How do you implement FIDO U2F using Webauthn APIs? - fido-u2f

I am currently using the window.u2f APIs to implement U2F two-factor authentication with my website. These are natively available in Firefox (when the about:config flag is enabled) and through Chromium with the u2f-api.js library.
My implementation uses window.u2f.register(...) during key setup and window.u2f.sign(...) during logins.
I have read that the new Web Authentication API is backwards compatible and supports FIDO U2F as well, however, I cannot find any information on how to implement it. All the samples only seem to demonstrate FIDO2 passwordless login, which is not what I want to do.
How do I implement FIDO U2F with the equivalent window.u2f.register and window.u2f.sign functions using the Web Authentication APIs?

Great question. Some incredible examples of U2F implementation can be found in Yubico's GitHub account. More specifically, if you want a working example of registering a key and authenticating it using JavaScript on the client side, with the crypto implemented on the backend with a Flask API, that example is located here. It supports both FIDO2 and the legacy U2F. Additionally, if you want a video of someone walking step-by-step through how the example implementation works, that is located here. I hope this helps :)

You can read this to understand what they mean by backward compatibility.
The thing to be highlighted for you:
CTAP1/U2F authenticator returns a command error or improperly
formatted CBOR response. For any failure, platform may fall back to
CTAP1/U2F protocol.
WebAuthn communicates with the authenticator using CBOR messages. If the authenticator doesn't support FIDO2, it will return an error code, and WebAuthn will then talk to the authenticator using U2F raw messages.
You can just implement WebAuthn like what you have read: Web Authentication API
You can refer to this for your implementation.

#kspearrin, here is the solution I got working.
I have users who were registered using U2F (u2f-api.js). Moving over to WebAuthn is actually straightforward. All the new registrations will use WebAuthn, and all the verifications will use WebAuthn with the extension parameter.
U2F:
Registration - window.u2f.register
Verification - window.u2f.sign
WebAuthn:
Registration - navigator.credentials.create
Verification - navigator.credentials.get
Compatibility for U2F registered users:
When using the navigator.credentials.get(), make sure to set the extensions.appid to the U2F appId parameter. In my case I use the origins.json URL.
https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions/extensions
Lastly, you will need to implement WebAuthn functions on both the client and server side. There are many libraries available depending on your platform. The responses out of WebAuthn contain data in ArrayBuffer format. The only thing I had to figure out was properly transferring the ArrayBuffer data between client and server. I had to convert them to base64 before posting to the server and back. Basically you have to massage the data format to make it work.
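The verification path described in this answer, as an added example in browser JavaScript (not code from the original answer or from any library it mentions). It assumes the server sends the challenge and the stored U2F key handles base64url-encoded under the field names used here, and the U2F appId URL is a constructed placeholder.

```javascript
const U2F_APP_ID = "https://example.com/origins.json"; // constructed placeholder for your U2F appId

// base64url <-> ArrayBuffer: WebAuthn returns ArrayBuffers, which JSON cannot carry.
function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}
function bufferToBase64url(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the publicKey options for a key registered with window.u2f.register():
// the old key handle is the credential id, and extensions.appid makes the browser
// hash the legacy appId (not the RP ID), so the stored public key still verifies.
function buildAssertionOptions(serverOptions) {
  return {
    challenge: base64urlToBuffer(serverOptions.challenge),
    rpId: serverOptions.rpId,
    timeout: 60000,
    userVerification: "discouraged", // U2F keys cannot do user verification
    allowCredentials: serverOptions.keyHandles.map((kh) => ({
      type: "public-key",
      id: base64urlToBuffer(kh),
    })),
    extensions: { appid: U2F_APP_ID },
  };
}
// Encode every binary field so the assertion can be POSTed as JSON.
function serializeAssertion(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    clientDataJSON: bufferToBase64url(r.clientDataJSON),
    authenticatorData: bufferToBase64url(r.authenticatorData),
    signature: bufferToBase64url(r.signature),
    // true means the server must check rpIdHash against SHA-256(appId), not SHA-256(rpId)
    appidUsed: cred.getClientExtensionResults().appid === true,
  };
}
// Browser-only: the WebAuthn equivalent of window.u2f.sign().
async function signWithU2fKey(serverOptions) {
  const cred = await navigator.credentials.get({ publicKey: buildAssertionOptions(serverOptions) });
  return serializeAssertion(cred);
}
```

The server side must verify the signature against SHA-256 of the appId whenever appidUsed is true, otherwise the legacy key's assertion will never validate.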

Related

Link a website (kraken.com) using API on Android Studio

I was wondering how I could link my application to the kraken.com server.
For example, making a login activity that sends the username and password to the server and if it's correct, open another activity.
Kraken's API is given by the following link: https://www.kraken.com/help/api
The problem is that I don't know how this API exactly works. How can I make an HTTP request, and what is JSON? Consider that I'm new in this area (APIs).
So firstly, JSON stands for JavaScript Object Notation; it's a syntax for exchanging or storing data.
I'm assuming you're using Java since you're using Android Studio.
Looking at Kraken's API page: https://www.kraken.com/help/api#example-api-code
They don't currently support a 3rd party Java library for API access. So you would be looking at using a RESTful approach.
Here is an example of how to use that approach in Java: https://www.mkyong.com/webservices/jax-rs/restfull-java-client-with-java-net-url/

Use token from Outlook web add-in for EWS write operations

Is it possible to use any tokens from an Outlook add-in for use with authenticating EWS Managed API operations that create or update items?
Apparently the token returned from mailbox.getCallbackTokenAsync can only be used in read operations. I can indeed verify that is a problem because attempts to send emails or call UserConfiguration.Update result in an error:
The requested web method is unavailable to this caller or application.
I have been testing these methods from an ASP.NET Web API App Service in Azure, called from JavaScript in the Outlook add-in.
Apparently mailbox.getUserIdentityTokenAsync can be used to validate a user, but it is not clear if that can be used in conjunction with OAuthCredentials for ExchangeService.Credentials.
Are there any options here? I cannot ask the user for their username and password to authenticate with Exchange. I am certainly willing to use Graph or the Mail API, but AFAIK there are no ways to update user configuration items with those APIs.
You're looking for makeEwsRequestAsync(). Both CreateItem and UpdateItem operations are supported by makeEwsRequestAsync.
You can find the full list of supported EWS operations in the documentation under EWS operations that add-ins support.
There is also support for calling into Microsoft Graph via the add-in, but as you noted, Microsoft Graph supports a very limited number of mailbox configuration options.

Using EWS SOAP requests in an Outlook web add-in

I need to use several EWS requests (e.g. GetUserConfiguration, UpdateUserConfiguration) that are not supported using Office.context.mailbox.makeEwsRequestAsync.
I cannot use the EWS Managed API in my own web service as a broker, and must use XML SOAP requests directly from the add-in's JavaScript (those methods are not available in the Graph or Mail APIs).
There are many examples (like this) showing how getUserIdentityTokenAsync can be used to pass that token to your web service (again, which I can't use) to use there in whatever way you need it.
However, I'm guessing the token retrieved from getUserIdentityTokenAsync is different and cannot be used. As a simple and hopefully appropriate test, I obtained an OAUTH token for my O365 account and used that as the token using SOAPe for a test GetUserConfiguration call and it worked. I then tried using the token from getUserIdentityTokenAsync and it didn't work (401 Unauthorized).
I concede that this may be a poor test, and I admit that at this point it is unclear to me how a SOAP EWS request from JavaScript in an Outlook add-in can be authenticated without requiring an explicit user login (hopefully it can). And if it can, how do I get the token I need and how do I use it for this kind of client-side request?
You may want to use the ews-javascript-api helper in this case. Here is an example of how to use this with Outlook add-ins.
https://github.com/gautamsi/ews-js-api-browser#working-with-plain-jsts-no-module-loadersbundlers
You may use any allowed API (available in makeEwsRequestAsync) with this library, with an API similar to what is available in the EWS Managed API.

Is it possible to build web Api application using dotnet core, MySQL with Authentication and Authorization?

I am trying to work out an application using
Dotnet Core 1.0
MySQL as the data store
Authentication and Authorization
Entity Framework
Ubuntu 16 machine
I have succeeded in creating a sample API to fetch data from a MySQL database using Entity Framework. Now I want to introduce Authentication using email as username and a password.
I tried several methods from different blogs but was unable to achieve this.
What I am trying to achieve is custom authentication for the API, where the user will send a username and password to the login API. The login API will return an access token and a refresh token. Using this access token, the user can call other APIs.
Later on I want to add Google and Facebook Authentication too.
Is there a way to do this?
Everything you want to achieve is possible. However, there are some caveats.
Yes, you can do this. You will need to use the resource owner grant, which is turned off in IdentityServer 4 by default. I suspect the reason for this is that passing user credentials into an application is an anti-pattern; it is there typically to support legacy systems, and also it does not authenticate users in the explicit sense because the credentials could come from an untrusted source (as an example). You can read up about the grant's generic value here. You can find samples here.
The safer pattern is to use something like Implicit Flow, which is good practice if you cannot guarantee trust between clients and your API.
As for social logins, this is possible. There are tons of samples online, but here are the official docs.
There is a project on GitHub, https://github.com/diogodamiani/IdentityServer4.MongoDB, and a corresponding NuGet package that will send you in the right direction. It's obviously MongoDB, but the same premise applies.

Zend2 Web Services Auth and zfcUser

Once I have created my web app with Zend2, zfcUser and bjyAuthorize, it's time to create the mobile app.
Our approach is to create an app with a JSON interaction with the Zend2 backend.
The problem is that I don't know where to start in order to deal with JSON auth. Is it possible with zfcUser? Any example out there?
Thanks in advance
The ZfcUser module provides support for additional authentication mechanisms via plugins (Google, Facebook, LDAP, etc.), but this feature seems to be in development now.
If you need your mobile application to authenticate through some custom protocol based on the JSON format, all you have to do is create a controller action (say, mobileAuthAction()) which takes a JSON array with user credentials from POST, uses the zfcUser API to authenticate the user, and returns the response in JSON format. You may also look at the view_manager configuration key to adjust the rendering strategy for your action to allow it to return JSON. Alternatively, you may call $viewModel->setTerminal(false) to disable the layout rendering and echo your JSON to standard output.