I am redirecting the authenticated user to link of my website from iOS App (user is authenticated from iOS app). There is log in page on website and some other pages. I want to redirect to my website without asking for log in. How can i achieve this?
What is needed to do at iOS side?
What is needed to do at website side?
I'm assuming that when you login through the iOS app, you are receiving back an authToken from the server that you can save for further queries. I would recommend sending that token to the server when you redirect and verify the token on server side.
As an added layer of security, you can encrypt your token before sending it to the server and then decrypt it on the other side
Related
I am trying to build an application for my users so that they can log in to my website using Twitter and they can manage their Twitter account from the website itself.
I have created a full 3-legged authentication flow and other managing API calls at my server (some server url) when I call authentication API from the browser it works fine.
But now I want to use a webpage for my users so that they can log in and manage their accounts from that website (a website URL different that server url). So I am trying to create a flow like this:
User will click to log in on my website.
Website will send a login request to my server with the user credentials so that I can verify the
user and its request at my server first.
Then the server will redirect the user to the authentication page of Twitter.
But this is not working, I am getting a CORS error in the console, I attached a screenshot for reference.
Thank you.
Error I am getting in console
I have tried whitelisting server and website URL in twitter developer console.
I know the flow may work if I return the authentication url from server to frontend and navigate user to that url, this may get rid of CORS, but I want to know whether this can be achieved by directly redirecting user to authentication URL from server?
We have a desktop application that requires the user to login. We're using OIDC (Auth code with PKCE) to do the login. I'd really like to be able to launch a browser and go to our website and log the user in automatically without resorting to anything dodgy.
From my understanding of OpenID Connect, I'm pretty sure this can't be done. Am I correct, or is there a mechanism I've missed?
This should work fine if the user has a valid session cookie with the OpenID Provider (OP) in the browser. There's no need to send something to the browser, as the user is already authenticated there.
When subsequently your native app requests authorization, the OP can authenticate the user based on the existing session, provided that request parameters like prompt, max_age and acr_values allow for that.
As background, I'm using the Google OAuth2 NodeJS client, but I think my question is more abstract / technology independent.
My website is single-page application that communicates via AJAX to the server.
When a user first visits my website, I perform an OAuth2 flow which redirects them to Google to log in, and then redirects back to my site with an access token. I store this access token in a cookie, and use it to handle various calls made to the server via AJAX.
My challenge is that I'm unsure what to do when that access_token expires. Should I be storing the refresh_token in a cookie as well, and using that, or are there security issues in doing so?
Should I be redirecting the browser to perform the login flow again? That seems fairly ugly for a single-page application.
You can do the OAuth2 flow via js in the background(like the login flow with the popup window), and if the access hasn't been revoked for you app id, then the user shouldn't see anything about it. Although you can set a hint on the user email to authenticate, this may not work.
The other way that you mentioned, is the refresh token, that you can use to ask for a new access token, without user interaction. Maybe that would be the better idea, but remember, that you will only get a refresh token if you set the access type to offline.
I have an iOS app that is using the Facebook SDK to authenticate. I am then able to use omniauth, devise, and omniauth-facebook-access-token (via AFNetworking) to create a user on the server for that facebook account.
Now I need my iOS app's user to be able to "have a session" on the RoR server - I could do that by passing some information in the headers or URL for each request to be authenticated or I could use a cookie. When the app makes API requests (JSON usually), I need those requests to be in the context of the user who has been authenticated.
What is the best practice for having an authenticated RoR user on an iOS app in this situation?
Some options that come to mind:
Maintain a cookie on the client
Send a piece of information for each API request in a header or somewhere else (access_token? user_id?)
My concern is that I want to be able to add additional oauth2 authentication providers without redoing this code.
You need a token to authenticate the user, you should also keep sending the csrf-token in order to keep your app secure. Take a look at this question, and see how the csrf is handeled in its answer.
On iOS (or any mobile), after a successful login, how should I handle login with my own server?
Should I send the token and user id to my server and re-verify it, or is there a better practice?
I obviously don't want to send only the FB user id.
The FBConnect SDK should automatically save login information on the device, so every time the user goes to use the Facebook feature of your app, they are automatically logged in.
The current version of FBConnect doesn't provides obvious proxy authentication, but the old version did. I think you could create this proxy manually, ie. pass all login data, except api secret key to proxy, proxy adds secret key and sends request to FB. Then it returns response of FB server as it is.