server endpoints for this kind of use cases.
Is there a conditional way to write annotations/middleware that we can use to check the app is running on WEB or Desktop and bypass the SSO login?
Also this should be a much secure way to protect the endpoint in both situations.
NOTE: Identifying the running environment is also has configured and running well in the application.
Thank you very much
Related
I want to develop a "responsive mobile web application (iOS / Android)" with JavaScript to interact with Smart Contract and blockchain.
I decided to develop a hybrid mobile web application. However, the question is how to store the App Secret safe in case of developing a mobile web application with JavaScript ? Since, we do not want to store it in the mobile and blockchain because of security.
I want to develop a "responsive mobile web application (iOS / Android)" with JavaScript to interact with Smart Contract and blockchain.
Is not clear for me if you are referring to write the Mobile Application as a web site that is full responsive in mobile or if you are considering to write it using a framework like Ionic, React Native or others.
If is a responsive website than please ignore the rest of my answer once there is no secure way of securing secrets on them, as far as I am aware.
Now if is a cross platform Mobile App done with any of the many available frameworks, than keep reading because a possible solution exists to solve the problem of secrets on them.
However, the question is how to store the App Secret safe in case of developing a mobile web application with JavaScript ?
Anything running on the client side will be vulnerable to reverse engineering with tools like Xposed or Frida.
Since, we do not want to store it in the mobile and blockchain because of security.
As already pointed out by you the Mobile or Blockchain are not good places to store the App Secret.
A Possible Solution
To harden the communication between your Mobile App and the API server you should use a Mobile App Attestation service, that will guarantee at run-time that your App was not modified or is not running in a jail broken or rooted device, by using an SDK integrated in you App and a service running in the cloud.
The cloud service on successful attestation of the App integrity issues a JWT token that is signed with a secret that only the API server and the cloud service are aware and on failure the JWT token is signed with a fake secret that the API server does not know. This approach will allow for the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.
Once the secret used by the cloud attestation service is not known by the Mobile App it is not possible to reverse engineer it at run-time, even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack.
On this article you can walk through example of how a Mobile App Attestation service in the cloud is used to authenticate a React Native App.
Disclaimer: I work at Approov
Xposed
Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs. That's great because it means that modules can work for different versions and even ROMs without any changes (as long as the original code was not changed too much). It's also easy to undo. As all changes are done in the memory, you just need to deactivate the module and reboot to get your original system back. There are many other advantages, but here is just one more: Multiple modules can do changes to the same part of the system or app. With modified APKs, you to decide for one. No way to combine them, unless the author builds multiple APKs with different combinations.
Frida
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
JWT Token
Token Based Authentication
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
How would you call the secured REST api from the Javascript script application that doesn't have the login?
I have a Javascript application (React) that doesn't have a user login. It needs to call some REST api services that uses Oauth (Azure Ad -
WindowsAzureActiveDirectoryBearerAuthentication).
Those REST services have CORS enabled.
I also registered my web application in Azure Ad.
The issue is that the javascript application needs to call https://login.microsoftonline.com/{{tenantId}}/oauth2/token to get the access token. I found no way to enable the CORS for that URL. My JS application doens't have any login so I can't show the login screen in popup or use adal js.
The solution that I come up with is that I put my Javascript application in NodeJS (Express). The JS call the NodeJS that calls the login.microsoftonline.com to get the token and pass it when calling other secured REST services.
It works great but I think there might be some security issues around that.
Is there any better way to design this kind of application?
What you are doing is the proper approach. It keeps all the Oauth tokens secure on your server without having to expose them client side.
That is the main reason most Oauth2 API's don't implement CORS
Working with enterprise cloud systems such as Azure and SCP (SAP Cloud Platform) requires knowing how to exploit and implement SSO (Single Sign-On) authentication. Both cloud systems adopt SAML 2.0 protocol to implement SSO, which is quite easy to configure. However, it is not clear to me how to use this protocol into a JavaScript SPA WebApp to implement the login form. Azure provides the following APIs.
