Is it correct that there are various ways that a HTTP client can authenticate itself with a HTTP server?
Are the following such ways?
authorization header: for various authorization protocols (e.g. basic, digest, …)
digital certificates: as used in HTTPS.
specify user name and passwords in HTTP request’s message body, by applying HTTP POST method on form data
Are they used individually or together? Are they used for the same or different purposes? When is each way used?
In the second way, is digital certificates specified in some HTTP request header(s)? (In curl, it is specified via
In the third way, when specify user name and passwords in HTTP request’s message body, are they encrypted? Does the server know how to decrypt them?
The IKE_SA_INIT does create a key seed SKEYSEED from the Diffie-Hellman values and nonces. Since the exchange does sharing the secret between the communication partners, I do not understand why it is not enough for authentication.
I am doing a hypothetical web just for learn some security tips and the first problem I’ve found is the login, I’ve read like 40 articles, a lot of questions here on stackoverflow and I still don’t know which method is the best one (this is a non-real case, so we can assume we need a very high security)
most webs I’ve developed I use a expirable access token that I need to send on every call to the API via query param or via Authorization header, then I store the token on the local storage
I’ve read some articles that claims that way is unsecure and the best way is with cookies, I’ve read also that the best way is with sessions
Any hint? I’m a bit confused about which way is the best one to secure first the authentication and then the store of the access token to make the authorization
assuming that a company has an AD/LDAP server with all employees and has many internal systems that must authenticate those users. How would be a good solutions in terms of security best practices to allow these systems to access LDAP server?
I think it’s bad allowing many different systems accessing the company users base. What would be a good solution? Do you know any references/guidelines to this type of problem?
I am trying to build a console app that reads the data from SharePoint list.
But i dont want to pass the user credentials in order to authenticate, instead use the token. Is this possible?
I tried using the following code but i get forbidden error while trying to
I am unable to connect to SPO from SharePoint online management shell using my account. MFA is enabled.
I’m executing the following command:
Connect-SPOService -url https://[URL].sharepoint.com
And I get the following response:
Connect-SPOService : Could not authenticate to SharePoint Online https://[URL].sharepoint.com/ using OAuth 2.0 At line:1 char:1 + Connect-SPOService -url https://[URL].sharepoint.com + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Connect-SPOService], AuthenticationException + FullyQualifiedErrorId : Microsoft.Online.SharePoint.PowerShell.AuthenticationException,Microsoft.Online.SharePoi nt.PowerShell.ConnectSPOService
Can anyone help with this?
I have developed a desktop application which accesses our company SharePoint Online site in order to utilize multiple lists. Currently, this app is using username/password credentials in order to obtain an AuthCookie, which is then used for every subsequent access. This AuthCookie will expire only when user changes their password, which will in turn prompt them to re-enter their new password and obtain the new AuthCookie.
Now, company IT has decided to deprecate this “legacy authentication” and switch to “modern authentication”. This, as a consequence, will prevent my application to access our site as username/password credentials are no longer accepted.
I am now looking into modern methods for authenticating with our SharePoint Online site and that lead me to using application-assigned
Client ID and
First, how (if at all possible) can I authenticate my app using
ClientSecret? I would really appreciate a code snippet that (if possible) doesn’t rely on anything but CSOM. I have already learned about
SharePointPnPOnlineCore package and confirmed that it works, but it depends on large number of other packages which I’d like to avoid having to distribute with my app. Additionally, once authenticated, any operation this app does on any list should be recorded as being in context of user running the app (
ModifiedBy columns should have the actual user running the app).
Second, if this is not possible using CSOM, I have also started exploring the use of
MSAL.NET (which now seems to be the recommended method) but nothing I found so far has lead me to solving my problem explained above. Again, I’d really appreciate a code snippet which showcases the entire process of this type of authentication.
Finally, if using ClientID/ClientSecret is not the best choice, I would like to know what other options I have in order for my WPF application to properly authenticate and use CSOM.
How can a static ECC public key be authenticated when being shared between the client (who has just created the static ECC public key) and the CA (Certification Authority) – who will sign and send the client’s static public key to another node in the network??
Background context: The client and another node will both generate ephemeral ECC keys for a ECDHE key exchange. The ephemeral ECC public keys will be signed with the static ECC keys to prove the authenticity of the ephemeral ECC keys. But when the static ECC keys are generated and sent to the CA, how can their authenticity be proven??
We are developing a SharePoint 2013 Provider Hosted Add-In that calls an API in Azure. The API an App Service that has Azure AD Authentication and OAuth implicit grant type. Our wish is to authenticate the current user and do it on the client side, not use app permissions and run from code behind.
The catch is that a provider hosted add-in must have some url query strings like SPHostUrl. We cannot set the whole url in the App Registration Redirect Url, since SPHostUrl differs from site to site. When a user has logged in successfully in Azure AD, she/he will be redirected to the main page of Provider Hosted Add-In and loose SharePoint Context.
Server-based apps check for a session cookie before returning any content to the user. If an authentication cookie isn’t sent from the user’s browser, the only content delivered to the user is a redirect/error message.
Isn’t that a fundamental flaw? what stops an unauthenticated user from viewing the page before the redirect?