I am trying to make a mobile app in React-Native and Server in Spring-Boot which have a OAuth2 implemented API endpoints.
My question is how can I integrate Social Logins into my React-Native app which in save a user in my user table. apart from Social login I am using naive register/login flow which require username/password to provide access token from OAuth2 Server. How can I do the same with Just Social Login without prompting user any password or other extra information.
any general solution for this will help regardless of tech I am using.
Thanks
Usually when using social networks to login/sign up you'll get a token returned in your app which you can send via your REST API and on your backend it can then retrieve the users information from the social platform used depending on the granted scopes(e-mail, username, etc...) and store the retrieved values in the database.
Thats basically how it works in general, but if you want to have more information you probably still need to share some more info about your tech used.
Hopefully that helped you out ;)
Related
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I have an app idea and need to implement authentication. Because of the nature of my app, I only want linkedin users to be able to access my app.
After reading a bit about spring oauth / spring social / etc, it seems its definitely possible to use something like Linkedin to access MY app. I want a user to see linkedins login button on the first view of my app, create my own version of this user in my app, and then allow the user to use my app.
After my findings I have found the generic flow
*user authenticates via social login button
*client app redirects user to service provider to receive a token
*client uses token and makes another request to service provider to receive auth token
*now my client app can make calls to service provider with auth token of user(this is the part where I am a bit confused)
*I want to use this token to validate calls against MY api NOT linkedins(is this wrong)
I don't really care to make calls to Linkedin on behalf of the user(except to pull user information). I ONLY want linkedin auth so that I know that users who use my auth are valid linkedin users. I thought something similar to Tinder where you MUST have a facebook account, I want to copy that design but couldn't find any hints from google. It seems the examples I find online all use the social login to ultimately use the service providers API.
I also read some stuff about SSO which sounds like what I want, but I definitely plan to add at least 1 more social login down the road. My clients will use a browser or mobile app.
I guess the main question here is once I authenticate a user using social login, am I supposed to use his existing connection to make calls to my API or create a new connection somehow. My goal is when a user does a social login, he now can access MY app, I want to reuse their existing connection without authenticating them into mine(only store their info). I want to follow best practices.
I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it required the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.
Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.
I have developed a web application (spring mvc, spring security) which has a its own login.
Now I want to change the application to login with an another web site's (2nd web) credentials and also need to get some user details from 2nd website.eg: username, user role list for create authentication object.
Please help me to choose best way to do this.
Is openID or oauth2 better for my client application?
OpenID and oAuth are 2 different things.
Lately, Google announced it stops supporting OpenID, so maybe oAuth2.0 is a better option for you.
Note that if you choose oAuth of 3rd-party, you force your users to have account there. for example, if your application (the resource server) uses Facebook for authentication/authorization, your users will HAVE TO have account on Facebook (you want that?!).
If you work with OpenID, your users have several options of where to hold their account...
If you have another 3rd party (or in-house, it does not really matter) authentication server and you want to authenticate your users with it - you have to know what specifications it supports. For example, if it supports oAuth2.0, you can pretty easily configure your app to work with it.
Hope that helps...
If I understand you correctly, you are talking about using Social Networks like Google+, Facebook, to be able to login to your application (This is identity services, where you don't have actual password, but rather access token with limited scope).
For that there is a Spring Social, project, that provides set of abstractions, for such kind of integration, including additional Spring MVC Controllers, needed for proper authentication in this Social Networks.
I am kind of new when it comes to fetching users data from social networks,
i need to extend my application and develop some kindof users data collector module
which in generally will be responsible for fetching data on my application users from social networks.
lets assume i have a user X which sign into my application with his facebook account.
can i fetch data on user X from facebook social graph only when he logged into ( my application/ facebook / both/ when ever i want )?
i was reading a beat on spring social framework, at first look it seems exactly the framework i need for my module.
the thing is that in all the examples i saw that each time fetching is required the user should manually allow it or it might be every time he logged into the application , also when looking at the code i think i saw that for each user a service provider
should be created, all the examples implies that spring social is not ment for background daemon which will fetch users data with minimal users attention.
does spring social can answer my requirements?
there are other java open source options?
You can use Spring Social to access a social network on a user's behalf as long as you have a valid OAuth authentication token for that user. It's up to the provider (e.g. Facebook, Twitter, etc.) to dictate how long the tokens remain valid and how you can get new valid tokens. You'll have to read the provider's documentation to determine if the kind of background access you want is allowed by the provider. If it is allowed by the provider, than you ought to be able to use Spring Social to perform the operations you want to perform.
One example is Facebook. Facebook used to let you ask for a permission called "offline_access" which would result in your application receiving an authentication token for the user that would never expire (or at least wouldn't expire for a long time). They are deprecating this, though. For more information about Facebook specifically check this thread on the Spring Social forums:
http://forum.springsource.org/showthread.php?123685-Facebook-offline_access