Hello,
During some security discussions with my colleagues, the question came up of how OutSystems apps authenticate themselves to the OutSystems cloud environment and how this connection is secured.
In other words:
Can somebody explain that?
Thanks and best regards, Daniel
Hello Daniel,
Is this the documentation you are looking for?
https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Configure_App_Authentication#Authentication_Cookies
Regards,
Daniel
Hello @Daniël Kuhlmann,
thank you, that's what I've been looking for.
Regards, Daniel
You're welcome!
I don't know the *exact* details of the authentication, but it's going to result in the client getting a token. The security is HTTPS. If anything can intercept that token, they are doing a man-in-the-middle attack, or have enough of your credentials to generate a token, or can decrypt your HTTPS traffic in some other way (such as Fiddler or Wireshark). We use this mechanism when we do load testing, UI testing, and so on. So on the one hand, yes, this sounds slightly alarming, that someone can get a token either by generating one or by capturing one. But on the other hand, once someone has the ability to do that, you are breached already.
With the token, all they can do is access the underlying REST endpoints (all of the Data Actions and Aggregates at the screen level will generate a REST endpoint) and the screen itself. It isn't like they can take the token and start running queries directly on the data; they can only do what you programmed the app to be able to do. (This is a big reason why Reactive security is a really important topic, to protect yourself in case of something like this.)
J.Ja
Hello @Justin James,
Thank you for your answer. I'm not really afraid that the connection will be breached; I believe that the connection is secure in general. I just want to understand how it works, so I'm prepared for discussions with our cyber security engineers.
I've found out that for the communication between an app and the OutSystems environment, REST APIs are created, and that for these REST APIs the system implements an authentication mechanism that results in an access token for the client.
Can you find out how the token for the client is generated? OAuth2?
Regards, Daniel
Hi @Daniel Krüger,
This exercise uses an example with Google OAuth and may help as a guide on retrieving the access token, among other things. The Lesson Material can be downloaded at the bottom of that link.
AJ
This isn't what he was asking about, this is an example of integrating with Google OAuth.
I have no access or insight into that particular mechanic.