Implementing cross domain single sign on (OAuth or implementing my own) - oauth

I need to implement a single sign on solution for a couple of websites in my company. I want to have the minimum interaction with the user during this process. It should look like it's the same application.
I have studied OAuth, Stack Exchange and YouTube. If I understand OAuth correctly, the user always has to give permission to the app, right?
Do you think I could use OAuth or should I implement a similar mechanism like YouTube or Stack Exchange myself? In the beginning I was more inclined to that idea, but I don't want to reinvent the wheel. Also, I don't have much time to implement this.
Thank you for your help.

Of course you should not "reinvent the wheel".
You can use OAuth, even though it is not defined as an SSO solution (and you wrote that you are interested in an SSO solution - are you sure about the meaning of SSO?).
Have a look at SAML, which IS defined as Single Sign On, etc. But you have to be more precise about your requirements - do you want to implement the identity provider by yourself, or can you use Google Accounts, for example?

Related

Where can I find more information on how to sync up accounts to an APP?

When I say that, I mean if I'm creating an APP that I want to work in conjunction with say instagram, twitch, or facebook, etc, where they log in with their account first, how could I go about that? I'd want to essentially do an ADD-ON and make it more accessible/easy for users. Where could I learn more about how to do that?
It sounds a bit vague I know, but I'm not sure how else to explain it.

You are looking for an OAuth API from any of those providers, if I am understanding your post correctly.
You would read the documentation at their relative websites and then apply what is necessary to your project.
More info on facebook here: https://developers.facebook.com/docs/reference/dialogs/oauth

Vicidial direct call in my web app

I need to implement direct call feature via vicidial in my web application.
Let me explain the flow to better understand what I need to do. The user would be able to log in to vicidial via a webpage of my app, and can then call any number by entering the number.
Is there any doc or wiki available to implement this feature? Guidance in simple steps would also be appreciated.
Thanks in advance :)

We implemented something like that using a product called WombatDialer that offers good APIs and is quite easy to set up (well, easier than ViciDial).
See http://www.wombatdialer.com/manuals/WD_UserManual-chunked/ar01s08.html for an API reference.

Some questions about dotnetopenauth

I have a couple of outstanding questions, mainly regarding Twitter and Facebook.
1. In the FacebookGraph class there are properties such as Id, name, etc. I am wondering how do I add to this list? Like what happens if I want a user's hometown? I tried to add a property called hometown but it always is null.
2. What should I store: their id (1418) or the whole URL (http://www.facebook.com/profile.php?id=1418) for lookup later in my db to grab their data and to see if they have an account with my site?
3. Is it actually good to use this id as it seems like it is common knowledge. Can't someone just find the profile id or whatever and do a fake request on my site?
4. How do you set up dotnetopenauth to deal with the case when a user goes to Facebook and deletes access to my website? I know you can send a deauthorization code to your site and then delete their account but I don't know how to do that through dotnetopenauth.
Twitter
Is it possible to do number 4 with twitter?
Ajax
Is it possible to make the openid stuff ajax? I don't see a sample anywhere in the dotnetopenauth samples.

I'm no pro at Facebook. But the FacebookGraph class is in the ApplicationBlock, which ships as source and is fully intended for you to customize or extend within your own application. Hopefully people more familiar with Facebook in particular, or the Facebook docs, can help you with those questions.
Since Facebook is not OpenID, what you store, whether ID # or the whole URL, is less critical. People should not be able to just craft requests to log in as others because your site should be verifying signatures, etc. If you're using DotNetOpenAuth appropriately this is probably being done automatically for you. But without seeing your code it can't be said for sure.
Assume the id is common knowledge. It certainly isn't a long random number so anyone can guess it. The ID must be accompanied by a signature that verifies that Facebook sent the ID, just now, for you.
I suspect the deauthorization code isn't going to be relevant to DotNetOpenAuth -- that's probably just some URL that you respond to. But again, I haven't read the FB docs on this.
Here's the real answer I can give you. Yes, OpenID works with AJAX reasonably well. You can see some samples of this at nerddinner.com or a sample of a blog post comment system. The most complete AJAX demonstration for standard login may be in the web forms or MVC project templates available on the Visual Studio Gallery.
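
The three properties the answer asks of a login assertion (sent by the provider, just now, for you) can be checked as in the following added example, which is not part of the original answer and is neither DotNetOpenAuth code nor Facebook's wire format. The token layout, `APP_SECRET`, `APP_ID`, `MAX_AGE` and both function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

APP_SECRET = b"constructed-shared-secret"  # assumption: secret shared with the provider
APP_ID = "my-site"                         # assumption: audience value naming this site
MAX_AGE = 300                              # seconds an assertion stays acceptable

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_assertion(user_id, audience, issued_at, secret=APP_SECRET):
    """Provider side (constructed): sign the user id, audience and timestamp."""
    payload = json.dumps({"user_id": user_id, "aud": audience, "iat": issued_at},
                         sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_assertion(token, now=None, secret=APP_SECRET):
    """Site side: return the user id only if every check passes, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        # "Facebook sent the ID": constant-time comparison of the signature
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None  # a bare id such as "1418" or a malformed token ends here
    # "for you": an assertion issued to another site must not log anyone in here
    if claims.get("aud") != APP_ID:
        return None
    # "just now": reject replayed or future-dated assertions
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (0 <= now - iat <= MAX_AGE):
        return None
    return claims.get("user_id")
```

The user id is read only after the signature check, so knowing or guessing the id alone gets a caller nothing.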

using APIs with oauth for single user

I'm trying to make use of various APIs including twitter, youtube, etc because we want to embed recent entries (tweets, videos) on our website.
However, since I'm just retrieving my own data, I'm wondering how I can do this simpler than the multi-step process required by OAuth.
Twitter provides me with my own access token I can use directly, so that kinda works, but I can't find any such token in the YouTube documentation.
So how am I supposed to make use of the API if I just want to get a simple list of stuff? How exactly am I supposed to authenticate my own website to use my own account?
I think I might have things all wrong and if so please point me in the right direction. I tried using RSS feeds but they don't give me as much control over what I retrieve as using the API directly...
Any insight or suggestions are appreciated!

See my comment above. Summary: it depends on the requirements of the individual API.

What is a good openid selector control?

Now that idselector has been upgraded to RPXNow and you can't "just use" the selector code, what is a good replacement?
I want to implement OpenId on a new website that I am using, but the users are going to be just dumb when it comes to logging in unless I provide an easy way for them to.
As a reference, I will be using .Net Open Id for the background in an ASP.Net MVC web application.
EDIT
After some cheap thought, what about using the rpxlib?

Jarrett Vance made a "version" of open-selector that is much more developer/designer friendly.
This selector is different because it does not hide the markup details in javascript. Therefore, you can easily add new providers or rearrange the existing ones without digging into the javascript. The login form will still work for normal OpenID logins if javascript is disabled.
Best of all, it comes with documentation, a demo, and lots of images both cropped and as raw .pdn files (paint.net).
Jarrett Vance's openid-selector can be found here
PS: I would suggest reading this article before implementing RPX.
Another one to consider is http://code.google.com/p/openid-realselector/ (which is a rewrite/update of http://code.google.com/p/openid-selector/)
I have done an implementation with RPXLib and RPXNow, and it is really pretty straightforward.
I wanted to minimize the amount of work done in the OpenId format, and the RPXLib definitely helped with that one.
RpxNow also has a nice feature of telling me new users, number of logins per day, etc...
I've made Open-selector, which you just add to your site and switches the regular OpenID box into a provider list and a username text input.
The code is pretty simple (in case you need extra customization) and there is an inline mode so it doesn't alter your original layout.
I was using that one, but then I found a few people using a different one which made me investigate, and I found this OpenID selector. There aren't any instructions per se other than the demo.html, but it shouldn't be too hard to figure out. Just include the css and js, then call the javascript function with the right parameter.
Edit about rpx: I chose to stay away from rpx because I didn't want to have a 'central point of failure,' and a site that isn't my own that users would authenticate to/through. It seems kind of counter-intuitive being that I'm using openid, but if you consider the openid provider that the user is using as part of the user, then it kind of makes sense.
