#1 2016-12-22 11:24:14

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Single Sign On (SSO) authorization with Web Browser and mORMot

Hello! Tell me, please, is there any implementation of single sign-on through a web browser?
I was watching this topic http://synopse.info/forum/viewtopic.php?id=931&p=3 . It describes the module SynSSPIAuth. And in the example ThirdPartyDemos\Chaa\WindowsAuth the use of this module.
But this is for clients written in Delphi, but how can I implement authentication of a domain user via the WEB interface?
Thank you in advance for your answers!

Offline

#2 2016-12-22 12:44:00

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,356
Website

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

If I remember correctly, it will work also from a web client.

Online

#3 2016-12-22 14:47:12

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Yes, it should work.

First, URI for login:
http://localhost:8080/root/auth?UserName=&data=

Server answer:
{"result":"76+cd5431e12b1d481b0a74b2e7c0a0e609fc0ac4742227332160ab426438c9a670","logonname":"MyDomain\\MyUser"}

After that, you need to sign each request with session identifier, as in Javascript authentication.

Offline

#4 2016-12-23 04:57:55

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Thanks for the quick answers @ab @Chaa!

http://localhost:8080/root/auth?UserName=&data=

the URL must be with empty parameters UserName and data or not?
Maybe I don't fully understand, but in the post about authentication via JavaScript you need to pass the password.
What is the authorization must be configured on the server side ?

 AuthenticationRegister([TSQLRestServerAuthenticationSSPI]);

Or somehow differently it is necessary to configure authorization on the server?
Sorry if the questions seem stupid, but you are better versed in this than I am. I'm still at the stage of study and understanding
Thank you!

Offline

#5 2016-12-23 05:35:41

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Stasonych wrote:

the URL must be with empty parameters UserName and data or not?
Maybe I don't fully understand, but in the post about authentication via JavaScript you need to pass the password.

If parameters is empty, then SSO is used:
Server reply 401 Unathorized and Authorization: Negotiate.
And browser send current logged-in user credentials.

Stasonych wrote:

What is the authorization must be configured on the server side ?

TSQLRestServerAuthenticationSSPI registered by default on Windows.

Stasonych wrote:

Or somehow differently it is necessary to configure authorization on the server?

You need that in table TSQLAuthUser exists row for SSO user with LogonName = 'MyDomain\MyUser'.
That TSQLAuthUser instance will be stored in newly created session.

Offline

#6 2016-12-23 09:55:14

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Thank you your answer! It worked.
When you query with empty parameters I'm using debugger I saw that the method is called TSQLRestServerAuthenticationSSPI.Auth. The browser returned me an answer here

 {"result":"219734857+3e3eeb398e94deb0e6ae6082c0a850235200767519301db77c9013b27ccbc4b9",
"logonid":1,
"logonname":"domain\\username",
"logondisplay":"username",
"logongroup":4,
"server":"WEB_Versions_MVC",
"version":"0.0.0.0"} 

I.e., everything is fine.
Now, every request needs to send GET request received the number of the session

http://localhost:8092/versions/detail?data=219734857+3e3eeb398e94deb0e6ae6082c0a850235200767519301db77c9013b27ccbc4b9 

I correctly understand? What's the name of the session parameter from the GET request data or session or something?

Offline

#7 2016-12-23 11:02:28

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Stasonych wrote:

Now, every request needs to send GET request received the number of the session.
I correctly understand?

No. You need to sign each request to server, as described in 21.1.3.2. mORMot secure RESTful authentication.

I think that good working code is in post #33 of Javascript authentication thread.

Firts, you need to parse {"result":"219734857+3e...b9"} and extract fSessionID and fSessionPrivateKey. See function gotSession.

Then, you add session_signature parameter to sign requests - see function SessionSign.

Typically, you must simplify authentication: remove gotNonce, and change gotTimeStamp:

  ...
  $.get(this.host+"/"+this.fRoot+"/auth?UserName=&data=", this.wrap(this.gotSession));
}

Offline

#8 2016-12-23 13:04:28

erick
Member
Registered: 2015-09-09
Posts: 155

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Doing the authentication and updating the signature on each message - well it's a bit difficult at first.  Everything you need to accomplish it can be found on this board.  I implemented it in Pascal compiled to
JavaScript for my book following the leads of others who had done it in typescript and javascript.

Erick

Offline

#9 2016-12-26 08:17:07

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Thanks a lot @Chaa @Erick!
Will continue to study
And what is the life time of the session? What time session_signature will be valid?

Offline

#10 2016-12-26 09:44:37

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Stasonych wrote:

And what is the life time of the session?

