Reported Security Vulnerability with Auth0, owin version 2.0 or above

All replies

  • User475983607 posted

    First, OWIN is not what you think.  OWIN defines an interface between a web application and the host.  OWIN is a way to add features to an ASP.NET application.

    http://owin.org/

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/

    how to check whether auth0 / owin is in use

    OAuth is an authentication protocol.  It is unclear why your web application security is unknown.  Perhaps contact the team that supports the applications and ask.

    https://oauth.net/2/

    how to upgrade it to owin4

    The common approach is reading the documentation to find deprecated or breaking changes going to a new API.  Do a source code analysis to find deprecated code.  Make a plan to update and test.

    https://www.nuget.org/packages/Microsoft.Owin/

    can we disable owin

    A forum cannot answer this question.  If you are using OWIN, obviously disabling OWIN will cause unwanted application behavior.

    Does Microsoft use owin for authentication purpose?

    Not really; read the links to get a better understanding of OWIN and Katana.

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/

    Auth0 is a paid service. If you need help with Auth0 then go through the Auth0 support channels.  This is an ASP.NET forum and not related to Auth0.

    Wednesday, September 26, 2018 4:03 PM
  • User1724605321 posted

    Hi MrMaker,

    OWIN is a specification on how web servers and web applications should be built in order to decouple one from another and allow movement of ASP.NET applications to environments where at the current state it is not possible. Katana is the project name for the implementation of OWIN in ASP.NET; please check the tutorial.

    To meet the OWIN 4 support, from this GitHub issue:

    For web applications, the standard OIDC middleware should be used as per the Quickstart:
    https://auth0.com/docs/quickstart/webapp/aspnet-owin

    For Web API, the package has been updated for OWIN 4. Please refer to Quickstart:
    https://auth0.com/docs/quickstart/backend/webapi-owin

    Best Regards,

    Nan Yu

    Thursday, September 27, 2018 2:18 AM
  • User695854811 posted

    First, OWIN is not what you think.  OWIN defines an interface between a web application and the host.  OWIN is a way to add features to an ASP.NET application.

    http://owin.org/

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/

    ==================

    First, thanks for taking your time to reply to my query!

    I am from the IT support team. I know we should use HTTPS to secure web communication; other than that, I do not know what other protocols are involved in web communication besides HTTP/HTTPS and TCP/IP where Auth0/OWIN might be used.  That is why I am struggling to identify whether any applications or servers are utilising Auth0/OWIN in our network.  We purchase applications from third parties and support them.  If you can advise me how I can identify whether any applications in our network use Auth0/OWIN for web authentication and what version of Auth0/OWIN is in use, that will be my first step in understanding this protocol and towards addressing this vulnerability in our network.

    If I identify one particular application is using it, I can go back to application support or vendor and get help to address this vulnerability issue.

    Thursday, September 27, 2018 11:56 AM
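One way to do the inventory the question asks for, when all you have are deployed third-party applications rather than source code, is to walk the IIS site directories and read the file versions of the OWIN/Katana and Auth0 assemblies that ship in each application's bin folder. This is an added example, not code from the thread or from Auth0; it assumes a Windows Server running IIS, that the site root paths passed in are correct for your environment, and that the assembly name patterns below are the ones worth looking for.

```powershell
# Added inventory script (not from the thread). Assumes Windows Server with IIS
# and that $SiteRoots lists the physical paths of the sites to inspect.
# Reports every deployed OWIN/Katana and Auth0 assembly with its file version so
# the affected applications can be raised with the application support team or vendor.
param(
    # Adjust to the physical root paths of your IIS sites (assumed default shown).
    [string[]]$SiteRoots = @('C:\inetpub\wwwroot')
)

# Assembly name patterns of interest: Microsoft.Owin* (Katana), Owin.dll (the
# OWIN abstraction itself) and any Auth0 client library. These are assumptions.
$patterns = 'Microsoft.Owin*.dll', 'Owin.dll', 'Auth0*.dll'

$findings = foreach ($root in $SiteRoots) {
    if (-not (Test-Path -Path $root)) {
        Write-Warning "Path not found: $root"
        continue
    }
    Get-ChildItem -Path $root -Recurse -File -Include $patterns -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the version resource embedded in the DLL.
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)

            # Treat the parent of a 'bin' folder as the application directory,
            # which is the ASP.NET deployment layout; otherwise use the DLL's own folder.
            $appDir = if ($_.Directory.Name -eq 'bin') { $_.Directory.Parent.FullName } else { $_.DirectoryName }

            [pscustomobject]@{
                Application    = $appDir
                Assembly       = $_.Name
                FileVersion    = $info.FileVersion
                ProductVersion = $info.ProductVersion
                # The replies above point at OWIN 4 as the supported target for the
                # Auth0 packages, so flag Katana assemblies with a major version below 4.
                OwinMajorBelow4 = ($_.Name -like 'Microsoft.Owin*' -and $info.FileMajorPart -lt 4)
            }
        }
}

$findings | Sort-Object Application, Assembly | Format-Table -AutoSize
```

Run it once per IIS server (or pass every site root via -SiteRoots); an empty table means none of the scanned applications ship OWIN/Katana or Auth0 assemblies, while flagged rows give you the application path and version to quote back to the vendor.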