When using CAS Surrogate Authentication as per:
https://apereo.github.io/cas/5.1.x/installation/Surrogate-Authentication.html
is it possible to retrieve the identifier of the primary (admin) user in the application which they're being logged into?
This is for the purpose of logging both the identifier of the impersonated user and the admin user who is performing the action on behalf of the user.
Yes, in the final validation response both attributes are returned that represent the impersonated user as well as the "admin/real" user. Both are also sent to the audit log.
Related
How to identify an user with specific information like unique id or reference number in ejabberd API for chat?
I want to chat with someone then user has some information except name which is unique for that specific user. so we can identify the user in chat based on that?
on register user while calling /api/register API, there is no any unique response which is useful to make chat with another user
Even, /api/registered_users given only name of all the registered users, not any unique information
So, what is the solution?
any other APIs is there for the same or what?
A user (that may be a person, or a machine, or an animal) can register an account in ejabberd (or any other server). That account is identified by the account username and host, for example tom#example.com.
The user uses an account, and the account is identified by the account username and host.
There is nothing else. What else could there be?
Is it possible for my server to get credentials for a user without their username and password in order to send it back to the client?
I have another means of authentication and I think this would be easier to do this rather than trying to store tokens in a database where they will expire.
Yes. You can provide alternatives to Username/Password to login a user. Developer Authenticated Identities Authflow let your server take the place of the user pool or other social identity provider.
User Pools are just that, an AWS hosted authentication tool. They let users prove they own a specific login string (email, phone, etc.) by providing a password. Then that user is mapped to an Identity in an Identity Pool.
You can also use Facebook as the "proof" and get an Identity ID that way. If you pass both (User pool and Facebook) tokens to the Identity pool at the same time you will link those two login ID under one Identity ID. Now you can log in using either method and the app will treat you as the same person because you have the same Identity ID.
You can implement a server which will let you act as that same type of provider so that users can prove to your server they are who they say they are then you can signal to the Identity pool that they are "X" person.
The thing to remember is that the User pool is used to store and validate username/password combos (and some other attributes if you want). The Identity pool is used to map 1 or more logins (Facebook, Google, User Pool, etc) to an Identity Id that your app(s) can use to identify/differentiate users.
No you would have to either, at least authenticate once with Cognito (afterwards use refresh tokens to obtain new id/access tokens without having to enter username/password) or federate with another Identity Provider (but you would still have to authenticate with that identity provider).
CAS can push the logged in user attributes to the client when using the SAML ticket validation. But if I use OAuth, is there another way that I can retrieve user attributes through a second call to the CAS server using the received accessToken? I think this should be possible as when a user is authenticated(eg. through facebook) the requested attributes are in CAS memory.
Yes, it's possible as the user's attributes are indeed stored in the CAS server. As explained in the documentation: https://wiki.jasig.org/display/CASUM/Configuration+for+the+OAuth+client+support+in+CAS+server+version+%3E%3D+3.5.1, you can define what OAuth attributes you want to retrieve exactly like for any other attribute repository. You can even recreate the user's profile on the CAS client application side.
Here is a working example: https://github.com/leleuj/cas-oauth-demo-3.5.x/blob/master/cas-oauth-client-demo-3.5.x/src/main/webapp/WEB-INF/deployerConfigContext.xml. You can also get the OAuth access token to perform additionnal operations...
I create a brand new schema called 'blogpost' with the service http://www.Stackmob.com. Its read/write access is granted to authenticated users.
After authenticating as a user to my schema, my POST queries succeeds, but GET fails with
{"error":"Invalid OAuth credentials or signature: Key not provided"}
I don't understand this because the authentication header in my POST/GET requests are created from the exact same function, which takes input mac_key and access_token values granted to a user from the server.
Why would this be? Details of the code post is also at:
http://stackmob.zendesk.com/entries/27724236-Invalid-OAuth-credentials-or-signature-Key-not-provided
I hope this is not a Flash11 restriction.
I have an iPhone application that needs to collect data from an online MySQL database. I've written a PHP web service so I collect the data with JSON. The problem is that everyone can see the data if they go to the URL now. How do i secure the data transfer properly?
Thanks for your suggestions.
Typically, if you are showing data private to a particular user, then each user will generally have an account (user id and password). The app will pass the user's credentials to the server before the server will provide the user's data.
You can also do something similar using SSO integration, or OAuth (ala Facebook).
In some cases, your app may only pass the username/password on the initial call and receive a session ID, which the app passes on remaining calls. This allows the server to store session data.
Even if the data isn't private to a particular user, you can use accounts to restrict access and privileges for a publicly reachable web API.
In all of the above cases encryption such as SSL (HTTPS) must be used to protect the authentication mechanisms and data transfer.
I'm assuming your data is public for all users of your app, in other words, you don't want to implement a login mechanism for your users. If you just want to make sure you return the data only to users of your app and not to anyone who happens to enter the right URL in their browser, you will need to sign your requests, so that only requests from your app are accepted by your server.
I use a secret key that my app uses to create a hash/digest of the request which the server verifies (it knows the secret key as well). Also I make sure requests cannot be replayed if they are intercepted by adding a timestamp and a nonce. The timestamp is checked to be within 10 minutes of the server's timestamp (relaxed sync) and the nonce must be unique (server keeps the last 10 minutes of nonces). This way no-one can copy the same request, the server will just serve an error if they try.
This post explains how to sign your requests in a bit more detail:
http://www.naildrivin5.com/blog/2008/04/21/rest-security-signing-requests-with-secret-key-but-does-it-work.html