How to I implement normal doorkeeper oauth2 flow after the user authenticates through facebook through my mobile app?
PS I am using doorkeeper gem to implement an oauth2 provider for my mobile app. I use resource owner password credentials flow to implement authentication through user's username and password.
So if a user authenticates through facebook through the mobile app first, how do I authenticate a user through doorkeeper with the facebook access token. So no username/password present in this case(which doorkeeper throws out an error of missing params).
What is the correct way to implement this flow.
1. User authenticates from facebook through the mobile app.
2. Facebook access token is passed to the API server.
3. If the access token is valid, the api server returns the
doorkeeper access token.
4. In case the access token is not valid, the api server returns 401 Unauthorized.
What is the correct approach to implement this flow? Some guidance in the right direction is very much appreciated.
This extension to the existing doorkeeper grant flows, solves exactly this problem:
https://github.com/doorkeeper-gem/doorkeeper-grants_assertion
The assertion flow is an exchange between a provider's access_token, for an access token from your oauth provider.
There is a pull request to fix "NoMethodError (undefined method 'resource_owner_from_assertion' for #)":
Change your Gemfile:
gem "doorkeeper-grants_assertion", github: "Inittec/doorkeeper-grants_assertion", branch: "master"
Related
I'm currently unfamiliar with the OAuth2.0 Authorization Code Flow and I've read many articles about it and currently I still don't know how to properly implement it. So far, what I know about the flow:
User Logs in using OAuth
User is redirected to the authorization server for authorization code
Callback for permission/scope
Redirected to authorization server for access token in exchange for authorization code
Redirect back to the client with the access token
Client uses access token to access resource server.
Right now, what I'm still confused is that where should the login validation come (Login of username - password)? Is it a separate validation before going to OAuth flow and once the user is valid, it should go back to the flow?
I have some resources that explain OAuth 2.0 using Google Sign in as an example. Let me try to rephrase it according to your question.
Let's use the example of a user logging-in to Intercom using "Sign in with Google".
The user presses the button "Sign in with Google". This will redirect to the identity providers /authorize endpoint (could be different for each provider) which go to their login page.
The user is redirected to Google's accounts page. If not already logged-in, the user can enter their Google email/password here.
Google redirects back to Intercom with an authorization_code (for example, it redirects to https://intercom.com/authcallback?code=XYZ...)
Intercom's backend server sends this authorization_code with the client_id and client_secret (from their project in google), and receive an access_token (usually to the /token endpoint)
Intercom can then use the access_token to access the user's profile from Google.
So to answer your question, the user can enter their email/password inside the OAuth provider's page. Keep in mind that OAuth 2.0 doesn't specify how the provider is authenticating the user. This means, that the OAuth provider can authenticate their users in different ways, like email/password, email magic-link, SMS OTP, etc. Your website is just supposed to trust the OAuth provider that they are authenticating the user for you correctly.
Some extra resources that would help you understand OAuth 2.0 more:
How to store the OAuth 2.0 access and refresh token in your front end
Picking the right OAuth 2.0 flow
login validation come (Login of username - password)?
OAuth 2.0 NOT an Authentication protocol
The OAuth 2.0 specification defines a delegation protocol
Any use of username - password is outside of OAuth 2.0 and you should be looking at Open ID Connect which is an authentication protocol built on top of OAuth 2.0.
Best current Practice for Authorization Code flow is to use PKCE on OAuth or OpenID Connect.
The usual solution is to externalise both OAuth 2.0 and Open Id Connect from your code by using a mature security library. When you're new to this type of security there is a learning curve. My resources will give you an idea of how it all fits together:
Code Sample
Tutorial Blog Post
The libraries you integrate depend on the technology stack you are using. The resources above are for a Single Page App and NodeJS API.
We want to use the Doorkeeper gem to implement an OAuth provider in our app. However, we use 2-factor auth in the login process, so we need a way to modify the password grant to accept email, password, and a 2fa token (and respond with an appropriate error if the 2fa token is required and missing). We also allow Google social login, so we also need to use a password-like grant which accepts an OAuth 2 code from Google to issue an access token, rather than username/password.
Will this be possible with the Doorkeeper?
I've got a Rails API that is using Doorkeeper with the password grant method for Oauth2.
Doorkeeper requires both the client_id and client_secret to be sent to the token request (/oauth/token), alongside the user's login details and scope.
How would I go about doing this in an Angular app? I don't like the idea of storing the client id and secret client side...
The client_id and client_secret should only be used when your app code is secured, i.g. inside your web server.
For browser web apps and mobile apps the oauth implicit flow or the password flow should be used.
In the implicit flow, you only use the client_id.
In the password flow, you exchange the username and password for an access token.
I am using Rails with omniauth plugin to authenticate my application via LinkedIn. Currently, I store the linkedin token which omniauth returns if the user successfully authorize the application:
oauth_token"=>"9dd623ad-1e21-2cec-9ede-107e1f8e9e18"
I am also using linkedin plugin to get user's Linkedin information. The problem is; the plugin requires two tokens like the following:
client.authorize_from_request(rtoken, rsecret, pin)
c.authorize_from_access("OU812", "8675309")
How can I use the omniauth's token in linkedin plugin? Any idea?
OMNIAUTH is for Authentication only. AFAIK you wont be able to use the API with that oauth token alone. Youll still need to send the user off to linked in to authorize API access by doing something like
client.request_token(:oauth_callback =>'your callback url')
See example here:
http://pivotallabs.com/users/will/blog/articles/1096-linkedin-gem-for-a-web-app
Update:
I was able to reuse access token and access secret that I received upon Omniauth callback from LinkedIn and pass it on to client.authorize_from_access and got access to LinkedIn API that way. Your mileage may vary as I had to customize linked_in gem to fit my workflow a bit, but once Omniauth gets access token and secret you no longer need to call client.authorize_from_request
I'm building a Rails web app. I use OmniAuth for authentication.
I would like to provide API access but only after the user has authenticated themselves with OAuth (via twitter mainly).
Any suggestions of where to start?
EDIT: add more context as requested
Not trying to become an Oauth provider, but simply use the same login tokens. For example, you log into my app through twitter. You have both the token and secret OAuth tokens. I want to use those tokens to allow a user API access to the site.
I have a similar question: Retrieving OAuth tokens (on server) from Faraday OAuth module (from client)