JHipster Authenticating a user connecting to REST end points - spring-security

I am very new to JHipster... but I am trying to learn.
What I am trying to figure out is: what needs to be implemented for OAuth with social login (G+) to work?
Suppose I am making a REST service that supplies weather data via JHipster. Connecting to the service is an Android app. The app has its own OAuth flow, but I want to lock down the REST service.
Do I need to implement a separate OAuth flow for the REST service? Does that mean the user would have to log in twice? I don't see much in the way of documentation on what gets created with JHipster, and what needs to be generated on top of it to implement social login.

JHipster supports social login out of the box for Google. For this, it is sufficient to use the usual session authentication and the "Social Login" in additional options. In detail, you select this option in the generator, and will have to fill in additional details for your social accounts;
you will have an auto-generated configuration in application.yaml with this content:
social:
    # see https://developers.google.com/+/web/signin/server-side-flow#step_1_create_a_client_id_and_client_secret
    google:
        client-id: xxx
        client-secret: xxx
    # see https://developers.facebook.com/docs/facebook-login/v2.2
    facebook:
        client-id: xxx
        client-secret: xxx
    # see https://apps.twitter.com/app/
    twitter:
        client-id: xxx
        client-secret: xxx
where you just add your data.
If you are only interested in Google, you can disable the unneeded components as needed, manually, in your generated application.

The closest I could come up with was the following:
https://jhipster.github.io/tips/012_tip_add_new_spring_social_connector.html
http://spring.io/guides/tutorials/spring-boot-oauth2/#_social_login_manual

Related

I am stuck on account linking for my custom Alexa skill

Currently, I am working on linking my Alexa skill with my website. I'm stuck. I've followed YouTube tutorials and looked at the documentation. I basically want users to click on the account linking button, be taken to a login page and then have that authorize the users with their own private data. Do I need to create an OAuth server? Is there anybody I can talk to who has already done something like this? I created an HTML page to log users in using an API call but I haven't gotten any further. Any help is appreciated.
There are two questions that you asked here. Addressing them consecutively:
Do you need an OAuth server for account linking? --> Yes. You either create your own authorization server which uses OAuth 2.0 or you can rent it from providers. There are various OAuth server providers like Auth0, Okta etc.
If you have created an HTML page for login, then it needs to connect with your auth server in the backend, and you need an API to do that as well as to connect with the LWA server to complete account linking with Alexa.
The auth server will basically generate an auth code upon authenticating the user and subsequently it will generate an access token. Both these URLs must be mentioned in the Amazon Alexa developer console.
Then you need to make the calls to LWA to complete authentication with Amazon. This will generate an LWA auth code and subsequently an access token.
This LWA access token along with user auth code generated by your auth server will be used to enable the skill from your website.
Feel free to contact me if you have more queries! Good luck.

Keycloak - merge users with same email

I am trying to allow users to log in with multiple social media identity providers but have them linked to one email, using Keycloak 8.0.1. Logging in with each IdP on its own works.
When I first log in with Google, this works. When I then log in with Facebook, I am getting
KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException. Further in the log I see an IDENTITY_PROVIDER_FIRST_LOGIN_ERROR. The message is I am just using the default authentication flows: First Broker Login as First Login Flow and empty as Post Login Flow.
I assume the authentication flow needs to be adjusted somehow?
Any ideas are much appreciated.

How to connect user between a front and an api by using login / password or Oauth2

I have a small architecture problem. First of all, I have two applications:
An API written in Symfony 3.3
A front end, also written in Symfony 3.3
Then I would like to have two ways to sign in:
The first one by using a third-party application such as Facebook, Google or Twitter. For this part I thought of using HWIOAuthBundle.
Or simply by login / password. Here I thought of using FOSUserBundle.
Finally I would like to have a secure API, so that a user who is not logged in cannot reach the resources of the API.
What do I have to install or develop to meet all the criteria expressed above?
Thank you in advance for your answer.
You have to set up some kind of login proxy endpoint that has the OAuth client_id and secret.
Then, with the username and password given by the user, you have to query the backend OAuth token endpoint to get an access token.
After that you just need to sign your requests to the backend with that token.
In my case I'm using FOSUserBundle for user management and FOSOAuthServerBundle for the OAuth management. Both are installed in the backend.
Once installed you have to register an OAuth client. This tutorial was really helpful for me: OAuth2 Explained

Identity Server : Grant Type for native mobile apps

I have implemented an IdentityServer4 and it looks great. Now, I have a requirement to connect a native mobile app (Xamarin) to it. Most of the blogs and discussions suggest using either the "Authorization Code" or "Hybrid" flow, and the Xamarin example on GitHub uses the "Implicit" flow.
I have been through this documentation on the authorization flow and it does not say anything about username or password.
https://identityserver4.readthedocs.io/en/release/endpoints/authorize.html
What I need is to allow the user to supply his/her username and password to the authentication server, and the server should ultimately give back the access code.
Which will be the most appropriate authentication flow for this?
There are two "mindsets":
a) the login UI is native in the application
b) the login UI is rendered by the OpenID Connect provider in a browser
Generally b) is recommended - check the spec:
https://tools.ietf.org/wg/oauth/draft-ietf-oauth-native-apps/
I also did a talk about that last year:
https://vimeo.com/171942749
If you absolutely don't want the redirect/server-based approach, then research the "resource owner password grant" - e.g. here:
https://identityserver4.readthedocs.io/en/release/quickstarts/2_resource_owner_passwords.html
But, I would not recommend it.
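An added example, not code from any answer here nor from IdentityServer4 or Amazon: a minimal in-memory model of what the Alexa answer above describes (the auth server issues an authorization code, then an access token for it) combined with the PKCE check (code_challenge / code_verifier, S256) that the native-apps BCP linked in the answer above requires for mobile clients instead of the password grant. The client id, redirect URI and user name are constructed placeholders.

```python
import base64
import hashlib
import secrets
import time


def _s256(verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Client side: a fresh random code_verifier and its code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, _s256(verifier)


class AuthServer:
    """Toy authorization server: authorize() issues a code, token() redeems it once."""

    def __init__(self, clients, code_ttl=60):
        self.clients = clients    # client_id -> set of registered redirect URIs (constructed)
        self.codes = {}           # code -> record binding client, redirect_uri, challenge, user
        self.code_ttl = code_ttl  # authorization codes are short-lived

    def authorize(self, client_id, redirect_uri, code_challenge, user, now=None):
        """Authorization endpoint, called after the user has logged in at the server."""
        if redirect_uri not in self.clients.get(client_id, ()):
            raise ValueError("unknown client or unregistered redirect_uri")
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "user": user,
                            "exp": now + self.code_ttl}
        return code

    def token(self, client_id, redirect_uri, code, code_verifier, now=None):
        """Token endpoint: returns a token dict, or None if any binding check fails."""
        rec = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        now = time.time() if now is None else now
        if now > rec["exp"]:
            return None  # expired code
        if not secrets.compare_digest(_s256(code_verifier), rec["challenge"]):
            return None  # verifier does not match the challenge sent at authorize time
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": rec["user"]}
```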

Integrating Cloudfoundry UAA with external identity provider

We have all the user data in our local MySQL database. We are moving our services to the cloud and I need to use Cloud Foundry UAA to authenticate by calling a login microservice endpoint on our network instead of doing uaac add user for all the users in the DB.
I am new to this; it would help me if you can explain the steps to do it.
Thanks in advance
I assume (based on the SAML tags on your question) that you are thinking of doing this with SAML. If this is your first time doing SAML then there is a bit of a learning curve. If so, you may find it easier to just create a custom login app.
SAML
You would set up an Identity Provider, and the IdP would authenticate users against either MySQL or your login microservice. SimpleSAMLphp can be used for this purpose. A user would authenticate to the IdP, the IdP generates a SAML assertion (e.g. a signed XML doc with information about the user) that gets sent to the Service Provider (UAA). The service provider then looks at the assertion to determine who the user is. UAA supports SAML logins. It has been a while since I've set it up that way, but I recall you run a separate 'login' war from the rest of UAA, and the login war uses APIs to talk to UAA. You also need to configure the SAML trust relationship between ssp and the UAA login war. This isn't hard to do if you are familiar with SAML. If you aren't, then it can be difficult to get all the pieces right.
Custom Login App
I think an easier approach is to just build your own login app that calls your authentication service and the UAA APIs. UAA provides a sample app and documentation.