Im having tough time getting a good understanding of how to setup SSO for our app. We're developing a web app that has a Flask-Python backend with a React frontend and its hosted on Heroku. We need to setup SSO to SFDC as the app needs to fetch the users list of opportunities in SFDC upon a successful SSO. I would really appreciate it if someone could point me to the right direction. I've setup a connected app in SFDC but not sure if we should use SAML or OAuth for the SSO to SFDC.
Many thanks.
-Sol
Related
I have a Rest API developed with Spring Boot and neo4j as a database. There is no Frontend in the Spring Boot App. It only serves as a Backend. The Frontend is developed in Flutter.
In my app, the end user has to sign up and login with theis user credentials. The user management is currently handled with Spring Security and JWT, generating and storing the tokens with AuthenticationProvider, UserDetailsService and so on.
Now, we are migrating our whole infrastructure to Microsoft Azure. We already managed to get the DB, the Backend (as the Spring Boot App) and the Frontend there.
The question now is whether it makes sense to migrate the User Management to Azure Active Directory. Is this the right use case for that, or is Azure Active Directory actually there for other use cases?
Also, I want to use my Login and Signup Forms built with Flutter. I only found solutions so far where you get redirected to this Microsoft Login Form. I want to signup/login directly from my Flutter App, and then use the token for my requests in the Spring Boot App.
Does this even make sense? If yes, how can I realize that? I was searching for hours but I didn't find any proper solutions.
If you use AAD you will have to use the OAuth redirect based Microsoft login experience. There is no way around that.
If you can't think of any way you or your users will benefit by migrating to AAD, then there's no reason to do that. You're doing a bunch of work, and incurring risk, for no real benefit.
I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it required the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.
Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.
I'm an Android newcomer - just starting learning the system by writing my first mobile application for personal use.
I faced an issue with the Rest API developed by Spring and secured by OAuth. What OAuth flow should be used to authenticate the client and fetch the access token to the API?
What I'm trying to achieve is the user experience offered by Google or Facebook mobile apps - just login into the app without any redirects, approval screens.
I'm looking for a solution for a few days - no luck - that's why I've decided to ask a question.
We publish an app that use OAuth 2.0 API access on Google Apps Marketplace. It got reviewed by Google and they said our app is invalid because it shows permission screen when a user first runs the app. (The app will be removed from the Google Apps Marketplace if our app is not fixed within 30 days) To solve this issue, we have some problems.
Our app uses OpenID Connect to make users login.
Our app also uses Spreadsheet API and Calendar Resource API (OAuth 2.0 Web Application Flow)
So our questions related above is the followings:
1.
Although our app uses OpenID Connect for login, using OpenID Connect forces our app to show the permission screen. Doesn't it meet the best practice below of Google Apps Marketplace?
https://developers.google.com/apps-marketplace/practices#5_use_one-click_single_sign-on
We followed the OpenID Connect document provided by Google:
https://developers.google.com/accounts/docs/OAuth2Login
2.
Since Spreadsheet API and Calendar Resource API don't currently support the authentication method using Service Account with OAuth 2.0, we chose to use the method of Web Application Flow. Our app get the token when users login, but Google said to us that it fails to meet their SSO requirements. To solve the issue, we are thinking to change our app to authorize AFTER login within the app instead (use Web Application Flow method as it is). Does the way meet the SSO requirements? In other words, is it OK to show permission screen if after login?
We will applicate if anyone can tell us good solution to solve these problems.
Thanks,
If you register your scopes in the Google Apps Marketplace configuration screen, and then only request those scopes in the OpenID Connect flow, then the permissions screen should be automatically skipped. Please ensure the scopes match between these two locations.
I have the task to build a new API. The API will mainly be used by tablet applications.
I'm thinking of using the new ASP WebApi.
My biggest concern however is the security part. Because the apps will be build by third-party companies, we do not want that usercredentials will be entered in their application, but redirected to our site (authenticationserver).
I have done some researching and I came accross OAuth 2.0. For working with mobile devices and tablets it's probably the best to work with the 'autohorization code flow' principle -correct me if I'm wrong-.
Am I thinking in the right direction or are their simpler authentication systems to achieve my goal?
Are their any frameworks (.NET) available (or documentation) how to create an Authentication Server and how to use it in the Asp webapi?
Is it easy these days to implement oauth2.0 in an IOS app?
Thanks for any help!
OAuth 2.0 authz code based grant is suitable when client app is a Web application. Will the apps that are going to be built by third party all be Web applications? There are HTTP redirects involved in that flow.
In OAuth 2.0, there is a client, there is a resource server (Web API in your case) and there is an authorization server. There is no such thing as Authentication server. Are you referring to some thing else?