I'm doing some Android app that needs API and users.
I'm planning adding login (and register) button via Facebook.
I'm wondering: how should the flow of such an operation look like?
My idea:
Request the Facebook token in the app.
Send the token to the laravel backend by POST request (is this even secure approach?)
Get the Facebook user by Facebook token using socialite
Create / auth laravel user using Facebook user.
Return laravel's bearer token to the app (do I need passport to get the token or laravel has something built in?)
Is this the best approach?
Related
We have a website that uses a remote Laravel API app to store its data.
Although the user appears to log into the website, it actually is authenticating to Laravel Passport on the remote Laravel app and then all data is requested on demand.
We would like to redirect the website user to the Laravel app on a web route, but without the user having to login again.
So what would be the most secure way to pass the user across, most likely using the bearer token, to the remote Laravel app and then authenticate the user based on that token ?
I am working on the backend for our two applications, which require sign-in and sign-up with a google account via REST - SPA app in Vue and Angular app.
I am thinking about this flow:
User from SPA or mobile application will log in google auth server with his credentials
App receive auth code from google
App request for sign-in / sign-up with this code to our auth service
Auth service fetch information about the user from google by this token, and generate jwt token for our SPA / mobile app which return back
Can you tell me if Spring Social module provides some endpoints to handle and generate this tokens via REST or I must implement it by myself? Thank you.
I want my users to be able to access my Laravel application from their mobile app (Android/IOS).
The application has authentication, as laravel requires CSRF in forms so I decided to use REST API. After searching I've found Laravel Passport, JWT-auth. (I don't need to use anything like Oauth, socialite).
As I dig into JWT-auth, I found anyone having "token" can access to user accounts that is very much risky.
What should I do? Is there any way I can request to server from mobile application for CSRF Token and send it to the server while requesting authentication. (My input fields are static to the mobile app)
I have built a website with vuejs front-end and laravel back-end.
Only way to login is via Facebook Login using Socialite
All that works fine.
Now I am building some React Native apps (Ios/Android) that also use Facebook login but need to interact with the same web api.
I want to use JWT to secure the API for React Native -> Laravel API
I set up JWT w/ Dingo on Laravel side and I am able to generate a token using the JWTAuth::fromUser(). And I have established some API endpoints that use the token to authenticate.. so far so good.
Now here's the part that becomes sticky. I understand that on the Laravel side of things you can create JWT token with any user.. right now the JWT "identifier" is simply "id".. and it's my understanding that the token I generate from JWTAuth::fromUser() simply has no idea or care that this user doesn't have conventional credentials and instead used a Facebook Login.
On the React Native side however.. when a new user first authenticates via the Facebook Login.. it has no idea what the "matching user" is on the Laravel app, all I have to go on is basically the unique Facebook Provider Id.
So the question is as follows:
How can I generate a JWT token on the React Native side using only the Facebook Provider Id and the JWT Secret, and more importantly, how do I modify my JWT code on the Laravel side so that it can understand tokens that were generated with the Facebook Provider Id and JWT Token
In other words, I think my Laravel JWT implementation needs to be modified so that tokens are created/parsed purely on the basis of the Facebook Provider Id because otherwise it won't match up with tokens generated on the React Native side.
Many thanks!!
Ok after doing some reading I think this flow might work. Your thoughts please?
1 User authenticates via Facebook on in on Android/Ios app
2 Retrieve facebook access token
3 Do api call to public endpoint on web server and pass FB Access Token and FB ID
4a Web server makes Facebook Graph Api call w/ Access Token and verifies token is valid, is authenticated with Facebook App, and matches Facebook ID
4b If user doesn't exist on web first.. create user
5 If above matches, then web servers generates JWT token from user model and returns JWT token to app
6 App now uses JWT token for future API calls
I am writing a RESTFUL API in Laravel 5.2 which will be rolled out to third party users.
Users will be given an API KEY upon sign up which will be used for authentication when api would be called. I want to use JWT-AUTH for authentication but that seems to be generating a token based on user's email and password. Is it possible that I could use JWT-AUTH for api key authentication?
Yes. JWT can be used for API authentication. OAuth is the standard for API authentication and authorization, which also use JWT, For more check here : https://auth0.com/blog/using-json-web-tokens-as-api-keys/