I have a mobile app which allows a user to login with his username/password credentials via an oAuth2 API. In addition to this flow, I would like a new app user to be able to sign up for a new account.
Is that something I could/should handle via the oAuth API?
I suggest you try to use a third-part API, like facebook, is very simple to implement and provides a great level of security.
Related
We're working on a new API that we wish to secure with api tokens. These tokens are tied to a user and an application. These 3rd party applications use OAuth to authenticate themselves (using and app_id and app_secret). This works great.
However, we have our own mobile app which will also consume this API. Obviously I'd like to avoid having the user get asked the familiar "would you like to allow this app to use your account" when performing a login. Obviously we can't embed a secret in the app, (hence pure OAuth would be unsuitable for this). However, I don't want to create an API endpoint to which a username and password can be sent since this would effectively bypass the OAuth scheme entirely.
On the web site, we can just dump the api token into the DOM after a regular form submission, and allow the Angular app to use it from there; but this simply isn't practical in a mobile app.
So my question is; how can we securely identify login requests from our own mobile application? How does (for example) Facebook know that it's the Facebook app supplying the username and password when authenticating, and not some 3rd party application?
I'm using Rails to write an API for mobile application and OAuth seems like a standard way to handle user authorization.
If I understand Doorkeeper docs correctly it requires user to be signed in with the website before it grants access for the mobile app.
The issue in may case is that there really isn't any website (it may be in the future but for now it's just api). I would like the user creation/signing in etc be handled in the ios application.
This makes me wonder if OAuth is the correct solution here?
The OAuth "Resource Owner Password Credentials Grant," according to rfc6749 Section 4.3, will grant an authorization token and optionally a refresh token given user name and password. Thus the mobile app doesn't have to store user name and password to gain authorized access. It becomes like a long running session using token and refresh token. OAuthClientSetup an iOS example that runs against a doorkeeper api.
So there is the OAuth method for gaining authorization without having web site login authentication and access grant.
What is left is how to register new users from your mobile app. Agree that does not look to be covered by OAuth. OmniAuth will let you register a user authorized by a third party site. You allow the user to be the user they are on Twitter or FaceBook, StackOverflow or GitHub or wherever else. Maybe that would help.
Just need a very basic detail clearified.
If I'm trying to implement au OAuth authentification system for my website, it mean my website is REQUIRED to have a facebook, google and twitter account ?
For example: I have no intention for my website to have a twitter presence, but I want twitter users to be able to use OAuth to login on my website without registering manually.
I really need to open a twitter account to get my clientID and secret key code ?
Yes, it looks like you need a Twitter account in order to create a Twitter application, but it doesn't have to be an account for your website. For instance, if I want to create a "Sign in with Twitter" button on my, page, I can just log into the dev site using my personal account and create an application. Follow the steps here. In particular following the "application settings" link will prompt you to login, and then you can create an application.
Facebook likewise requires you to have an account and create an application. They then provide API keys that can be used in the OAuth login flow. They have two ways to get a token: a server side flow that provides a longer lived token, and a client side that gives a shorter one. For more details see this page.
With Google, if you use their OAuth 1.0 flow, you can do a login without creating an application (https://developers.google.com/accounts/docs/OAuth). However, it looks like their preferred way is their OAuth 2.0 flow through Google+. See this page.
I'm creating an app for iOS that consumes an API I've created, which requires authentication and authorization of users. I'm thinking of using OAuth to let the mobile users do this with Facebook. This is an internal API that isn't meant to be exposed to third parties.
Anyway, I'm a little confused about the abilities and limitations of OAuth consumers versus OAuth providers. Basically, I want to implement "Login with Facebook" functionality from the iOS app. It seems to me that this implies that my API should be an OAuth consumer, but the problem with this is that the login flow for a web app assumes a browser -- an NSURLConnection instance isn't going to know what to do with an HTML login page, and even if the redirect to the login page was made to work by prefixing the redirect URI with the fb:// schema, surely the login form is going to pass the authorization token back to the iOS app and not my API?
So my question is: is there a way to implement my API as an OAuth consumer? If not, and I should implement it as an OAuth provider, what does logging in with credentials from another provider like Facebook even mean?
I think things are a bit mixed up:
OAuth is to Authenticate your app against facebook. A user grants
access to his FB account to your app on behalf of him
"Login with FB" is the other way round and is not OAuth: A User
with an FB account is using this data to register AND login to your
app.
The entire flow of the # 2 can be read here.
Is there a way to authenticate to Facebook / Twitter using basic authentication? the application I am working on requires posting to those two sites without the need to open the oAuth Dialog.
Both twitter & facebook don't support basic auth.
No, thank goodness.
Basic authentication requires that you take the user's password, which is a secret between them and Twitter/Facebook. You shouldn't be asking for it.
If your app is physically unable to display the dialog, OAuth 2.0 (not available on Twitter) offers a way (last I checked) for an independent web browser on another computer to perform the OAuth authorization process to your app running on some limited device.