How does a HTTP client authenticate itself with a HTTP server?

Is it correct that there are various ways that a HTTP client can authenticate itself with a HTTP server?

Are the following such ways?

  1. authorization header: for various authorization protocols (e.g. basic, digest, …)

  2. digital certificates: as used in HTTPS.

  3. specify user name and passwords in HTTP request’s message body, by applying HTTP POST method on form data

Are they used individually or together? Are they used for the same or different purposes? When is each way used?

In the second way, is digital certificates specified in some HTTP request header(s)? (In curl, it is specified via --cerf)

In the third way, when specify user name and passwords in HTTP request’s message body, are they encrypted? Does the server know how to decrypt them?

Best way to authorize and authenticate a user on web API

I am doing a hypothetical web just for learn some security tips and the first problem I’ve found is the login, I’ve read like 40 articles, a lot of questions here on stackoverflow and I still don’t know which method is the best one (this is a non-real case, so we can assume we need a very high security)

most webs I’ve developed I use a expirable access token that I need to send on every call to the API via query param or via Authorization header, then I store the token on the local storage

I’ve read some articles that claims that way is unsecure and the best way is with cookies, I’ve read also that the best way is with sessions

Any hint? I’m a bit confused about which way is the best one to secure first the authentication and then the store of the access token to make the authorization

How Does the companies authenticate internal users in internal systems?

assuming that a company has an AD/LDAP server with all employees and has many internal systems that must authenticate those users. How would be a good solutions in terms of security best practices to allow these systems to access LDAP server?

I think it’s bad allowing many different systems accessing the company users base. What would be a good solution? Do you know any references/guidelines to this type of problem?

Authenticate SharePoint online REST API without user name and password

I am trying to build a console app that reads the data from SharePoint list.

But i dont want to pass the user credentials in order to authenticate, instead use the token. Is this possible?

I tried using the following code but i get forbidden error while trying to GetFormDigest

        static void Main(string[] args)     {         string sConnStr = "https://sab/sites/DevT";         Uri oUri = null;         oUri = new Uri(sConnStr + "/_api/web/lists/getbytitle('sd')/GetItems");          string sResult = string.Empty;          string stringData = "{'query' : {'__metadata': { 'type': 'SP.CamlQuery' }, 'ViewXml':'<View><Query><Where><Eq><FieldRef Name =\"Title\"/><Value Type=\"Text\">HR</Value></Eq></Where></Query></View>'}}";          HttpWebRequest oWebRequest = (HttpWebRequest)WebRequest.Create(oUri);         oWebRequest.Credentials = CredentialCache.DefaultNetworkCredentials;         oWebRequest.Method = "POST";         oWebRequest.Accept = "application/json;odata=verbose";         oWebRequest.ContentType = "application/json;odata=verbose";         oWebRequest.Headers.Add("X-RequestDigest", GetFormDigest());         oWebRequest.ContentLength = stringData.Length;          StreamWriter writer = new StreamWriter(oWebRequest.GetRequestStream());         writer.Write(stringData);         writer.Flush();          WebResponse wresp = oWebRequest.GetResponse();         using (StreamReader sr = new StreamReader(wresp.GetResponseStream()))         {             sResult = sr.ReadToEnd();         }     }      public static string GetFormDigest()     {         string sFormDigest = null;         string sConnStr = "https://sab/sites/DevT";         Uri oUri = null;         oUri = new Uri(sConnStr + "/_api/contextinfo");          HttpWebRequest oWebRequest = HttpWebRequest.Create(oUri) as HttpWebRequest;         oWebRequest.UseDefaultCredentials = true;         oWebRequest.Method = "POST";         oWebRequest.Accept = "application/json;odata=verbose";         oWebRequest.ContentLength = 0;         oWebRequest.ContentType = "application/json";         string sResult;         WebResponse sWebReponse = oWebRequest.GetResponse();          using (StreamReader sr = new StreamReader(sWebReponse.GetResponseStream()))         {             sResult = sr.ReadToEnd();         }          var jss = new JavaScriptSerializer();         var val = jss.Deserialize<Dictionary<string, object>>(sResult);         var d = val["d"] as Dictionary<string, object>;         var wi = d["GetContextWebInformation"] as Dictionary<string, object>;         sFormDigest = wi["FormDigestValue"].ToString();          return sFormDigest;      } 

Connect-SPOService : Could not authenticate to SharePoint Online

I am unable to connect to SPO from SharePoint online management shell using my account. MFA is enabled.

