I'm creating an API with laravel 5.3. "laravel passport" got my attention these days. previously i used tymon/JWT package to authenticate my users. but i wants to use laravel passport for my new peoject.
So i can use my API for my mobile and web both client.
So ho can i do typical authentication with email and password in laravel passport for web client.
Take a look at Password grant token.But in short you send some form_data to /oauth/token route and get an access_token in return and with that token you make your API requests.
Related
I want to know the API to get the Google OAuth client access token.
I want to use only client_id, client_secret, user_name, and user_password when I bring an access token.
(Because the method using redirect uri is not applicable)
for example
https://{get-google-OAuth-client-access-toke-api}
body: {
client_id: xxx
client_secret: xxx
user_name: xxx
user_password: xxx
}
so..
Is it possible to wonder if it could be imported into grant-type = password?
https://developer.okta.com/blog/2018/06/29/what-is-the-oauth2-password-grant
Help me...
What you are referring to is called client login. It was a method of getting a access token using a login and password.
Google shut down client login in 2015.
In our efforts to eliminate password-only authentication, we took the first step by announcing a deprecation date of April 20, 2015 for ClientLogin three years ago. At the same time, we recommended OAuth 2.0 as the standard authentication mechanism for our APIs. Applications using OAuth 2.0 never ask users for passwords, and users have tighter control over which data client applications can access. You can use OAuth 2.0 to build clients and websites that securely access account data and work with our advanced security features like 2-step verification.
You will need to use Oauth2 now. Have your user run your application and consent to your accessing their data once they have done that you will get an access token.
Gant type password is not allowed with the Google Authorization server.
Because the method using redirect uri is not applicable
Redirect uri is only needed for web applications if you have an installed application or a mobile app you should not need it.
I have SPA app, backend is ruby on rails and frontend is React. Now I am developing new authentication feature; login with GitHub account with omuniauth gem.
However after authorization with GitHub we need to redirect to backend server as that is the server which is sending authorization request to GitHub authentication server. That means my frontend cannot receive response from GitHub which contains auth information such as user name, token, etc.
I understand we can redirect to frontend URL through backend API, but even in that case I believe auth information from GitHub is not passed to frontend.
Is there any way to share the auth info from GitHub after oauth2 authorization? Any help would be really appreciated. Thank you so much in advance!
For your use case (which is implicit grant flow) I think that's not possible, common pattern to solve this is token handler pattern
Basically, after your backend receive callback from the github & exchange it with access token, you can issue a cookie or token (not oauth token) to the frontend. This cookie is associated with the github's access token.
Later, after you redirected back to the frontend, you need to request the github's user profile proxied via backend
If you want to be able to access github api directly from the frontend, consider using client credential flow (typically used for SPA, without backend)
I'm developing a set of microservices exposed as REST through WSO2 API manager.
Now, I'd like to call these services in Angular front end. What is the best way to handle user authentication and authorization?
I found it can be done through OAuth2 Password Grant as described here?
When user logs in, user credentials will be sent to specific WSO2 APIM endpoint (/token), it validates, generates the token and this token will be sent in header for subsequent calls.
Is this the best approach to this case?
Thanks in advance,
As mentioned in your question, https://apim.docs.wso2.com/en/next/learn/api-security/oauth2/grant-types/password-grant/
This method will only work when you have the resource owner's username and password.
Take an example, suppose you have published the APIs and created a user (resource owner) in the WSO2 store. this user is subscribed to the API using the application. the application will have a client id and secret, which will be used to generate the OAuth2.0 token. this token will be used to invoke the APIs.
Now in your angular project, one way is to hardcode the base64(clientid:clientsecret) and call the token API to generate the OAuth2.0 bearer token. use the generated token to call the APIs onboarded on WSO2. To protect your APIs from the attack, use rate limiting based on IP
Now take another situation, if you want the user to authenticate first, then generate the JWT token for that user using the password grant type (using actual user's username and password), and using that JWT generate the OAuth2.0 Bearer token which will be used to call the APIs.
Steps to be performed for the second situation:
during registration (from Angular), internally onboard the user in the WSO2 Identity Server. (There is a WSO2 API for the same)
After registration, generate the JWT token from the identity server by authenticating username and password. (Again for this, WSO2 API is there)
now using this JWT token, Generate the OAuth2.0 token from WSO2 APIM
use this token to call the APIs
The second approach is the ideal approach for user to service authentication and authorization using WSO2 as the gateway while the first approach mainly focuses on service to service authentication and authorization
Hope this answers your question
Reference Link: https://medium.com/wso2-learning/how-to-protect-your-apis-with-self-contained-access-token-jwt-using-wso2-api-manager-and-wso2-75673d8a4686
I am using laravel passport for authorization from mobile app.
But I'm not sure where to place the client credentials i.e client_id/client_secret and redirect_uri.
Will it be placed at mobile app end and they will pass these to an API while authenticating to get tokens or these details be kept at server side in some env variables for security purpose?
And will the every user be having different client_id and secret or it will be same for all users throughout the application.
The client credentials grant type is for when you want your application to contact the server with out a user. For example a weather app will contact the server to get the latest weather data. It does not need to user to login to do this. You want to client credentials because you do not want everyone using your api. It is a way to protect your api and only allow your approved apps to access the api information.
Yes you will pass the client_id/client_secret from your mobile/desktop application to the /oauth/token url on your server so it will return an access token for you to use when getting all the information through the api.
The client_id and client secret do not need a user. It is for the client (Mobile/Desktop application). But it will be the same for every user since they all will be using the same mobile/Desktop application.
I'm a complete beginner in RESTful services in general. I am required to make an app that would require a user to log in with his credentials and then use the oAuth token to access the provided api.
I registered the app that I made and I have the Client ID and Client secret.
Now I have two questions:
How should the URI look like when I try to get the oAuth token?
What is the redirect uri used for?