Replicate password encryption from System User DB 


  

Hello,


I want to provide a complete offline login for my app. 

For that I need to compare the password that is saved locally and the password given; however, the saved one is encrypted and is the one that is saved on the System User DB. How can I encrypt the given password, with the same algorithm from the System User DB, in order to compare both encrypted passwords?


Please help


Best regards, and keep up the good work!

Hello Rui

There is a great module called PlatformPasswordUtils, which is readily available in the dependencies menu, and has all the functions that you need.

You just need to call the GenerateSaltedMD5Hash function with the password the user inputs, which will be safe to store. Then, when you need to check if another given password matches that one, you call ValidatePassword with both the input one (unaltered) and the one you stored previously.
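An added example, not part of the original post and not OutSystems code: it shows why a salted hash cannot be checked by hashing the input again and comparing strings, and why the validate step needs the stored value. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in; the function names, parameters and the `iterations$salt$digest` record layout are assumptions, not the algorithm or storage format of PlatformPasswordUtils.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; not what PlatformPasswordUtils uses.
ITERATIONS = 200_000
SALT_BYTES = 16
MAX_ITERATIONS = 10_000_000  # refuse absurd work factors in a tampered record


def generate_salted_hash(password: str) -> str:
    """Return 'iterations$salt_hex$digest_hex' built with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def validate_password(candidate: str, stored: str) -> bool:
    """Re-derive the digest using the salt embedded in `stored`, then compare."""
    try:
        iterations_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if not 1 <= iterations <= MAX_ITERATIONS:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    stored = generate_salted_hash("correct horse")  # constructed sample password
    return {
        # A second hash of the same password gets a new salt, so it never
        # equals the stored string: comparing two hashes directly fails.
        "rehash_equals_stored": generate_salted_hash("correct horse") == stored,
        "valid": validate_password("correct horse", stored),
        "wrong": validate_password("wrong horse", stored),
        "malformed": validate_password("correct horse", "not-a-hash"),
    }


if __name__ == "__main__":
    print(demo())
```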

Hi all,

I have a similar question, but in my case I want to give a third party the OutSystems ValidatePassword method, so when a user types a plain text password on that third-party app they can compare it with the encrypted password that they have saved in their DB, which was previously generated in OS, so they can confirm if the typed password is the correct one or not for that user.

How can I do that? Will the OS ValidatePassword method be available to a third-party system?

Thanks in advance for your help.

Cheers



Hi,

Well, I am a bit confused about what you even want to achieve.

Exposing validations of passwords to 3rd parties is a no-no in my book.

Unless you are 125% sure the network is safe etc., you might think of exposing a web service that will have 2 input parameters where in the action you do the ValidatePassword...


But tbh I would reconsider the architecture of the whole process.



J. wrote:

Hi,

Well, I am a bit confused about what you even want to achieve.

Exposing validations of passwords to 3rd parties is a no-no in my book.

Unless you are 125% sure the network is safe etc., you might think of exposing a web service that will have 2 input parameters where in the action you do the ValidatePassword...


But tbh I would reconsider the architecture of the whole process.



Hi J.,

Thank you for your response.

The idea is to implement a SAML "hybrid" authentication where a third party prompts a form where the user just types the password (the username is already pre-populated, passed through SAML). The third-party system validates the username and password with the ones stored on their systems (provided by us), and if the user has a valid username and password, that response will be sent to us through a SAML response, and we will decode the response and log the user in to our OS app.

I understand your reluctance with this process... but is this technically possible to achieve without using a web service? We have access to the password utilities extension from OutSystems, right? The only thing is to know if that code will work in a third-party system...

Cheers


I see what you want to do, but then you don't need a password in OutSystems?

Just log in the user with the "Login" action of System.


Hi J.,


Yes, that's the idea: just use the login function after we decrypt the username that comes in the SAML response (with all the certificate and private key validations).

Cheers