Azure ACS 2.0 with Microsoft Account on Windows 8

I'm securing my Windows 8 to Windows Azure hosted WCF service connection using SSL. I'm interested in verifying that the user is using my Windows 8 app and not just some 'hacker' using Fiddler.

I obviously can't store a username and password inside the C# code, and in this situation I'd really like to avoid asking the user for a username and password every time they use the application (or ever, for that matter).

I've had a look into Azure ACS but it looks like it's for single sign in only and the user will have to enter the username and password every time.

Is there any way to:

  • Use the default Microsoft Account (which most users will have entered when they setup Windows 8) with ACS?
  • Encrypt and store the user's login details to prevent the user having to enter login details every time?

Thanks!

Unarmed answered 19/9, 2012 at 12:24 Comment(1)
Since your app is on Windows 8, and you're looking to use the Microsoft Account, have you considered using the Live SDK directly? Michael Crump has an article about integrating the Live SDK with your WinRT application at silverlightshow.net/items/… - Brendin

About your requirement "I'm interested in verifying that the user is using my Windows 8 app and not just some 'hacker' using Fiddler": I am not sure how deeply you would try securing your application, as if others want to try consuming your application differently, they will find their way, and if you think using ACS or LiveSDK adds any security, I don't think so.

ACS or LiveSDK services are ways to authenticate a specific user and then allow them to use your application. Once the authentication token is given to your application about a specific user, if you do not have a way to save and again verify that info, there is no difference between having ACS/LiveSDK-based authentication in your application or not having it. These OAuth-based services are just a way to authenticate the user; you would still need to write an extra layer of code to provide a user-specific service.

It does not matter whether you use ACS, OAuth, or your own membership service: the user will have to enter a username and password to get authenticated from time to time. Based on login time and type, you can keep the user active for x amount of time as a live session; however, the session will expire and the user will have to enter the username and password again. Storing the username and password locally to avoid entering credentials again is not a good application design.

Now, about your first question: you should be using LiveSDK (not Azure ACS) to authenticate Live (Hotmail, Live, SkyDrive and Outlook domain) users, because in Windows 8 most of the services are using these IDs, so using one of these will help your application be part of the same ecosystem. You can use this latest doc to use the Live SDK in your application. If you use the Live SDK in your Windows 8 application, and the user uses the same Live ID for their other applications on Windows 8 and logs in before your application, your application will already have a live session to use, depending on the Live ID and application settings.

About your second question, "Encrypt and store the user's login details to prevent the user having to enter login details every time?": I am not sure why you need it. First of all, no OAuth service will give you the user's login credentials, only the user name, which you can save to verify the user if he visits again, and which you can use to be sure that it is a proper user. You must store this info in the cloud and then, once authenticated, do whatever you want.

Diamagnet answered 21/9, 2012 at 0:59 Comment(3)
So essentially, there's no way I can verify somebody is using my app because at the end of the day my XAP package is accessible to anybody who wants it. Windows Phone and Windows 8 app packages are now encrypted, but it looks like people have already hacked it: forum.mobilism.org/viewtopic.php?f=1073&t=386304. Is there no way of verifying somebody is using my unmodified application? - Unarmed
You do bring up a very good point; unfortunately this is not a forum for discussing such scenarios. As I mentioned, the fact is that if someone (1% or less) wants to use your application the other way around, they will find a way, so it is you who needs to decide what % of energy/resources you need to spend in this regard. - Diamagnet
Thank you! I'll have a look and see what I can do. Do you know anywhere I could discuss this, please? - Unarmed
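The silent sign-in the answer above describes (reusing the Microsoft Account session the user already has on the device, and only prompting when that fails) looks like the following in a Windows 8 app. This is an added example, not code from the answer or from Microsoft's samples. It uses the Live SDK 5.x API for Windows Store apps (the Microsoft.Live assembly) and assumes the app has been registered in the Live Connect developer center; the WCF service the token is sent to, and how that service validates the token, are outside the snippet and are marked as assumptions in the comments.

```csharp
// Added example, not part of the original answer. Uses the Live SDK for
// Windows 8 (Microsoft.Live namespace). Assumes the app is registered with
// Live Connect and references the Microsoft.Live assembly.
using System;
using System.Threading.Tasks;
using Microsoft.Live;

public sealed class MicrosoftAccountSignIn
{
    // Request the minimum: wl.signin lets the app join the single sign-on
    // session the user already has on the device; wl.basic gives the
    // user's name and id for display and for keying server-side records.
    private static readonly string[] Scopes = { "wl.signin", "wl.basic" };

    private readonly LiveAuthClient _authClient = new LiveAuthClient();

    // Silent path. InitializeAsync never shows UI: it returns Connected only
    // if the user is signed in to Windows with a Microsoft Account and has
    // already consented to this app's scopes. Returns the authentication
    // token, or null when an interactive login is required.
    public async Task<string> TrySilentSignInAsync()
    {
        LiveLoginResult result = await _authClient.InitializeAsync(Scopes);
        if (result.Status == LiveConnectSessionStatus.Connected)
        {
            return result.Session.AuthenticationToken;
        }
        return null;
    }

    // Interactive path. Shows the consent UI once; on later launches the
    // silent path above succeeds, so the user is not re-prompted.
    public async Task<string> SignInAsync()
    {
        LiveLoginResult result = await _authClient.LoginAsync(Scopes);
        if (result.Status != LiveConnectSessionStatus.Connected)
        {
            throw new InvalidOperationException(
                "User did not complete sign-in: " + result.Status);
        }
        return result.Session.AuthenticationToken;
    }

    // What the app actually calls before talking to the service. The token
    // is sent to the WCF service (for example in an HTTP header; the exact
    // transport is an assumption, not part of the original post). The
    // service, not the client, must verify the token's signature and expiry
    // before trusting the user id inside it; nothing the client does can
    // prove the request came from an unmodified copy of the app.
    public async Task<string> GetTokenForServiceAsync()
    {
        return await TrySilentSignInAsync() ?? await SignInAsync();
    }
}
```

The point the answer makes still holds with this code in place: the token proves which user consented, not which client binary sent it. Keep the client secret used to validate the token on the server only; anything shipped inside the app package can be read by whoever extracts the package.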

Take a look at this credential store sample for Windows 8 modern-style applications - http://code.msdn.microsoft.com/windowsapps/PasswordVault-f01be74a. It's not Azure ACS, but it should hopefully help you solve your issue. PasswordVault is a new API (Windows.Security.Credentials.PasswordVault) building on the identity features we saw introduced in .NET 3. It allows you to securely store remote application credentials in the OS, in a protected store, and dynamically access them within your application. The user remains in complete control of the store and can remove the data by using the control panel if they so wish. Currently this is the way most modern applications are persisting data such as OAuth tokens for remote service calls to services such as Twitter.

This will only work for third party identities. If you want to use the Microsoft Account instead, follow the guidance above and take a look at the LiveSDK.

Sorrel answered 21/9, 2012 at 2:6 Comment(0)
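The PasswordVault usage the answer above points at, as an added example rather than code from the answer or from the linked MSDN sample. The vault calls (Add, FindAllByResource, RetrievePassword, Remove) are the real WinRT API in Windows.Security.Credentials; the resource name and the token value are assumed placeholders. It stores the bearer token a remote service issued, not the user's password, which is the distinction the question was circling around.

```csharp
// Added example, not part of the original answer. Persists a remote
// service's OAuth token in the per-user, OS-protected PasswordVault so the
// user is not prompted on every launch. Resource name is an assumption.
using System;
using System.Collections.Generic;
using Windows.Security.Credentials;

public static class TokenStore
{
    // The vault is keyed by (resource, user name). Use one resource name per
    // remote service so tokens for different services never collide.
    private const string Resource = "MyWcfService";  // assumed placeholder

    // Store or replace the token for this user. Store the revocable token,
    // never the password: if the device is lost, the token can be revoked
    // server-side without the user changing their password.
    public static void Save(string userName, string token)
    {
        var vault = new PasswordVault();
        Remove(userName);  // Add() would otherwise create a duplicate entry
        vault.Add(new PasswordCredential(Resource, userName, token));
    }

    // Returns the stored token, or null if none. Retrieve() throws when the
    // entry is missing, and FindAllByResource() throws when the resource has
    // no entries at all, so treat both as "not stored" rather than as errors.
    public static string Load(string userName)
    {
        var vault = new PasswordVault();
        IReadOnlyList<PasswordCredential> found;
        try
        {
            found = vault.FindAllByResource(Resource);
        }
        catch (Exception)
        {
            return null;  // nothing stored under this resource yet
        }

        foreach (PasswordCredential credential in found)
        {
            if (credential.UserName == userName)
            {
                // Credentials returned by FindAll* have the secret unloaded;
                // RetrievePassword() populates the Password property.
                credential.RetrievePassword();
                return credential.Password;
            }
        }
        return null;
    }

    // Called on sign-out, or when the service reports the token as revoked
    // or expired, so a stale token is not retried forever.
    public static void Remove(string userName)
    {
        var vault = new PasswordVault();
        try
        {
            PasswordCredential existing = vault.Retrieve(Resource, userName);
            vault.Remove(existing);
        }
        catch (Exception)
        {
            // Not present: nothing to remove.
        }
    }
}
```

Two practical caveats: the token is protected at rest by the OS for the signed-in Windows user, not from that user, who can view and delete it in Credential Manager, so the service should still issue tokens that expire and can be revoked; and a token stored this way proves only which user previously authenticated, which is all the answer above claims for it.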
