[Owasp-leaders] Passing username in request header between apps as SSO feature

tonyuv at owasp.org tonyuv at owasp.org
Mon Mar 23 03:48:44 UTC 2015

+1 with Venki. No usernames in headers, as it provides half the battle for auth in general. A lot of web-based APIs that don't invest in SAML or OAuth (which, I agree with Jim, is an optimal route) and the security assertions you can make will simply rely on a token. Now, how the token is constructed, encoded, and in some cases representing a hashed value from the server provides assurance that you won't divulge a username openly in an HTTP header.

Tony UV

Sent from Windows Mail

From: Timur 'x' Khrotko (owasp)
Sent: Sunday, March 15, 2015 7:33 AM
To: johanna curiel curiel
Cc: owasp-leaders at lists.owasp.org

For authenticating your services you can also use good old Kerberos: https://en.wikipedia.org/wiki/Kerberos_%28protocol%29

On Mar 15, 2015 6:05 AM, "Venkatesh Jagannathan" <venki at owasp.org> wrote:

For federating, normally auth tokens are passed instead of the username. The typical protocol used is mainly SAML. This protocol has an authenticated token that would be validated by the receiving application.

Thanks & Regards,

On 15-Mar-2015 2:22 am, "johanna curiel curiel" <johanna.curiel at owasp.org> wrote:

I have a question about a security issue I'm concerned about regarding SSO between applications.

Some security frameworks/apps that are used for authentication purposes (because they can handle security tokens) need to be integrated with a web application that has the final functionality and is being protected.

In order to integrate single sign on, the username is passed as a request header parameter from this Security framework application to the Web application that has been secured using this mechanism

I personally think that the web application accepting the request header parameter (username) should also enforce some form of validation that the request is coming from this secure authentication system

I would like to hear your opinions on this matter and what is the best approach

Hoping to get some answers 


OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

This message may contain confidential information - you should handle it accordingly.
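The thread contrasts two designs: the protected web application trusting a bare username header (Johanna's question) versus requiring a server-constructed token whose integrity it can check (Venki's and Tony's replies). The following Python is an added example written for this page, not code from any of the posters or from an OWASP project. It assumes one symmetric key shared out of band between the authentication front end and the web application, and the header names `X-Remote-User` and `X-SSO-Token` are invented for illustration. It shows that the bare header is trivially spoofable, and that an HMAC over the username plus an expiry lets the receiving application verify that the value really came from the authentication system and was not altered in transit.

```python
"""Added example: bare username header vs. MAC-protected SSO token.
Not from the mailing-list thread; key, header names and TTL are assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumed for illustration: a key provisioned out of band to both applications,
# and the header names used by the two designs being compared.
SHARED_KEY = b"example-only-shared-key-rotate-in-real-deployments"
TOKEN_HEADER = "X-SSO-Token"
NAIVE_HEADER = "X-Remote-User"   # the bare-username design the thread warns about
DEFAULT_TTL = 300                # seconds a token stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(username: str, key: bytes = SHARED_KEY, now=None, ttl: int = DEFAULT_TTL) -> str:
    """Authentication front end: bind the username to an expiry and MAC both."""
    issued = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(issued) + ttl},
                         separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(payload, key))


def verify_token(token: str, key: bytes = SHARED_KEY, now=None):
    """Protected application: return the username only if the MAC verifies and the
    token is unexpired; otherwise None. The MAC comparison is constant-time."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None  # forged, tampered, or signed with a different key
    try:
        claims = json.loads(payload)
        exp = int(claims["exp"])
        sub = claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None
    current = time.time() if now is None else now
    if current >= exp:
        return None  # stale token; the short TTL also bounds the replay window
    return sub


def naive_user_from_headers(headers: dict):
    """The design asked about: trust whatever username arrives in a header."""
    return headers.get(NAIVE_HEADER)


def user_from_headers(headers: dict, key: bytes = SHARED_KEY, now=None):
    """Hardened: ignore any bare username header and require a verifiable token."""
    token = headers.get(TOKEN_HEADER)
    return verify_token(token, key, now) if token else None


def tamper_subject(token: str, new_username: str) -> str:
    """Attacker: rewrite the username inside a captured token but keep the old MAC."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = new_username
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(forged) + "." + sig_b64


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two attacker-controlled.
    good = {TOKEN_HEADER: issue_token("alice")}
    spoofed_name = {NAIVE_HEADER: "admin"}
    tampered = {TOKEN_HEADER: tamper_subject(good[TOKEN_HEADER], "admin")}
    print("naive design accepts spoofed header:", naive_user_from_headers(spoofed_name))
    print("token design, legitimate request:", user_from_headers(good))
    print("token design, tampered token:", user_from_headers(tampered))
```

Two caveats worth keeping in mind with this pattern. First, the MAC proves that the authentication system produced the value, which is the validation Johanna asks for, but it does not stop a captured token from being replayed within its TTL, so keep the TTL short and, where the threat model needs it, add a nonce or bind the token to the session. Second, the web application should drop or refuse any client-supplied `X-SSO-Token` or `X-Remote-User` header that did not arrive over the trusted path from the authentication front end, so that header injection from the public side never reaches the check at all; the MAC is the second line of defence, not a reason to skip the first.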