Is there a way to authenticate to Facebook / Twitter using basic authentication? the application I am working on requires posting to those two sites without the need to open the oAuth Dialog.
Both twitter & facebook don't support basic auth.
No, thank goodness.
Basic authentication requires that you take the user's password, which is a secret between them and Twitter/Facebook. You shouldn't be asking for it.
If your app is physically unable to display the dialog, OAuth 2.0 (not available on Twitter) offers a way (last I checked) for an independent web browser on another computer to perform the OAuth authorization process to your app running on some limited device.
Related
I have a first-party authorization server and I'm developing a first-party native mobile app and a SPA as a client. I noticed that the latest version of OAuth 2.0 no longer supports the "password grand type" and recommends using the "authorization_code grand type" instead, for mobile apps and SPAs.
My app has a native login screen and my SPA has its own unique login screen, and I want to avoid redirecting the user to the authorization server's login page or prompting a popup for login credentials since the authorization server is a trusted first-party server.
I'm wondering if OAuth 2.0 is still a good choice for first-party mobile app clients or SPA in this situation, and if there is a way to directly request a token through an HTTP request flow using user credentials obtained from the native mobile app login screen?
Any advice or insights on how to proceed would be much appreciated. Thanks in advance!
I found these two articles on this topic.
https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cases-examples/
https://www.ory.sh/docs/hydra/concepts/before-oauth2
I have been working on implementing OAuth in my project's API. As a part of this project, we have a mobile app that authenticates a user via this API, using a password grant (this grant actually sends the given credentials on to an upstream authentication server that doesn't implement OAuth - so it is required).
This mobile app also has the functionality whereby it opens a webview to some pre-determined websites. The idea is that these websites would be able to authorize on behalf of the user using the authorization_code grant.
This is where my question comes in. When authorizing the websites, we obviously require that the user be authenticated with our API. However, the user authenticated via the password grant in the app, and not in the webview.
How would we transfer the authentication from the app to the API when the authentication was done in the app? My thinking is that setting a cookie containing the token on the API's domain would be the best way of implementing this?
Apologies if the question is not as clear as it could be. I'm struggling with how best to phrase and explain my question.
Good question - I have implemented this in the past via a strategy pattern:
When webview is hosted in a browser (which was an SPA in my case), handle tokens in a standard SPA manner - eg token renewal on an iframe / full screen login redirects
When webview is hosted in a mobile app, detect this via the user agent and call back the mobile app to do things like refresh a token or initiate a new mobile login
It is tricky but makes sense since web / mobile have very different solutions for token renewal / storage / login
It is the sort of practical real world use case where you find pretty much zero guidance online. Happy to answer any follow up questions.
so i have an application based on the ionic-framework and a server side based sails.js.
my application uses data like username, passwords, user image etc.. so i though i'll be a good idea to use google sign up using OAuth 2.0.
I have no idea how to implement that to my application. could you please give me a wide detailed explanation with some examples on how OAuth 2.0 is working with sails?
Have you tried using sails-generate-auth ? It is based on passport and it generates whole authentication layer for your sails.js application including OAuth2.0 and OpenID.
Edit
More information about accessing third-party user's profile details:
next step after the oauth authentication - sails
Google recommends migrating from the deprecated Clientlogin to OAuth 2.0. Let's assume I've got OAuth 2.0 working.
How can I then give the user a link that grants him authorization to one of his google pages without having to enter all login data again? (How to skip the login process?)
With Clientlogin this was possible - you could receive all needed tokens and start a TokenAuth. This was tricky because it wasn't documented, but worked.
How can I do this with OAuth 2.0?
Just to make it clear - I'm developing an installed application.
You cannot do that in OAuth 2.
But if you open the link in the default external browser then most likely the user already has an active session. If not, then the user will have to login only once.
Okay, I've found a way.
I'm switching to OAuth2 and in the process hijack the google cookies.
OAuth 2 isn't more secure than the older ClientLogin. At one point, the user has to enter his credentials and once authenticated, I gain access to the SID and LSID.
With SID and LSID I can go the old way with TokenAuth OR directly merge sessions.
I'm developing a mobile app that will interact with a rails app that's essentialy a json api. Is it possible to use an external identity provider such as facebook or googleplus to secure the access to my API?
Users will upload a photo to a json rest service but the rails app would only allow the upload if the uses is authenticated with one of those providers.
I've checked omniauth gem but I don't know if that's the path to do it. I don't understand very well how oauth works so I'm trying to know if this would be possible to do.
Regards
Fak
The answer, in part depends on how you're going to provide Identity via the mobile app. The user's authentication, and their identity are de-coupled.
My guess is you're wanting the user to authenticate to the mobile app using the Google/Facebook sdk app side. To do so, you'll need to use that sdk to generate a token, which can then be saved to Rails. The token can then be required as part of each API request - which rails will validate.
The topic is a bit complex to fully describe the flow....but in essence: 1) Create the token on the mobile app using the mobile sdk, 2) save the user and token to Rails/database, 3) as part of every request check the access_token provided.
Since the topic of Oauth and request/identity providers takes some time to understand, I would first watch he following railscasts on securing an API. Once you're done with that one (and understand the concept), you can also watch this railscast.
Hope this helps.