I've created a Node.js WebApp and placed it on Azure. This hosts a Socket.io WebSocket and Website that I want to protect behind a form of authentication. My initial plan was to use ActiveDirectory, but I can't find any information on connecting a WebSocket using that kind of authentication.
Is there a way to use Active Directory or another similar and easy to setup authentication to protect both the website and the WebSocket?
I am planning on connecting to this server-side web app from a local machine using a socket.io-client.
I would look for an HTTP-based solution which allows you to interact with the active directory environment. You can then wire together this integration with your existing WebSocket solution.
This library looks promising: https://github.com/gheeres/node-activedirectory
It also looks like Azure provides a REST API for Active Directory: https://msdn.microsoft.com/en-us/library/azure/hh974476.aspx
I work at Stormpath, we also have an Active Directory feature that allows you to connect your Node.JS application to a data store that is synced with Active Directory. See Integrating Stormpath with Active Directory and LDAP
Hope this helps!
After much consideration on simplicity, I decided to drop the traditional Azure provided ActiveDirectory Authentication all together. (It blocks WebSocket traffic so that I could not do any manual authentication over the sockets)
I instead handle the website authentication myself using Passport and whichever authentication I choose Active Directory, Facebook, Google, Twitter, Github.
For the Socket.io authentication, I used socketio-auth to protect the connections with a custom layer of security and authentication.
Related
I have implemented the OIDC in the backend express app using express-openid-connect
with the provider as ADFS and on successful authentication the express app saves the info into session and the backend APIs are protected.
What mechanism/library I can use to protect my react app using OIDC and can also hit the protected APIs at the same time?
React and Node are on different domain basically they are independent and deployed on different server.
WEBSITE MODEL
The express library is for scenarios where you are using a Node.js website that serves your React app's static content. Requests for your index.html file will trigger a redirect if there is no secure cookie yet.
After user sign in, an HTTP only encrypted cookie is written, and you can then call APIs via other routes in the website, as explained in this section of the docs. The web back end decrypts the cookie, then makes an access token available that can be forwarded from the website to APIs.
SPA STATIC CONTENT HOST
If you want to serve the SPA as just static content, similar to development web servers like webpack, the express solution is not the right architectural choice and you need a different option. You can't just throw these things together.
However, current security best practices mean you should only use secure cookies in the browser, so you need to solve this problem, and it is far from easy. The simplest option in the short term may be to serve static content via express.
FURTHER INFO
We have plenty of info on SPA architectures at Curity, starting with SPA Best Practices and a React Code Example, but it is very architectural, and SPA security is a tough topic. So you need to discuss requirements with your stakeholders, based on costs and benefits.
I need a solution for authenticating azure function endpoints with node js and javascript without using azure active directory and to know what are the possible ways to authenticate the azure function endpoints..
Microsoft provided multiple security options to fully secure our function endpoints along with the Azure Active Directory Authentication but we can use one of the following options:
App Service Authentication Authentication/Authorization using AAD
Azure API Management provides a different API security options for incoming requests that you can configure your function app to accept requests only from the IP address of your APIM instance or specify the required access level IPs.
You can deploy your function app in an isolated app service environment which lets you configure the private DNS Zone and an application gateway acts as Firewall.
Azure Front Door is also one of the option to secure the endpoint of HTTP requests.
To know more information on the above options, refer these Microsoft Documentation and MS Doc2.
I am creating a desktop application that using Spotify's oauth api. I am using the implicit grant flow described here: https://developer.spotify.com/web-api/authorization-guide/#implicit_grant_flow
My idea is to have an "Authenticate" button, that you click and it opens your browser. You login/approve the connection with Spotify. Then it sends you to a redirect url.
I want to set this redirect url to 127.0.0.1:58212 or some port on the loopback device.
My question is, should I use https for this?
I am leaning towards yes. One because the access token needs to be secure, and I believe other users on the system could potentially read the message when it is sent, and two because in the time it took the user to log in, someone could have taken over the port.
So I want SSL for encryption of the message, and I want to ensure I am actually talking to my app.
How do I generate certificates in this situation? I think each instance of the application needs to have its own certificate, and I need to somehow inform the computer to trust that certificate during the lifetime of the application.
I could also generate the certificate during installation, and do some step during installation that makes the system trust that certificate.
Am I thinking about this the correct way, or am I going about this all wrong?
I am using electron and express in JavaScript to write my application.
Thanks for any advice.
The best way to securely use Oauth with installed applications such as desktop applications is to use the Oauth 2 flow for installed applications. But this option would have to be implemented by the service provider. Google provides for this option.
https://developers.google.com/api-client-library/python/auth/installed-app
Unfortunately, many services do not implement OAuth2.
To use Oauth 1.0 with installed applications, instead of returning to a callback_url, the service provider displays the auth code to the user which the user can then copy and paste to the desktop application. Check out Trello Ouath integration which allows for this.
The Web Api flow that you are trying to achieve will not work in the case of desktop apps. The redirect uri 127.0.0.1:port is your local uri. The service provider will need, at the very least, your public ip to redirect the flow back to your system.
AFAIK, for a Desktop or a native app it is much better to implement the Oauth authorization code flow. The implicit grant is intended to be used on a device browser and not on a Web View.
If your app uses a Web Service to connect, your Web Service needs a redirect URL that uses https. Luckily most hosting platforms like Heroku provide this to you for free (otherwise you need to buy an SSL certificate which might be a lot of work).
On the authorization code flow, a token doesn't need to see the client, it is all stored in the backend.
Most services allow you to test on localhost with http.
I wrote a tutorial that could give you some guidance on the flow.
I want to add a chat app to my e-commerce website which offers one-to-one chat between the buyers and the sellers. After searching ,web sockets seems to be right for this but it requires node.js server and the rest of my website is in php with apache server. I have read that it is not good to run both apache and node server at the same time. For video chat I'm using appear.in's javascript api which has no such limitations.
How can I run the node.js app under this scenario?
There are plenty of web socket libraries for PHP, e.g. Ratchet.
If this is the only reason for you to move parts of you application to Node.js, you shouldn't necessarily do it.
I am attempting to write a plugin for a webapp that integrates it with facebook using the Javascript API. The application is installed by our customers on their own servers each with their own site names. This poses a problem to me as Facebook wants me to specify a site url for the application. This url is going to be different for every customer. Creating a new application for each customer is not an option.
In my research of this problem it seems that I have to pretend to be a desktop app and follow that authentication path. I cannot figure out how to do this.
Anyone have any idea how this can be done?
Are you going to host the app as a canvas app or outside facebook?
Is the url important to you? There is a strict one-to-one relation between base-url and application.
What many apps do is host the apps as directories in their domain. For example http://crazy-fb-app.com/customername
That's your options basically if you want to use Javascript SDK.
If you're going to be using server side technology you could have the user authorize the application while requesting permission to access user's data while he's offline. in that case you will receive a non-expiring (or long-expiring) authentication token which you can use from the server to make Graph API calls on behalf of the user. For some stuff you can obtain an Application Auth token (which is shorter and non-user-specific) to make calls to the graph.
Rotem