Vidyano Documentation
Architecture

Last updated 2 months ago

This information is still applicable to v6

Groups / Rights

Functionality is driven by giving groups (application roles) specific rights to actions (e.g. Save, New, Delete, Print, Export, …). Without an explicit right for an action the user won’t be able to execute it, and the backend will throw an exception if it is attempted.

Query, Read, Edit and New rights can be defined at the attribute (property/column) level; all other actions are defined at the persistent object (class/table) level.

Authentication

A Vidyano application can be configured to allow multiple authentication sources, all of which map to users that can be assigned to groups.

Vidyano Authentication

Enabled by default; allows logging in with any custom user name and password. Passwords are stored in the database as a BCrypt hash. The BCrypt work factor can be configured and is raised by the framework at regular intervals (currently 13). Passwords must be at least 8 characters long and must not appear on the blacklist (currently a list of the top 25 worst passwords plus Pwned Passwords, queried through the V2 range API). A different minimum length, complexity rules (no longer recommended) or a different blacklist can be configured.

ADFS Authentication

Allows the use of Active Directory Federation Services to authenticate the user in the application. The application can be configured to automatically put unknown authenticated users in a specific group, or this logic can be handled in code (for example, to put the user in a group based on the returned claims). The http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname claim is used as the user name.

OAuth Authentication Providers

Allows the use of an OAuth provider (Microsoft, Google, Facebook, Twitter or Yammer) to authenticate the user in the application. It can also be configured to automatically create unknown users. The e-mail address is used as the user name.

Auth Token

Once the user has been authenticated, the server returns an auth token to the client that is used for subsequent requests.

The token is a SHA256 hash composed of the following information:

  • Application salt

  • User name

  • User version (incremental number in the database that is increased when the password is changed or the user is disabled)

  • Expiry date and time

  • IP address

  • Optionally, the original user when a user is impersonated

The IP address that is actually checked can be configured to allow switching between addresses within a specific CIDR range, in case users have multiple external IP addresses, or it can be changed in code by overriding GetClientIpAddress:

// Override the IP address component that goes into the auth token for a given user.
public override string GetClientIpAddress(string userName, string ipAddress)
{
    if (userName == "salesguy") // NOTE: Always on the road
        // Replace the volatile IP address with a stable per-user value from the profile.
        return Manager.Current.GetUser(userName).Profile["AuthTokenSalt"];

    return base.GetClientIpAddress(userName, ipAddress);
}
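The following Python script is an added illustration of the auth token described above; it is not Vidyano's code. The exact field layout, the epoch-seconds expiry, the `|`-separated token format, the CIDR setting and the sample user are all assumptions; the point is that a user-version bump, an expired timestamp or an IP address outside the configured range all invalidate the token.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample state; the real framework keeps this in its database.
APPLICATION_SALT = "constructed-application-salt"
USERS = {"alice": {"version": 7, "original_user": None}}
# Hypothetical setting: addresses in this range count as the same client.
ALLOWED_CIDR = ipaddress.ip_network("203.0.113.0/24")

def client_ip(ip: str) -> str:
    """IP component of the token: inside the configured range the network itself
    is hashed, so moving between addresses in that range keeps the token valid."""
    return str(ALLOWED_CIDR) if ipaddress.ip_address(ip) in ALLOWED_CIDR else ip

def auth_token(user: str, expires: int, ip: str) -> str:
    """SHA-256 over the fields the page lists (newline-joined; the layout is assumed).
    'expires' is a UNIX timestamp carried in clear so the server can recompute
    the hash without storing the token."""
    u = USERS[user]
    parts = [APPLICATION_SALT, user, str(u["version"]), str(expires),
             client_ip(ip), u["original_user"] or ""]
    digest = hashlib.sha256("\n".join(parts).encode()).hexdigest()
    return f"{user}|{expires}|{digest}"

def verify(token: str, ip: str, now: int) -> bool:
    """Recompute from the current user record; any changed field fails the check."""
    try:
        user, exp_s, digest = token.split("|")
        expires = int(exp_s)
    except ValueError:
        return False
    if user not in USERS or now >= expires:
        return False
    expected = auth_token(user, expires, ip).rsplit("|", 1)[1]
    return hmac.compare_digest(expected.encode(), digest.encode())

def scenario() -> dict:
    """Issue a token for alice and check it under the cases the page describes."""
    token = auth_token("alice", expires=1_700_003_600, ip="203.0.113.10")
    now = 1_700_000_000
    results = {"same_ip": verify(token, "203.0.113.10", now),
               "same_cidr": verify(token, "203.0.113.77", now),
               "other_ip": verify(token, "198.51.100.5", now),
               "expired": verify(token, "203.0.113.10", 1_700_003_600)}
    USERS["alice"]["version"] += 1  # a password change or disable bumps the version
    results["after_password_change"] = verify(token, "203.0.113.10", now)
    USERS["alice"]["version"] -= 1  # restore the sample state
    return results
```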

Security Token

To ensure that the client works with the correct model (based on the user's rights), the server generates a security token that is checked when the persistent object is sent back.

The token is a SHA256 hash composed using the following code:

private string GetTamperingDetectionToken(string securityToken)
{
    // When verifying a token sent back by the client, reuse the salt it carries;
    // otherwise generate a fresh random salt for a new token.
    string salt;
    if (securityToken == null)
        salt = ObjectEx.GetSecureRandomString(6);
    else
        salt = securityToken.Substring(1, 8);

    var allData = new StringBuilder();
    allData.AppendLine(salt);
    // Per-object salt, object identity and (for bulk edits) every object id.
    var poSalt = VidyanoDbCache.Default.GetPersistentObject(Id, false)?.Salt;
    if (poSalt != null)
        allData.AppendLine(poSalt);
    allData.AppendLine(Id.ToString());
    allData.AppendLine(ObjectId);
    if (BulkObjectIds != null)
        BulkObjectIds.Run(id => allData.AppendLine(id));

    // Every attribute id is bound; read-only attributes also bind their value
    // (or referenced object id), so the client cannot change what it may not edit.
    Attributes.OrderBy(a => a.Id).Run(attr =>
    {
        allData.AppendLine(attr.Id.ToString());
        if (attr.IsReadOnly && !attr.Name.Contains("."))
        {
            var attrWithReference = attr as PersistentObjectAttributeWithReference;
            allData.AppendLine(attrWithReference != null ? attrWithReference.ObjectId : attr.Value);
            allData.Append(attr.IsValueChanged);
            allData.AppendLine();
        }
    });

    // Finally mix in the application-wide salt and hash everything.
    allData.AppendLine(SecurityScope.ApplicationSalt);
    var result = allData.ToString().GetSHA256();
    return "$" + salt + result;
}

The token uses a random salt to prevent oracle attacks. All of this information is included so that the client can only modify the entity exactly as the server sent it, with only the attributes that were available. For attributes the user has no edit rights to, the actual value is also included in the token, so the application can safely set these attributes on the server side. Any attempt to modify this data results in an exception being thrown by the backend.
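The Python script below is an added re-implementation of the GetTamperingDetectionToken logic above, not Vidyano's code, written to show the check from the server's side: the persistent object, its attributes and the `.Run`/`AppendLine` behaviour are modelled with plain dictionaries and strings (constructed sample data), and `verify` recomputes the token with the salt taken from the client's copy. Editing an editable attribute passes; changing a read-only value or adding an attribute fails.

```python
import base64
import copy
import hashlib
import hmac
import os

APPLICATION_SALT = "constructed-application-salt"  # stand-in for SecurityScope.ApplicationSalt

def tampering_token(po: dict, security_token: str = None) -> str:
    """Mirror of the page's GetTamperingDetectionToken: each AppendLine there is
    one entry of 'lines' here (all values are plain strings in this sample)."""
    if security_token is None:
        salt = base64.b64encode(os.urandom(6)).decode()  # 6 random bytes -> 8 chars
    else:
        salt = security_token[1:9]                       # Substring(1, 8): reuse the salt
    lines = [salt]
    if po.get("salt"):
        lines.append(po["salt"])
    lines += [str(po["id"]), po["object_id"], *po.get("bulk_object_ids", [])]
    for attr in sorted(po["attributes"], key=lambda a: a["id"]):
        lines.append(str(attr["id"]))
        if attr["read_only"] and "." not in attr["name"]:
            # Read-only attributes bind their value (or referenced object id).
            lines.append(attr.get("reference_object_id", attr["value"]))
            lines.append(str(attr["is_value_changed"]))  # "True"/"False" like C# bool
    lines.append(APPLICATION_SALT)
    digest = hashlib.sha256("".join(l + "\n" for l in lines).encode()).hexdigest()
    return "$" + salt + digest

def verify(po: dict, token: str) -> bool:
    """Server-side check: recompute with the salt taken from the client's token."""
    return hmac.compare_digest(tampering_token(po, token).encode(), token.encode())

def scenario() -> dict:
    """Constructed persistent object with one editable and one read-only attribute."""
    po = {"id": 42, "object_id": "1001", "salt": "po-salt", "attributes": [
        {"id": 2, "name": "CreditLimit", "read_only": True, "value": "5000", "is_value_changed": False},
        {"id": 1, "name": "Name", "read_only": False, "value": "Acme", "is_value_changed": False}]}
    token = tampering_token(po)
    edited, forged, extra = (copy.deepcopy(po) for _ in range(3))
    edited["attributes"][1]["value"] = "Acme Ltd"      # editable: not part of the hash
    forged["attributes"][0]["value"] = "999999"        # read-only: hash changes
    extra["attributes"].append({"id": 3, "name": "Discount", "read_only": False,
                                "value": "50", "is_value_changed": True})
    return {"unchanged": verify(po, token), "edit_allowed": verify(edited, token),
            "forged": verify(forged, token), "extra_attribute": verify(extra, token)}
```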

Force Https / TLS 1.2

Vidyano automatically redirects to https:// for certain domains (azurewebsites.net, apphb.com, …) and can be configured with a simple appSetting for custom domains. Enabling this flag also enables HSTS (HTTP Strict Transport Security), which tells the browser to always go directly to the https:// site, even if the user types http://, to block MITM attacks.

Depending on the deployment, it is recommended to allow only TLS 1.2 where possible. For Microsoft Azure App Services this can be enabled on the SSL settings tab.

Two-factor authentication

Each user can set up their own two-factor code on the user settings page (available via the gear in the lower left of the application). The application can also be configured to require (force) two-factor authentication for users in a specific group (e.g. Administrators).

Password requirements are based on Microsoft’s Password Guidance and NIST’s Digital Identity Guidelines.

The https://haveibeenpwned.com/Passwords service is used to validate that passwords do not appear on any leaked password list. The new V2 API is used with the Range API, which provides k-anonymity: a breached password can be checked without disclosing the actual password (or even a full hash of it).
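As an added example (not Vidyano's implementation) of the password rules from the Vidyano Authentication section combined with the Range API check described here, the Python script below applies the minimum length, a blacklist and a k-anonymity lookup. The network call is replaced by a constructed in-memory response so it runs offline; the abbreviated blacklist and the breach count are made up.

```python
import hashlib

MIN_LENGTH = 8  # page: passwords must be at least 8 characters
# Abbreviated, constructed stand-in for the page's "top 25 worst passwords" list.
BLACKLIST = {"123456", "password", "qwerty", "12345678", "letmein"}

# Constructed stand-in for one Range API response. The key is the 5-hex-char
# SHA-1 prefix the client sends; each line is "<35-char suffix>:<count>".
# "5BAA6" is the prefix of SHA-1("password"); the count is made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
             "00000000000000000000000000000000000:3\r\n",
}

def fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Only these five characters leave the server, which is what gives k-anonymity."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")

def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how often the password appears in the breach corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line_suffix, _, count = line.partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0

def validate_password(password: str, fetch=fetch_range) -> list:
    """Apply the page's three rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLACKLIST:
        problems.append("on the blacklist")
    count = pwned_count(password, fetch)
    if count:
        problems.append(f"seen {count} times in breached data")
    return problems
```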