TSQLAuthGroup.SessionTimeout in minutes.

Stasonych wrote:

What time session_signature will be valid?

Default is 5 seconds.
See TSQLRestServerAuthenticationSignedURI.TimeStampCoherencySeconds (and TSQLRestServerAuthenticationSignedURI.NoTimeStampCoherencyCheck).

Offline

#11 2016-12-27 06:05:20

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Hello! Thank you for your answers.
I had based the script in post #32 Javascript authentication. Because I don't want to use angular or ExtJS only for authorization, so interesting plain javascript. Quite a bit changed it. Edited the Procedure onGotTimestamp that it caused onGotSession, not onGotNonce. As a result, the server returned status login OK. Further, as I understand it, from server response

{"result":"245386974+2e169c06c3384f67851312e524d72275db5cdc913ff70b9f63bf7536a76a1f9f",
"logonid":1,
...}

need to allocate the string before the "+" (245386974) sign and translate it into hexadecimal notation. In the case that happened less than 8 characters, it is supplemented with zeros at the beginning.In our case, it turns out EA04EDE we first add 0, poulchaetsya 0EA04EDE. Ie this is Session_signature and our.
In I add it to the query

http://localhost:8092/versions/Get_vw_dep_jrnl_send_mail?session_signature=0EA04EDE 

and get a 403 response - "Authentication Failed: Invalid signature (0)".
The debugger and saw that the authentication fails in the

...
TSQLRestServerAuthenticationSignedURI.RetrieveSession
...

in this place

...
if Ctxt.URISessionSignaturePos+(18+8+8+8)>length(Ctxt.Call^.url) then begin
    result := nil;
    exit;
  end;
...

It turns out that I have not the same length: 77 to the left and to the right 61. What makes this condition? As I understand it, this procedure returns me the result is incorrect signatures

Last edited by Stasonych (2016-12-27 06:07:41)

Offline

#12 2016-12-27 06:58:34

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,563
Website

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Please, look carefully at function SessionSign from #32 Javascript authentication
This function create a correct session signature

Offline

#13 2016-12-27 09:30:26

Chaa
Member
Registered: 2011-03-26
Posts: 245

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

{"result":"245386974 + 2e169c06c3384f67851312e524d72275db5cdc913ff70b9f63bf7536a76a1f9f",
           |           |
           SessionID   SessionKey

Offline

#14 2016-12-29 09:43:20

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

Thanks for all the answers!
I got to deal with the authorization mechanism.
I describe the order. The basis took scripting in post # 32 Javascript authentication .
On the recommendation from the Chaa I changed onGotTimestamp procedure in mORMotKlient.js file came to call OnGotsession, but not OnGotNonce.
Server properly executed authorization request

 http://localhost:8092/versions/auth?UserName=&data= 

Then the server returns the error 403 - incorrect signature, which was formed in signUrl procedure. On the server, I saw that the signature of the server and the client are out of sync. I could not understand why.
All my questions arise because Java scripts described authorization is done by filling in your login and password.
And this is not necessary for me. The calculation of the signature performed by hashing the password and because of this discrepancy occurred server and client signatures.
Here is a piece of code

...
SynAuth.PasswordHashHexa = SynAuth.Sha256hash ( "salt" + password);
...

should be replaced by

...
SynAuth.PasswordHashHexa = "";
...

After this error with the signature disappeared. Everything turned out the way I wanted.
Only now, as I understand it, I need to keep track of time and the end of the session to re-do the authorization in the background.

P.S. Perhaps these details will be useful for the community, especially for those who have just started to learn this wonderful framework.

Offline

#15 2016-12-29 14:50:47

erick
Member
Registered: 2015-09-09
Posts: 155

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

In my implementation I didn't keep track of the session time (in seconds), because there may be other reasons the session closes, such as if the mormot exe gets restarted.  I just keep using it until I get an appropriate HTTP/S errors.

Hope that helps,

Erick

Offline

#16 2016-12-30 05:30:35

Stasonych
Member
Registered: 2016-11-25
Posts: 8

Re: Single Sign On (SSO) authorization with Web Browser and mORMot

erick wrote:

In my implementation I didn't keep track of the session time (in seconds), because there may be other reasons the session closes, such as if the mormot exe gets restarted.  I just keep using it until I get an appropriate HTTP/S errors.

Hope that helps,

Erick

How is the parameter substitution session_signature outgoing GET and POST requests?
We must each outbound request to carry through the procedure javascript SignUrl or there is another way, a better and more correct?

Offline

Board footer

Powered by FluxBB