How to implement OAUTH 2.0 in IBM Worklight 6.0 - oauth

In my app I have implemented Login module auth security by implementing security realms. But I am thinking of implementing an OAuth 2.0 authentication where the user will be authenticated once, I will get a token, and re-validate it on app start.
So please can someone guide me on what the prerequisites are to implement this. Can I achieve this by creating a custom authentication module? Any guide or sample code will be really helpful.

There is an article that was published that shows how to use OAuth with InAppBrowser and Worklight using LinkedIn, found at the following location:
http://www.ibm.com/developerworks/library/mo-worklight-linkedin/
This article is a great sample to get you started using Worklight and OAuth. Let me know if you have any further questions.

Take a look at this SO answer:
https://stackoverflow.com/a/18172484/440934
Hybrid apps do not have a public URL that an OAuth provider can redirect to, but there are some tricks you can do with the child browser plugin to 'hack' around them (see the first link). You can have your OAuth provider redirect to a dummy URL that the child browser can intercept and parse the token from the URL (there are even some security concerns there). OAuth2 gets even trickier when configured not to place a token in the redirect URL and instead placing it in the body or in a header. Child browser does not expose these details, which means some more custom native work to grab them if that is your only route.

Related

How to make use of AWS Cognito Hosted UI for authorization code grant flow

I'm using the Amplify CLI to create a Cognito user pool for my React web application. I've found the withAuthentication UI doesn't meet my needs because I can't customize the signin form (say to remove the phone number field) or protect just part of my app.
Instead, I would like to use the Hosted UI provided by Cognito but am struggling with how to implement the Authorization Code Grant flow. Is there an easy-to-use npm library to help me with this?
I've tried directly calling the /authorize endpoint as described in the docs but get a CORS error when calling from localhost. I've also tried using window.location.ref to redirect to the hosted URL that the Cognito Console provides a link to. This works, but when I arrive back on my specified page (following the callback), parse the code from the query string, and send a POST request to the /token endpoint as described in the docs, I get a 400 status code back. Is there more I need to be doing here?
I'm very new to OAuth so would appreciate any simple explanations or pointers to basic materials a noob can understand!
My resources use code flow with Cognito and will give you something to compare against:
Code Sample
Blog Post
A couple of pointers:
Register an OAuth client in your user pool to fix the CORS error
Trace OAuth messages from the browser and focus on getting them the same as mine
My code sample is easy to run against my Cognito endpoint. It does not use React or Amplify though, but once you understand the principles it should be easy to port them to your own technology choices.
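The redirect-interception step described in the child-browser answer to the first question, and the parse-the-code-then-POST-to-/token step this question asks about, as one added example that is not code from either answer: parse the intercepted callback URL, reject it unless its state value matches the one this client generated, and build the body of the /token request. The client id, redirect URI and the optional PKCE code_verifier are constructed placeholders, and PKCE itself is an addition the posts do not mention.

```javascript
// Parse the redirect the child browser (or callback page) intercepted. Handles
// both ?code=... (authorization code grant) and #access_token=... (implicit
// grant, the token-in-the-URL pattern the first answer warns about).
function parseCallback(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  const query = new URLSearchParams(u.search);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ''));
  const pick = (k) => query.get(k) ?? fragment.get(k);
  if (pick('error')) {
    return { ok: false, error: pick('error'), description: pick('error_description') };
  }
  // A missing or mismatched state means this response was not produced by the
  // request this client started: reject it rather than exchange the code.
  if (!expectedState || pick('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch' };
  }
  return { ok: true, code: pick('code'), accessToken: pick('access_token') };
}

// Build the x-www-form-urlencoded body for POST /token. redirect_uri must be
// byte-for-byte the value sent on /authorize. code_verifier (PKCE) is optional
// here and is an addition the posts do not mention.
function buildTokenRequest(code, { clientId, redirectUri, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    redirect_uri: redirectUri,
    code,
  });
  if (codeVerifier) body.set('code_verifier', codeVerifier);
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Constructed sample: the dummy redirect URL the child browser intercepts.
const sampleRedirect = 'myapp://callback?code=abc123&state=xyz';
const parsed = parseCallback(sampleRedirect, 'xyz');
if (parsed.ok && parsed.code) {
  const req = buildTokenRequest(parsed.code, {
    clientId: 'example-client-id',   // placeholder
    redirectUri: 'myapp://callback', // placeholder
  });
  console.log(req.body);
}
```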

Need help Implementing OpenID connect/ OAuth2 flow using React-native, Spring Rest Api and ADFS 4.0

I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used OpenID, I had my own authentication and just an OAuth2 flow in my Spring REST API, and every time I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID Connect and ADFS 4.0 for the authentication, I have the crucial information I need in my API in the id_token. The question is, what exactly should I send to my API now from the mobile app, the id_token, access token or both? Giving the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like, is there any way I could receive the user's info using the subject, or what exactly should I do? I've tried to research this subject a lot, but I am still very confused.
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow-on questions.

What's insecure about a native login for OAuth 2.0?

I'm working on a native Swift iOS app. I've done a lot of reading recently about OAuth 2.0, including this answer, a fair bit of RFC 6749, and several other tutorials. There are lots of comments about how using an embedded webview isn't ideal, because cookies can't be kept secure, hence SFSafariViewController and ASWebAuthenticationSession.
But I haven't seen much talk about a login without a webview/browser at all, collecting user credentials through a UIView form, using a Resource Owner Password Credentials Grant and sending data directly with a URLRequest. I'm building my own application, with my own resource server, and my own authentication server (or using something like Auth0), which is only handling access to my app's protected resources. So everything is 'highly trusted' here. But I've seen notices like the following concerning a resource owner password credentials grant (from here):
The authorization server should take special care when enabling this
grant type and only allow it when other flows are not viable.
Technically, using another flow is 'viable' - I could build it. Does using an external user-agent, SFSafariViewController or ASWebAuthenticationSession still offer security benefits that can't be matched with a native login in this scenario?
One benefit of using an external user-agent that comes to mind is upgrading to 2-factor or multi-factor authentication in general.

OAuth2 flow for same domain website

I am building an OAuth2 API for my program. But I don't know how the flow works for using the same API on the main website for the app? Would I just use the normal authentication route? I think it would seem odd to see that the trusted name app is wanting access to information, when it's not a third party.

Magento REST API OAuth for mobile app

I'm developing an iOS app that uses the Magento REST API. I'm following the documentation provided by Magento for the OAuth authentication (http://www.magentocommerce.com/api/rest/authentication/oauth_authentication.html).
I use the initiate endpoint to get the request token, but then when I want to authorize this token I need to use the "authorize" endpoint, and there I get redirected to a URL where I have to provide customer credentials to authorize the request token. This is not the behaviour that I was expecting, since the user would be already logged in using the app's login (not implemented yet). Is there a way of making this "authorization" step transparent for the user? Like calling some service, passing it the user's credentials provided in the login screen of my app?
If there is no way I'll use Magento's SOAP API.
I did that too, really, really painful. Magento uses OAuth 1.x; basically you've got three options:
Do it yourself
Use some OAuth consumer lib, you can find them on GitHub
Use MKNetworkKit with this add-on
I used the 3rd because of MKNetworkKit, and anyway there was still a lot of work to do if you want to hide some passages by injecting JS.