Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I am really new to Azure and honestly not so familiar with Active Directory since majority of my works were relying on different users and their logins completely saved in DB.
But I have got a new requirement for a little big application and its going to work in Azure.
Its an ecommerce application, but other than being a common ecom application, its little different. Each sellers can sell their goods from their own shop page. Customers never get a feeling they are buying from a common store like Amazon.
My concern is how to handle the users and their logins and transaction. I have got confused about Azure AD because many pages says Azure AD can be use for handling the users and roles.
So does it means I dont need to store user ID and roles separately in my table and Azure AD can handle those part??
Expecting kind help because I am a beginner..
What you are looking for is Azure AD B2C.
It's service to support user credentials and authentication flows. Users can use the authentication flows to sign up, sign in, and reset their password. Azure AD B2C stores a user's sensitive authentication information, such as the user name and password. The user record is unique to each B2C tenant, and it uses either user name (email address) credentials or social identity provider credentials
you can follow this on how to setup
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 days ago.
Improve this question
I've written .NET WPF desktop app for Windows OS and now I'd like to restrict access to it only for signed in users. Additionally, some features of the application should be available only for users with certain type of priviledges (admin/regular user). The application will be installed on numerous machines so some kind of remote database should be used to store and manage users credentials (login, password and username) so that they could sign in to the application from anywhere.
What is the best approach to achieve that? I've read about Azure AD and it seems to be the most popular solution for authentication and accounts management, but are there any other (maybe better) ways?
If I use Azure AD, I also have to use MSSQl or is it possible to use other type of db?
And do I even need to create a database as I want only create/manage accounts and perform authentication operations?
I've read about Azure Active Directory and relational databases. For now I struggle with sorting all those concepts out. As far as I understand, Azure AD is used only for authentication and once the authentication is successful, user gets access to db with certain priviledges. What I need is to know if my reasoning is ok and I'd be grateful if more experienced people advise me what are the best practices to achieve my goal
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I'm facing a problem developing the app for the client that uses a SQL Server with Windows authentication only, so the situation is that there is a number of Windows accounts in Active Directory that can access the database and some application are using those accounts.
My problem is I have to develop a C# application that has to get any modification in specific table with a SqlTableDependency the only way to access the database is by using an administrator account; is there a way to define any of the defined accounts to connect using Windows authentication for users to execute the app developed?
And many thanks.
You make this assertion about SqlTableDependency:
The only way to access the database is by using Administrator account
But that is not correct. ANY account can do this, no matter what kind of authentication it uses, if the required security permissions are granted. You will need to find out the exact permissions this item uses and communicate with your client about granting those permissions to their users.
At this point there's a good chance your client will get uncomfortable... they may not have realized what they were asking for! But that's okay. Now you can have a real conversation about what their needs are. Perhaps they need a special (sql-auth-based) service account for this. Or perhaps they want to change the architecture so this runs as a background task on the server. It doesn't matter: the important part is you and the client are now making better-informed decisions about the application.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 2 years ago.
Improve this question
We have a mobile app with ServiceStack-based cookie authentication. The app stores the user's login cookie and keeps itself logged in if the user so desires.
We have a 'Purchase PIN' feature in the app - the user can set a PIN and require it to be entered every time they make a purchase. The intention is to guard against purchases being made on a stolen or mislaid unlocked phone.
The app has a settings/configuration view in which, amongst other things, the user can set and turn on and off the purchase PIN. We therefore need to force the user to re-authenticate to be able to edit their settings.
Our thinking is that when the user tries to enter the settings page:
The app requires the user to re-authenticate with their password.
In response, the API issues a token back to the app. The token represents some secret that only the API knows, plus the user ID, plus an expiry timestamp in the near future.
All user-settings-related API calls require a valid token to be sent in the request.
The API validates that the token was issued for the same user, and checks that the timestamp is still good.
If the API finds that the token isn't valid or has expired, it responds with a signal that the UI should have the user re-authenticate to obtain a new token before continuing.
This all has to live outside / alongside the existing ServiceStack cookie authentication (reworking our current auth layer is outside scope and timeline for various reasons).
What's the best practice for implementing this additional level of security in ServiceStack?
You may want look at the WebSudoFeature Plugin which allows a privileged protected service to force the user having to re-authenticate in order to be able to access Services annotated with [WebSudoRequired].
As for the expiring token I'd implement that as a separate App Layer security feature passed as a Request DTO property into your Service instead of trying to integrate it with ServiceStack's top-level authentication.
For its implementation you could create a JWT Token manually which you could validate in your App or you could generate a DB entry with a UUID/Guid PK that contains the expiry as you may want this to maintain audit info (e.g. time/IP) when these PIN authorized tokens are used rather using a stateless Token without any audit history.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I'm developing a ASP.NET MVC application that runs on one server. The server has user accounts.
The user accounts are not allowed to RDP to the server, but I want to give them a way to change their password through my website.
The website has a home page that anonymous users can see, also an account page that users have to use their windows credentials to log in and see, and there is a Forget Password button. If the users forget the password, I can reset for them.
The users go to my website through Internet.
Is Windows authentication able to allow anonymous access to some page? Is Form authentication able to read Windows account credential? Which way is easier in implementing my requirements?
In general, there is extensive information on ASP.NET MVC authentication types available.
The Problem with Windows Authentication is, that it's quite limited. You can't really have a "Forgotten Password" function with Windows Authentication, it's basically read-only access, but on the other hand, the easiest/fastest solution for Windows Intranet Sites. That's by design, users should change their password through Domain functions. Anonymous access is easy, for example, simply decorate a single method ("Action") or a whole Controller with the [AllowAnonymous] attribute.
Your most flexible choice probably is to use ADFS. It's best of both worlds. You can have a combination of Windows authenticated internal users, Forms authenticated external users (with Username/Password incl. "Forgot Password" function etc.) and anonymous access, as described here. But it's not the easiest way obviously.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I have created an asp.net MVC web API application which uses JWT token to authorise the users after normal login.
I am able to implement it correctly but I have following concerns regarding security:
If someone copies the token of valid user and tries to access the api
(my current implementation not able to identify it).
How to detect if someone logins from two different machines?
What are the other things needed to be included in JWT token generation? (I have now used userid in my current implementation)
I need some guidance.
Thanks In advance!!
Copying the token is not easy as you will store it in local storage of browser. It will be more secure than stealing cookie.
You can add one more claim : Mac Address. Then on each request compare the Mac Address of Request with Mac of Claim.
Use a long random string, it should be enough. I would recommend 25 characters as standard. Don't store the key in web.config. Your token is as secure as the secrecy of your key.