I have a bit of an issue, unfortunately.
I need to integrate a third-party service within my application, and that services requires all user to authenticate via Google OAuth (as it uses Google related services)
The problem is, when signup is completed it redirects to a URL similar to
https://ab.cdef.gh.ik.lm?code=examplecode
I tried adding ab.cdef.gh.ik.lm as a URL Scheme to my app but it didn't work.
The problem stems from Google no longer allowing embedded browsers to authenticate, and I need to use an SFSafariViewController. However, due to limitations in SFSafariViewController, I cannot obtain the current URL and thus monitor when it reaches the ab.cdef.gh.ik.lm page.
Am I out of luck, or is there a way I could handle this authentication?
Thanks!
Related
I have a 3-legged auth flow working on a web app of mine. It goes as follows:
Use clicks Connect with Google
They accept on the OAuth dialog that Google Provides
The page gets redirect to my backend's /oauth/google endpoint with a code parameter which I send to Google to get a refresh_token so I can access data (like calendar info) on their behalf
I redirect back to the web app passing my own JWT token in the URL.
Whenever the web app makes a request like api.mybackend.com/me they use the JWT token I provided
I'm trying to accomplish something similar in a mobile app. What's the acceptable way to do this? Is it pretty much the same logic?
If it helps, my backend is Ruby on Rails and I'm writing the mobile app in Swift.
Thanks!
If you're using NSURLSession to make HTTP requests, then see this for information about handling redirects.
Google also has some pre-built Google Sign-In packages for iOS and Android that you can include in your app, similar to the one in your web client. I've never used them though, so I don't how exactly they'd integrate with you app.
Alternatively you can set up an authentication endpoint in your backend that handles the whole thing, with the app only ever making one request to your server and your server handling communication with Google. So, for example, you could have the user submit a request to /oauth/mobile. The server then submits an authentication request to Google and gets an access token and a refresh token. Then you can return your own app's token from the server. Google has some documentation on Google Sign-In for server-side apps that may be relevant.
It's funny but I can't find description of using HTTP requests to receive Google+ authentication code for offline access without iOS Google+ library.
Though example of it's integration is pretty straightforward, I don't want to add additional 20mb of weight to my iOS app.
I tried the approach described here
https://developers.google.com/accounts/docs/OAuth2WebServer#offline
but in case of server clientId I receive message abount incorrect redirect uri.
Could someone give me advice about it?
There are two approaches you could take that may/may not work for you.
Installed app flow with internally stored client secret
Web flow within a web view.
Installed app flow
You will must likely need to use the offline OAuth v2 / installed app flow which has redirect URI that has something like urn:ietf:wg:oauth:2.0:oob enabling you to redirect back to the browser, from there you can get a code to exchange for tokens.
In your case, I'm guessing you didn't create the right client type (installed application) which is preventing the *:oob redirect.
It's less secure to handle sign in in this way - if the user can extract the client secret from your app, they can do bad things like authorize a malicious 3P app with access to your application data.
Web signin flow
An alternative would be to use the web signin flow from within a WebView, something that Apple may reject your app for and which is also insecure.
What you would do is host the sign-in solution on your web server, use the JavaScript web signin flow to initiate sign in, request offline access, then exchange the resulting code for an access token and refresh token.
You would then store the refresh token / access token on the device and exchange it for an access token when you need access to the user data or exchange the refresh token server-side and pass the bearer token back to the iOS app when it needs access. This again is bad because it can expose other apps to user authorization credentials and could potentially allow a malicious 3P to access user data.
I can't recommend either approach. Is there a reason other than the app size impact that you can't use the library? I'll see if there is a good way to avoid the file size hit from the framework.
I'm developing an iOS app that uses the Magento REST API, I'm following the documentation provided by Magento for the OAuth authentication (http://www.magentocommerce.com/api/rest/authentication/oauth_authentication.html)
I use the initiate endpoint to get the request token but then when I want to authorize this token I need to use the "authorize" endpoint and there I get redirected to a URL where I have to provide customer credentials to authorize the request token. This is not the behaviour that I was expecting since the user would be already logged in using the app's login (not implemented yet). Is there a way of making this "authorization" step transparent for the user? Like calling some service passing it the user's credentials provided in the login screen of my app?
