All times are UTC [ DST ]

[ 25 posts ]
 Post subject: API Authorisation
PostPosted: Wed Nov 30, 2016 8:27 

Joined: 31st Mar, 2008
Posts: 8648
Hello hive mind, can you do my job for me please? :p

We have a piece of software that automatically authorises as the logged in user (I am aware of things like Kerberos and NTLM, but this isn't exactly my area), it's also integrated with Microsoft CRM (4.0 near-end-of-life software fans), so I'm not sure if it in some way piggybacks off that authorisation (ignore all this, like I say, I don't really know what I'm talking about).

Anyway, the providers of said software have recently told us about their API, which supports a series of HTTP GET and POST requests to get data in and out of the system. Each of these requests requires a valid token to authorise the request. You get a token by submitting a POST request with the valid credentials of the user that you want the token for (ie, their windows login details) - in the body of the request. So, my hopes and dreams for the API, were to write something that would automatically authenticate as the current user, and then allow them to do stuff in the system, but I've hit a bit of a stumbling block with the token as the only way I appear to be able submit credentials is in the body of the request, and understandably, there doesn't seem to be a way to get someones password and use it in this way.

I spoke to the author of the API and they basically said they didn't use it like that and suggested prompting for a password, although I'm waiting for a response from our IT to see what they think about me writing something that asks people to enter their windows passwords (I've promised not to log them all to a file buried on the network).

So, am I being stupid, are they being stupid, or do I just have ridiculous expectations of what I should be able to do with an API?


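The token flow described in the post above (POST the user's credentials in the body, get a token, send the token with every later GET or POST), as an added client-side example. This is not the vendor's code and nothing like it was posted in the thread: the hostname, the `/auth/token` path, the JSON field names and the `Bearer` scheme are all assumptions to be replaced with whatever the vendor's API documentation actually specifies.

```powershell
# Added example, not the vendor's code. Endpoint paths, field names and the
# token scheme are assumptions; substitute the ones from the vendor's docs.
$ApiBase = 'https://crm-api.example.internal'   # assumed hostname

# Refuse to run against plain HTTP: the token request carries a password.
if ($ApiBase -notmatch '^https://') { throw 'API base must be HTTPS' }

function Get-ApiToken {
    param([Parameter(Mandatory)] [pscredential] $Credential)
    # The vendor's flow as described: credentials in the request body, token
    # back. The plaintext password exists only for the duration of this call
    # and is never written anywhere.
    $plain = $Credential.GetNetworkCredential().Password
    try {
        $body = @{ username = $Credential.UserName; password = $plain } | ConvertTo-Json
        $resp = Invoke-RestMethod -Method Post -Uri "$ApiBase/auth/token" `
            -ContentType 'application/json' -Body $body
        return $resp.token    # assumed name of the field in the response
    }
    finally {
        $plain = $null
    }
}

function Invoke-Api {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('Get', 'Post')] [string] $Method = 'Get',
        $Body
    )
    # Every request after the exchange carries only the token, never the password.
    $params = @{
        Method  = $Method
        Uri     = "$ApiBase$Path"
        Headers = @{ Authorization = "Bearer $Token" }   # assumed scheme
    }
    if ($null -ne $Body) {
        $params.Body        = $Body | ConvertTo-Json
        $params.ContentType = 'application/json'
    }
    Invoke-RestMethod @params
}

# Get-Credential prompts interactively and holds the password as a SecureString,
# so the script itself never has to store or log it.
$cred  = Get-Credential -Message 'CRM API credentials'
$token = Get-ApiToken -Credential $cred
Invoke-Api -Token $token -Path '/contacts?top=10'
```

Sending the same credential as HTTP Basic instead (`Invoke-RestMethod -Credential $cred -Authentication Basic` in PowerShell 7) only moves `user:password` from the JSON body into an `Authorization` header; on the wire both are protected by TLS and nothing else, which is why the thread's argument about body versus header is really an argument about what the server does with the secret once it has it. The thing that would actually remove the password prompt is the server accepting the Windows identity of the connection, which is a server-side change, not a client-side one.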
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 8:40 
Paws for thought

Joined: 27th Mar, 2008
Posts: 17154
Location: Just Outside That London, England, Europe
I believe our work gets around this kind of thing with single sign-on, but I'm no expert. (And they recently broke that anyway, so I have to put in my password all the time.)


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 8:48 
Unpossible!

Joined: 27th Jun, 2008
Posts: 38464
Same here. The university uses a "Shibboleth" system with a single login authorising you for dozens of systems.

No idea how it works though. It's all tied to the domain.


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 9:19 
Awesome
Yes

Joined: 6th Apr, 2008
Posts: 12243
If you're sending to a third party to get a token, they can't be authenticating against your AD logins, can they? So you need to send a password that matches the credentials they're expecting their end.

_________________
Always proof read carefully in case you any words out


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 10:45 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49232
That really shouldn't ever be how AD authentication works. Passing the password in the request body? That's broken and wrong.
What's the web server it's running against?

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:08 
SupaMod
Est. 1978

Joined: 27th Mar, 2008
Posts: 69509
Location: Your Mum
Cras wrote:
That really shouldn't ever be how AD authentication works. Passing the password in the request body? That's broken and wrong.

https://en.wikipedia.org/wiki/Basic_acc ... entication

Except I'm almost sure it won't be the Windows login details - it'll be the details of that user that are stored at the API end. You could set that up silently for them.

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:26 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49232
Grim... wrote:
Cras wrote:
That really shouldn't ever be how AD authentication works. Passing the password in the request body? That's broken and wrong.

https://en.wikipedia.org/wiki/Basic_acc ... entication

Except I'm almost sure it won't be the Windows login details - it'll be the details of that user that are stored at the API end. You could set that up silently for them.


That's not in the request body, that's in headers. There's a solid chance that it will be an AD user at the far end, if it's designed that way. If it is though, and it's IIS, well that's why integrated auth exists.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:41 
SupaMod
Est. 1978

Joined: 27th Mar, 2008
Posts: 69509
Location: Your Mum
Cras wrote:
Grim... wrote:
Cras wrote:
That really shouldn't ever be how AD authentication works. Passing the password in the request body? That's broken and wrong.

https://en.wikipedia.org/wiki/Basic_acc ... entication

Except I'm almost sure it won't be the Windows login details - it'll be the details of that user that are stored at the API end. You could set that up silently for them.

That's not in the request body, that's in headers.

In the grand scheme of things that doesn't make much difference.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:42 

Joined: 30th Mar, 2008
Posts: 14150
Location: Shropshire, UK
Cras wrote:
Passing the password in the request body? That's broken and wrong.

Damn straight. Even in the headers is bad enough, at least give each user some sort of API access password that is only used to get a token from the API rather than sending their full account password over the air, goddamnit.


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:44 
SupaMod
Est. 1978

Joined: 27th Mar, 2008
Posts: 69509
Location: Your Mum
GazChap wrote:
Cras wrote:
Passing the password in the request body? That's broken and wrong.

Damn straight. Even in the headers is bad enough

There's no difference!

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 13:03 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49232
Except that passing WWW-Authenticate headers means they can be processed automatically by the web server. Passing them in the POST body means you have to manually take them and use them in code to authenticate.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 13:39 
SupaMod
Est. 1978

Joined: 27th Mar, 2008
Posts: 69509
Location: Your Mum
Yes, but that's their end. Give a fuck about their end. Neither way is more secure.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 13:42 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49232
Grim... wrote:
Yes, but that's their end. Give a fuck about their end. Neither way is more secure.


You give a fuck about their end because they're your credentials.

It's always going to be more secure to use built-in auth functions that have been tested to destruction all over the place than to roll your own custom code for it.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 14:31 
SupaMod
Est. 1978

Joined: 27th Mar, 2008
Posts: 69509
Location: Your Mum
I was thinking more about during transit. Don't forget there's nothing stopping them getting their hands on the headers.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 15:27 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49232
Grim... wrote:
I was thinking more about during transit. Don't forget there's nothing stopping them getting their hands on the headers.


If you're logging in, I'm assuming it's SSL protected in transit. If not, burn the whole fucking thing down.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 16:07 
SupaMod
Est. 1978

Joined: 27th Mar, 2008
Posts: 69509
Location: Your Mum
Cras wrote:
Grim... wrote:
assuming

When you ASSume, I put my DICK in your mums ASS.

Or something.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 16:40 

Joined: 31st Mar, 2008
Posts: 8648
Cheers guys, I barely understand anything you've said, other than it's a shitfest, but I kind of suspected that anyway.


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 16:52 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49232
What is it built on, Joans? What's the webserver?

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 17:12 

Joined: 31st Mar, 2008
Posts: 8648
IIS.

I've got access to the server if anyone wants me to break stuff.


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 17:33 
Unpossible!

Joined: 27th Jun, 2008
Posts: 38464
IIS? Blimey


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 18:45 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49232
If it's IIS then turn on integrated authentication for the virtual directory the API uses and see what happens.

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 20:05 

Joined: 31st Mar, 2008
Posts: 8648
Er, how do I do that?
If I go to the site in IIS, and view virtual directories, there are none.


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 20:07 

Joined: 31st Mar, 2008
Posts: 8648
I tried enabling Windows Authentication earlier, but that didn't seem to make any difference (or I don't know how to request a token properly).


 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 20:25 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49232
if there's only one top level site and you've tried it with integrated auth turned on, then they're doing something weird and they'll have to try and tell you what's needed, sadly :(

 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 20:31 

Joined: 31st Mar, 2008
Posts: 8648
There are loads of sites (on the left), but the one relating to the api doesn't have anything listed under view virtual directories. If that's where I'm supposed to be looking?


Top
 Profile  
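Cras's suggestion from earlier in the thread, turning on integrated (Windows) authentication for the IIS application that hosts the API and then checking whether the server actually challenges for it, as an added example of how that is done and verified from PowerShell. This is not from the thread or from the vendor: the site name `Default Web Site`, the application name `api` and the test URL are placeholders, and the script assumes Windows PowerShell 5.1 on the IIS server with the WebAdministration module available.

```powershell
# Added example, not the vendor's instructions. Run in an elevated Windows
# PowerShell 5.1 session on the IIS server. Site, application and URL below
# are placeholders for the site and application that host the vendor API.
Import-Module WebAdministration

$Site     = 'Default Web Site'   # assumed site name
$App      = 'api'                # assumed application / virtual directory name
$Location = "$Site/$App"
$authPath = 'system.webServer/security/authentication'

# Windows Authentication is a separate IIS role service; make sure it exists.
if (-not (Get-WindowsFeature Web-Windows-Auth).Installed) {
    Install-WindowsFeature Web-Windows-Auth
}

# Current state. An application that still allows anonymous requests never
# sends a 401 challenge, so turning Windows auth on by itself appears to
# "make no difference" to clients.
'anonymous enabled: ' + (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$authPath/anonymousAuthentication" -Name enabled).Value
'windows   enabled: ' + (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$authPath/windowsAuthentication" -Name enabled).Value

# Enable Negotiate/NTLM and disable anonymous for this application only.
# Writing via -PSPath 'IIS:\' -Location puts the change in applicationHost.config,
# which works even when the authentication sections are locked against web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$authPath/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false

# Verify from a domain-joined machine. With no credentials IIS must answer 401
# and advertise Negotiate/NTLM; with -UseDefaultCredentials the request should
# succeed as the logged-in user with no password prompt at all.
$Uri = "https://$env:COMPUTERNAME/$App/"   # assumed URL of the application
try {
    Invoke-WebRequest -Uri $Uri -UseBasicParsing | Out-Null
    Write-Warning 'No challenge: anonymous access is still allowed for this path'
}
catch {
    $resp = $_.Exception.Response
    if ($resp -and $resp.StatusCode -eq 401) {
        'Challenge: ' + $resp.Headers['WWW-Authenticate']
    } else { throw }
}
$r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -UseDefaultCredentials
"Authenticated as the current user, HTTP $($r.StatusCode)"
```

What this does and does not prove: a 401 with `WWW-Authenticate: Negotiate` followed by a 200 with `-UseDefaultCredentials` shows that IIS now identifies the caller from their Windows logon, which is the single sign-on behaviour the thread was after. It does not change the application behind it: if the vendor's token endpoint only knows how to mint a token from a username and password posted in the body, it will carry on ignoring the Windows identity IIS has established, and that is the point at which, as Cras says, the vendor has to tell you what they actually support.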
 
Display posts from previous:  Sort by  
Reply to topic  [ 25 posts ] 

All times are UTC [ DST ]


Who is online

Users browsing this forum: markg and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search within this thread:
You are using the 'Ted' forum. Bill doesn't really exist any more. Bogus!
Want to help out with the hosting / advertising costs? That's very nice of you.
Are you on a mobile phone? Try http://beex.co.uk/m/
RIP, Owen. RIP, MrC.

Powered by a very Grim... version of phpBB © 2000, 2002, 2005, 2007 phpBB Group.