WSO2 API Client auth (facebook) - oauth-2.0

I'm really just looking for some guidance here.
My goal is to create (for instance) a webpage; the client will then enter their authentication details on that site, which will talk to the WSO2 Identity Server, which in turn will talk to either Facebook or some OAuth provider and authenticate the user. The user will then be allowed to use that site.
What I'm looking for is the URL for the WSDL. I've read quite a bit and notice a lot of people talking about the WSO2 API Manager. Do I need to install that?
Thank you in advance.
P.S.: I asked a similar question here. The answer got me pretty far; however, using soapUI on the RemoteUserStoreManagerService WSDL, I am unable to auth Facebook users. Also, I will be using PHP to write this website.

Related

Using OAuth to secure my own API and getting confused over Authorisation

I'm trying to get my head around OAuth from the context of having an API that I want to secure and a JavaScript-based single-page app made in Vue.js that will consume this API. I've been told that OAuth is the industry standard for this type of thing.
I want to let other clients like a mobile app also use the same API.
From what I can gather the right flow is Authorization Code Flow with Proof Key for Code Exchange (PKCE) https://oauth.net/2/pkce/
The bit I am confused over is how I seem to need to get users to approve access. For example, you don't have Twitter saying "Would you like Twitter to use Twitter?" If I was in the position of people using the account to create another account I wouldn't have any confusion, but when the client is your own website, what is supposed to happen?
I can sort of imagine that I could automatically approve the website or just bypass the part where the user approves, but then I feel like I'm going off script. Then I think to myself, have I completely got the wrong end of the stick? Is OAuth not designed for this?
If anyone can see where my ignorance is I'd be more than happy to be corrected!
Thanks!
OAuth and OpenID Connect enable you to authenticate users in many ways, for web and mobile clients. Each app implements a code flow and redirects to an authorization server (AS).
Each client is configured with an entry in the AS, and consent can be disabled when required. It is typically only enabled when personal assets are involved, e.g. to grant a security code scanning service access to my GitHub repositories.
From asking around a bit and reading a bunch more found by searching for "first party" providers: it is okay to just have the main website bypass the bit where they approve access and just send over the token.

How to make use of AWS Cognito Hosted UI for authorization code grant flow

I'm using the Amplify CLI to create a Cognito user pool for my React web application. I've found the withAuthentication UI doesn't meet my needs because I can't customize the signin form (say to remove the phone number field) or protect just part of my app.
Instead, I would like to use the Hosted UI provided by Cognito but am struggling with how to implement the Authorization Code Grant flow. Is there an easy to use the npm library to help me with this?
I've tried directly calling the /authorize endpoint as described in the docs but get a cors error when calling from localhost. I've also tried using window.location.ref to redirect to the hosted URL that the Cognito Console provides a link to. This works but when arriving back on my specified page (following the callback), parse the code from the query string, and send a POST request to the /token endpoint as described in the docs, I get a 400 status code back. Is there more I need to be doing here?
I'm very new to OAuth so would appreciate any simple explanations or pointers to basic materials a noob can understand would be great!
My resources use code flow with Cognito and will give you sonething to compare against:
Code Sample
Blog Post
A couple of pointers:
Register an OAuth client in your user pool to fix the CORS error
Trace OAuth messages from the browser and focus on getting them the same as mine
My code sample is easy to run against my Cognito endpoint. It does not use React or Amplify, though, but once you understand the principles it should be easy to port them to your own technology choices.

I am stuck on account linking for my custom Alexa skill

Currently, I am working on linking my Alexa skill with my website. I'm stuck. I've followed YouTube tutorials and looked at the documentation. I basically want users to click on the account linking button, be taken to a login page and then have that authorize the users with their own private data. Do I need to create an OAuth server? Is there anybody I can talk to who has already done something like this? I created an HTML page to log users in using an API call but I haven't gotten any further. Any help is appreciated.
There are two questions that you asked here. Addressing them consecutively:
Do you need an OAuth server for account linking? --> Yes. You either create your own authorization server which uses OAuth 2.0 or you can rent it from providers. There are various OAuth server providers like Auth0, Okta etc.
If you have created an HTML page for login, then it needs to connect with your auth server in the backend, and you need an API to do that as well as connect with the LWA server to complete account linking with Alexa.
The auth server will basically generate an auth code upon authenticating the user and subsequently it will generate an access token. Both these URLs must be mentioned in the Amazon Alexa developer console.
Then you need to make the calls to LWA to complete authentication with Amazon. This will generate an LWA auth code and subsequently an access token.
This LWA access token along with user auth code generated by your auth server will be used to enable the skill from your website.
Feel free to contact me if you have more queries! Good luck.

Getting started with OAuth

I wanted to build a simple WP7 app to learn how to use Silverlight, so I thought I'd create a very simple Yammer app. As a starter it would have two screens: Login (Username & Password) and Feed.
Yammer uses OAuth for its authentication, but I just don't get it! I appreciate you need to request a token to use the REST interfaces, but I don't want my users (even if it's just me) to need anything other than their login credentials, as they would use on the website. In my head the token can be used in a similar manner as a forms auth token in ASP.NET.
Am I missing something? I can't see anything in the Yammer documentation about logging in.
The process for OAuth is as follows:
You do a token request to Yammer. If needed, they will ask for Yammer credentials and send a token back to a URL of your application.
You must use that token to sign all your petitions.
You can't stop Yammer asking for credentials because that's the idea of OAuth. Yammer does not trust you, and it's impossible for you to keep any user's Yammer credentials. That way they can't be stolen from your site. The most you can store is a temporary token.
There is a very good guide to using OAuth on hueniverse, which features an example workflow. It's not completely up to date with the latest version of the spec, although this probably doesn't matter too much for your purposes.

Twitter API refuses my credentials

The Twitter API keeps refusing my credentials, no matter what shared library I use. Is there any reason for this?
Twitter no longer allows BASIC AUTHENTICATION on its API. You need to do OAuth authentication. This is most likely the problem you are having. If you need further help, you need to post some code, what library you are using, and exactly what part of the API you are trying to access.