I am trying to implement a login flow which involves both an iOS app and server integration. Other than social authentication, the application supports email/password authentication as well. On successful authentication the server application sends an auth_token which can be used in subsequent API calls.
My social login flow is as follows:
The iOS application initiates social login by retrieving a code (as the response type) from the authentication provider.
The retrieved code is sent to the server application, which verifies it with the social authentication provider and authenticates the user (creating an account if one does not exist).
Successful authentication generates an auth token, as in normal (email/password) authentication, and sends it back to the mobile application.
Once authentication succeeds, in both approaches the mobile application receives an auth_token.
I tried to implement this flow using the OAuthSwift library and spring-social. I think the backend part is working fine, but OAuthSwift doesn't seem to support retrieving just the code. (I opened an issue in their GitHub repo.)
My questions are:
Do you see any problem with this approach?
What other good Swift frameworks support retrieving an authorization code as the response_type?
You will lose the connection to your social login. Because you switch to your own OAuth mechanism, you will not get any notice if the user changes something in their social account.
That's OK if you don't rely on any of their data, for example their e-mail address.
But keep that in mind.
I'm working with a client who would like to authenticate with Active Directory Federation Services using SAML. As it was explained to me, the client's ADFS server is the SAML identity provider and I simply need to provide a webview in the app for them to load a login page. Upon successful authentication the response should give authenticated metadata?
I've tried researching SAML and iOS and have only been able to find third party software which offers solutions, but no explanation of how this may be done without any third party integration into the app.
Resources I've looked into:
https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
http://blog.centrify.com/ideal-solution-for-sso-across-native-mobile-applications/
https://msdn.microsoft.com/en-us/library/bb897402.aspx
Since I don't know anything about the content of this login page, how do I determine if the response has authenticated correctly? Additionally how do I extract and pull relevant information from this response into the app to store for future authenticated web service requests?
If the customer has ADFS 2012 R2, it supports OAuth for public clients. Use ADAL (the Active Directory Authentication Library), which supports ADFS. In this case it will pop up a browser dialog window to do the authentication and then get an authorization code. This code is then converted to an access token (JWT) which can then be used against a Web API.
I am working on an AngularJS web app and I am trying to implement single sign-on. I had a nice implementation using Identity Server and an authorization server with implicit flow and OAuth tokens; however, I need a mechanism to sign the user out of all apps they are signed into.
I am currently redirecting the user to the authorization server, which then redirects the user to the identity server. The user logs on and is shown a consent screen; a JSON Web Token is then sent to the app via the query string and is put into local storage. This token is attached to the Authorization header, which the Web API (which is on a different domain) receives and either allows or denies the request.
The problem is that OAuth has no way of signing a user out of all apps. I have now looked at WS-Federation using JSON Web Tokens, but this approach still appears to use cookies, which I would like to avoid as the API and client app are on different domains.
Does Thinktecture Identity Server have any way to do this, and if so are there any examples I could take a look at?
Thanks
As you already said, OAuth2 is not an authentication protocol and hence does not have the concept of (single) sign-out.
I'm trying to implement server-side Facebook authentication using passport-facebook for an iOS Facebook SDK app, and I'm unclear how to set up the passport authentication on the backend.
Basically the iOS client authenticates with Facebook and gets the session token, and I want to pass that to the passport-facebook /auth/facebook/callback to verify the session token with FB and look up the user from our database through node.js.
Is that the correct way to use passport-facebook, or do I need to call /auth/facebook (and what parameters do I need to pass it)?
This issue mentions building an app using the Facebook iOS SDK and then authenticating on the server, but doesn't mention exactly how to do that.
https://github.com/jaredhanson/passport-facebook/issues/7
I could also write my own custom passport strategy that simply passes the FB session token, and I can verify it with the FB Graph API on the server to get the FB user ID and authenticate that it's a valid session, as mentioned here:
Design for Facebook authentication in an iOS app that also accesses a secured web service
Check out passport-facebook-token, which is designed to authenticate based on a previously issued token (i.e., the one issued to your iOS app).
passport-facebook is designed to do the web-based, redirect flow, which is not typically done from a mobile application.
I'm creating an app for iOS that consumes an API I've created, which requires authentication and authorization of users. I'm thinking of using OAuth to let the mobile users do this with Facebook. This is an internal API that isn't meant to be exposed to third parties.
Anyway, I'm a little confused about the abilities and limitations of OAuth consumers versus OAuth providers. Basically, I want to implement "Login with Facebook" functionality from the iOS app. It seems to me that this implies that my API should be an OAuth consumer, but the problem with this is that the login flow for a web app assumes a browser -- an NSURLConnection instance isn't going to know what to do with an HTML login page, and even if the redirect to the login page was made to work by prefixing the redirect URI with the fb:// schema, surely the login form is going to pass the authorization token back to the iOS app and not my API?
So my question is: is there a way to implement my API as an OAuth consumer? If not, and I should implement it as an OAuth provider, what does logging in with credentials from another provider like Facebook even mean?
I think things are a bit mixed up:
1. OAuth is to authenticate your app against Facebook. A user grants access to his FB account to your app on his behalf.
2. "Login with FB" is the other way round and is not OAuth: a user with an FB account is using this data to register AND log in to your app.
The entire flow of #2 can be read here.
I am creating an API (Restlet, GAE) and have implemented OpenID for authentication and OAuth2 to protect access to the API. When testing this from a client web app that I built, everything is fine. When the user hits a part of the web app that wants access to the API, the user is asked to log in via OpenID and then is asked to grant the web app access to grab resources from the API.
However, I noticed that the web app doesn't know who the user is (!). All the web app has is an auth token. Thus, the web app can't say "Hello, username", since it doesn't know who the user is.
With Restlet, the authentication is essentially:
// Authentication code
OpenIdVerifier verifier = new OpenIdVerifier(OpenIdVerifier.PROVIDER_YAHOO);
verifier.addRequiredAttribute(AttributeExchange.EMAIL);
Authenticator au = new MyRedirectAuthenticator(getContext(), verifier, null);
While the following handles both authentication and OAuth2 authorization:
// Authentication + OAuth code:
OAuthParameters params = new OAuthParameters("2345678901", "secret2", "http://localhost:8888/v3/", roles);
OAuthProxy local = new OAuthProxy(params, getContext());
Initially I was only using the "Authentication + OAuth" code in my web app and the authentication was happening "invisibly" (as mentioned above).
I figured that one way around the "problem" is for the web app to handle the authentication "visibly". So I added the authentication code to the web app. The flow looks exactly the same to the user, but the web app is able to capture the user info (email) and all is fine. There doesn't seem to be any conflict with the "both" code either.
Another way around the problem is to add something to the API that returns the user info associated with an auth token (à la Twitter's verify_credentials).
My question: Is the approach I have taken reasonable? Should I use the Twitter approach instead? Or something completely different? (I am pretty new to all this, so it is hard to figure out whether I am choosing a solution that seems to work, only to hit a brick wall later on.)
The short answer is that when a client web app gets permission to access OAuth resources on behalf of a user, the client web app isn't supposed to know anything about the user (login, password, etc.). If the client web app wants to know who the user is, it can provide authentication.
I have implemented the above scheme with Restlet and google app engine, allowing the user to authenticate to the resource server via OpenId and also adding Google Authentication for the web client app (just so it can give a "hello" message). All seems fine.