I am new in Silex PHP framework and OAuth2, I could implement oauth2 server but there is no user authentication, I mean when user press authorize button it redirects directly authorization page where system will ask user allows this app or not, but without any user authentication I couldn't implement there sign in function. Is there anybody implement oauth2 and silex php framework together. Please someone can it would be very good thanks in advance!
I have never used OAuth at all, but have seen some ready components like this one - Silex OAuthServiceProvider. Maybe you can use the code and adjust it to your needs. Good luck!
Related
I'm about to create a web application which has some data linked to individual user accounts in the database. I want to implement it by Google sign-in because I don't want let users create new accounts just for this app. I'm now confusing which flow below is for my case.
Please help me.
https://developers.google.com/identity/sign-in/web/sign-in
Very simple.
https://developers.google.com/identity/sign-in/web/server-side-flow
Server Side flow?
https://developers.google.com/identity/protocols/OpenIDConnect#authenticatingtheuser
 This document says this is Server Flow.
https://developers.google.com/+/web/signin/server-side-flow
Just for Google+ users?
Is the No.1 maybe called "implicit" flow? I would like to take it if it is secure because of its simplicity.
https://developers.google.com/identity/sign-in/web/sign-in is best option for you.
In case you need to "use Google services on behalf of a user when the user is offline" you can use https://developers.google.com/identity/sign-in/web/server-side-flow on top of https://developers.google.com/identity/sign-in/web/sign-in.
I have two Rails apps, and I would like to accept user login credentials from one app (say App A) in another (say App B). For the app that's accepting login credentials (App B), I think the best option is to use OAuth. But for the app whose user credentials are being used (App A), how do I allow the user's login information to be used by another site? Do I use OAuth as well, or something like Doorkeeper? As you can tell, I'm very new to user authentication, so any advice would be helpful!
One possible way to solve the problem is to create a doorkeeper-based standalone app that would contain all of a user's credentials. Then your client apps would actually connect with this "auth app" (using Oauth.) Then when the client is authenticated on the Auth App, they get returned to the Client app. Of course, from a UI perspective, you make this seamless, so your login page would actually be on this Auth app, but it would look seamless to the user. This way, you can add as many apps as you want and the credentials would all be in one place. To answer your specific question, you would use Oauth2 on your Client apps and Doorkeeper on your Auth App.
You'll need to tweak the doorkeeper configurations to make this process "clean" to the user. For example for internal apps, you can safely use the skip_authorization method in doorkeeper. Learn more about that here
This doorkeeper/oauth system has the added benefit of decoupling your authentication logic from your main application, which is fundamental to good Service Oriented Design. There are certainly other ways to approach this problem, but given the context of your question, yes, Doorkeeper and Oauth2 would solve your problem.
Is there a sample of the Facebook C# SDK with ASP.NET MVC 3 (non-canvas application) that:
Allows the user to register through the website's registration form
Allows the user to login through Facebook Connect, and register the user if it's his/her first visit
Subsequently allow user to login/authenticate through the website's login form, or through Facebook (if the user registered through Facebook Connect).
It seems like this would be a common scenario that would benefit many others, but virtually all the samples I've seen do not go beyond authenticating the user with Facebook. I'm thinking a sample that can perform the basic login/registration scenario would help in not having to re-invent the wheel.
Many thanks! :)
I am currently doing this on my website. However note that the Membership provider does not align properly with FB Authentication. In my project I have 2 controllers one for FB authentication and the other one is for Forms authentication. The Forms Authentication code is pretty much the standard one provided in a new project except that I am encrypting my password with BCrypt after adding a Salt value.
Please refer to my blog http://theocdcoder.com/tutorial-integrating-facebook-authentication-asp-net-mvc-3/
for the FB integration. The reason I didn't include the other Forms code is that it is independent of FB code.
Also in the FB login method in the Controller, you will have to handle the scenario if the user was already registered through Forms method if not then create a new record for the same.
I hope it helps.
Can we build applications on top of the twitter user base?
Is it just another open id or something more?
I noticed when using twitpic and some MUD type game 14mafia.com that it uses my twitter login (it tweets on your behalf).
If they are using my login/password that's pretty crazy, I mean what kind of security is that?
Anyhow, just want a developers who has expereince to tell me if we can re-use their membership like openid?
Can we build applications on top of
the twitter user base?
The Twitter API is described at http://apiwiki.twitter.com/
Is it just another open id or
something more?
Twitter is neither an OpenID consumer nor provider.
I noticed when using twitpic and some
MUD type game 14mafia.com that it uses
my twitter login (it tweets on your
behalf).
If they are using my login/password
that's pretty crazy, I mean what kind
of security is that?
Awful security. Don't give out your password to third party sites. Some just use the password anti-pattern, others will steal your credentials for purposes you don't want.
Twitter supports OAuth today. If a site wants to do things with your Twitter profile, it should use that.
Anyhow, just want a developers who has
expereince to tell me if we can re-use
their membership like openid?
No, you can't.
Twitter offers both OAuth and simple username/password authentication in its API. Originally they only had the basic authentication API so many early apps were built using it. Later, they added the OAuth support, but since it was easier to use the basic authentication, many twitter clients and apps still use it.
You can tell which one an application is using, because if they are using the simple authentication they will ask for your password. You have to trust them with it in that case. You're right that it's poor security.
I imagine they are using the Twitter API.
I am using Dotnetopenid for login.
I am logs in my application by using dotnetopenid provider suppose google.
At the time of logout I am ending the my application user's session by FormsAuthentication.SignOut(); but if I am not closing the browser and logs in using google it will not ask me for id-password and land me on secured page of my apllication.
Also, if i will try gmail.com it will directly lands me user account without asking id-password.
So how could I logout completely from my application and google too ?
thanks in advance
I think you are mistaking the Relying Party and the OpenID Provider. Using StackOverflow as an example, SO is the Relying Party and other sites (e.g. Google) are the OpenID Provider(s).
The Relying Party (e.g. SO) has no say in when the OpenID Provider (e.g. Google) chooses to "forget" the user for their own purposes.
EDIT: I was not familiar with the PAPE extension. However, if I understand correctly, it does not provide a way for the RP to say to the OP, "On your end, forget this user's authentication", which is what I think rehan wants. It just provides a way for the RP to demand another authentication for the RP's purposes.
I still see no way for (e.g.) SO to log a Google user out of Gmail after SO logs them out.
It sounds like what you're looking for is a Logout feature that will allow the relying party to also log the user out of the Provider at the same time.
DotNetOpenId doesn't offer this feature because OpenID itself doesn't have this feature in its spec. There's simply no way to do it right now. The OpenID community have had conversations about spec'ing out such a feature, but so far it's not there. If and when OpenID adds such a feature to its spec, DotNetOpenId will add support for it.
i had the same issue. So tried this.....when i logged out of my website which uses dotnetopenid, i also made a call to the following gmail logout link https://mail.google.com/mail/?logout&hl=en. This logged me out of gmail also.
https://www.google.com/accounts/Logout
try this one....