Single Sign On Html Page with Restful Service - javascript

Let me explain what's my plan.
Actually I write a website in HTML5 with Javascript.
This website do an ajax call to a c# RESTful service.
Both, the website and the service, are located on a windows server 2012 at the iis 8.
The website is located in an virtual directory of the default web site.
The service is added as an application to the server.
The server is running inside our intranet including AD.
I access the website by the url: http://example/Auth.
My goal is that the user didn't have to login manually, because it's already done at windows login.
This should be done by using windows authentication i guess, but when i activate it, i'm prompted to enter my credentials.
After entering them everything works fine. If they were correct i can use the website, otherwise i get 401 as expected.
First question: what do i have to do, to be logged in automatically if i'm a valid user of the AD?
Wheter logged in automatically or manually i'm not able to get the username of the logged in user and pass it to the service.
Second question: how to get the username and pass it to the server?

In my case it was finally quite simple to solve my problem.
All i had to do, was to add the domain to the url and get a full qualified url like: example.mydomain.com/Auth.
If i try toaccess this site now, there is no prompt shown and even the credentials get passed to auth following services etc.

Related

How to use currently logged in Windows Active Directory user to login to a web app?

I want to use the current logged in Windows AD account to authenticate with my web app. It's fine (desired, actually) to have the front end pass the authentication token (or whatever form that takes in AD) to the back end for validation with our SSO provider. But how do I get the AD information into the front end, so that it can be passed the back end? What does this info look like, how is it acquired, etc? I can't find any tutorials or guidance on the topic.
I know this is possible because I see it being done on other web apps, but I don't know how to do it myself and am having a very hard time finding a solution.
If you want seamless login (so the user doesn't have to type in their username/password) then you will want Windows Authentication. You can read about how it works here.
To make this work with Node.js Express you can use the NodeSSPI package. The documentation has examples on how to use it.
The browser will also have to trust your site before it will send credentials automatically. For IE and Chrome, that means adding the site to the list of Trusted Sites in the Internet Options. Firefox keeps its own list in the network.automatic-ntlm-auth.trusted-uris setting in about:config

Dropbox redirect URI does not redirect for login, instead returns code of last user

I am using Dropbox Code API version 2 from NodeJS application. I am using OAuth 2.0 with code grant approach. It seems to behave randomly. The use case is as follows:
My server generates a redirect uri and sends to my client.
User clicks on redirect uri from client.
Application redirects to Dropbox URI. (User has already linked my app to their Dropbox. My app has full Dropbox permission.)
Dropbox asks to sign in with google or email. I used gmail.
Dropbox calls the registered callback with the code. I use the code to retrieve bearer token.
Problem: now i try to register another user and require a different code from Dropbox. The problem occurs in step 3. After
user clicks on step 3, Dropbox does not show the sign-in with
google or email page, instead, calls back application with the
same code as for user 1.
I'm using the same machine for testing this scenario and two different gmail addresses. My server runs on localhost. It was working before but stopped working without any intentional changes from me. I have tried debugging but I am not sure why this is happening, trying restarting client, server, even restarted my computer. But it doesn't show me the sign-in with google or email page.
My question is how does Dropbox know that it should show the sign-in page when the redirect link is clicked. I generated the redirect link using core API functions.
Maybe there is an error in my workflow, I am new to web development and have tried everything I know, any insight would be greatly appreciated.
Thanks!

