
I have a desktop application and a web application. The user is logged in on the desktop application. With a click on a button or something the browser should open and the user should be logged in.

Now I'm a little confused how to implement this in a safe way. My first thought would be to generate a nonce on the server, pass this to the application which in turn then generates a URL for the browser. (The whole communication is over HTTPS). But since the nonce would be in the URL couldn't a MITM just grab it and then login as this user? I guess the browser would show a certificate problem in case of an MITM attack but some of the users aren't very savvy so I assumed that they just would dismiss any certificate error.

This is a problem because some of these users are sort of administrators (they create users), so it would be very bad if an attacker could log in.

Is it possible to automatically login a user from a desktop application to a web application in a secure way?

morpheus05
  • What OS are you using? – Neil Smithline Jun 04 '15 at 16:18
  • See https://developers.google.com/identity/protocols/OAuth2InstalledApp – Neil McGuigan Jun 04 '15 at 18:41
  • Windows for the clients and GAE for the Server stuff. OAuth is not an option because the application is a business app and it would feel strange if the people would need a google account or something similar. – morpheus05 Jun 05 '15 at 07:57
  • If you observe a second use of the nonce on the server end, could you not simply shut down the session with an error notice to the user? – Ari Trachtenberg Jun 05 '15 at 14:13
  • My thought was that a MITM can just simply prevent the client from reaching the server with the nonce. I imagine the MITM as some sort of a proxy which undermines every connection to my server. But is this a realistic scenario? – morpheus05 Jun 08 '15 at 08:13
  • You could simply have a URL on the server that the client can visit, make sure that you only allow authenticated requests on that URL, generate a nonce/autologin URL on the spot and send it to the authenticated client. Make sure to expire the URL quickly (e.g. 1 to 5 minutes) and to tie it to the account that requested it. Then the client can pass the URL to the user's browser. – Steve Dodier-Lazaro Jun 09 '15 at 14:12
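The scheme sketched in the comments (an authenticated client asks the server for a short-lived autologin URL, the nonce is tied to the requesting account, and a second use of the same nonce is treated as an attack) can be written down concretely. The following is an added example, not code from the question or from any answer; the two-minute lifetime, the `webapp.example` host, the in-memory dictionaries and the `AutologinService` class are all assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Assumed lifetime, inside the 1 to 5 minute window suggested in the comments.
AUTOLOGIN_TTL_SECONDS = 120
# Placeholder host for the web application; not the asker's real deployment.
WEB_APP_BASE_URL = "https://webapp.example"


class AutologinService:
    """Issues and redeems single-use autologin nonces (hypothetical helper).

    Plain dicts stand in for the server's datastore so the example runs offline.
    """

    def __init__(self) -> None:
        # sha256(nonce) -> {"account", "expires", "session"}; only the hash of the
        # nonce is stored, so a leaked table does not yield usable URLs.
        self._pending: Dict[bytes, dict] = {}
        # session id -> account id, for sessions created through autologin
        self.sessions: Dict[str, str] = {}

    @staticmethod
    def _key(nonce: str) -> bytes:
        return hashlib.sha256(nonce.encode()).digest()

    def issue_url(self, account_id: str, now: Optional[float] = None) -> str:
        """Build an autologin URL for an already-authenticated desktop client.

        Must only be called on a request that the server has authenticated; the
        nonce is bound to that account and expires quickly.
        """
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(nonce)] = {
            "account": account_id,
            "expires": now + AUTOLOGIN_TTL_SECONDS,
            "session": None,
        }
        return f"{WEB_APP_BASE_URL}/autologin?n={nonce}"

    def redeem(self, nonce: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a nonce for a web session id, or None if it must be refused."""
        now = time.time() if now is None else now
        key = self._key(nonce)
        entry = self._pending.get(key)
        if entry is None:
            return None  # unknown or already cleaned up
        if now >= entry["expires"]:
            del self._pending[key]  # too old: the user has to click again
            return None
        if entry["session"] is not None:
            # Second presentation of the same nonce: someone else has the URL.
            # Revoke the session the first use created and refuse this one.
            self.sessions.pop(entry["session"], None)
            del self._pending[key]
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = entry["account"]
        entry["session"] = session_id  # kept until expiry so a replay is noticed
        return session_id
```

The used entry is kept (marked with its session) rather than deleted on first redemption, which is what lets the server detect a replay inside the lifetime window and shut down the session it created. The nonce still travels in a URL, so the web application should accept it only over HTTPS and should not log query strings.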

1 Answer


I had this problem a few weeks ago. I simply resolved it by making a web service accessible via HTTPS.

The user logs in from a local client application via a login/password form which is sent over HTTPS. The server gets the data and sends a token to the client.

The token is stored in the application for login purposes and expires after 2 weeks. When the token expires, my client has to log in again.

My requests are HTTPS based, so it takes care of the handshakes, encryption, etc.

A large amount of WebAPIs use this method to make secure transactions.

If you notice a large number of failed login attempts on the server side, block any further attempts from the client for a given amount of time, which increases after future failed attempts.

Fortune
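The answer describes a password login over HTTPS that returns a token valid for two weeks, plus a lockout that grows after repeated failures. The following added example is not the answerer's code; it assumes PBKDF2-HMAC-SHA256 for password storage, a threshold of five failures, a first block of one minute that doubles on each further block, and in-memory dictionaries in place of a database (all choices made for the illustration, the two-week lifetime is the one from the answer).

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 14 * 24 * 3600  # two weeks, the lifetime the answer uses
FAIL_THRESHOLD = 5                  # assumed: failures before a client is blocked
BASE_LOCKOUT_SECONDS = 60           # assumed: first block is 1 minute, doubling after
_DUMMY_SALT = b"\x00" * 16          # used so unknown users cost the same time as known ones


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginService:
    """Hypothetical token-issuing login endpoint with escalating lockout."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]) -> None:
        self._users = users      # username -> (salt, digest)
        self._tokens: Dict[bytes, Tuple[str, float]] = {}   # sha256(token) -> (user, expiry)
        self._clients: Dict[str, dict] = {}                 # client id -> failure state

    def _client(self, client_id: str) -> dict:
        return self._clients.setdefault(
            client_id, {"fails": 0, "lockouts": 0, "locked_until": 0.0})

    def locked_until(self, client_id: str) -> float:
        return self._client(client_id)["locked_until"]

    def login(self, client_id: str, username: str, password: str,
              now: Optional[float] = None) -> Optional[str]:
        """Verify the password and return a bearer token, or None on refusal."""
        now = time.time() if now is None else now
        state = self._client(client_id)
        if now < state["locked_until"]:
            return None  # blocked: do not even evaluate the password
        record = self._users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, b"")
        _, candidate = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, stored)
        if not ok:
            state["fails"] += 1
            if state["fails"] >= FAIL_THRESHOLD:
                state["lockouts"] += 1
                # Lockout doubles with every block this client has earned.
                state["locked_until"] = now + BASE_LOCKOUT_SECONDS * 2 ** (state["lockouts"] - 1)
                state["fails"] = 0
            return None
        state["fails"] = 0
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token; the client holds the only plain copy.
        self._tokens[hashlib.sha256(token.encode()).digest()] = (
            username, now + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Map a presented token to its user, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        entry = self._tokens.get(key)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._tokens[key]  # expired: the client has to log in again
            return None
        return username
```

The failure counter is keyed by client rather than by account so that a stream of wrong passwords against one administrator's username cannot be used to lock that administrator out; a deployment would pick the client identifier (source address, device id) that fits its network layout.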