If there is no way I'll use the Magento's SOAP API
I did that too really really painful Magento use OAuth1.x, basically you've got three options:
Do it yourself
Use some oAuth consumer lib, you can find them on github
Use MKNetworkKit with this add-on
I used the 3rd because oaf MKNetworkKit, and anyway there was still a lot of work to do, if you want to hide some passages injecting js.
Currently in the process of moving from OAuth1 to OAuth2 in a desktop application for a web service (Imgur), I've been baffled by the OAuth2 specs. Apparently it breaks all the security OAuth1 provided, according to this doc http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified and by looking at different services docs regarding OAuth2.
With OAuth1 you could use a URL to the service where the user would grant access and a PIN was displayed to copy/paste in your app, which was really nice security in the sense that the user never grants their login/password to the app, and can revoke the given access to it at any time through the service's website.
Now with OAuth2 they left this scenario out, forcing the app to request the user's login/password, unless the app makes their own script in their website to receive a token from the service after granting access (then have the user copy/paste it from your website)
Am I missing something here?
Desktop applications can and should use a user agent (browser) to do OAuth and that is described in the OAuth 2 spec under "Native Applications". The flow you described is meant more for devices with limited input capabilities like a gaming console, printer, camera, etc.
AFAIK, the device flow was in the early specs of OAuth 2, but was omitted at some point. Some API providers like Google have implemented limited support for it regardless.
Native applications are the way to go. See the ["Native Applications"][1] section of OAuth 2.0 RFC. The native applications are not intended to store passwords. If you want to avoid entering of credentials directly in the app (even within a browser control), you may do the following from the OAuth 2.0 native application:
Launch the default browser with the authorization endpoint.
Implement a simple web page for your redirect URI, which picks the authorization code and shows it to the user.
Ask the user to copy the code and paste it back in the native application.
Alternatively, the spec suggests that you leverage the URL redirection scheme of the native platform to bring back the original application. You may check iOS and Android's "URL Scheme" capabilities. Unfortunately, neither of these platforms guarantees uniqueness of the URL scheme, hence the authorization code may be hijacked by another rogue app, which is activated on the same URL. I have filed an iOS bug for that.
[1]: https://www.rfc-editor.org/rfc/rfc6749#page-52
i wonder how do desktop apps without any domain names use oauth? or is it not supposed to be used this way? if so what do i use? say for tumblr they have an authentication api so i will have to put the username and password in the url/query string?
i am thinking of using WPF/Adobe AIR. how does something like tweetdeck work?
I've been puzzled by the same question about lack of domain or app url, but it turns out redirection is not the only possible way to complete OAuth authentication process.
I.e., when webapp requests access it provides callback url: the one user will be redirected to when process is completed. That's how webapp know that everything's done.
But you can't redirect to application on user's machine. Thus, there's another way: upon successful authentication server presents special code to the user. Then user copies this code and provides it to application.
You can see both ways described in specification draft.
Also, here's an example of this authentication flow with twitter.
It looks like it may be possible, see googles docs on the subject:
https://developers.google.com/identity/protocols/oauth2/native-app
For a desktop app where a user needs to authenticate himself, you will usually want to use the Authorization code flow.
The approach goes roughly like this:
setup a temporary webserver that listens on the loopback interface
present the login page to the user (either in an embedded browser control or an external browser), with the URL of your temporary webserver as redirect_url
upon successful login, the user will be redirected to your temporary webserver and you can obtain the access code from the code query parameter
Using the access code, you can obtain a token and start making requests using it
Shutdown the temporary webserver
Please note that you will have to allow localhost as redirect URL in your identity provider, in ordrer for this approach to work.
For further details, please take a look at these sample apps from Google.
You should start by reading about getting started with OAuth. Eventually, even a desktop application will open a browser window to authenticate the user - TweetDeck and other Twitter clients do this, as you've probably noticed.
Tumblr, in your example, doesn't use OAuth but rather basic authentication that is being performed via simple HTTP web requests.
Twitter doesn't want users entering their credentials into your application. So at some point the desktop app will need to open a browser window through which Twitter can authenticate their users and return an access token representing the user. From that point the desktop app can use the access token to represent the user in all subsequent API calls to Twitter.
In a desktop environment you have another way to get the token, the browser open url itself.
the OAuth2 server will redirect the users browser to the Redirect URL with the token as a query parameter, so if you control the browser used, you can read the the token directly from the url that the user was redirected to.
Graphical libraries like GKT+ have integrated options to create mini browsers that the user can use to authenticate, and it automatically return the token to the app, but other options are possible, like reading Firefox url for example.