I am trying to implement custom IDP login flow with own IDP server using React native
how to implement this ? is there any specific library available or any example ?
More details
1. My assumption is it should behave live "login with facebook"
2. When user clicks a button -> iframe should take to myidp.login.com/login -> and gives one time token to me.
Related
I have an iOS app, using a native login, based on the custom example.
This works perfect and I am happy with it.
I have a requirement to open an embedded WKWebView within my app, that SSO’s a user in.
The url looks something like this:
https://{my-okta-org}.com/app/{some-okta-app-id}/exkms5nzsh0tD0kO10h7/sso/saml?RelayState={some-relay-state}
When I launch this however within my web view, I am redirected to an Okta login page. I would expect this really as the embedded view has no context of the authenticated session.
How can I set my session against this webview without asking the user to sign in again? As I have used the native login, I do not have a cookie set, so I suspect I will need to request one but am unsure of the flow required in this case.
I would recommend to not use WKWebView for SSO 1.Not secure, using javascript you can get user login and password 2.Cookies not share between your session and Safari(you are loosing all SSO magic) 3.WKWebView has problems with cookie synchronizing Apple thread and you need manually manage your cookies
Bottom line, I want to create a new provider for logging in to my web.
The big picture.
We are developing hybrid mobile application using ASP.Net MVC5 (with angular on front).
The entire application is based on web view except of the log in page.
The user can log in using his Facebook and Google account. This is done 100% by the native application (we have to do that way in order to invoke the mobile app and not the browser i.e open the Facebook/Google mobile application).
After the native application get the confirmation from the external provider it should log in to my website.
I had 2 ideas of doing it. The first was that the native application will send me(the ASP web application) the user email address (using Restful service) and some encrypted data, I will decode and validate it and if everything alright I'll sign in the user and return the authentication cookie.
The second idea was to do it in 2 steps, the native app will send the username and a token, then I (the ASP web application) will send back the token and receive an answer if the token is genuine and valid. If it is, then I will log in the user and return an authentication cookie.
In both ways I have 2 problems:
I don't know how to sign in a user with no username/password or Facebook/Google. How do I do it?
I don't know how to manually return authentication cookie.
The real problem is that until now I've only used the identity feature in the classic way.
Thanks from advance,
Shaul
Short description:
If a user has already granted my application OAuth access to their google profile, I want to spare them of having to press "sign in using google" button every time they land on my home page and log them in automatically.
If user has not granted access yet, I want to present them with sign in options page with "sign in using google" button.
Long description:
I am implementing Google OAuth flow as described on this link:
Using OAuth 2.0 for Web Server Applications
Just for the clarity, the flow in question is as follows:
present (client side) user with "sign in using google" button
after user presses the button, redirect them to google's OAuth 2.0 server, where they allow/deny my application to access their google profile
if user allows access, google redirects them back to my application
my application (server side) uses acquired grant to get access token
my application (server side) access user's profile using acquired access token
I want to achieve the following:
If user has already allowed my application access to their google profile before (either on current computer or some other), I want them to have an impression of being signed in to my application (using google) immediately after they navigate to my application's URL. Without having to click anything.
This is at first glance not a problem. To achieve this, I would automate steps 1 and 2 of the flow described above. User would be redirected to google oauth server automatically - without having to press "sign in using google" button - right after they navigates to application's URL. Google in turn immediately redirects user back to my application with a valid grant (again without requiring any input from the user). The rest remains the same. User would have an impression of being logged in immediately .
This approach has a problem though. If user goes to my page for the first time (not having granted my application access before), they would also be redirected to google OAuth page. But since they haven't granted access yet, and didn't press any sing in button, they would and end up staring at google oauth server page confused having no clue, what is going on.
Is there some API, by which I can detect that user has not yet granted access to my app (and I should present him with sing in button first)?
Please, if your solution would involve some API calls, point me to a HTTP/REST API, as I don't use (and do not want use) any higher level OAuth library.
Thanks.
Add "prompt=none" parameter to your initial OAuth redirect. This way google will not block if user has not logged in or has not granted your app the permissions.
See Chapter 3.1.2.1 of http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Short summary of other possible "prompt" values:
none - will not prompt anything, redirects back with error "login_required" or "interaction_required" if silent login is not possible.
login - force the login prompt, even when user is logged-in.
consent - force the consent prompt, even if user has provided consent in the past.
select_account - present account selection prompt.
According to Facebook docs, Facebook login for IOS provide "FBSDKLoginManager" - which directly call into the API to perform login or additional authorizations with your own UI.
https://developers.facebook.com/docs/facebook-login/ios#login-apicalls
If an application uses its own login UI, it can potentially steals user credentials typed into it. That seems violates the purpose of OAuth2.0/OpenID to make authentication mechanisms and credentials independent from the client/app.
I'm wondering why there is a "FBSDKLoginManager" and what is the right use case for it?
The phrase "with your own UI" was referring to the UI elements that trigger the login flow (such as a custom login button). The authentication exchange still occurs over Facebook UI (i.e., the login manager will typically app switch to the native Facebook app if installed, or to the Safari browser).
we are running into an issue that once our users are login in the app and are authenticated thru the oauth flow the authentication page is never being displayed again, in that way user cannot switch account if needed. We are using a popup display mode (which does not provide options to switch user) and "switch user" small button in top right side of the screen is not appearing in our mobile small screen devices (as Iphones). We tried the auth_type=reauthenticate but it does not provide any option to switch user in popup mode either. We can´t control user´s cookies as well so there is not how to delete them. Is there any way to always ask user to reathenticate during all oauth requests allowing user to switch accounts?
If Facebook has implemented OpenID Connect correctly, try to add prompt=login or prompt=select_account to your authorization request. See "3.1.2.1. Authentication Request" in OpenID Connect Core 1.0 for details.