automatic login to a website

I have got a 3rd party website, which my customer wants to me to login into in order to download some data periodicaly.
The data is customer specific, and password protected.
I have the username/password, and I have searched for ways to do the login automatically so that I can pull data, but so far with no success.
This is a method that I have tried:
http://crunchify.com/automatic-html-login-using-post-method-autologin-a-website-on-double-click/
When I look into the login page of the website which I am trying to login to (view source), I don't see the login form, but if I click on "inspect element" in chrome on the fields of the page it does show that there is a login form hiding in there.
Any suggestions
Edit:
Here is the website which I need to autologin to: http://portal.dorad.co.il/#/Login unfortunatlly it's not in english. The first field is the username, the second field is the password and the button is the login
Edit2:
Taking pomeh's advice, I was able to find the jQuery code that is being triggerted when the text boxes are being modified. Now I want to run this script manually using element.DomContainer.Eval
(function(n,t){function vi(n){var t=n.length,r=i.type(n);return i.isWindow(n)?!1:1===n.nodeType&&t?!0:"array"===r||"function"!==r&&(0===t||"number"==typeof t&&t>0&&t-1 in n)}function ne(n){var t=li[n]={};return i.each(n.match(s)||[],function(n,i){t[i]=!0}),t}function uu(n,r,u,f){if(i.acceptData(n)){var s,h,c=i.expando,a="string"==typeof r,l=n.nodeType,o=l?i.cache:n,e=l?n[c]:n[c]&&c;if(e&&o[e]&&(f||o[e].data)||!a||u!==t)return e||(l?n[c]=e=tt.pop()||i.guid++:e=c),o[e]||(o[e]={},l||(o[e].toJSON=i.noop)),("object"==typeof r||"function"==typeof r)&&
...
(t=n(this);r=r.not(t),t.removeData(f),r.length||clearTimeout(c)},add:function(t){function s(t,u,e){var s=n(this),o=n.data(this,f);o.w=u!==i?u:s.width(),o.h=e!==i?e:s.height(),r.apply(this,arguments)}if(!u[o]&&this[e])return!1;var r;if(n.isFunction(t))return r=t,s;r=t.handler,t.handler=s}}}(jQuery,this)
I am not sure how to activate it and give it the relevant data.
If you have the right mix of technical requirements then you want Single-Site-Sign-On (SSSO).
Not all of my clients have SSL and I don't want my user name and password on all of their sites. They are however all on the same server. Since my site supports SSL I can log in to my own site securely.
What you need to do conceptually speaking is log the IP of the administrator account along with the data/time stamp. Then if you visit your client's website (again, on the same server) from that same IP you can have your scripting language check the file. I require a short time-span (anywhere between 30 seconds to two minutes tops) and the same IP address. You can add additional technical requirements to strengthen security of course though your options will be limited as the domain name will be different. If the IP matches the criteria emulate the user being authenticated (static obviously since you likely won't/shouldn't have your administrative account information on their site) and you can be automatically signed in.
Maybe you could do this using a web scraping framework like:
Goutte for PHP (https://github.com/fabpot/goutte)
Scrapy for Python (http://scrapy.org/)
node.io for Node.js (https://github.com/chriso/node.io)
request for Node.js (https://github.com/mikeal/request)
WatiN for .Net (http://watin.org/)
In any case, I think a client side solutions will bring a lot of problems to do this. Maybe you can login into it using a form tag which points to the page, but you won't be able to manipulate the page afterwards. Also, you may not be able to use AJAX due to CORS restriction. You could embed the target page as an iframe but you can't either manipulate the page because of differents domains used (you can do that under certains conditions but it's hard to achieve this imho). So a server side solutions sounds better to me.

Redirect URL using phonegap

I'm building a phonegap app in which I need to link to facebook, instagram and twitter. I need to allow users to login to each of these with their credentials and return an access token which I will be saving on the device using local storage. I can login the users perfectly fine when working on an actual site (which is a test site I have setup). The way it works is I have to redirect the user to a login page for each brand where they can login. This I can do fine from a phonegap app, but the issue is that each of them require a redirect url which I must supply for them to basically send the access token to once the user logs in. On the internet this works perfect, but I need to redirect url to somehow point back to the mobile device it originated from. I can do this using a proxy but I don't want to employ the use of a server as this comes with way to much overhead. So all that to actually ask my question:
How the heck do I redirect the user back to the mobile app after they have successfully logged in? I'm hoping this is something very simple that I'm missing, but I'm just not seeing it. :/
This is oAuth authentication which logs the user in and then tells the user's browser to go to the second URL. Typically, if you write an iOS app, you can always open it by doing something like this: ://. it should also be able to ready parameters passed this way.
For example: open safari on your iPhone and put "Skype://" as the address and it should open your skype app if you have it installed.
Try setting the return URL similar to what I mention above and see if that works.

