I am creating a new SPA with a REST API and for the backend I am using Rails with devise_token_auth. I am new to token authentication and while searching I am seeing a lot of libraries for frontend libraries that support JWT but I can't tell if this is compatible with devise_token_auth.
Is JWT the standard for web tokens and is it what devise_token_auth uses?
No, devise_token_auth gem doesn't use JWT.
It authenticates a user by validating the client-id, access-token &
UID and processes the request. All these keys are received during a
successful login.
Related
Pardon the ignorance in advance: I am working on a project where our back-end validates access to APIs with tokens generated by Auth0 login. We are in the process of creating the app version for this previously web-only app, and we are using Unity, for which there is no Auth0 plugin. Therefore, I was considering using Firebase for login to generate the proper token and then pass that to our back-end. Given what I have read implies that Auth0 is really just an implementation of the OAuth2 protocol used by everyone, I was curious if there are any foreseeable issues with passing tokens in this way to a back-end configured to accept tokens from Auth0.
I have SPA app, backend is ruby on rails and frontend is React. Now I am developing new authentication feature; login with GitHub account with omuniauth gem.
However after authorization with GitHub we need to redirect to backend server as that is the server which is sending authorization request to GitHub authentication server. That means my frontend cannot receive response from GitHub which contains auth information such as user name, token, etc.
I understand we can redirect to frontend URL through backend API, but even in that case I believe auth information from GitHub is not passed to frontend.
Is there any way to share the auth info from GitHub after oauth2 authorization? Any help would be really appreciated. Thank you so much in advance!
For your use case (which is implicit grant flow) I think that's not possible, common pattern to solve this is token handler pattern
Basically, after your backend receive callback from the github & exchange it with access token, you can issue a cookie or token (not oauth token) to the frontend. This cookie is associated with the github's access token.
Later, after you redirected back to the frontend, you need to request the github's user profile proxied via backend
If you want to be able to access github api directly from the frontend, consider using client credential flow (typically used for SPA, without backend)
My API uses the devise_token_auth (omniauth) gem for authentication in the Rails 5 backend. The frontend are using ng-token-auth (Angular 1.x).
I have all the API requests in Postman. I did the security implementation and I need authenticate Postman with every request. Devise_token_auth uses authentication with OAuth 2 and I am having difficulty to implementing this authentication.
For this type of authentication, using Postman, what is the process needed to obtain the connection?
For getting the token, there are few things you need to setup.
The client ID, client Secret are the things to be added into your identity serve as clients.
The Auth Url and access token url will be provided by the identity server and you will be able to get the url by hitting the identity server website when its ready for testing.
The grant type also is dependent upon how you setup the client. For the first time try doing the access token instead of authorization code flow.
For the authorization code flow its a two step process. Get the code first and use the code to get the token.
I recomment watching this tutorial which will help you in understanding Identity server and oauth better.
https://app.pluralsight.com/library/courses/oauth2-openid-connect-angular-aspdotnet/table-of-contents
I am using the doorkeeper gem with jwt on my rails-api backend and a angularjs frontend (satellizer).
Question 1
Do I need to share JWT sercet key to the frontend (the angularjs app)?
Question 2
How does doorkeeper verify JWT tokens?
Thanks!
Answer. No, you don't have to share JWT secret key with anybody. Only components that need to know what is "inside" JWT token need to have it.
To my understanding, no. You have to do that by yourself in your controllers. Doorkeeper only checks if token as "string" is valid - expired. It treats it as any other token.
I'm building a Rails web app. I use OmniAuth for authentication.
I would like to provide API access but only after the user has authenticated themselves with OAuth (via twitter mainly).
Any suggestions of where to start?
EDIT: add more context as requested
Not trying to become an Oauth provider, but simply use the same login tokens. For example, you log into my app through twitter. You have both the token and secret OAuth tokens. I want to use those tokens to allow a user API access to the site.
I have a similar question: Retrieving OAuth tokens (on server) from Faraday OAuth module (from client)