So IdentityServer3 stores grant data in tokens table. What I am trying to figure out is how does it create a key corresponding to access token or refresh token?
If I check the code for IdentityServer3, it shows like below:
Token accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
string refreshToken = "";
if (createRefreshToken)
{
refreshToken = await _refreshTokenService.CreateRefreshTokenAsync(tokenRequest.Subject, accessToken, request.Client);
}
var securityToken = await _tokenService.CreateSecurityTokenAsync(accessToken);
When I use the access token received, for validation, how does it figure out corresponding security token based on that access token?
I am trying to decode the data stored in database for IdentityServer3 to migrate to a new authorization server we have built. Is this possible even?
I figured this out.
What identity server 3 does (for a key it stores in database):
1. It generates an access token and refresh token.
2. For these generated tokens, it creates UTF-8 encoded bytes
3. It hashes the byte data with SHA-256 algorithm
4. And it Base64 encode hashed data from step 3.
Related
Is it possible to pass the MetaData as a condition to partition a synchronization?
I need the partition value in sync to be different from %%user.id because the value that will control the partition I get from a MetaData in authentication via JWT in Realm, I tried something like %%user.profile.puid , but in the log I get an undefined comparison.
I added the fields in MetaData Fields in authentication via JWT, but what I need the most is the puid as it should control the partition
In the code I can retrieve the value after authentication as expected and set it as a partition value for synchronization
const credentials = Realm.Credentials.jwt(response.access_token);
const user = await app.logIn(credentials);
if (user) {
setUserId(user.profile.puid as string); // State where it will be passed to the sync command on the partition
setUser(user);
}
In the permission configuration I didn't find any example that shows how to retrieve the MetaData value, I tried as follows...
{
"%%partition": "%%user.profile.puid"
}
But when I try to run the log on the realm it tells me that the comparison value is undefined
Error:
could not evaluate sync permissions with error: cannot compare to undefined (ProtocolErrorCode=206)
Partition:
3c403***-****-****-****-*****5b1218f
I don't understand why in the permissions area the rule to retrieve the puid doesn't work because the logged in user has the data, the realm doesn't support this type of operation?
I was trying to implement the OneLogin authentication using the NextAuth for my NextJS app. I was able to get everything done and is connected to MongoDB. But trying to figure out how to store extra data received from OneLogin
Since I enabled the debug option in the NextAuth, I was able to see the following in logs in the OAUTH_CALLBACK_RESPONSE from OneLogin, and would like to include these three fields to the database's users collection against the user:
OAuthProfile: {
given_name: "",
family_name: "",
preferred_username: "",
......
}
Because I want to set the name field of the User (that will be stored in database), with the value from given_name from the OAuthProfile (example above).
And also I would like to add an extra field like auth_level with a default value of "user", to denote that this User is by default a normal User. No elevated privileges' or anything.
What is the best way to design or name an API URL that would get a specific user with a given unique identifier? I'm using cognitoId as the unique identifier.
Which of the following should I use?
/profiles/profile, then pass the cognitoId as URL Query String Parameters
/profiles/{id}
/profiles/profile then check 'Invoke with caller credentials'
If it is an API where any authorized user can get anyone's username by passing a unique ID, then you could use something like this: /profiles/{id} For example, https://api.github.com/user/1
If it is an API that returns the username of the caller by using the cognito ID, then /profiles/profile should work. See $context.identity variables in documentation to fetch the cognito ID.
I have a question concerning the Hash::make method in Laravel 4.2 .. I've notice that it returns always a different string for the same value . So I am wondering if this affects If I want to look for a user using his email and hashed password in the table . If it's not ? Why I have then this issue of not getting a user with correct credentials from the table using the where statements (where email and where password) ? but when I look for it using just the email it works .. I am 100% convinced it's just about the Password . What do you think ?
You get different hashes on purpose, the function adds a random salt to each hashed password. This is important to get secure hashes.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = Hash::make($password);
The verification cannot be done in the SQL statement directly, instead you can search for the user by username/email, get the stored password-hash, and afterwards verify the entered password with the password-hash from the database.
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = Hash::check($password, $existingHashFromDb);
I have an Entity Framework model that contains the tables
apsnet_Users
aspnet_Memberships
I want to check for the validation of username, and password in WCF library how to achieve that
Shall I add membership to the app.config, how to achieve something like that?
Best regards
A basic (but secure) username/password database should have columns something like this:
UserName - Text
PasswordSalt - Binary
PasswordHash - Binary
The user name can be stored as plain text.
The salt is a random string of bytes, preferably at least as long as the hash.
The password hash is the binary hash of the password + salt.
Here is the basic procedure when giving a user a new password. I will use SHA-256 hashing as an example.
Convert the desired password into a byte array.
Use a CSPRNG to generate another byte array, 32 bytes long. This is the salt.
Add the salt to the end of the password byte array.
Hash the password with SHA-256.
Store the salt in the database.
Store the password hash in the database.
Then when a user enters their password when logging in, this is the procedure.
Look up the user in the database.
Convert the entered password into a byte array.
Add the salt from the database to the end of the password byte array.
Hash the password with SHA-256.
If the hash matches the hash in the database, the password was correct.
This method of password authentication is the preferred method for high-security applications. It is not slow, nor very hard to implement. The best thing is, you can give the entire password table to anyone you please, and the most they will be able to do is pick a user and start guessing passwords.
I failed to use entity framework, and the other algorithms of authontications, so I used Membership with SQL directly , Microsaoft encrypt bu way so hard to retrieve