[Owasp-leaders] Passing username in request header between apps as SSO feature

tonyuv at owasp.org
Mon Mar 23 03:48:44 UTC 2015


+1 with Venki. No usernames in headers, as it provides half the battle for auth in general. A lot of web-based APIs that don't invest in SAML or OAuth (which, I agree with Jim, is an optimal route) and the security assertions you can make will simply rely on a token. Now, how the token is constructed, encoded, and in some cases representing a hashed value from the server provides assurance that you won't divulge a user name openly in an HTTP header.


Tony UV

Sent from Windows Mail





From: Timur 'x' Khrotko (owasp)
Sent: Sunday, March 15, 2015 7:33 AM
To: johanna curiel curiel
Cc: owasp-leaders at lists.owasp.org





For authenticating your services you can also use good old Kerberos: https://en.wikipedia.org/wiki/Kerberos_%28protocol%29


On Mar 15, 2015 6:05 AM, "Venkatesh Jagannathan" <venki at owasp.org> wrote:


For federating, normally auth tokens are passed instead of the username. The typical protocol used is mainly SAML. This protocol has an authenticated token that would be validated by the receiving application.

Thanks & Regards,
~Venki

On 15-Mar-2015 2:22 am, "johanna curiel curiel" <johanna.curiel at owasp.org> wrote:



I have a question about a security issue I'm concerned about regarding SSO between applications.

Some security frameworks/apps that are used for authentication purposes (because they can handle security tokens) need to be integrated with a web application that has the final functionality and is being protected.

In order to integrate single sign-on, the username is passed as a request header parameter from this security framework application to the web application that has been secured using this mechanism.

I personally think that the web application accepting the request header parameter (username) should also enforce some form of validation that the request is coming from this secure authentication system.

I would like to hear your opinions on this matter and what the best approach is.

Hoping to get some answers.




Johanna

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders


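The two patterns discussed in this thread, side by side, as an added example (this is not code from the thread, from OWASP, or from any SAML/OAuth implementation): the receiving application reading the user name straight from a request header, versus the front-end issuing an authenticated token that binds the user name to an audience and an expiry, which the receiving application verifies before trusting the name. The header name `X-Remote-User`, the audience string, the `body.signature` token layout and the shared HMAC key are all assumptions made for the example; real deployments should use SAML, OAuth/OIDC or Kerberos rather than a home-grown token, and an asymmetric key so the receiving app cannot mint tokens itself.

```python
"""
Added example: username-in-header vs. a signed, expiring, audience-bound token.
Everything here is stdlib only; the header name, audience, token format and
key are assumptions for illustration, not part of any standard.
"""
import base64
import hashlib
import hmac
import json
import time

HEADER = "X-Remote-User"   # assumed header name the SSO front-end sets
AUDIENCE = "payroll-app"   # assumed identifier of the receiving application

# Assumed shared secret between the front-end and this app. In production use
# an asymmetric key pair so only the front-end can sign (verify-only key here).
KEY = b"example-shared-secret-change-me"


# --- 1. the weak pattern: trust a plain user name carried in a header --------
def identity_from_header(headers):
    """Return whatever the header says. Anyone who can reach the app without
    going through the front-end (or who controls a proxy hop) picks the name."""
    return headers.get(HEADER)


# --- 2. the recommended pattern: the front-end asserts identity in a token ---
def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(username, audience, ttl=300, now=None):
    """Front-end side: bind subject, audience and expiry, then HMAC the body."""
    now = time.time() if now is None else now
    claims = {"sub": username, "aud": audience, "exp": int(now + ttl)}
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def identity_from_token(token, audience, now=None):
    """App side: verify the signature before parsing, then check the claims.
    Returns the user name, or None on any failure (no partial trust)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):   # constant-time
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != audience:          # token meant for another app
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                            # expired or malformed expiry
    return claims.get("sub")


def demo():
    """Constructed requests showing what each pattern accepts."""
    # A request sent straight to the app, bypassing the front-end: the header
    # pattern has no way to tell it apart from a legitimate one.
    forged = {HEADER: "admin"}
    weak = identity_from_header(forged)

    t0 = 1_700_000_000
    good = issue_token("johanna", AUDIENCE, now=t0)
    ok = identity_from_token(good, AUDIENCE, now=t0 + 10)

    # Attacker rewrites the subject inside the token body but cannot re-sign.
    body, sig = good.split(".")
    claims = json.loads(_b64d(body))
    claims["sub"] = "admin"
    tampered = _b64e(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig
    rejected = identity_from_token(tampered, AUDIENCE, now=t0 + 10)

    expired = identity_from_token(good, AUDIENCE, now=t0 + 600)
    wrong_aud = identity_from_token(good, "other-app", now=t0 + 10)
    return weak, ok, rejected, expired, wrong_aud


if __name__ == "__main__":
    print(demo())
```

Two points the token variant makes that the header variant cannot: the receiving application learns the name only after a signature check, so a request that did not pass through the front-end carries nothing it will accept, and the audience and expiry claims stop a token captured for one application from being replayed against another or kept indefinitely. Whatever format is chosen, the front-end should also strip any inbound `X-Remote-User`-style header from client requests before forwarding them, so a stale trust path cannot be reintroduced by a misconfigured hop.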


