I'm having a VERY hard time using Aware as a back-end to Appgyver.
I have several major issues, so I was going to just abandon Aware as my REST provider and just use NodeJS.
NOW, the problem I have is with authentication.
I will definitely have users that are native Aware users... so their password is encoded by Aware's algorithm.
Some of those users will ALSO login with my native phone app - and my NodeJS authorization endpoint will receive a username and password.
That queries the MSSQL backend to authenticate.
So how do I see if the submitted password matches the encrypted password in MSSQL?
When I was passing in a PW to an Aware service, I was using the PWD_ENCRYPT() function to compare that result with the stored PW, but I don't have access to this from outside Aware.
I need to authenticate a user from OUTSIDE of Aware, against his Aware password
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: I need to authenticate a user from OUTSIDE of Aware, against his Aware password
Interesting, and completely undocumented as far as I know.
This will not answer your question but might give some ideas what's going on.
The default Administrator account password is a plain MD5 hash:
password = 5f4dcc3b5aa765d61d8327deb882cf99
However, the new users don't get plain MD5 hashes. The key length is the same so I guess this is still MD5. So either the input is modified before hashing, or the MD5 algorithm for the new accounts runs slightly differently, like multiple passes. Or a combination of both. I think the first option is the correct one.
The user accounts lack an individual salt. So if you have multiple users with the same password, the hash will be the same.
Here is my theory of what is going on, would be great if any dev could confirm this:
password -> passwordSecretKey123 -> default MD5 Hash algorithm -> output hash
monkey -> monkeySecretKey123 -> default MD5 Hash algorithm -> output hash
toaster -> toasterSecretKey123 -> default MD5 Hash algorithm -> output hash
So in theory, if you could only acquire the "SecretKey123" part, it would probably be pretty easy to come up with an authentication solution.
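The scheme theorised in the reply above, as an added Node.js example that is not part of the original posts and is not Aware's code. It assumes the unconfirmed `md5(password + secret)` layout with the post's placeholder `SecretKey123`, shows the effect of the missing per-user salt on constructed rows, and goes one step further by re-hashing with salted scrypt after a successful login; all function names and the `scrypt$salt$hash` record format are hypothetical.

```javascript
// Added example, not Aware's code. The legacy scheme is the thread's
// unconfirmed theory: md5(password + static secret), no per-user salt.
const crypto = require('node:crypto');

const LEGACY_SECRET = 'SecretKey123'; // placeholder from the post, not a real value

// Legacy hash as theorised in the thread (assumption).
function legacyHash(password, secret = LEGACY_SECRET) {
  return crypto.createHash('md5').update(password + secret, 'utf8').digest('hex');
}

// Constant-time comparison of two hex digests.
function safeEqualHex(a, b) {
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Per-user salted record in a hypothetical format: "scrypt$<saltHex>$<keyHex>".
function scryptRecord(password, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(password, salt, 32);
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

function verifyScrypt(password, record) {
  const [, saltHex, keyHex] = record.split('$');
  const key = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), 32);
  return safeEqualHex(key.toString('hex'), keyHex);
}

// Verify a login against the stored value. A legacy MD5 value that matches
// is upgraded: the caller stores `upgraded` in place of the old hash.
function verifyAndUpgrade(password, stored) {
  if (stored.startsWith('scrypt$')) {
    return { ok: verifyScrypt(password, stored), upgraded: null };
  }
  const ok = safeEqualHex(legacyHash(password), stored);
  return { ok, upgraded: ok ? scryptRecord(password) : null };
}

// Constructed sample rows: two users who chose the same password.
// Without a per-user salt their stored legacy hashes are identical.
const users = { alice: legacyHash('monkey'), bob: legacyHash('monkey') };
```
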
Re: I need to authenticate a user from OUTSIDE of Aware, against his Aware password
Interesting topic, I have the same problem.
Re: I need to authenticate a user from OUTSIDE of Aware, against his Aware password
Did anyone solve this?
Have exactly the same need and issue
Tks.
Rod. Aware 8.6 (latest build), Developer Edition, on OS Linux (Ubuntu) using GUI hosted on AWS EC2, MYSQL on AWS RDS