I am implementing user authentication using Twitter login and I would like to know how I can proceed.
My app is a universal app with react + redux. I set up the server side login logic using passport and passport-twitter. When I go to http://myApp/auth/twitter, I obtain auth token from Twitter, persist it in db, and save the serialized user using express-session. I am redirected back to my app.
I now want to set up the client side logic. I think I need to store the user information in my redux store. But how can I do it? When I am redirected back to the app after a successful auth, how can I retrieve the user information?
Do I need to find the user info on the server side using something like req.cookie, send the initial state to the client, and rehydrate the user info on the client?
Related
I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we can not do anything in our client app.
But if it is not the server issue, in UWP, there is a WebAuthenticationBroker class witch can help you to authorize your app to access the user info from Resource server by getting a token. You can try to use the class to implement OAuth authorization. You don't need to use the in a WebView so that you can authorize your app with multiple users if you can manage all the user with the token properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.
I have an app that uses ember simple-auth with torii and devise extensions.
My backend is on rails with devise to protect ressources. (BTW, I am a rails noob)
My goal is that I want users to be able to register/login with facebook, but I also need to authenticate requests made to my backend. (e.g. A user can only access his account info)
If I take each authenticators by itself, it works fine. For example, I can authenticate a user through facebook. And I can register and sign in on my rails server. However, I want the registration to happen through facebook( No forms to fill for the user)
The questions I have are:
- What information should I persist on my server so that I can identify a facebook authenticated user and authorize him to access ressources?
- Is there a more straight forward way to do it ?
- Does it even make sense to have 2 authentication processes ?
If you're using Facebook login the only data you need to persist is the App-scoped User ID (https://developers.facebook.com/docs/apps/upgrading#upgrading_v2_0_user_ids)
That's a unique ID generated for the user in your App. When the user logs into your App with Facebook you only have to get back this ID and then match it in your database.
I hope it helps.
How do I parse a webpage with login and password requirements to view the individual user's information, like facebook for example. I want my app to access to the individual facebook page, after entering login and password in the app.
By now I was able to parse usual webpages with TFHpple, but I have no idea how to pass the login and password requirements to get the page content.
Thank you very much in advance!
Usually the process for logging in is:
User POSTs data to a login form with username and password.
The server responds with a session cookie
Future requests include the session cookie and the server knows that the user is authenticated.
If you wan to do this login process on your user's behalf through our app, you'll need to save the cookies and send them on subsequent requests.
Why don't you use the Facebook iOS SDK:
https://developers.facebook.com/docs/ios/
I think it's a little bit strange from the architecture perspective that you want to parse the personal Facebook newsfeed, when there's the possibility to get the data via the Facebook API (given that you have the appropriate User Permission)...
I'm making the back end for an iOS app in Rails. Users need to be able to log into the app using an app-specific username/password or via Twitter, but I'm not quite sure how to set things up for logging in via Twitter.
If I use OmniAuth, then it seems like the flow goes like this:
The iOS app directs users, in Safari, to the /auth/twitter page OmniAuth sets up for me
The /auth/twitter page sends the user to Twitter for OAuth authentication
Twitter returns the user to /auth/twitter/callback, and OmniAuth gives me an auth hash full of info
????
iOS app now has the credentials it needs to identify the user making requests when it calls my APIs
Authentication complete, app use proceeds as normal
It's step 4, getting the credentials back to the iOS app, that I don't know how to set up. All my APIs the iOS app calls are stateless; if they require an authenticated user, then user credentials are included in the API call. I don't know that much about writing iOS apps, and pretty much nothing about how apps interact with Safari.
What is a safe way of getting the user credentials back to the app? One that can't be snooped? If I have the callback page put information in cookies, or in the session, will that be accessible to the app but not anyone watching the traffic?
Alternately, if the app attaches some identifier for itself to the initial call to /auth/twitter, will Twitter & OmniAuth preserve that identifier so that it gets included in the /auth/twitter/callback, so that the app can then ask my back end for the credentials for an authentication that just finished associated with that identifier?
Alternately, if the app attaches some identifier for itself to the initial call to /auth/twitter, will Twitter & OmniAuth preserve that identifier so that it gets included in the /auth/twitter/callback, so that the app can then ask my back end for the credentials for an authentication that just finished associated with that identifier?
Did you try? Cause that's usually how your step4 goes. You keep a token or something about the user so when you get the callback you can lookup for that user again. No session or cookies, just plain db.
I am currently working an an app that requires access to multiple Box accounts. I am using the Web API Library. So far, I am successful in accessing a single account. I am saving the auth token when I authenticate a new user. And then when I want to access any account, I use [Box +initializeSessionWithAuthToken:callbacks:] with the respective auth token. But I am only redirected back to the login page again. Just before initializing a new session, I use [Box +logoutWithCallbacks:] to logout the old user. What Am I doing wrong?
I know this is an old question but
+logoutWithCallbacks:nil
Should invalidate the session and log out the user. Have you verified that this method completed successfully and actually did log out the user.
Then you can use
+ (void)initiateWebViewLoginWithCallbacks:(BoxOperationCallbacksDefine)callbacks;
or
+ (void)initiateLoginUsingURLRedirectWithCallbacks:(BoxOperationCallbacksDefine)callbacks;
these will display a new web log in and allow you to create a new authentification token for the new user