I’m executing the following command:

Connect-SPOService -url https://[URL] 

And I get the following response:

Connect-SPOService : Could not authenticate to SharePoint Online  https://[URL] using OAuth 2.0     At line:1 char:1     + Connect-SPOService -url https://[URL]     + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + CategoryInfo : NotSpecified: (:) [Connect-SPOService], AuthenticationException     + FullyQualifiedErrorId : Microsoft.Online.SharePoint.PowerShell.AuthenticationException,Microsoft.Online.SharePoi     nt.PowerShell.ConnectSPOService 

Can anyone help with this?


Authenticate a C#/WPF app using CSOM and Client ID / Client Secret

I have developed a desktop application which accesses our company SharePoint Online site in order to utilize multiple lists. Currently, this app is using username/password credentials in order to obtain an AuthCookie, which is then used for every subsequent access. This AuthCookie will expire only when user changes their password, which will in turn prompt them to re-enter their new password and obtain the new AuthCookie.

Now, company IT has decided to deprecate this “legacy authentication” and switch to “modern authentication”. This, as a consequence, will prevent my application to access our site as username/password credentials are no longer accepted.

I am now looking into modern methods for authenticating with our SharePoint Online site and that lead me to using application-assigned Client ID and Client Secret.

First, how (if at all possible) can I authenticate my app using ClientID/ClientSecret? I would really appreciate a code snippet that (if possible) doesn’t rely on anything but CSOM. I have already learned about SharePointPnPOnlineCore package and confirmed that it works, but it depends on large number of other packages which I’d like to avoid having to distribute with my app. Additionally, once authenticated, any operation this app does on any list should be recorded as being in context of user running the app (CreatedBy/ModifiedBy columns should have the actual user running the app).

Second, if this is not possible using CSOM, I have also started exploring the use of MSAL.NET (which now seems to be the recommended method) but nothing I found so far has lead me to solving my problem explained above. Again, I’d really appreciate a code snippet which showcases the entire process of this type of authentication.

Finally, if using ClientID/ClientSecret is not the best choice, I would like to know what other options I have in order for my WPF application to properly authenticate and use CSOM.

Authenticate Static Public Keys

How can a static ECC public key be authenticated when being shared between the client (who has just created the static ECC public key) and the CA (Certification Authority) – who will sign and send the client’s static public key to another node in the network??

Background context: The client and another node will both generate ephemeral ECC keys for a ECDHE key exchange. The ephemeral ECC public keys will be signed with the static ECC keys to prove the authenticity of the ephemeral ECC keys. But when the static ECC keys are generated and sent to the CA, how can their authenticity be proven??

Is it possible to authenticate a user in Azure AD from a SharePoint 2013 Provider Hosted Add-In client side

We are developing a SharePoint 2013 Provider Hosted Add-In that calls an API in Azure. The API an App Service that has Azure AD Authentication and OAuth implicit grant type. Our wish is to authenticate the current user and do it on the client side, not use app permissions and run from code behind.

The catch is that a provider hosted add-in must have some url query strings like SPHostUrl. We cannot set the whole url in the App Registration Redirect Url, since SPHostUrl differs from site to site. When a user has logged in successfully in Azure AD, she/he will be redirected to the main page of Provider Hosted Add-In and loose SharePoint Context.

Serverless Apps Authenticate Users After Page Load – Flaw?

Server-based apps check for a session cookie before returning any content to the user. If an authentication cookie isn’t sent from the user’s browser, the only content delivered to the user is a redirect/error message.

I’m new to server-less apps. In the several Javascript S3/Cognito-based tutorials I saw (for example AWS’ WildRydes), this authentication is client-based. It’s triggered only after the entire page has loaded and then redirects to a login page.

Isn’t that a fundamental flaw? what stops an unauthenticated user from viewing the page before the redirect?