I'm new to Auth0 and having real trouble wrapping my head round it. My app is going to be built using React, packaged using Phonegap.
Am I able to use Auth0 with a completely custom UI for creating accounts, logging in etc.?
Ideally my signup flow would be...
User Signs up using my react form
Details are sent to my API and then passed to Auth0
Success message is received from Auth0 and the user is mirrored in my local DB
My ideal login flow would be...
User fills in email/password on my custom form.
Details sent either directly to Auth0 or via my API
Token is sent back and stored in localStorage
Then each request to my API...
React attaches token to every request in header (actually Axios interceptor does)
My API is able to verify that the token is valid and not expired
API performs request.
Not sure how to deal with social logins, claims etc. but that's for another day, basically I want to do everything through the API and not use their lock screen etc. Is this possible?
Yes! That is definitely possible and to achieve this you would want to use 'Resource Owner Password' grant type.
Once you collect the credentials from user in your custom form, you can directly pass those to Auth0 by calling an endpoint - 'https://yourapplication.auth0.com/oauth/token' with all the necessary parameters. You can make a simple POST request to this endpoint from you client application. For ease of use, there is a javascript library provided by Auth0 for all of their endpoints- (https://auth0.com/docs/libraries/auth0js/v9).
Auth0 will return a token which can be used to call your server side APIs by passing it to the request header.
So to conclude, you can do it through API without using their lock screen.
Let me know if you need any further help. We can discuss on social logins and claims also.
Related
We are implementing the integration of our existing web resource with Rocket.Chat. We are using the community version of Rocket.Chat. For this, user authorization via OAuth2 has already been done.
Now I am faced with the problem of proactively creating a user (when applying for a job, for example) without the participation of the user himself. Rocket.Chat API allows you to create a user, but it is a normal user (when creating, you cannot specify that this account will be authorized via OAuth and, accordingly, associate it with the account of the web resource).
Another option: on the side of the web resource, simulate a request for obtaining an Authorization Code via the OAuth protocol and send a correct response to this request to the Rocket.Chat server. Thus, the Rocket.Chat server would then receive the user's token and data and automatically create his account. But this is impossible, because according to the protocol specification, when requesting an Authorization Code, the client pass a randomly generated string ("state" field), which is returned unchanged when answering this request, and the server, checking the equivalence of this value, protects itself from such manipulations.
I am also trying to work with the Rocket.Chat Apps-Engine framework, but I still can't figure out how to create such accounts through it.
I would be grateful for any experience or ideas on how to solve this problem!
I am building an API for my rails app. Through that API I will log users in and allow them to interact with their data.
On top of that users authentication, I will also like to make sure only my iOS app has access to the API, and eventually my own web app.
I want to make sure no one else will be using the API, so on top of the user authentication, I will like to protect my API with a token for each of my apps.
How do you usually solve this problem? Would I have to pass that token over on each call in order to authenticate that the call is coming from a valid client and identify which client it is (web vs iOS).
I will very much appreciate any pointers or if you know of an article explaining how to deal with this.
As you are already using jwt's to authenticate your user, why not just use the functionality of jwt to include additional information in the token, in this instance some form of hashed string that you can verify server side if it is a valid "client id".
On each request you could refresh the string.
Kind of dual authentication in each request. the user and the client.
I have a 3-legged auth flow working on a web app of mine. It goes as follows:
Use clicks Connect with Google
They accept on the OAuth dialog that Google Provides
The page gets redirect to my backend's /oauth/google endpoint with a code parameter which I send to Google to get a refresh_token so I can access data (like calendar info) on their behalf
I redirect back to the web app passing my own JWT token in the URL.
Whenever the web app makes a request like api.mybackend.com/me they use the JWT token I provided
I'm trying to accomplish something similar in a mobile app. What's the acceptable way to do this? Is it pretty much the same logic?
If it helps, my backend is Ruby on Rails and I'm writing the mobile app in Swift.
Thanks!
If you're using NSURLSession to make HTTP requests, then see this for information about handling redirects.
Google also has some pre-built Google Sign-In packages for iOS and Android that you can include in your app, similar to the one in your web client. I've never used them though, so I don't how exactly they'd integrate with you app.
Alternatively you can set up an authentication endpoint in your backend that handles the whole thing, with the app only ever making one request to your server and your server handling communication with Google. So, for example, you could have the user submit a request to /oauth/mobile. The server then submits an authentication request to Google and gets an access token and a refresh token. Then you can return your own app's token from the server. Google has some documentation on Google Sign-In for server-side apps that may be relevant.
For my current work project we're trying to use OAuth to secure a mobile API, but the app doesn't have user accounts, so authentication would take place invisibly from the user, where the app will send up some secrets to the server and receive the token to be used for subsequent web service calls. The problem is, all the libraries and tutorials I can find implementing OAuth follow this pattern:
Present a web view allowing a user to login
Receive a callback to a custom URL scheme, and parse the necessary information to authenticate future web service calls
How do I achieve this without the webview step? I should be able to make an HTTP request directly with the correct credentials which will return the necessary authentication details.
The app will use OAuth 2.0
It is not clear what do you mean by
the app doesn't have user accounts
If you want to call some API on behalf of user you should ask him for a password. Doing it in webview or not depends on provider implementation. For example, twitter doesn't force you to do that.
In other case, if you want to call service on behalf of client, take a look at this answer: https://stackoverflow.com/a/7477112/2283405
If the app doesn't require "personalised" or "user-specific" data to be manipulated, then you can probably try using "client-credentials" grant type to obtain access tokens using the application credentials granted upon the application registration process by the Authorisation Server (for e.g.: OAuth server) that's there in your environment. The idea is that, your app is what basically authenticates with the Authentication Server for you using the aforesaid credentials (i.e. Client Consumer Key and Client Secret Key).
NO, you have to do login compalsary. if you try without. it won't be possible.
I'm developing an iOS app that uses the Magento REST API, I'm following the documentation provided by Magento for the OAuth authentication (http://www.magentocommerce.com/api/rest/authentication/oauth_authentication.html)
I use the initiate endpoint to get the request token but then when I want to authorize this token I need to use the "authorize" endpoint and there I get redirected to a URL where I have to provide customer credentials to authorize the request token. This is not the behaviour that I was expecting since the user would be already logged in using the app's login (not implemented yet). Is there a way of making this "authorization" step transparent for the user? Like calling some service passing it the user's credentials provided in the login screen of my app?
If there is no way I'll use the Magento's SOAP API
I did that too really really painful Magento use OAuth1.x, basically you've got three options:
Do it yourself
Use some oAuth consumer lib, you can find them on github
Use MKNetworkKit with this add-on
I used the 3rd because oaf MKNetworkKit, and anyway there was still a lot of work to do, if you want to hide some passages injecting js.