Enforce two-factor authentication on all controllers / actions - identity

I've built an authenticated .net core (5.0) web application using Identity (2.2) and set up two factor authentication using a smartphone authenticator app. This is all working fine. I'm now trying to configure the application to enforce the two-factor authentication so that in order to reach any controller / action (apart from those needed for the authentication process), a user MUST be two-factor authenticated, by which I mean they must have enabled 2FA, set up the smartphone authenticator app and then gone through the two-factor authentication process. I'm sure there must be an easy way to do this, but I'm unable to find any posts anywhere on how to do it. Can anyone help? Thanks in advance.
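One way to get this behaviour, as an added example that is not code from the question or from ASP.NET Core Identity itself: a `Startup` that (a) makes every endpoint require a signed-in user through an authorization fallback policy and (b) sends any user who is signed in but did not complete the two-factor step to the 2FA setup page. It assumes the default Identity UI lives under the `/Identity` area (so the setup page path `/Identity/Account/Manage/EnableAuthenticator` and the login/2FA pages are as scaffolded), and that `SignInManager`'s two-factor sign-in adds the claim `amr` = `mfa` to the principal, which is what the check keys on. A sign-in that skipped the 2FA prompt because of the "remember this machine" cookie does not carry that claim and is therefore treated as not two-factor authenticated, matching the strict reading of the question.

```csharp
// Added example (not from the question or from Identity): force 2FA on every endpoint.
// Assumptions: default Identity UI under /Identity; two-factor sign-in sets claim amr=mfa.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Default Identity UI page where a user enables the authenticator app (assumed path).
    private const string TwoFactorSetupPath = "/Identity/Account/Manage/EnableAuthenticator";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        services.AddRazorPages();

        services.AddAuthorization(options =>
        {
            // Fallback policy: every endpoint with no [Authorize]/[AllowAnonymous] of its own
            // requires an authenticated user, so nothing is reachable anonymously by accident.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();

            // Named policy for endpoints that should return 403 instead of redirecting
            // when the user has not completed the two-factor step: [Authorize("TwoFactor")].
            options.AddPolicy("TwoFactor", policy => policy
                .RequireAuthenticatedUser()
                .RequireClaim("amr", "mfa"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();

        // A user signed in with a password only (no amr=mfa claim) is redirected to 2FA setup,
        // except inside the Identity area where the login, 2FA challenge and setup pages live.
        app.Use(async (context, next) =>
        {
            var user = context.User;
            if (user.Identity?.IsAuthenticated == true
                && !user.HasClaim("amr", "mfa")
                && !context.Request.Path.StartsWithSegments("/Identity"))
            {
                context.Response.Redirect(TwoFactorSetupPath);
                return;
            }
            await next();
        });

        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
            endpoints.MapRazorPages();
        });
    }
}
```

Users who have 2FA enabled never reach the app with only a password, because Identity issues the application cookie only after the second factor succeeds; the redirect therefore only affects accounts that have not enrolled yet. The `/Identity` exemption is deliberately coarse (it also covers the other Manage pages for a not-yet-enrolled user); narrow it to the specific pages if that matters.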

Related

how to implement sso for openshift

I'd like to implement a kind of SSO for OpenShift. What I mean: from my webapp a user can open the OpenShift console in a new window without giving his credentials. I've configured Basic Authentication Remote and it's working; I can open a new window and post username/password, but it looks like OpenShift is protected with a CSRF token. Thus I'm not sure if it's possible at all. It seems that developing a custom identity provider is not supported either. Any idea?
PS: I'm aware of the Request Header Identity Provider, but that solution requires my webapp to provide IdP functionality (not even sure if it's feasible) and also Apache (we use nginx); it's a lot of issues for a dev to install it all on a single computer due to port conflicts, valid SSL, etc.
The best option will be to use oauth-proxy. See if this helps in your case.
https://github.com/openshift/oauth-proxy
Finally, I've implemented SSO using JS postMessage to send user/token data and Basic Authentication Remote.

Should multiple Spring Boot App instances running behind a load balancer work with spring CAS user authentication?

I have a Spring Boot application I am working on that uses CAS authentication. I have CAS working fine; however, once I start more than one copy of the application behind a load balancer, the app fails to authenticate.
The app takes the user off to CAS and returns to the home page where, once authenticated, the user should see the main interface. But instead, when it returns from CAS, the Spring Security authenticated check still thinks the user isn't authenticated.
If I reduce my instances down to one, it starts working fine again.
I am running this app behind an F5 load balancer, so I am trying to figure out if there is some missing configuration on the F5 or if there is something I need to do in my app to deal with the switch from one server to another, etc. I assume this is causing the issue, but I want to keep my app stateless and not rely on making the F5 sticky for a given user. Actually, I even tried setting the feature on the F5 but still get the same behavior, so I'm not sure what is really happening once more than one app instance is running.
My understanding was that this should just work because I have server.use-forward-headers=true configured.
Am I missing some other CAS, Spring Boot Server, or Spring Boot Security settings that are necessary to make this work?
Should this be working with CAS authentication?
I am using Spring Boot 2.0.4.RELEASE
I am using spring-security-cas-client 3.0.8.RELEASE
I found the solution to this issue. It seems that Spring Boot Security defaults to session-based security, so you need to implement your own stateless security to get this working in a stateless manner.
Thanks to this blog post and some additional help from the blog post author, I was able to get this working perfectly in Spring Boot 2.x.
Check out the post; it's interesting and works perfectly.
https://www.dedicatedcode.com/posts/stateless-authentication/
Thanks to others who provide answers that sent me in the correct direction to find this solution.
I believe the problem is with the multiple-CAS-server cluster. When your Spring Boot application is looking for a valid ticket, it fails to authenticate.
CAS has support for this kind of situation; try reading the link below:
https://apereo.github.io/cas/5.2.x/installation/Hazelcast-Ticket-Registry.html
If the above solution works, you have to add a dependency for the support and update your property files.
Hope this helps
If you are using OAuth / SAML / Delegated Authentication, then you might need to set your F5 load balancer (or any load balancer) to enable "session persistence" in order for CAS server to function normally.

What is the difference between a Native Application & Server Application when talking about ADFS Application Groups?

I'm new to Federation Services and I'm trying to understand how ADFS works as a whole, and I've started to get down into the details. I followed along with creating an app using OIDC to authenticate a user; however, within the tutorial, they specified using a "Server Application" when setting up an Application Group. This ended up not working for me, so I tried setting up a "Native Application" application group for kicks and was able to successfully log in.
The thing that threw me off is that I ended up hosting ADFS on a server outside of the domain in which I had my application running, so I'm confused as to how that is "native" in terms of ADFS.
I went looking for this answer within Microsoft's documentation, but I didn't find the information very clear.
Native Application:
"Sometimes called a public client, this is intended to be a client app that runs on a pc or device and with which the user interacts."
Server Application:
"A web application that runs on a server and is generally accessible to users via a browser. Because it is capable of maintaining its own client 'secret' or credential, it is sometimes called a confidential client."
This may seem simple to some, but I'm trying to really get a grip on what would be used when. To me it sounds like a native application is used when you're running the application natively on a PC which the user is also using, and the server application is run remotely, where the user would not be using the same machine. Is it really that simple, or am I misunderstanding?
A native application (in Microsoft speak) is something that is not browser based, e.g. mobile. The code runs client side. It may use JavaScript, in which case the secret key is publicly accessible. (The secret key is one of the OAuth parameters.) You use ADAL / MSAL to access it.
A server application runs server side, e.g. a web API. The secret key is not publicly accessible. You use OWIN to access it.
These terms have no relevance to where ADFS is actually installed. Native applications typically are not domain joined.

Is there a way to connect with EWS without user credentials if I'm not using Office 365?

The original jamesiarmes/php-ews offers authentication only by username/password. The fork by Garethp has some OAuth functionality, but it requires Office 365 and registering an application in Azure. Is there any possibility to connect to Outlook by web browser just relying on the user logged in to the Windows system? I know how to read which user is logged in using Kerberos, but I don't know if it's the right tool to do it.
There's no way with either of those tools. I looked into trying to use Network Authentication as a method of auth, since my fork uses NTLM anyway, but I couldn't find any resources on passing NTLM authentication over SOAP calls. That being said, if you can find some examples, I'd be happy to build it in as a method of authentication for you.
In the EWS service object, you can select the flag to use default credentials, meaning whatever user context the code is running under. Would that help?
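What the "use default credentials" flag looks like in practice, as an added example that is not code from the question or either answer: the .NET EWS Managed API's `ExchangeService` with `UseDefaultCredentials = true`, so the request is authenticated with the Windows identity the process runs under (Kerberos/NTLM) and no username or password appears in code. The mailbox address is a constructed placeholder; the example also validates Autodiscover redirects so credentials are only ever sent to HTTPS endpoints.

```csharp
// Added example (not from the question or answers): EWS Managed API connecting with the
// credentials of the current Windows logon instead of a username/password.
// Assumption: on-premises Exchange with Windows authentication enabled on the EWS endpoint.
using System;
using Microsoft.Exchange.WebServices.Data;

public static class EwsDefaultCredentialsExample
{
    // Autodiscover may hand back a redirect URL; accept it only if it is HTTPS,
    // so the integrated credentials are never negotiated over plain HTTP.
    private static bool RedirectionUrlValidationCallback(string redirectionUrl)
    {
        var uri = new Uri(redirectionUrl);
        return uri.Scheme == Uri.UriSchemeHttps;
    }

    public static ExchangeService Connect(string mailboxAddress)
    {
        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
        {
            // Authenticate as the account running this code (Kerberos/NTLM).
            UseDefaultCredentials = true
        };

        // Locate the EWS URL for the mailbox; the callback vets every redirect.
        service.AutodiscoverUrl(mailboxAddress, RedirectionUrlValidationCallback);
        return service;
    }

    public static void Main()
    {
        // Constructed placeholder mailbox address.
        var service = Connect("user@example.com");

        // Simple read-only call to confirm the connection works under the logged-on identity.
        var inbox = Folder.Bind(service, WellKnownFolderName.Inbox);
        Console.WriteLine($"Inbox '{inbox.DisplayName}': {inbox.UnreadCount} unread");
    }
}
```

The same idea (sending the current Windows logon rather than stored credentials) is what the question is after; it requires the code to run in a Windows session or service account that Exchange trusts, which is why a PHP library running elsewhere cannot simply reuse it.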

Connect Xamarin.forms with MySQL

I know about the Xamarin connection with SQLite, but it is local.
I need to connect my remote MySQL database with Xamarin.Forms (I know about the security issue of this without using a web services layer, but I will only use it for my own work).
This plugin is for Xamarin.iOS and Xamarin.Android.
I cannot add it using DependencyService because I cannot add this component to the shared project.
So is there any example of connecting a MySQL database with Xamarin.Forms?
You can't add references to your shared library. Shared libraries act like a list of files that are directly included in the project. The advantage of shared projects is just, that you do not have to maintain these included files for each project that uses code of the contained files. See the Xamarin documentation for further explanation.
What you have to do, if you want to consume a 3rd party library within a shared library: add the library to each project that uses the shared library (e.g. your iOS and Android project).
My 2 cents on the mentioned security issue
You are right about the security issue. That's why I'd advise against using MySQL directly from your app. (I'll explain it for other readers that aren't aware of this problem and stumble over this question.)
You should tunnel it through HTTPS because:
Some networks just block certain ports (HTTP and HTTPS are usually not blocked).
You publish your credentials with your app either statically or dynamically, but the credentials to your database are interceptable either way. You should authenticate a user and not an app. So there should be some kind of authentication / authorization that is revocable. There was a nice talk by Kerry Lothrop at Xamarin Evolve 2016 on this topic. https://www.youtube.com/watch?v=uLFtQHNxGaI
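The pattern the answer recommends, written out as an added example that is not code from the question or the answer: instead of opening a MySQL connection from the app with embedded database credentials, the Xamarin.Forms app calls an HTTPS API with a per-user bearer token, which the backend can expire or revoke. The API base URL is a constructed placeholder, and the token is assumed to have been obtained by a login call and kept in Xamarin.Essentials `SecureStorage`.

```csharp
// Added example (not from the question or answer): HTTPS API client with a revocable
// per-user token, in place of a direct MySQL connection from the mobile app.
// Assumptions: placeholder API URL; token already stored after a login call.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Xamarin.Essentials;

public class NotesApiClient
{
    // Anti-pattern the answer warns about (never ship this in an app):
    //   new MySqlConnection("Server=db.example.com;Uid=app;Pwd=shared-secret;...")
    // Everyone who installs the app can extract those credentials.

    private const string TokenKey = "auth_token";

    private static readonly HttpClient Http = new HttpClient
    {
        BaseAddress = new Uri("https://api.example.com/"), // placeholder; HTTPS only
        Timeout = TimeSpan.FromSeconds(15)
    };

    // Called once after the login endpoint returns a token; SecureStorage maps to
    // Keychain on iOS and KeyStore-backed storage on Android.
    public static Task SaveTokenAsync(string token) => SecureStorage.SetAsync(TokenKey, token);

    public static async Task<string> GetNotesJsonAsync()
    {
        var token = await SecureStorage.GetAsync(TokenKey);
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("Not signed in; run the login flow first.");

        using (var request = new HttpRequestMessage(HttpMethod.Get, "notes"))
        {
            // The user, not the app, is what the backend authorizes.
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

            using (var response = await Http.SendAsync(request))
            {
                if (response.StatusCode == HttpStatusCode.Unauthorized)
                {
                    // Token expired or was revoked server-side: forget it locally and
                    // make the user sign in again rather than retrying blindly.
                    SecureStorage.Remove(TokenKey);
                    throw new UnauthorizedAccessException("Session revoked; sign in again.");
                }

                response.EnsureSuccessStatusCode();
                return await response.Content.ReadAsStringAsync();
            }
        }
    }
}
```

The backend behind `/notes` is where the MySQL connection lives; the app never sees a database credential, and disabling one user's token does not affect anyone else, which is the "revocable" property the answer asks for.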