i'm getting confused trying to use OAuth (facebook/twitter) on a client and then authenticate with ServiceStack. all the examples i see for authenticating in a client use basic auth like so:
var response = _client.Send<AuthResponse>(new Auth
{
provider = CredentialsAuthProvider.Name,
UserName = model.Username,
Password = model.Password,
RememberMe = true
});
what would i need to do to authenticate my stand-alone client with facebook? i make a call to FB and get a UID,access token, email, etc. then what's the call to service stack to authenticate?
currently my thinking is to do the authentication with FB on the client, call service to check if the user exists (looking at email address). if they don't register and log them in using a hash of some of their data as a password. if they exist, log them in same way. is this reasonable/best practice?
thanks in advance
what would i need to do to authenticate my stand-alone client with facebook?
then what's the call to service stack to authenticate?
You can handle authenticating to ServiceStack and Facebook using the FacebookAuthProvider (https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization). Posting the request** to '/auth/facebook' (ServiceStack provided endpoint) will authenticate against ServiceStack and Facebook. Within ServiceStack you can access the Facebook 'tokens' using UserSession.GetOAuthTokens("facebook"). I would think you can share those tokens with your client or have your client go through your ServiceStack endpoints (which you create) to access Facebook. Similar to the way the TwitterGateway (https://github.com/ServiceStack/SocialBootstrapApi/blob/master/src/SocialBootstrapApi/Logic/TwitterGateway.cs) works in the SocialBootStrapApi example.
**{"UserName":"yourname", "Password":"yourpassword", "RememberMe":true/false}
Related
I have the following configuration in my ASP.NET Core Web API:
// Adds Microsoft Identity platform (AAD v2.0) support to protect this Api
services.AddMicrosoftIdentityWebApiAuthentication(configuration);
services.AddControllers(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireClaim("email")
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
I have an Angular client application that sends the AuthToken with each request.
Below is my asp.net WEB API controller
[Route("[controller]")]
public class UserController : ControllerBase
{
[HttpGet]
public IActionResult Get()
{
//Get User Email ID from Claims
//Get User details from Database
//Return the User Details
...
}
}
In the asp.net WEB API controller, I need to get the Email claim from the Auth Token.
Should the AngularJS application send the AuthToken or IDToken? When do use ID token vs Auth Token?
Update :
OpenID Connect is built on top of OAuth2.
WEBAPI:
An access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.
WEBAPP:
An id_token is a JWT and represents the logged in user. It is often used by your app.
CONSOLE/MOBILE APP :
A refresh_token (only to be used by a mobile/desktop app) doesn't expire (but is revokable) and it allows you to obtain freshly minted access_tokens and id_token
My question still remains the same? If the webapp or console app requires the claims, should we need AuthToken?
Update:#2
https://www.youtube.com/watch?v=M4JIvUIE17c
Please note that, access tokens are used to perform actions like authentication and authorization to protect the web APIs.
ID tokens are generated by authorization server and contains the claim of the user information, and these claims can be used for the UX in your application.
AFAIK as your application sends the AuthToken with each request you can use the same token to get Email claim.
Make sure to add email API permissions like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Api Permissions
Try to give the scope = api://{app id of the AAD app which represents the web api}/.default openid as mentioned by Allen Wu in this SO Thread.
I tried to generate an access token with above scope and got the claims successfully like below:
Please note that, you can get the email claim either by using AuthToken or IDToken.
Whats the best way to programmatically authenticate user using OAuth 2.0 Authentication Code Grant ?
Wondering if there is a way to combine step A and B as stated on the spec - https://www.rfc-editor.org/rfc/rfc6749#section-4.1, i.e pass user ID and password as part of authorize call ? Something like,
/authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&user_id=john.doe#mail&password=xxxx
I believe one way is to submit() the form returned by the Authorization server with user id and password. Taking this route would create a dependency on the form and any changes to it given it is not a public API.
The Authorization Code grant is designed to be used with a full browser i.e. should not be used to authenticate the user programmatically. In fact using it programmatically would defeat the purpose of OAuth 2.0 to not divulge the user's credentials to the Client.
Grants like Client Credentials and Resource Owner Password Credentials have been designed to be used with non-browser Clients.
Alternatively you could create an access_token and refresh_token for your Client in a browser using the Authorization Code grant, then pass the tokens to your non-browser Client so that it can use the refresh_token on its own to obtain a new access token when the old one expires.
I am in the process of designing an app that is supposed to let you login using either a username/password combination or facebook login. We have a custom OAuth server that uses user credentials to authenticate users. Now, the question is how to add facebook into this.
As I see it now, when the user wants to login with facebook, the client does all the work and gets the access token in the end. But how do we let our server know that this access token is a good one (and corresponds to a user in the database)? To me it seems like our OAuth server should be able to handle this as well, and I'm just missing the how.
OAuth supports different scenarios (flows). Client-does-all-the-work is so called "implicit" flow.
In your case it would be better to use authorization-code flow and extend your OAuth server. You put a "Facebook" button on your login page and instruct Facebook to redirect to a new special page on your OAuth server. Delivered authorization code then can be exchanged to the access token inside of your OAuth server and the server may issue its own session and tokens based on this.
I need to create a my own OAUTH Provider, to validate third party application requests, i do not want to use Google, Twitter, LinkedIn, Microsoft providers. I have to create my own provider to authenticate request and return an access token to the client. But all the help on the net is related to external providers(Google, LinkedIn,Twitter, Facebook..). Can anyone help me achieve in creating my own custom Provider?
As Roland said if you get through the spec it pretty straight forward.
At a high level this is what you will need to do to support AuthCode grant pattern :
Assuming:
Your application own the users.
Issue clientid/secrets to each of the 3rd Party applications.
On your server create end points for
authorize
token
When the client hits the authorize end point like below:
/authorize?response_type=code&client_id=<clientID>&state=xyz&redirect_uri=http://thirdparty.com
Redirect the client to a login page.
Validate the username/pwd provided by the user.
If successful, call the 3rd Party clients redirect URI with authCode.
If failure, call the 3rd Party clients redirect URI with error(pre-published).
Sample callback here
https://thirdparty.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
Client will then call on the /token URI with authcode with something like below:
/token?grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=http://thirdparty.com
Generate a token, store it against the clientID, UserId and respond back with the token.
Something like below
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
When the 3rd party access your services/resources validate the token against the client and userid and grant or deny access.
This is to get started but there can be a lot more customization that you can do with scope and other OAuth2 patterns.
I modified google consumer to use in my application scenario.
My scenario is to authenticate user on our client's website and then log them into our system. I am able to do the following:
1) Get Request Token
2) Redirect them to the client's site. User enters username and password and they come back to our URL.
After this step I cannot get the access token.
var accessTokenResponse = google.ProcessUserAuthorization(); is always null.
Our client told me that when they return back to us they don't include the verifier and signed request token. I am not sure if that is the reason why I can't get this working.
Can someone please help? I am new to this.
Thanks
If you're doing authentication then your use of OAuth is probably inappropriate. You should be using OpenID of you're authenticating via Google.
As long as you're using OAuth, yes, the verifier string is mandatory.