Secured images inside Tiny ATS


#1

Hi,

Just noticed an issue with images secured with SSO.

The first time I load Tiny ATS it returns a 302 redirect for secured image URLs.

Once I load up results or any other secured link it obviously fixes itself.

Will this be a problem in the live app, or is it peculiar to Tiny ATS?

Mike.


#2

Hey Mike, I am not sure about that. We are just about to release a new developer platform that replaces Tiny ATS (imminent) so could I ask you to see if you see this problem on that?


#3

Sure. Will check that when it becomes available.

Obviously it will depend if there are any other calls to our secured URLs before the images are loaded.

If not then the only way around it may be to add a “dummy” request.


#4

Hypothesising (but let’s see how things go against the new environment shortly)…

  1. Your resource is SSO protected. In the case of a SSO-protected web page, SSO kicks in when someone visits and sends a 302 to send them to the sign in page.

  2. In your case though, the image is embedded inside another app’s web page (the ATS). The user is signed in to the ATS but not to your app. So when the browser comes to render your image, your app’s SSO responds with 302 to a web page (not to an image). Hence the browser gets stopped in its tracks.

  3. If at any time the user clicks through to your interaction url on any assessment (also SSO protected) then the user does get signed in. Probably from that point onwards, your images will render fine. At least until the SSO times out again.

If all the above is true then there are a couple of ways we could go:

  1. Don’t make the images SSO-protected. This may be the only option in the short term. If you use complex/magic URLs that will somewhat address the security issues as only a signed-in person can ever be able to obtain your urls.

  2. Somehow we do some magic authentication to force SSO in your app, e.g. a tiny hidden iframe somewhere on the ATS page. That should always work - since the user is already signed into the ATS, they will always sign in smoothly to your app without actually needing to enter credentials. This presents a few challenges though!

Let’s see how the new environment goes anyway.
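
Option 1 above (“complex/magic urls”) is usually implemented as signed, expiring URLs: the image endpoint validates an HMAC carried in the query string instead of relying on the browser’s SSO session, so it never needs to answer an `<img>` request with a 302 to a sign-in page. The following is an added example, not code from this thread or from the ATS platform; the `c`/`exp`/`sig` parameter names, the `SECRET` value and the `example.invalid` host are constructed for illustration, and a real deployment would load the secret from server-side configuration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret (assumption): in practice this is a server-side secret
# shared only between the URL issuer and the image endpoint, never sent to the browser.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _signature(candidate_id: str, exp: int, secret: bytes) -> str:
    """HMAC-SHA256 over everything the URL binds: whose image this is and when the link dies."""
    msg = f"{candidate_id}:{exp}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # urlsafe base64 without padding keeps the query string clean
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_image_url(base_url: str, candidate_id: str, ttl_seconds: int = 600,
                   now: Optional[float] = None, secret: bytes = SECRET) -> str:
    """Mint an image URL that carries its own authorisation (id, expiry, HMAC).

    The app that already knows the user is signed in (here: the page that
    embeds the score image) calls this when rendering the <img> tag.
    """
    exp = int((time.time() if now is None else now) + ttl_seconds)
    query = urlencode({"c": candidate_id, "exp": exp,
                       "sig": _signature(candidate_id, exp, secret)})
    return f"{base_url}?{query}"


def verify_image_url(url: str, now: Optional[float] = None,
                     secret: bytes = SECRET) -> bool:
    """Check run by the image endpoint before serving the bytes.

    Returns False (the endpoint would answer 403, not 302) when a parameter is
    missing or malformed, the link has expired, or the signature does not match.
    """
    params = parse_qs(urlparse(url).query)
    try:
        candidate_id = params["c"][0]
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if (time.time() if now is None else now) > exp:
        return False  # expired: a leaked link stops working on its own
    # constant-time compare so the check does not leak signature bytes via timing
    return hmac.compare_digest(_signature(candidate_id, exp, secret), sig)


if __name__ == "__main__":
    url = sign_image_url("https://example.invalid/img/score.png", "cand-42", now=1000)
    print(url)
    print("valid now:", verify_image_url(url, now=1100))
    print("valid after expiry:", verify_image_url(url, now=1601))
    print("tampered id:", verify_image_url(url.replace("cand-42", "cand-43"), now=1100))
```

The URL is itself a bearer credential, so the short `ttl_seconds` is what limits the damage if one is copied out of the page; anyone who already has the page (and so is signed in, as the post notes) could see the score anyway. Binding the candidate id into the HMAC means a link for one candidate cannot be edited into a link for another.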


#5

Yep, that is exactly right.

Images are secured because they show scores, so the option of not protecting them is not so great, although you are correct in that I could use some kind of obfuscation to make them almost impossible to access outside of the environment.

Let’s see how the new environment goes anyway.


#6

Mike, the new sandbox stack is available here: https://github.com/talentappstore/tas-core-apis/wiki/08a.-Installing-sandbox-apps (announcement and doc. fixes pending :). You’ll likely see the same problem, but would appreciate any feedback.