I'm developing a blazor server web application and I've been reading about Cross Site Request Forgery vulnerabilities. I understand that the mitigation is to use anti-forgery tokens when a form is submitted so that a form in a malicious website won't be able to submit. But in a Blazor Server App, it uses SignalR so that the form doesn't really submit. It occurred to me that maybe Blazor Server apps aren't vulnerable to CSRF because the runspace is bound so that the session doesn't exist if you open a new tab or something like that, I'm pretty new to this stuff. So what's the go with CSRF and Blazor Server Apps?
Related
I’ve got a set of APIs written in ASP.NET. These are to be accessed by a web app and native mobile app, and should be protected by the SSO.
I would like to be able have a SSO, where the user can login online and access the web app, and can also login on the native app (via the browser), and it’ll remember their login details (ie with an authorization_token).
I’ve been looking into IdentityServer4 but I’m a bit stuck on which authorization flows I would need for this.
Any help is appreciated, as it’s starting to hurt my brain! Do let me know if I need to explain it better.
For flows, there are today only two flows you should consider.
Authorization code flow, this flow is for clients where you want a user to login/signup, like a mobile app or web-application. Meaning, you have a user and a browser involved here.
Client credentials flow, is all about machine to machine communication, where you have no user involved.
We're looking to secure an Angular application that is running in an MVC project.
If I secure the MVC app using hybrid flow, then all the Angular $http calls are jQuery $.ajax calls under the hood. Which if I remember rightly, sends all cookies with each web API call.
My question is, how should I secure this application. Do I need to secure the MVC app using hybrid flow and then do I need to further secure the APIs?
EDIT
I've just been watching the NDC video and it talks about asking for 2 tokens when you originally authenticate.
Communication between an angular app and MVC is usually secured using session cookies. If you need your APIs to be called from other apps then you better move those APIs to WEBAPI and communicate with them using bearer tokens. If you already have other APIs that require bearer token, you can get an access token in hybrid flow and talk to those APIs(from either the angular app or the MVC app).
I'm not really interested in API authentication - all I want to do is authorize a user who has access to one or many applications from a kind of portal I am designing. We are hosting the all the web applications, some are just Javascript and HTML, some are MVC.
I have created a diagram below with a user called Bob. He is a valid user and is allowed to use an application called "JS" but not MVC. How can this be implemented using Identity Server. Obviously when inside the JS application it still needs to talk to the Identity Server to make sure the current user is valid or else somebody could just copy the url of the app and use the application.
NOTE - the JS application is just a plain old HTML5 and Javascript application it is nothing fancy like an .NET MVC app.
One way to achieve this is by registering individual applications (JS and MVC app) as separate clients in IdentityServer (assuming each application has different redirect URI’s) and restricting access between those clients.
In order to restrict access between clients for an authenticated user, you need to use ICustomRequestValidator interface.
More details in this discussion board and a similar post in SO thread
I am developing a web application where i wish to achieve stateless communication between the client and the server.The server serves out a web page template to a client.Now from the client side i wish to know the identity of the user of the application so that i can print his name on the page.
Since it is a facebook app so i am not providing the option of user to login or logout through my application.
How would i be able to do it?i can not use JSP to serve dynamic web pages and also i can not use cookies.
That leaves localStorage, I guess.
But I do have to wonder what the point is of said application, with only client-side state.
I'm developping a SSO web system for my company. When poeple want access to an application, it redirects the user on the SSO server (web application) which keeps the authenticated user in memory. The SSO server then redirects the user to the application, which is creating its own session.
The problem is when a user spend a lot of time on the application, the session on the SSO is lost.
Have you an idea to resolve this problem ?
My SSO application is an ASP .NET application and others applications could be in ASP .NET or ASP .NET MVC3.
Thanx for your help
You would need to look into setting the timeout values of the WebAgent by observing the typical usage patterns of your users..
So how do you currently handle the user's SiteMinder session timeout..? Ideally you would be using a redirect URL to a custom page that informs the user that the session was terminated, etc.