I am developing a Spring Boot application that will provide a web app and a REST interface for an iOS application that a colleague develops.
The Spring Boot MVC web application already uses Spring Security with a form based login and a JPA entity for authentication of users with roles. Everything pretty straightforward.
We want to use OAuth2 for connecting the iOS app to the server for accessing the REST API so that we do not have to store the username/password on the device.
What would be the easiest configuration for this?
Do we need to call /oauth/authorize or would it be enough to call /oauth/token to get an access and a refresh token by sending the username/password the user provides once in a form in the iOS app?
I want the iOS application to be authenticated as the user via oauth token afterwards so that it can access the entities assigned to the user.
Related
I am building a spring boot java resource server as a backend for an iOS app. The iOS App authenticates users using federated login with Facebook and passes access token for resource server to create an internal user. linked to the facebook profile.
Any documentation I came across discusses how to use spring security to authenticate/authorize users using login form, but I am just trying to parse/validate the access token already given by FB. How can I do this? Google offers a library to easily parse access token and extract user's information, but I can't find a counterpart library for facebook.
I want to build a clone of Sheetsu application using python. For this, I need to authenticate and authorize the user. I came across three types in OAuth 2.0 authentication flow. They are
1. Web server
2. Installed application
3. Service account
Can Someone explain me the difference between all the three?
OAuth2.0 Scenarios:
Web server
The Application which user interacts with is hosted on a web server. The user wants to delegate access to his data to this application
Suggested OAuth2.0 Flow:-
Authorisation Code Grant.
Installed application
Application which user interacts with is hosted on a device e.g. phone application or desktop application. Again, the user wants to delegate access to his data to this native application
Suggested OAuth2.0 Flow:-
Authorisation Code Grant with PKCE.
Service account
Application is hosted on a web server. The application requires a token to access data from an API, but not in the specific context of an end user
Suggested OAuth2.0 Flow:-
Client Credentials Grant.
Or, Resource Owner Password Credentials passing in a service account username and password - some legacy APIs work like this but avoid this flow when possible.
There is another type of app as well:
Single Page App (SPA)
The application which a user interacts with runs on their web browser server. The user wants to delegate access to his data to this application
Suggested OAuth2.0 Flow:-
Authorisation Code Grant with public client if available else,
Implicit Grant.
I'm working with a client who would like to authenticate with Active Directory Federated Services using SAML. As it was explained to me, the client ADFS server is the SAML identity provider and I simply need to provide a webview in the app for them to load a login page. Upon successful authentication the response should give authenticated metadata?
I've tried researching SAML and iOS and have only been able to find third party software which offers solutions, but no explanation of how this may be done without any third party integration into the app.
Resources I've looked into:
https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
http://blog.centrify.com/ideal-solution-for-sso-across-native-mobile-applications/
https://msdn.microsoft.com/en-us/library/bb897402.aspx
Since I don't know anything about the content of this login page, how do I determine if the response has authenticated correctly? Additionally how do I extract and pull relevant information from this response into the app to store for future authenticated web service requests?
If the customer has ADFS 2012R2, it supports OAuth for public clients. Use the ADAL (Active Directory Authentication library) that supports ADFS. In this case, it will pop up a browser dialog window to do the authentication and then get a an authorization code. This code is then converted to an access token (JWT) which can then be used against a WebAPI.
I am building a mobile app that authenticates to a rails server using token authentication. I am using Devise for authentication and have figured out a way to make it work on mobile. But I also have a web app. The web app is not consuming json API but it's just a regular rails web app.
Now the problem is I want to be able to use token based authentication for mobile, but at the same time allow users to sign in via web interface.
How can I make this work?
I'm building a small web application using ASP.NET MVC3, in which I'm using the default ASP.NET Membership API to create and authenticate users.
There's also a small desktop client which updates the web application. My question is what would be the best way to authenticate the desktop client. Considering that users would register using their username and password via the website, I don't really want to store any user credentials on the desktop.
I was thinking about implementing an OAuth provider in my web application, and associating the token with the authenticated username. That way I would authenticate my desktop client like most twitter clients do now.
So basically my question, should I do OAuth, or maybe there's another popular option?
Why not expose a login action method that returns a token? This would avoid the added complexity of an oauth service. As long as your mvc app is decoupled and using services, your client can consume these same services.