Facebook Connect help

According to the Facebook API documentation, most of the work is handled through javascript.
That means that all the processing is done, and then the front end checks if the user is connected to Facebook/authorized. right?
My question is:
Suppose a user goes to my site for the first time ever.
He clicks on "facebook connect". The javascript verifies him as authentic, and it "redirects" to another page on my server. From then on, how do I know that the user is actually authenticated to my website, since everything is done on frontend?
I think this is correct, but aren't there some security issues..:
-After user clicks Login, Facebook redirects to a page on my site. AND they also create a cookie with a specific "Facebook ID" that is retrieved only from this user. My backened will "read" the cookie and grab that ID...and then associate it to my userID.
If that is correct...then it doesn't make sense. What if people steal other people's "facebook ID" and then forge the cookie? And then my backend sees the cookie and thinks it's the real user...?
Am I confused? If I am confused, please help me re-organize and tell me how it's like.
Facebook Connect uses a clever (or insane, depending on your point of view) hack to achieve cross-site communication between your site and Facebook's authentication system from within the browser.
The way it works is as follows:
Your site includes a very simple static HTML file, known as the cross-domain communications channel. This file is called xd_receiver.htm in the FB docs, but it can be named anything you like.
Your site's login page includes a reference to the Javascript library hosted on Facebook's server.
When a user logs in via the "Connect" button, it calls a function in Facebook's JS API which pops up a login dialog. This login box has an invisible iframe in which the cross-domain communications file is loaded.
The user fills out the form and submits it, posting the form to Facebook.
Facebook checks the login. If it's successful, it communicates this to your site. Here's where that cross-domain stuff comes in:
Because of cross-domain security policies, Facebook's login window can not inspect the DOM tree for documents hosted on your server. But the login window can update the src element of any iframe within it, and this is used to communicate with the cross-domain communications file hosted on your page.
When the cross-domain communications file receives a communication indicating that the login was successful, it uses Javascript to set some cookies containing the user's ID and session. Since this file lives on your server, those cookies have your domain and your backend can receive them.
Any further communication in Facebook's direction can be accomplished by inserting another nested iframe in the other iframe -- this second-level iframe lives on Facebook's server instead of yours.
The cookies are secure (in theory) because the data is signed with the secret key that Facebook generated for you when you signed up for the developer program. The JS library uses your public key (the "API key") to validate the cookies.
Theoretically, Facebook's Javascript library handles this all automatically once you've set everything up. In practice, I've found it doesn't always work exactly smoothly.
For a more detailed explanation of the mechanics of cross-domain communication using iframes, see this article from MSDN.
Please someone correct me if I'm wrong - as I am also trying to figure all this stuff out myself. My understanding with the security of the cookies is that there is also a cookie which is a special signature cookie. This cookie is created by combining the data of the other cookies, adding your application secret that only you and FB know, and the result MD5-Hashed. You can then test this hash server-side, which could not easily be duplicated by a hacker, to make sure the data can be trusted as coming from FB.
A more charming explaination can be found here - scroll about halfway down the page.
Same issues here, and I think Scott is closer to the solution.
Also Im using "http://developers.facebook.com/docs/?u=facebook.jslib-alpha.FB.init" there open source js framework. So things are a little different.
For me, via the opensource js framework, facebook provides and sets a session on my site with a signature. So what I am thinking is to recreate that signature on my side. - if they both match then the user is who he says he is.
So basically if a user wanted to save something to my database, grab the session signature set up by facebook and recreate that signature with php and validate it against the one facebook gave me?
if($_SESSION['facebookSignature'] == reGeneratedSignature){
// save to database
}else{
// go away I don't trust you
}
But how do you regenerate that signature? preferably without making more calls to Facebook?

Categories