[aerogear-dev] Auth-Token: how to ensure one token is used from only one device ?



Matthias Wessendorf
Hi,

using the Auth-Token to get access to protected resources / endpoints
(after doing a login) works fine!

I am wondering how to avoid that one token is used on different
devices? (e.g. when somebody is 'stealing' the token).

I did sign-in to the app, using the browser and got the following
token => db5d16da-a1e5-48d9-a2fd-e39e36e835bc

Now I was able to issue a get request against the endpoints, by using
the same token, from different 'devices':
- curl
- iOS test case

NOTE: we don't need a solution now, since I know you guys are busy
with some demo work - but just want to run that 'issue' by this list

Greetings,
Matthias

--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
_______________________________________________
aerogear-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/aerogear-dev

Re: [aerogear-dev] Auth-Token: how to ensure one token is used from only one device ?

Bruno Oliveira
Hi Matthias, this is our biggest concern for M7; we had some discussions about it with the PicketBox team to improve it. Currently the token relies on PicketBox sessions like this:

 token = user.getSubject().getSession().getId().getId().toString();

Easy to break, like you did. My initial suggestion is to generate an application ID at first glance and create event- or time-based tokens.


-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile


Re: [aerogear-dev] Auth-Token: how to ensure one token is used from only one device ?

Matthias Wessendorf
Hey Bruno!

On Thu, Sep 27, 2012 at 12:26 PM, Bruno Oliveira <[hidden email]> wrote:
> Hi Matthias, this is our biggest concern for M7; we had some discussions
> about it with the PicketBox team to improve it. Currently the token relies on
> PicketBox sessions like this:
>
>  token = user.getSubject().getSession().getId().getId().toString();
>

yep saw the code in the Filter;

> Easy to break, like you did. My initial suggestion is to generate an
> application ID at first glance and create event- or time-based tokens.

Glad we already had some discussion about this (assuming that, based on
your email).

I raised another question on IRC (#picketbox), on when the
PicketBoxSession expires.
I asked b/c I could issue a GET request one hour after my last activity,
using the same 'old' token.

Greetings!
Matthias



--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf

Re: [aerogear-dev] Auth-Token: how to ensure one token is used from only one device ?

Bruno Oliveira
Hi Matthias, looks like the PicketBox API only supports timeouts specified in minutes, so here we go:

https://github.com/aerogear/TODO/commit/7f5a0d5fa7756e35ba95d15a0eaca5c7f435ca8c

-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile


Re: [aerogear-dev] Auth-Token: how to ensure one token is used from only one device ?

Matthias Wessendorf
thanks.

On Thu, Sep 27, 2012 at 1:21 PM, Bruno Oliveira <[hidden email]> wrote:

> Hi Matthias, looks like the PicketBox API only supports timeouts specified in
> minutes, so here we go:
>
> https://github.com/aerogear/TODO/commit/7f5a0d5fa7756e35ba95d15a0eaca5c7f435ca8c
>



--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
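Bruno's suggestion earlier in the thread (an application ID at login plus event- or time-based tokens) and Matthias' idle-timeout question, sketched as an added Python example that is not AeroGear or PicketBox code. It assumes the client sends a per-install application ID (here `device_id`) together with the token on every request; the 5-minute timeout is an assumed value.

```python
import secrets
import time

# Assumed idle timeout; the thread notes PicketBox expresses its timeout in minutes.
IDLE_TIMEOUT_MINUTES = 5


class DeviceBoundTokenStore:
    """Issues opaque auth tokens bound to the application/device ID that
    requested them and expires them after IDLE_TIMEOUT_MINUTES without use.
    Constructed example, not AeroGear or PicketBox code."""

    def __init__(self, idle_timeout_minutes=IDLE_TIMEOUT_MINUTES, clock=time.time):
        self._tokens = {}                       # token -> {user, device_id, last_seen}
        self._timeout = idle_timeout_minutes * 60
        self._clock = clock                     # injectable so tests can move time

    def issue(self, user, device_id):
        # Fresh random token per login: not derived from any session id, so a
        # second device logging in gets its own token instead of sharing one.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user, "device_id": device_id,
                               "last_seen": self._clock()}
        return token

    def validate(self, token, device_id):
        """Return the user for a valid (token, device_id) pair, else None.

        Presenting the token from a different device ID is treated as a theft
        signal: the token is revoked on the spot (event-based invalidation),
        so the legitimate device has to log in again.
        """
        entry = self._tokens.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._timeout:
            del self._tokens[token]             # idle for too long: expired
            return None
        if entry["device_id"] != device_id:
            del self._tokens[token]             # used elsewhere: revoke
            return None
        entry["last_seen"] = now                # activity extends the lifetime
        return entry["user"]

    def revoke(self, token):
        """Explicit logout / server-side revocation; True if the token existed."""
        return self._tokens.pop(token, None) is not None
```

The binding only holds while the application ID is not copied along with the token; binding to a per-device key rather than a plain ID is the stronger form.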