Not able to sign into Uber on iOS with Web Security Gateway in place. Need help identifying URL to whitelist - uber-api

We are using an app which acts as a Web Security Gateway and it's blocking users from logging into the Uber app. Normally I can capture web traffic and whitelist the URL, but I can't capture traffic within the Uber app. I've whitelisted *.uber.com * but it's still not working. Does anyone know what URLs Uber uses? I've called, but they were not able to provide me with any details.

Related

Azure api management and Web App

I have hosted my REST services on API management and consuming those in the Azure Web app service which consists of only HTML pages, javascript files and CSS files.
I would like to know how to restrict accessing the REST endpoints of the API management only from the web app without Azure AD and OAuth setup.
Client-side application sources are by design available in clear text to anyone using it. Any user can open developer tools in the browser and look at the code you've written to make the app work. So even if you secure your REST API with some secret and use it in app code to talk to that REST API, anyone in the world will be able to take that secret out of the app and call your REST API directly, and you would have no way to distinguish their calls from calls made by your app.
OAuth and AAD would work to a certain extent, but even they allow you to authenticate the user, not the app. The same user can easily trace calls made by your app to the REST API and reproduce them in any other app, and you again would have no way of figuring that out.
I think your best bet is to throttle calls made by a certain user identifying it any way you want (even if by IP address).
You can use certificate authentication from the web app to API Management. The SSL certificate thumbprint on your web app you can validate in an API Management policy.

Facebook - Debugger Whitelist

I want to whitelist only the Facebook Debugger Tool so it can see our development environments, and I am wondering how I am able to do that? I see that Facebook has provided a list of IPs and User Agents to whitelist, but I believe this will whitelist ALL of Facebook instead of just their debugger tool.
That is correct, there's no more specific information available about which IPs within Facebook's datacenters will be used for the debugger; you need to whitelist all IPs under AS32934.
I don't really understand why that's something you don't want to do, the only traffic you should receive directly from Facebook is from the debugger, other automated systems (e.g. Advertising review) or Facebook employees (e.g. if you submit your app for app center or open graph approvals and it needs to be reviewed)

Using Google Drive SDK with metro app

I am trying to use the google drive SDK with a metro app. The metro app connects to google drive using REST services. The first problem I am facing is in authentication. Metro app has a redirect URI which follows microsoft specific scheme like "ms-app://s-1-15-2-1527804777-383724396-285855344-2678584489-1963608684-3789894444-799666712/".
How can I register this URI with my Google app profile? Google has made it compulsory to register the redirect URI, I don't know why. No other provider (like dropbox/skydrive) does this.
Could anyone please help?
Thanks in advance.
The redirect URI is part of the OAuth 2.0 spec, which is an open standard and critical to the security of the system. If other providers are performing OAuth 2.0 without this, they are insecure. Worse, if other providers are forcing apps to get usernames and passwords from users, that is bad too.
For installed apps, you can use the Installed Application Flow, with a local web server (localhost URI), or with the "out of band" URI, urn:ietf:wg:oauth:2.0:oob. Having said that, I never tried with a metro device, perhaps others can suggest how to perform OAuth 2.0 on metro.
As per the OAuth 2.0 spec:
When registering a client, the client developer SHALL:
o specify the client type as described in Section 2.1,
o provide its client redirection URIs as described in Section 3.1.2, and
o include any other information required by the authorization server
(e.g. application name, website, description, logo image, the
acceptance of legal terms).

Google Analytics for Facebook Applications - use http:// or https://

I'm putting analytics on a Facebook application and I'm unsure what the protocol would be.
Here's a screenshot from the analytics set up
In general I would prefer https. No idea what Google does with it, but https is the best way to share your application and its contents. If you run your app in a Facebook iframe tab, your app has to be reachable via https. That means that the content also gets shared via https (because FB will call your app according to the user's privacy settings (http or https)).
So all my apps and their sharing URLs are set to https so that the like-count etc. are the same and are reachable whether called via FB or not. Because of this I would prefer the https way.
Facebook now requires https for all applications, so I don't see any reason not to use https for your analytics script.
However, if you use a protocol-less URL, your browser will figure it out for you. E.g.
<script type='text/javascript' src='//www.google.com/yourscript.js'></script>

Can you use openID as a single sign-on for an iphone app?

I'm looking to implement Single Sign On for a native iOS app whereby logging in with this single sign on gives the mobile device authenticated access to our private service in a fashion that is somewhat similar to oauth.
The marketing text on openid.net suggests that "OpenID is a safe, faster, and easier way to log in to web sites.". Emphasis on web sites.
So the question is: is it reasonable to implement OpenID on a native mobile app, or is OpenID only for web sites?
I've been scouring the web and I'm not finding a way to fit openID in as my login option.
The best way to do this seems to be to use a UIWebView and render a log in page from your site in it. Once the user logs in, they'll be redirected back to your site and have an auth cookie, which you can extract, store, and send on subsequent HTTP requests to the server.
See this, which has a sample code link at the bottom.
OpenID sends its messages as a series of HTTP requests and responses. Your app and the openid provider must communicate to each other via HTTP post, and you will need to redirect the user to corresponding URLs, and have a URL for the user to be redirected back to. As such, you will probably find it difficult to integrate with your app.
Derek Knight claims to have been experimenting with iOS and OpenID using the Janrain Engage iOS SDK. Although the GitHub link he references no longer exists and he doesn't provide a complete and verified solution, he does offer an idea for how it might work.
OpenID and iOS development - gordonknight.co.uk
Janrain Engage for your iPad Apps
The accepted answer diminishes the OpenID protocol. OpenID is a federated authentication protocol aiming at a simple SSO experience; it's a web-based protocol, but it can be implemented if you design an authentication broker.
Apps share nothing; apps should never access anything but the identity token and access token (if allowed). Here is a link to get you started on the right path to build seamless SSO on mobile between apps regardless of the app isolation level.
https://www.pingidentity.com/developer/en/resources/napps-native-app-sso.html
Libraries:
https://github.com/openid/AppAuth-iOS
https://github.com/openid/AppAuth-Android
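Both the OAuth 2.0 answer on the Google Drive question (registered redirect URIs, the installed-application flow with a loopback URI) and the AppAuth answer above come down to the same native-app pattern: the app sends the user to the authorization endpoint with a one-time `state` and a PKCE challenge, receives the authorization code on a loopback redirect it controls, checks that the redirect matches what it asked for, and only then exchanges the code with the code verifier. The block below is an added example written for this page; it is not Google's SDK, AppAuth, or any poster's code. The endpoint, client id and scope are placeholders, and the sample redirect in the test is constructed.

```python
"""Authorization-code flow helpers for an installed/native app:
PKCE (RFC 7636), state binding, and a one-shot loopback redirect receiver.
Added example for this page; endpoint/client values are placeholders."""
import base64
import hashlib
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://authorization-server.example/authorize"  # placeholder
CLIENT_ID = "example-client-id"  # placeholder, registered with the provider
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # loopback URI, also registered


def make_code_verifier() -> str:
    """43-char URL-safe verifier from 32 random bytes (RFC 7636 allows 43-128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(state: str, verifier: str, scope: str = "example.scope") -> str:
    """URL the app opens in the system browser. Only the challenge leaves the app."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Validate the redirect that hit the loopback listener and return the code.
    Raises ValueError on any mismatch so a forged or stale redirect is never
    exchanged for tokens."""
    parsed = urlparse(redirect_url)
    if parsed.path != urlparse(REDIRECT_URI).path:
        raise ValueError("unexpected redirect path")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale redirect")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def token_request_body(code: str, verifier: str) -> dict:
    """Form fields for the token endpoint; the server recomputes S256(verifier)
    and compares it with the challenge it bound to this code."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


class _CallbackHandler(BaseHTTPRequestHandler):
    """One-shot loopback receiver: captures the redirect, then the server stops."""
    expected_state = ""
    result: dict = {}

    def do_GET(self):
        try:
            self.result["code"] = parse_redirect(f"http://127.0.0.1{self.path}", self.expected_state)
            body, status = b"Login complete. You may close this window.", 200
        except ValueError as exc:
            self.result["error"] = str(exc)
            body, status = b"Login failed.", 400
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the code out of the console log
        pass


def wait_for_code(expected_state: str, port: int = 8080) -> str:
    """Block until exactly one redirect arrives at the loopback URI."""
    _CallbackHandler.expected_state = expected_state
    _CallbackHandler.result = {}
    with HTTPServer(("127.0.0.1", port), _CallbackHandler) as srv:
        srv.handle_request()
    if "error" in _CallbackHandler.result:
        raise ValueError(_CallbackHandler.result["error"])
    return _CallbackHandler.result["code"]


if __name__ == "__main__":
    state, verifier = secrets.token_urlsafe(16), make_code_verifier()
    print("Open in browser:", build_authorization_url(state, verifier))
    code = wait_for_code(state)
    print("POST to token endpoint:", token_request_body(code, verifier))
```

The `state` check is what ties the incoming redirect to the request this app actually made, and the verifier never leaves the app until the token request, so a code intercepted on the redirect is useless without it; AppAuth applies the same two checks with a custom-scheme or loopback redirect.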