OAuth approach in nativescript to jhipster spring social - oauth-2.0

Short: How to configure jhipster/spring social to land on custom page containing status / jwt token instead of app homepage after OAuth handshake?
Long:
I am building an app that has a web and mobile version that talk to a jhipster back end. I need to implement OAuth authentication in my mobile app. I am using nativescript on front end (mobile app) and jhipster with jwt/social login on the back end. I would like my app to authenticate with Facebook, Google, Twitter and possibly more providers.
There is a nativescript-oauth plugin but it currently will only support 1 provider (facebook, office360) per app instance and has no notion of a backend of any form. This plugin's architecture has the client invoking the OAuth dance through the nativescript WebView and then it parses/scans results from the WebView to check success or failure.
I am attempting to achieve something similar with the jhipster social login. I would like to invoke the Spring Social OAuth exchange through a nativescript WebView component that loads the /signin/ url in the jhipster app and then watch the WebView component to check for success or failure and get jwt token.
Can I configure jhipster/spring social to NOT land on home page after successful OAuth handshake but instead redirect to an empty or status page (jsp/thymleaf html) that I could scrape for success and jwt token?

So my answer to this is easily found in the application.yml file. There is a property: "jhipster.social.redirect-after-sign-in". Just changed it to my custom page and it worked fine after social login.

Related

Is OAuth 2.0 suitable for first-party mobile app clients? Can I use user credentials to obtain a token without redirecting or prompting the user?

I have a first-party authorization server and I'm developing a first-party native mobile app and a SPA as a client. I noticed that the latest version of OAuth 2.0 no longer supports the "password grand type" and recommends using the "authorization_code grand type" instead, for mobile apps and SPAs.
My app has a native login screen and my SPA has its own unique login screen, and I want to avoid redirecting the user to the authorization server's login page or prompting a popup for login credentials since the authorization server is a trusted first-party server.
I'm wondering if OAuth 2.0 is still a good choice for first-party mobile app clients or SPA in this situation, and if there is a way to directly request a token through an HTTP request flow using user credentials obtained from the native mobile app login screen?
Any advice or insights on how to proceed would be much appreciated. Thanks in advance!
I found these two articles on this topic.
https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cases-examples/
https://www.ory.sh/docs/hydra/concepts/before-oauth2

Social authentication from both iOS app and backend server

I am trying to implement a login flow, which involves both iOS app and server integration. Other than social authentication, application support email/password authentication as well. Once successful authentication server application send auth_token which can be used in subsequent API calls.
My social login flow as follows :
iOS application initiate social login by retrieving a code as response type from the authentication provider.
Retrieved code send to server application, so it verifies with the social authentication provider and (create an account if not exist) authenticate the user.
Successful authentication will generate auth token as normal (email / password) authentication and send back to the mobile application.
Once successful authentication, both approaches mobile application receives auth_token.
I tried to implement this flow using OAuthSwift library and spring-social. I think backend part is working fine. But OAuthSwift doesn't seems to support retrieving just the code. (I opened a issue in their Github repo)
My Questions are:
If you see any problem with this approach?
What are the other Good Swift frameworks, which supports retrieving authentication code as response_type
You will lose the connection to your social login. Because you switch to your OAuth mechanism, you will not have any notice if the user changed something in there social account.
Thats ok, if you not rely on any off his data, for example his e-mail address.
But keep that in mind.

How does an iOS App receive a SAML auth response?

I'm working with a client who would like to authenticate with Active Directory Federated Services using SAML. As it was explained to me, the client ADFS server is the SAML identity provider and I simply need to provide a webview in the app for them to load a login page. Upon successful authentication the response should give authenticated metadata?
I've tried researching SAML and iOS and have only been able to find third party software which offers solutions, but no explanation of how this may be done without any third party integration into the app.
Resources I've looked into:
https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
http://blog.centrify.com/ideal-solution-for-sso-across-native-mobile-applications/
https://msdn.microsoft.com/en-us/library/bb897402.aspx
Since I don't know anything about the content of this login page, how do I determine if the response has authenticated correctly? Additionally how do I extract and pull relevant information from this response into the app to store for future authenticated web service requests?
If the customer has ADFS 2012R2, it supports OAuth for public clients. Use the ADAL (Active Directory Authentication library) that supports ADFS. In this case, it will pop up a browser dialog window to do the authentication and then get a an authorization code. This code is then converted to an access token (JWT) which can then be used against a WebAPI.

Enterprise Mobile SSO in iOS - How to stay in the app

I am trying to implement enterprise mobile SSO with our Identity Provider (OKTA). My goal is to have a smooth user experience; the user shouldn't leave our custom built app in order to login to the identity provider.
OKTA has a native iOS app that facilitates the process. During the login, it is possible to forward the user to the OKTA Native App, do the authentication and bring the user back to the custom app. The process looks like (image is taken from http://tech.blog.box.com/2013/03/rethinking-mobile-sso/):
What I am trying to is to avoid the opening of the Native SSO App (the first 2 steps). OKTA provides a REST API that allows the user to authenticate and create sessions programmatically (and more http://developer.okta.com/docs/getting_started/design_principles.html).
The question is: After creating a session with the native SSO App (OKTA) via its REST API and getting the auth token, can I authenticate directly with the Service Provider from my custom native iOS app?
Okta provides a method for native app sso on iOS that allows the user start in your app, and have an SSO experience. In this case the Okta Mobile App serves as the identity provider. So long as the user has a session within Okta Mobile, they can access your custom native app without entering their credentials. If the user's session in Okta Mobile has ended, they can re-authenticate with their PIN.
More details on the standards-based framework (SAML + iOS) are available here:
http://developer.okta.com/docs/getting_started/saml_guidance.html#saml-for-mobile-native-apps
https://github.com/okta/okta-mobile-sdk

can an OAuth consumer app expose an API to an iOS app?

I'm creating an app for iOS that consumes an API I've created, which requires authentication and authorization of users. I'm thinking of using OAuth to let the mobile users do this with Facebook. This is an internal API that isn't meant to be exposed to third parties.
Anyway, I'm a little confused about the abilities and limitations of OAuth consumers versus OAuth providers. Basically, I want to implement "Login with Facebook" functionality from the iOS app. It seems to me that this implies that my API should be an OAuth consumer, but the problem with this is that the login flow for a web app assumes a browser -- an NSURLConnection instance isn't going to know what to do with an HTML login page, and even if the redirect to the login page was made to work by prefixing the redirect URI with the fb:// schema, surely the login form is going to pass the authorization token back to the iOS app and not my API?
So my question is: is there a way to implement my API as an OAuth consumer? If not, and I should implement it as an OAuth provider, what does logging in with credentials from another provider like Facebook even mean?
I think things are a bit mixed up:
OAuth is to Authenticate your app against facebook. A user grants
access to his FB account to your app on behalf of him
"Login with FB" is the other way round and is not OAuth: A User
with an FB account is using this data to register AND login to your
app.
The entire flow of the # 2 can be read here.

Resources