Which is the way to call these APIs? There is a good introductive documentation provided by Azure, but from the development point of view I cannot find any actual usage example. Is it necessary to use a library? Which one? Maybe I have misunderstood the aim of SAML and I should use a different authentication protocol such as OAuth 2.0. Is that right?
I this is a very old question but the answer hasn't changed much.
SAML isn't suitable for SPA apps as it relays on HTTP POST to transfer data and a need to protect keys on the SPA side.
My recommendation is first to try and use a authentication method better suited to SPA. eg OpenID connect.
If your IdP does not support OpenId connect or you have some requirements that you must use SAML. The best method is to use a identity brokering solution.
When using identity broker, you have a software acting as a translator between OpenID connect used by the SPA and SAML used by the IdP. This way you can use a the OpenID connect standard in SPA but still SAML on your IdP.
Keycloak is a good, free, opensource alternative to use a identity broker.
A fem month ago I wrote a blog post on how to set this up for a React SPA, ADFS IdP and Keycloak as identity broker. There is a also a automated demo environment in Vagrant and virtual box where you can use to try it out.
I am creating a desktop application that using Spotify's oauth api. I am using the implicit grant flow described here: https://developer.spotify.com/web-api/authorization-guide/#implicit_grant_flow
My idea is to have an "Authenticate" button, that you click and it opens your browser. You login/approve the connection with Spotify. Then it sends you to a redirect url.
I want to set this redirect url to 127.0.0.1:58212 or some port on the loopback device.
My question is, should I use https for this?
I am leaning towards yes. One because the access token needs to be secure, and I believe other users on the system could potentially read the message when it is sent, and two because in the time it took the user to log in, someone could have taken over the port.
So I want SSL for encryption of the message, and I want to ensure I am actually talking to my app.
How do I generate certificates in this situation? I think each instance of the application needs to have its own certificate, and I need to somehow inform the computer to trust that certificate during the lifetime of the application.
I could also generate the certificate during installation, and do some step during installation that makes the system trust that certificate.
Am I thinking about this the correct way, or am I going about this all wrong?
I am using electron and express in JavaScript to write my application.
Thanks for any advice.
The best way to securely use Oauth with installed applications such as desktop applications is to use the Oauth 2 flow for installed applications. But this option would have to be implemented by the service provider. Google provides for this option.
https://developers.google.com/api-client-library/python/auth/installed-app
Unfortunately, many services do not implement OAuth2.
To use Oauth 1.0 with installed applications, instead of returning to a callback_url, the service provider displays the auth code to the user which the user can then copy and paste to the desktop application. Check out Trello Ouath integration which allows for this.
The Web Api flow that you are trying to achieve will not work in the case of desktop apps. The redirect uri 127.0.0.1:port is your local uri. The service provider will need, at the very least, your public ip to redirect the flow back to your system.
AFAIK, for a Desktop or a native app it is much better to implement the Oauth authorization code flow. The implicit grant is intended to be used on a device browser and not on a Web View.
If your app uses a Web Service to connect, your Web Service needs a redirect URL that uses https. Luckily most hosting platforms like Heroku provide this to you for free (otherwise you need to buy an SSL certificate which might be a lot of work).
On the authorization code flow, a token doesn't need to see the client, it is all stored in the backend.
Most services allow you to test on localhost with http.
I wrote a tutorial that could give you some guidance on the flow.
First time I've begun using firebase with a JavaScript project:
firebaseAuth.signInWithEmailAndPassword(creds.username, creds.password
Since it is connecting to Google via websockets, will the website need to be served over HTTPS to avoid a security vulnerability?
Since Firebase Auth makes a request to Google's backend servers, it does so over HTTPS and no email/password data is unencrypted in flight. You should still strive to use HTTPS on your own system, and if you're using Firebase already Firebase Hosting offers free static web hosting with SSL provisioning on your own domain.