I am trying to implement enterprise mobile SSO with our Identity Provider (OKTA). My goal is to have a smooth user experience; the user shouldn't leave our custom-built app in order to log in to the identity provider.
OKTA has a native iOS app that facilitates the process. During the login, it is possible to forward the user to the OKTA Native App, do the authentication and bring the user back to the custom app. The process looks like this (image taken from http://tech.blog.box.com/2013/03/rethinking-mobile-sso/):
What I am trying to do is avoid opening the Native SSO App (the first 2 steps). OKTA provides a REST API that allows the user to authenticate and create sessions programmatically (and more: http://developer.okta.com/docs/getting_started/design_principles.html).
The question is: After creating a session with the native SSO App (OKTA) via its REST API and getting the auth token, can I authenticate directly with the Service Provider from my custom native iOS app?
Okta provides a method for native app SSO on iOS that allows the user to start in your app and have an SSO experience. In this case the Okta Mobile App serves as the identity provider. So long as the user has a session within Okta Mobile, they can access your custom native app without entering their credentials. If the user's session in Okta Mobile has ended, they can re-authenticate with their PIN.
More details on the standards-based framework (SAML + iOS) are available here:
http://developer.okta.com/docs/getting_started/saml_guidance.html#saml-for-mobile-native-apps
https://github.com/okta/okta-mobile-sdk
Related
I have a first-party authorization server and I'm developing a first-party native mobile app and a SPA as a client. I noticed that the latest version of OAuth 2.0 no longer supports the "password grant type" and recommends using the "authorization_code grant type" instead, for mobile apps and SPAs.
My app has a native login screen and my SPA has its own unique login screen, and I want to avoid redirecting the user to the authorization server's login page or prompting a popup for login credentials since the authorization server is a trusted first-party server.
I'm wondering if OAuth 2.0 is still a good choice for first-party mobile app clients or SPA in this situation, and if there is a way to directly request a token through an HTTP request flow using user credentials obtained from the native mobile app login screen?
Any advice or insights on how to proceed would be much appreciated. Thanks in advance!
I found these two articles on this topic.
https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cases-examples/
https://www.ory.sh/docs/hydra/concepts/before-oauth2
I have a React Native iOS app in which authentication is done using OKTA. As of now, authentication of the user is done by redirecting the user to the OKTA login page, and after being authenticated in OKTA the user comes back into the iOS app. But my app should work in offline mode also. How do I authenticate a user using OKTA in OFFLINE mode? Can anyone tell me how to validate the user when he is not connected to the internet?
Should I make use of OKTA Primary authentication by making a custom login page?
We have a web application built on Ruby on Rails and added the Azure AD SSO feature. We are using the OAuth2 and JWT gems for achieving SSO functionality. But after successful user login, our application is not visible on the user's Office portal My Apps dashboard. Instead, it is only visible if an AD admin assigns this app to the user.
But...
Our objective is to show our application in any user's (multi-tenant) apps (https://portal.office.com/myapps) once he successfully performs SSO. Like developing a web app (Ruby on Rails) that users can install directly from the Office Store.
After our googling we found this ASP.NET DEMO application (https://github.com/OfficeDev/O365-WebApp-MultiTenant) which works the same as we expected. After login we are able to see this demo app in the user's My Apps. In the app description the following is written: "web application that uses Azure AD for sign-in using the OpenID Connect protocol, and then calls a Office 365 API under the signed-in user's identity using tokens obtained via OAuth 2.0. This sample uses the OpenID Connect ASP.Net OWIN middleware and ADAL .Net.".
It is clear that the DEMO app uses the OpenID Connect protocol, which we are not using. Is this creating the problem? Kindly guide us in the right direction.
The administrator has to accept the app for the whole tenant, the so-called admin consent.
http://blog.mastykarz.nl/implementing-admin-consent-multitenant-office-365-applications-implicit-oauth-flow/
https://github.com/waldekmastykarz/sample-azure-adminconsent
Hope this helps.
I found a working Ruby on Rails example which implements the OpenID Connect protocol here: https://github.com/nov/openid_connect_sample_rp. Then modified db/seeds.db to
I'm trying to implement server-side Facebook authentication using passport-facebook for an iOS Facebook SDK app, and I'm unclear how to set up the passport authentication on the backend.
Basically the iOS client authenticates with Facebook and gets the sessionToken and I want to pass that to the passport-facebook /auth/facebook/callback to verify the session token with FB, and lookup the user from our database through node.js.
Is that the correct way to use passport-facebook, or do I need to call /auth/facebook (and what parameters do I need to pass it)?
This issue mentions building an app using Facebook iOS SDK and then authenticating on the server, but doesn't mention exactly how to do that.
https://github.com/jaredhanson/passport-facebook/issues/7
I could also write my own custom passport strategy that simply passes the FB session token, and I can verify with the FB Graph API on the server to get the FB user ID and authenticate that it's a valid session, as mentioned here:
Design for Facebook authentication in an iOS app that also accesses a secured web service
Check out passport-facebook-token, which is designed to authenticate based on a previously issued token (i.e., the one issued to your iOS app).
passport-facebook is designed to do the web-based, redirect flow, which is not typically done from a mobile application.
I'm creating an app for iOS that consumes an API I've created, which requires authentication and authorization of users. I'm thinking of using OAuth to let the mobile users do this with Facebook. This is an internal API that isn't meant to be exposed to third parties.
Anyway, I'm a little confused about the abilities and limitations of OAuth consumers versus OAuth providers. Basically, I want to implement "Login with Facebook" functionality from the iOS app. It seems to me that this implies that my API should be an OAuth consumer, but the problem with this is that the login flow for a web app assumes a browser -- an NSURLConnection instance isn't going to know what to do with an HTML login page, and even if the redirect to the login page was made to work by prefixing the redirect URI with the fb:// schema, surely the login form is going to pass the authorization token back to the iOS app and not my API?
So my question is: is there a way to implement my API as an OAuth consumer? If not, and I should implement it as an OAuth provider, what does logging in with credentials from another provider like Facebook even mean?
I think things are a bit mixed up:
1. OAuth is to authenticate your app against Facebook. A user grants access to his FB account to your app on behalf of him.
2. "Login with FB" is the other way round and is not OAuth: a user with an FB account is using this data to register AND login to your app.
The entire flow of #2 can be read here.