How does the supplicant connect to the auth server in EAP TTLS?

I understand that a TLS session has to be established between the supplicant (end user device) and the auth server, but a few things are unclear:

  1. How does the supplicant know the IP address of the auth server?
  2. The supplicant is not granted access yet, but it has to communicate over TLS. Does that mean it is granted a temporary local IP address and only requests to the auth server are forwarded via usual NAT by the access point?
  3. How does the supplicant authenticate the server? If I were connecting to a website, I would check the common name (and that the chain is correct up to a root CA certificate I have), but what would the supplicant check for in the common name (subject)?

authentication – Figure out security and auth for mobile app which uses Firebase

I need a bit of help to figure/plan out this scenario:

So for a mobile app I’m currently working on, the use case requires authenticating users via mobile number and OTP. So basically the user enters their number, receives an OTP, enters the OTP and is verified. No email/password/oauth.

It turns out that using Firebase’s mobile number verification service is rather easy to get started with, compared to setting up the whole thing server side. One needs to import the Firebase module into the app, and the mobile number is sent to Firebase’s service, which in turn sends the OTP code, and verifies it. Firebase’s service is used only for this purpose and not for storage/etc.

At this point, the user should be considered authenticated (with their mobile number).

For accessing specific data from the server, the user will also need to be authorized. For this I should be able to get the “app ID” or “device ID”, and store it on the server and link it to the particular mobile number. After Firebase validates the mobile number, the app makes a request to the server with the mobile number and the Device ID. On the server’s auth database, each user gets an internally generated UID. The combination of the mobile number and the device ID is also a primary key. The mobile number and/or device ID can change, and then the new value can be updated and linked to the UID.

So far I have not seen where the server will need to send a token/cookie to the client. That’s what I am used to while creating email/password login flows.

When the client app makes a request to the server, it includes the mobile number and/or device ID to identify itself to the server, which can then decide if the specific UID should have access to the resource being requested.

This is not a “critical” app like for banking etc. But there will be the ability to make payments via third party services/apps (the app doesn’t directly/itself handle payments). So the security doesn’t need to be watertight but reasonable enough.

Am I missing something in the description/flow above? Any pointers will be appreciated.

authentication – SharePoint Online Auth Cookie TTL

See Here. I assume this is what you are trying to do… maybe not.
But I think these two links are closer to what you may be looking for:

If none of these suit you, then you may be wading into the undocumented backwaters of O365 as seen here.

As per this link, the SPOIDCRL cookie is refreshed on each page load.
You cannot alter the duration of the cookie’s existence in the Admin Console in SPO. Without knowing more about what you are trying to do, I cannot be more specific.

Here is a general guide to security token expiration in O365, but the SPOIDCRL cookie is not enumerated in this link (nor are any other O365 cookies).


Please remember to Up Vote and Mark as an Answer if this helped you.

authentication – Auth strategy for local Docker services

I’m trying to choose an authentication/authorization strategy for some Docker services that all run on a single Linux IoT device. There are N first-party services and a single third-party service, each running in its own Docker container, all on the same shared Docker network so they can communicate with each other.

I need to be able to authorize some endpoints being called inside the 1st party services. Really, I just need to make sure the 3rd party service can’t call certain endpoints on the 1st party services.

Since each service has its own DNS entry within Docker, would it be viable to use the caller endpoint for authentication? For example, since I know a call from ‘my-service-one’ is one of the first party services, any requests from it will get the ‘Admin’ role and can make calls to the /admin endpoint.

I have some other ideas, but since this is all running on an IoT device, I want a way for the services to be able to run when there is no internet connection for an extended period of time.

postgresql – Local Postgres Server on Mac Pw Auth Fail

Disclaimer: I am new to macOS. I haven’t found any useful related question.

After successfully installing postgresql 13.2 via homebrew on macOS 11.2.1 (Big Sur) I run into the following problem:

Use terminal for the command

psql postgres

It prompts for the pwd of my standard Mac user account.

