#1 2016-12-22 11:24:14

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Single Sign On (SSO) authorization with Web Browser and mORMot

Hello! Tell me, please, is there any implementation of single sign-on through a web browser?
I was looking at this topic http://synopse.info/forum/viewtopic.php?id=931&p=3 . It describes the module SynSSPIAuth, and the example ThirdPartyDemos\Chaa\WindowsAuth shows the use of this module.
But this is for clients written in Delphi; how can I implement authentication of a domain user via the web interface?
Thank you in advance for your answers!

Offline

#2 2016-12-22 12:44:00

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,240
Website

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

If I remember correctly, it will work also from a web client.

Offline

#3 2016-12-22 14:47:12

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Yes, it should work.

First, URI for login:
http://localhost:8080/root/auth?UserName=&data=

Server answer:
{"result":"76+cd5431e12b1d481b0a74b2e7c0a0e609fc0ac4742227332160ab426438c9a670","logonname":"MyDomain\\MyUser"}

After that, you need to sign each request with session identifier, as in Javascript authentication.

Offline

#4 2016-12-23 04:57:55

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Thanks for the quick answers @ab @Chaa!

http://localhost:8080/root/auth?UserName=&data=

Must the URL have empty UserName and data parameters or not?
Maybe I don't fully understand, but in the post about authentication via JavaScript you need to pass the password.
What authorization must be configured on the server side?

 AuthenticationRegister([TSQLRestServerAuthenticationSSPI]);

Or does authorization need to be configured differently on the server?
Sorry if the questions seem stupid, but you are better versed in this than I am. I'm still at the stage of study and understanding.
Thank you!

Offline

#5 2016-12-23 05:35:41

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Stasonych wrote:

Must the URL have empty UserName and data parameters or not?
Maybe I don't fully understand, but in the post about authentication via JavaScript you need to pass the password.

If the parameters are empty, then SSO is used:
The server replies 401 Unauthorized and Authorization: Negotiate.
And the browser sends the current logged-in user's credentials.

Stasonych wrote:

What authorization must be configured on the server side?

TSQLRestServerAuthenticationSSPI is registered by default on Windows.

Stasonych wrote:

Or does authorization need to be configured differently on the server?

You need a row in table TSQLAuthUser for the SSO user, with LogonName = 'MyDomain\MyUser'.
That TSQLAuthUser instance will be stored in the newly created session.

Offline

#6 2016-12-23 09:55:14

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Thank you for your answer! It worked.
When I query with empty parameters, I saw in the debugger that the method TSQLRestServerAuthenticationSSPI.Auth is called. The browser gave me this answer:

 {"result":"219734857+3e3eeb398e94deb0e6ae6082c0a850235200767519301db77c9013b27ccbc4b9",
"logonid":1,
"logonname":"domain\\username",
"logondisplay":"username",
"logongroup":4,
"server":"WEB_Versions_MVC",
"version":"0.0.0.0"} 

I.e., everything is fine.
Now, with every GET request I need to send the session number I received:

http://localhost:8092/versions/detail?data=219734857+3e3eeb398e94deb0e6ae6082c0a850235200767519301db77c9013b27ccbc4b9 

Do I understand correctly? What is the name of the session parameter in the GET request: data, session, or something else?

Offline

#7 2016-12-23 11:02:28

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Stasonych wrote:

Now, with every GET request I need to send the session number I received.
Do I understand correctly?

No. You need to sign each request to server, as described in 21.1.3.2. mORMot secure RESTful authentication.

I think that good working code is in post #33 of the Javascript authentication thread.

First, you need to parse {"result":"219734857+3e...b9"} and extract fSessionID and fSessionPrivateKey. See function gotSession.

Then, you add session_signature parameter to sign requests - see function SessionSign.

Typically, you must simplify authentication: remove gotNonce, and change gotTimeStamp:

  ...
  $.get(this.host+"/"+this.fRoot+"/auth?UserName=&data=", this.wrap(this.gotSession));
}

Offline

#8 2016-12-23 13:04:28

erick
Member
Registered: 2015-09-09
Posts: 155

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Doing the authentication and updating the signature on each message - well it's a bit difficult at first. Everything you need to accomplish it can be found on this board. I implemented it in Pascal compiled to JavaScript for my book, following the leads of others who had done it in TypeScript and JavaScript.

Erick

Offline

#9 2016-12-26 08:17:07

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Thanks a lot @Chaa @Erick!
I will continue to study.
And what is the lifetime of the session? How long will session_signature be valid?

Offline

#10 2016-12-26 09:44:37

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Stasonych wrote:

And what is the lifetime of the session?

TSQLAuthGroup.SessionTimeout in minutes.

Stasonych wrote:

How long will session_signature be valid?

Default is 5 seconds.
See TSQLRestServerAuthenticationSignedURI.TimeStampCoherencySeconds (and TSQLRestServerAuthenticationSignedURI.NoTimeStampCoherencyCheck).

Offline

#11 2016-12-27 06:05:20

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Hello! Thank you for your answers.
I based my script on the one in post #32 of Javascript authentication, because I don't want to use Angular or ExtJS only for authorization, so I am interested in plain JavaScript. I changed it quite a bit. I edited the procedure onGotTimestamp so that it calls onGotSession, not onGotNonce. As a result, the server returned login status OK. Further, as I understand it, from the server response

{"result":"245386974+2e169c06c3384f67851312e524d72275db5cdc913ff70b9f63bf7536a76a1f9f",
"logonid":1,
...}

I need to take the string before the "+" sign (245386974) and convert it to hexadecimal notation. If the result is less than 8 characters, it is padded with zeros at the beginning. In our case we get EA04EDE, so we first add 0 and get 0EA04EDE. I.e. this is our session_signature.
Then I add it to the query

http://localhost:8092/versions/Get_vw_dep_jrnl_send_mail?session_signature=0EA04EDE 

and get a 403 response - "Authentication Failed: Invalid signature (0)".
I used the debugger and saw that the authentication fails in

...
TSQLRestServerAuthenticationSignedURI.RetrieveSession
...

at this place

...
if Ctxt.URISessionSignaturePos+(18+8+8+8)>length(Ctxt.Call^.url) then begin
    result := nil;
    exit;
  end;
...

It turns out that the lengths are not the same: 77 on the left and 61 on the right. What does this condition do? As I understand it, this is where the procedure gives me the incorrect signature result.

Last edited by Stasonych (2016-12-27 06:07:41)

Offline

#12 2016-12-27 06:58:34

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,544
Website

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Please look carefully at function SessionSign from #32 Javascript authentication.
This function creates a correct session signature.

Offline

#13 2016-12-27 09:30:26

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

{"result":"245386974 + 2e169c06c3384f67851312e524d72275db5cdc913ff70b9f63bf7536a76a1f9f",
           |           |
           SessionID   SessionKey

Offline

#14 2016-12-29 09:43:20

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Thanks for all the answers!
I managed to work out the authorization mechanism.
I will describe the steps. As a basis I took the script in post #32 of Javascript authentication.
On Chaa's recommendation I changed the onGotTimestamp procedure in the mORMotKlient.js file so that it calls OnGotsession, not OnGotNonce.
The server properly executed the authorization request

 http://localhost:8092/versions/auth?UserName=&data= 

Then the server returned error 403 - incorrect signature, which was formed in the signUrl procedure. On the server, I saw that the server and client signatures did not match. I could not understand why.
All my questions arose because in the JavaScript examples described, authorization is done by filling in a login and password.
And I do not need this. The signature calculation uses the password hash, and because of this the server and client signatures differed.
Here is the piece of code

...
SynAuth.PasswordHashHexa = SynAuth.Sha256hash ( "salt" + password);
...

should be replaced by

...
SynAuth.PasswordHashHexa = "";
...

After this error with the signature disappeared. Everything turned out the way I wanted.
Only now, as I understand it, I need to keep track of time and the end of the session in order to re-do the authorization in the background.

P.S. Perhaps these details will be useful for the community, especially for those who have just started to learn this wonderful framework.

Offline
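
The client-side steps this thread arrives at (split the auth result as drawn in post #13, use an empty password hash for SSO as found in post #14, and send the full 8+8+8 hex signature that the length check quoted in post #11 expects), as an added JavaScript example that is not code from any poster or from the mORMot project. It assumes the signature is a CRC32 chained over the auth result, the password hash, the timestamp and the URI, as in the signed-URI scheme the thread refers to; the function names and the millisecond timestamp are this example's own choices.

```javascript
// Added example (not from the thread). Assumption: CRC32 chaining as in the
// signed-URI scheme the thread refers to; verify against your server build.
const CRC_TABLE = Array.from({ length: 256 }, (_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xEDB88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});

// Standard CRC32; `seed` is a previous CRC so that calls can be chained.
function crc32(text, seed = 0) {
  let c = (seed ^ 0xFFFFFFFF) >>> 0;
  for (const b of new TextEncoder().encode(text)) {
    c = CRC_TABLE[(c ^ b) & 0xFF] ^ (c >>> 8);
  }
  return (c ^ 0xFFFFFFFF) >>> 0;
}

const hex8 = (n) => (n >>> 0).toString(16).toUpperCase().padStart(8, "0");

// Split "<SessionID>+<SessionKey>" (post #13) and derive the signing key.
function parseSession(authReply, passwordHashHexa = "") {
  const result = String(authReply.result || "");
  const m = /^(\d+)\+([0-9a-f]+)$/i.exec(result);
  if (!m) throw new Error("unexpected auth result format");
  return {
    idHex8: hex8(Number(m[1])),
    // Empty password hash for SSO, as found in post #14.
    privateKey: crc32(passwordHashHexa, crc32(result)),
  };
}

// Append session_signature = Hex8(SessionID) + Hex8(timestamp) + Hex8(CRC32).
// `url` is the URI as the server sees it (no scheme/host); `tick` must increase.
function signUrl(session, url, tick = Date.now()) {
  const stamp = hex8(tick);
  const sig = hex8(crc32(url, crc32(stamp, session.privateKey)));
  const sep = url.includes("?") ? "&" : "?";
  return `${url}${sep}session_signature=${session.idHex8}${stamp}${sig}`;
}

// Client-side mirror of the server length check quoted in post #11.
function hasFullSignature(url) {
  const pos = url.indexOf("session_signature=");
  return pos >= 0 && pos + 18 + 8 + 8 + 8 <= url.length;
}
```

With the URL from post #11, `hasFullSignature` returns false because only the 8-character session ID was sent; the output of `signUrl` for the same path is 77 characters long and passes.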

#15 2016-12-29 14:50:47

erick
Member
Registered: 2015-09-09
Posts: 155

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

In my implementation I didn't keep track of the session time (in seconds), because there may be other reasons the session closes, such as if the mormot exe gets restarted.  I just keep using it until I get an appropriate HTTP/S error.

Hope that helps,

Erick

Offline

#16 2016-12-30 05:30:35

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

erick wrote:

In my implementation I didn't keep track of the session time (in seconds), because there may be other reasons the session closes, such as if the mormot exe gets restarted.  I just keep using it until I get an appropriate HTTP/S error.

Hope that helps,

Erick

How is the session_signature parameter substituted into outgoing GET and POST requests?
Must each outbound request be passed through the JavaScript SignUrl procedure, or is there another, better and more correct way?

Offline
