Custom Tab / Components - Inherently awkward / insecure? - 03161332

Posted: Sun May 06, 2018 12:16 pm
by markggn
Hey guys,

I'm trying to figure out how to integrate our application partially using the custom tab functionality. We're hoping to place forms and actions that ought only to be available to authenticated users of both our app and Bullhorn, but the parameters we receive on the iFrame don't provide any security boost particularly. For example, a custom tab for the Candidate entity will yield the following params on the GET request for our iFrame:-

EntityType: Candidate
UserID: x
CorporationID: y
PrivateLabelID: z
EntityID: n

I can't see any (seamless) way of using this that prevents someone from just loading the same URI Bullhorn generates (easily found in the source code) and requesting this directly. Is there further authentication / trust I can leverage here? The only option I can see here is asking the user to log in to Bullhorn (OAuth stylee) via the iFrame even though they're already logged in.

Any tips appreciated!
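
Added example, not part of the original post and not Bullhorn's code: a sketch of the login-based option the post mentions, where the iFrame's GET parameters are treated as untrusted hints and checked against the app's own session. The session shape, function names and sample values are assumptions; only the parameter names come from the post.

```python
from urllib.parse import parse_qs

# Parameter names as listed in the post; everything else here is hypothetical.
TAB_PARAMS = ("EntityType", "UserID", "CorporationID", "PrivateLabelID", "EntityID")


def parse_tab_params(query_string):
    """Return the tab parameters as a dict, or None if any is missing or repeated."""
    raw = parse_qs(query_string, keep_blank_values=True)
    params = {}
    for name in TAB_PARAMS:
        values = raw.get(name, [])
        if len(values) != 1 or not values[0]:
            return None
        params[name] = values[0]
    return params


def authorize_tab_request(query_string, session):
    """Decide whether to render the tab.

    `session` is this app's own server-side session (hypothetical shape): it is
    None for an anonymous request, otherwise it holds the Bullhorn identity that
    was established when the user logged in through the iframe.
    """
    params = parse_tab_params(query_string)
    if params is None:
        return (False, "malformed parameters")
    if session is None:
        # Knowing the URL proves nothing, so a direct request ends here.
        return (False, "login required")
    # The URL values are only hints; they must agree with the logged-in identity.
    if (params["UserID"] != session["bullhorn_user_id"]
            or params["CorporationID"] != session["bullhorn_corporation_id"]):
        return (False, "identity mismatch")
    return (True, "ok")


# Constructed sample request and session, not real Bullhorn values.
SAMPLE_QUERY = "EntityType=Candidate&UserID=101&CorporationID=7&PrivateLabelID=3&EntityID=5551"
SAMPLE_SESSION = {"bullhorn_user_id": "101", "bullhorn_corporation_id": "7"}

if __name__ == "__main__":
    print(authorize_tab_request(SAMPLE_QUERY, None))
    print(authorize_tab_request(SAMPLE_QUERY, SAMPLE_SESSION))
```

Access to the record named by EntityID still has to be checked separately against what the logged-in user is allowed to see.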