Returns:

psql: error: FATAL:  password authentication failed for user "standarduser"

Try:

sudo psql postgres

Now it asks for the standard user pwd and accepts it.
Then it asks for the root user pwd and rejects it with the same error as before:
Returns:

psql: error: FATAL:  password authentication failed for user "root"

What am I missing?

maven – How do I use token auth for Github Packages from Gradle?

In the repository section of your build.gradle.kts, include the following:

repositories {
    ...
    maven("https://maven.pkg.github.com/<OWNER>/<GIT_REPO>") {
        credentials(HttpHeaderCredentials::class) {
            name = "Authorization"
            value = "Bearer ${project.findProperty("gpr.token") as String}"
        }
        authentication {
            create<HttpHeaderAuthentication>("header")
        }
    }
}

Replace <OWNER> with the name of the user or organization that owns the repo and <GIT_REPO> with the name of the git repository that generates the package. You then add the token you generated on https://github.com/settings/tokens to gradle.properties in the same directory as your build.gradle.kts. It should look like:

gpr.token=<Token, without quotes>

The file may already exist with other settings, you don’t need to remove them. DO NOT COMMIT THIS FILE.

If this still does not work, verify that the token you generated has the read:packages permission. If it doesn’t, you’ll need to generate a new token.

Hopefully this saves you the 4 hours it took me to figure out what was happening.

multi factor – Anonymous SMS-based auth: How to get phone numbers to receive a single 2FA authentication SMS with minimal cost and effort, multiple times

What is the simplest, fastest, cheapest, easiest way to get access to a ‘non-VOIP’ phone number just long enough to receive a single text message?

Traditional approaches that are not ideal:

  1. Use existing mobile phone number. Compromises anonymity.
  2. Go to the store, buy a burner SIM, buy some minutes, set it up. Probably the best approach, but relatively costly and time-consuming… to receive a single text message! The cheapest I’ve seen is about $10USD for the SIM, plus about >$10-20USD for some ‘days’. Also, considerable hassle to set this up, from going to the store to calling the carrier to scratching off blah blah blah.
  3. Use one of the many burner SMS services, e.g. burnersms.com, many others, or use Twilio, Google Voice, Skype, or other online services. This doesn’t work on the site. Need a ‘non-VOIP’ number, presumably registered with a standard carrier, see below.
  4. Ask someone else to receive the text. Creepy, and, well just not good.

Why / use case
In order to create more than one account on a website that requires SMS-based 2FA as a test to prove that you’re human and allow registration for the site. The site doesn’t store the phone number for later 2FA as would be typical for password retrieval, so the number isn’t needed again later. It is only ever needed to receive a single SMS. Caveats regarding the number:

  1. It has to be a phone number that has never been used on the site before.
  2. It cannot be a phone number that the site deems ‘VOIP-based’, see above, or it won’t work.
  3. Want at least reasonably decent anonymity, so not trivial to connect the phone number to the registrant, as it would be for a personal mobile number in routine use.

I want to do this multiple times, so I want an approach that is inexpensive and not time-consuming. It appears it does not matter which country the phone number is associated with.

Thanks!

8 – How to Logout user with Basic auth?

I can log in, perfectly fine, but can’t get logout to give me a JSON response. Currently, I can only do POST to

d8.com/user/logout?csrf_token=123&?_format=json

and that would log out, even though the token 123 is not the same as the csrf-token given at login or the logout token. This doesn’t work without the token query, even though cookie/session isn’t enabled anywhere

(“message”: “‘csrf_token’ URL query argument is missing.”).

The logout happens when hitting a 403 forbidden on that URL.

Other info:
csrf_token=123 is the actual query; it doesn’t need to be the csrf-token or the logout token given at login.
Version: 8.5.3
Only basic_auth is turned ON, at all endpoints.

authentication – Token Auth best practices

I am getting familiar with authentication (using passportjs) and using things like sessions, jwt, etc.

My question is: what is the best way to prevent someone from going on a computer, copying a sessionid/token/jwt/etc., entering it into the website on their browser and getting unobstructed access to the user’s profile?

Is there a technique that makes this not possible? I’ve looked into browser fingerprinting and not sure if that’s a good idea since browsers often change navigator attributes.

Also, I code with JS so preferably that language.

Thanks so much,

P