NetTalk Central

Topic: Anyone have passkeys implemented

rjolda

Anyone have passkeys implemented
« on: November 18, 2025, 02:47:01 AM »
Hi
NT 14.31  C11
I am looking into implementing passkeys for secure access to my APP.  Has anyone done any work with these or have any insights?
Thanks,
Ron

Jane

Re: Anyone have passkeys implemented
« Reply #1 on: November 18, 2025, 06:11:25 PM »
Not real passkeys.

What I have implemented on a few internal apps is use of a one-time token.
Somebody is logged into a SQL report server and part of running certain reports generates a GUID token in a SQL database.  The table has an expiration date/time.

They can then link from the report server to one of my internal web apps with a URL that passes that token and specifies an internal "Connect" netWebPage.

The webHandler has an overload of p_web.Authenticate that just has a single parameter for pBearerToken.
That version of the method validates the token against the list in SQL.  If valid, then it falls into my code for setting permissions and stuff just like a regular name/password login.

I'm sure there are more elegant options for passing the token.
What I did is

1. Create a NetWebPage which I call Connect
2. In the Connect page, there's a local variable
            _token  STRING(40)
3. In the Connect page, shortly after the CODE statement, I have the following code:
    _token = p_web.GetValue('c')
    IF p_web.Authenticate(_token)   
      p_web.Script('window.location.replace("/IndexPage");')
    ELSE
      p_web.Script('window.location.replace("/LoginForm");')
    END ! if   
4. My SQL report has a link to pass the token to the web app   
           theWebAppURL/Connect?c=[THE TOKEN VALUE]

This was quicker to throw together for an internal app, rather than trying to come up with a correct implementation of basic authentication.  But regardless of how you snag the token that's passed to you, you can use the pBearerToken version of p_web.Authenticate.
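
The token flow described in the reply above (the report server writes a token row with an expiry, the web app validates it), as an added example that is not part of the original post and is not NetTalk code. It uses Python with an in-memory SQLite table; the table and function names, the 5-minute lifetime, the `secrets` token in place of a GUID, storing only a SHA-256 of the token, and deleting the row on first use are assumptions of this example.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 300  # assumed lifetime; the post only says the row has an expiry


def open_store():
    """In-memory stand-in for the SQL table the report server writes to."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    db.execute(
        "CREATE TABLE connect_token ("
        " token_hash TEXT PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " expires_at REAL NOT NULL)"
    )
    return db


def _digest(token):
    # Store only a hash so a leaked table does not hand out usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(db, username, now=None):
    """Report-server side: mint a random token and record its expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)  # 32 URL-safe chars, fits a STRING(40)
    db.execute(
        "INSERT INTO connect_token VALUES (?, ?, ?)",
        (_digest(token), username, now + TTL_SECONDS),
    )
    return token


def redeem_token(db, token, now=None):
    """Web-app side: return the username once; None if unknown, expired or reused."""
    now = time.time() if now is None else now
    if not token or len(token) > 40:
        return None
    h = _digest(token)
    row = db.execute(
        "SELECT username FROM connect_token WHERE token_hash = ? AND expires_at > ?",
        (h, now),
    ).fetchone()
    if row is None:
        return None
    # Only the request whose DELETE removes the row wins, so a replayed or
    # concurrent request carrying the same token is rejected.
    cur = db.execute("DELETE FROM connect_token WHERE token_hash = ?", (h,))
    return row[0] if cur.rowcount == 1 else None
```

A token carried in a URL query string can end up in browser history and web server logs, which is why this example keeps the lifetime short and consumes the row on first use.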




seanh

Re: Anyone have passkeys implemented
« Reply #2 on: November 18, 2025, 10:20:46 PM »
Secwin 7 has something akin to this. It allows you to log on once and get a token so you don't need to log in again for n days.
It also has a number of other authentication methods I haven't tried.

Jane

Re: Anyone have passkeys implemented
« Reply #3 on: November 19, 2025, 10:07:50 AM »
Quote
Secwin 7 has something akin to this

Good to know, Sean.

Off topic from the passkey question...

I played a very little bit with Secwin 7 when it first came out.
I couldn't find a way to assign permissions within an app to nested Active Directory groups, rather than to Secwin's own groups.

So to avoid more instruction for our IT people, I coded my own thing querying AD to get group membership for the person logging on and then assigning permissions in code.  That way, when staff changes the IT people can just assign people to relevant AD groups and don't need to be familiar with my apps.
Not as flexible as far as changing what a particular group can do, but those group roles are rarely changed once an internal app is put into service.

Are you able to use AD groups (including nested groups) directly now in NetTalk with Secwin?

Jane

seanh

Re: Anyone have passkeys implemented
« Reply #4 on: November 19, 2025, 02:22:23 PM »
Jane,
I don't use Secwin in the app I have that uses AD so I've never looked.

Jane

Re: Anyone have passkeys implemented
« Reply #5 on: November 19, 2025, 02:29:15 PM »
Thanks, Sean.

I had rolled my own AD groups permissions for web apps before SecWin 7 was released and it works OK.  I just took a quick look at SecWin 7's groups when it was released and couldn't see an easy way to make it work seamlessly for what I needed so stuck with what I already had.

Hope you're doing well.

Jane