I want to be able to login to a Flask based server with Facebook authentication from a mobile application.
I understand that in mobile, a user logs into Facebook and is able to retrieve an access token that one can use to authenticate with the server as well.
I have found these two Flask examples:
https://github.com/mitsuhiko/flask-oauth/blob/master/example/facebook.py
https://github.com/litl/rauth/tree/master/examples/facebook
They are able to login into Facebook and retrieve an access token as well. What else do I need to do to be able to send back a status code to the mobile application telling it that it has logged into my own server with Facebook?
Or am I thinking about this backwards somehow?
Just make sure that you sending HTTP requests within same session(iOS default behaviour), so after you send token to flask server - flask server returns response, like {"status":"logged_in"} or with user data if you need.
This response contains cookies of login. So all requests within session are with logged in user.
Whenever user closes application - you can probably lose the login, so you need to enabled remember_token inside flask and store it in your application for future sessions.
Eventually remember_token will become invalid and you wont be able to login, so your application should rerequest access_token from facebook, relogin to flask server.
I advice to set remember_token expiration to 2 month, so it will match expiration date of access_token
Related
Does ORY Hydra currently have a feature that verifies if a client is logged in via OpenID Connect? I notice there is an API to logout via front-channel
When a user revisits the identity provider, however, I have no way of knowing if they are currently logged in or not. They could delete their client-side HTTP cookies and then I am out of sync with Hydra. Meaning: Hydra has them as logged in, but I have them now as logged out. Also, in the event of a back-channel logout, I want to be able to query for this state.
Is there an API I am overlooking that allows me to know whether a client currently has an active OpenID Connect login via Hydra?
It appears as of right now the only thing one can do is redirect the user to the authorization endpoint since we have no way of knowing if they are authorized or not.
The following two tables that ship with Hydra seem to be the source of truth for the data I am after: hydra_oauth2_access and hydra_oauth2_authentication_session. Does it ever make sense to query those directly if there is no supported HTTP API out of the box to see if a user has an active authentication session?
Sending an authentication request via a redirect to the Provider including prompt=none addresses this use case: it will silently login and return new tokens if there's an ongoing SSO session at the Provider, it will return an error code login_required if not.
Notice there will never be explicit user interaction in both cases so this is convenient (and meant) to run in an hidden iframe.
LOGGED IN STATE
An OAuth client is most commonly a UI application with multiple users. Each user's logged in state is represented by an Authorization Server session cookie that neither the application or user have access to:
The Authorization Server (AS) issues an SSO cookie, to be stored in the system browser for the AS domain
Both Web UIs and Native UIs send it implicitly on subsequent requests, when they invoke the system browser
AUTHORIZATION REDIRECTS
When an OAuth UI redirects the user, it is generally unknown whether:
The user will be prompted to login
The user will be signed in silently (eg the user could have signed in to another app)
For a Web UI it is possible to send an authorization redirect on a hidden iframe with a prompt=none parameter. If the user needs to sign in a login_required error code will be returned. See my Silent Token Renewal Page for further details.
This is not fully reliable however, and has some browser issues in 2020. Also it may be unsuitable if you are using a different type of client.
FEDERATED LOGINS
In some setups the AS redirects further to an Identity Provider (IDP), and the user's login state is further influenced by an IDP session cookie.
There is no way for an app to get hold of the user's IDP login state, since the app only ever interacts with the AS.
IS THERE A USABILITY PROBLEM?
If so, post back and we can discuss further ...
I am redirecting the authenticated user to link of my website from iOS App (user is authenticated from iOS app). There is log in page on website and some other pages. I want to redirect to my website without asking for log in. How can i achieve this?
What is needed to do at iOS side?
What is needed to do at website side?
I'm assuming that when you login through the iOS app, you are receiving back an authToken from the server that you can save for further queries. I would recommend sending that token to the server when you redirect and verify the token on server side.
As an added layer of security, you can encrypt your token before sending it to the server and then decrypt it on the other side
Is it possible to retain the login across browser session?
i.e. after user has been authenticated through Azure AD for the GraphAPI app and then close the browser, when she start the browser again and access the same GraphAPI app, the user won't be asked to login again.
If you have a backend daemon that can continually refresh the access_token before it expires and then cache it, that's possible with the user authentication OAuth2 flow.
In fact I've been working round the limitations with the confidential client OAuth2 flow (specically the lack of calendar access to Unified Groups) by doing exactly this server side. I use a scripted PhantomJS headless web browser on the server to log in as the required user, get an authorization token, gamble the authorization token up to an access token, cache the response and then continually refresh the access token using a long lived daemon process. Other back end code on my server can then pick up the cached access token and act as the user (ie generate calendar events in the Unified Groups), days or weeks later.
Obviously I'd prefer to use confidential client OAuth2 flow rather than this hack, but until that flow lets me access group calendars, this does work.
Goal
Fetch a company's updates save them locally in a background task
Problem
This should be done as a backend service without any real user interaction. We could provide a user account to use, but the authentication is a problem: There is literally no one to answer the OAuth redirect and there is no public redirect URL to configure, since it's a background service.
Is there any way to access the API without having a redirect URL or a real user?
You can get an initial access token in a regular front end flow, for you as the app developer i.e yourself as the LinkedIn user. Once you've got that, you can store it in the backend and use it for 60 days to get access to the LinkedIn APIs.
After 60 days you need to refresh the token as documented in:
https://developer.linkedin.com/documents/handling-errors-invalid-tokens
Unfortunately LinkedIn does not (yet) support an autonomous refresh flow where your app can get a new access token by presenting a refresh token on a backchannel. So the developer will have to refresh the access token by a manual login every 2 months.
Well, it is still all HTTP and HTML, so in fact there is no real reason to show the OAuth dialog to a user, as long you can strip out the necessary parts in the HTML authentication dialog and send a valid response back to the server, using the username and password from the user (which you can obtain from him, or save it yourself in a config file if it is you).
Note that there might be a legal issue if LinkedIn demands you to actually show the dialog, beside that, there is no technical need.
On iOS (or any mobile), after a successful login, how should I handle login with my own server?
Should I send the token and user id to my server and re-verify it, or is there a better practice?
I obviously don't want to send only the FB user id.
The FBConnect SDK should automatically save login information on the device, so every time the user goes to use the Facebook feature of your app, they are automatically logged in.
The current version of FBConnect doesn't provides obvious proxy authentication, but the old version did. I think you could create this proxy manually, ie. pass all login data, except api secret key to proxy, proxy adds secret key and sends request to FB. Then it returns response of FB server as it is.