Is there any way to use localstorage instead of cookies when dealing with passport.js oauth implementations (such as google, twitter or facebook) for persistent login?
The reason is quite simple: you can't use cookies in native apps wrappers like node-webkit or atom shell.
Thanks!
Related
I'm working on a native Swift iOS app. I've done a lot of reading recently about OAuth 2.0, including this answer, a fair bit of RFC 6749, and several other tutorials. There are lots of comments about how using an embedded webview isn't ideal, because cookies can't be kept secure, hence SFSafariViewController and ASWebAuthenticationSession.
But I haven't seen much talk about a login without a webview/browser at all, collecting user credentials through a UIView form, using a Resource Owner Password Credentials Grant and sending data directly with a URLRequest. I'm building my own application, with my own resource server, and my own authentication server (or using something like Auth0), which is only handling access to my app's protected resources. So everything is 'highly trusted' here. But I've seen notices like the following concerning a resource owner password credentials grant (from here):
The authorization server should take special care when enabling this
grant type and only allow it when other flows are not viable.
Technically, using another flow is 'viable' - I could build it. Does using an external user-agent, SFSafariViewController or ASWebAuthenticationSession still offer security benefits that can't be matched with a native login in this scenario?
One benefit of using an external user-agent that comes to mind is upgrading to 2-factor or multi-factor authentication in general.
I am building an express server that will be used with an iOS native mobile client. Users of the app will be able to form "parties" with other users, and users within the same party will be able to communicate with each other via socket.io.
I want to enable sessions so that 1) I can have persistent login on my frontend and 2) store user.party_id inside a session, so that for a particular user I always have access to his party. If the user leaves a party, then req.session.party_id will be set to null.
Is it possible to use express-session with a native mobile client? I would assume so, and that all the client has to do is set a cookie header on each request. The server then reads the cookie id, and has access to the user session. Are there any drawbacks to using a session with native mobile clients?
Are there any drawbacks to this approach? Someone suggested that instead I set a JWT as an Authorization header, and on each request, use that header to lookup the user and party_id. This approach seems to be a reinvention of a session.
Check out Swift: How to remember cookies for further http requests for info on how to save a cookie/session cookie.
As to JWT vs. session cookies, they do serve similar purposes. JWT is more widely used today as it enables you to have multiple servers that handle API requests (i.e. horizontal scaling or serverless architectures) and are more fault tolerant (i.e. still work even if the server restarts). Depending on your needs, it might be worth looking at JWTs.
I'm using AFNetworking to sign in using basic auth. There is a java session identifier (jsessionid) assigned and stored in a cookie. How can I store that cookie and use it when loading a WKWebView (or SafariViewController although I don't think that's possible, but I'd love to be wrong).
I am trying to set up a cache service and take use of the streaming api of Twitter. It confuses me, since this is a server-to-server use, why do I still need to use an access_token when no user are involved in the process, only the application?
So Twitter can have information on how their API and services are being used. Also, to prevent DoS and other kinds of attacks.
What is an oauth domain? Are there any free oauth services? Can I use it for a StackApps registration? I googled a lot for these but couldn't find an answer.
It is the domain in which the redirect_uri, to which users are redirected after OAuth 2.0 authentication, is present.
Desktop applications cannot participate directly in OAuth 2.0 flows,
however the embeddable browser controls available in most frameworks
make it possible to work around this limitation.
Desktop applications should use the implicit client-side flow, hosting
the process within a browser control. For redirect_uri, a value of
https://stackexchange.com/oauth/login_success should be used. Upon a
successful authentication, access_token will be placed in the url hash
as with a standard implicit authentication.
So is it safe to use https://stackexchange.com/oauth/ as the OAuth domain for a desktop app? Can anyone confirm?