LogicNets Access Security
This article describes the user security features of the LogicNets platform.
Applications can be protected against unauthorized access by requiring users to authenticate themselves. Supported authentication methods are as follows:
- Local user login
- OAUTH2 - LogicNets supports OAUTH2 integration via authorization code-flow
- Windows Authentication - LogicNets supports ActiveDirectory integration via ADFS and OAUTH2
At the highest level the application can define the supported user roles. You can refine access control by modeling logic based on role of the logged-in user.
Web API Authentication and Authorization
You can protect Web APIs against unauthorized access by requiring clients to authenticate themselves. LogicNets supports the following authentication methods:
- Basic authentication
- Bearer authentication (using a signed JWT token)
At the highest level the Web API application can define the supported user roles. You can model refinement of access control within the logicnet itself, using the information from the user profile of the web client.
Local Users Database
Standard LogicNets functionality provides a local user database with the following supported features:
- Groups and roles assignment
- Hashed: HMAC SHA1 (256-bit / 4096 integrations), salted, keys generated using cryptographic pseudo random generator (Open SSL)
- (LNv8 on) All passwords are hashed with PBKDF2-HMAC-SHA256 (32-bytes key-length, 4096 iterations, using 32 bytes cryptographically generated salt)
- Password expiry, max- retry count before account locking, password policy
- 2-pass authentication with Google Authenticator with time-based OTP (one-time passwords)
External Users Database
While LogicNets provides internal databases with which you can manage the users for your application, you can also connect your application to a user database that is external to the system. This use case requires that you work with a LogicNets development specialist. If you are interested in this configuration, contact the LogicNets Sales team.
Authorizing External Users
To authorize external users these users must be registered to local user groups in LogicNets by either:
- (Explicit) Adding the name of the external user to the local user group
- (Implicit) Making the local group name the same as the external group name
- (Implicit) Matching against dynamic rules in the external Identity Provider profile
The LogicNets platform has implemented the following features to secure the communication between the client and server:
- Connection through HTTPS is (by default) enforced
- Protection against session mining. Each session has a unique session ID that the system generates using a cryptographic pseudo random generator (OpenSSL)
- Session pinning to prevent session stealing / hacking (e.g. by copying the URL with session-id to another computer).
Where a cookie with a cryptographic random ID is placed on the client’s computer the server checks each request to verify that the session-pin-cookie value belongs to the session ID. The system changes the session-pin-cookie value regularly to avoid the use of stolen cookies.