The site i am currently working on has been build in grails 3. The previous developers have build the majority of the front end in gsp, The end goal is to use react on the front end and just use grails as a rest api.
I am currently tasked with creating a new edition for the site and it will be the first component in react that needs authentication credentials to interact with users data.
this needs to be done before the rest of the site is transitioned here and there too react.
is there a way that i can gain access to a user's information that has signed in using gsp pages in react?
So i need to somehow securely pass the users information that is currently signed in on the non react site to the new react section without them having to sign in again. is this possible?
The best option is your grails backend issue a JWT token. This token identifies the user and can be used to securely access your API. Then you can have an API endpoint that returns detailed user information, if you need.
Related
I have a Rest API developed with Spring Boot and neo4j as a database. There is no Frontend in the Spring Boot App. It only serves as a Backend. The Frontend is developed in Flutter.
In my app, the end user has to sign up and login with theis user credentials. The user management is currently handled with Spring Security and JWT, generating and storing the tokens with AuthenticationProvider, UserDetailsService and so on.
Now, we are migrating our whole infrastructure to Microsoft Azure. We already managed to get the DB, the Backend (as the Spring Boot App) and the Frontend there.
The question now is whether it makes sense to migrate the User Management to Azure Active Directory. Is this the right use case for that, or is Azure Active Directory actually there for other use cases?
Also, I want to use my Login and Signup Forms built with Flutter. I only found solutions so far where you get redirected to this Microsoft Login Form. I want to signup/login directly from my Flutter App, and then use the token for my requests in the Spring Boot App.
Does this even make sense? If yes, how can I realize that? I was searching for hours but I didn't find any proper solutions.
If you use AAD you will have to use the OAuth redirect based Microsoft login experience. There is no way around that.
If you can't think of any way you or your users will benefit by migrating to AAD, then there's no reason to do that. You're doing a bunch of work, and incurring risk, for no real benefit.
I have to implement OAuth for graphql API in Magento, I went through the documentation of Magento but I found that only we can authenticate by using username and password
https://devdocs.magento.com/guides/v2.4/graphql/authorization-tokens.html
https://devdocs.magento.com/guides/v2.4/graphql/mutations/generate-customer-token.html
We are creating a PWA application and web application is going to use it directly
Is there any other way to authenticate means any other authentication layer
Including this below to this very old question, if in case some others coming across this question.
Magento Graphql in the core implemented currently to handle more of frontend user request which will be in the form of either asking for some data that's either only to read or submit personal data (such as placing order with address)
There are modules available with the support of Graphql to handle E2E ERP sync (products & order fulfillment) , OOTB does not support everything that you might able to do with the use of oAuth Integration token + REST API.
You would want to determine the actual outcome or scope to decide on the authentication / authorization mode and then decide on the API layer medium. If in case of Integration token based approach is what decided for data / access security reasons then REST API will be easier option for the most of the OOTB functionalities.
I am trying to make a mobile app in React-Native and Server in Spring-Boot which have a OAuth2 implemented API endpoints.
My question is how can I integrate Social Logins into my React-Native app which in save a user in my user table. apart from Social login I am using naive register/login flow which require username/password to provide access token from OAuth2 Server. How can I do the same with Just Social Login without prompting user any password or other extra information.
any general solution for this will help regardless of tech I am using.
Thanks
Usually when using social networks to login/sign up you'll get a token returned in your app which you can send via your REST API and on your backend it can then retrieve the users information from the social platform used depending on the granted scopes(e-mail, username, etc...) and store the retrieved values in the database.
Thats basically how it works in general, but if you want to have more information you probably still need to share some more info about your tech used.
Hopefully that helped you out ;)
We have a web application with Rich Client Architecture.
We use React for our client side and Java/Spring for our back-end.
Now the question is should login page be a part of our react program or not?
As I know, if we do so, the downsides are:
The UI is not protected and everyone, even those without any access, can download the whole UI app.
Everyone, even without access must download the whole UI application before logging in.
And the upsides are:
The page need not to be refreshed when someone logeed in.
Front-end and back-end parts can be totally separated without any shared sessions.
In most known apps such as gmail, slack, etc. the rich client app (angular, react, etc.) is just after logging in and I just don't know any application with the first approach.
Frontend is generally not protected. There are potential ways to make it harder to brake code, but it will be always possible.
Because of 1 -> you should not keep any sensitive data in frontend.
As an secured way of transfering data from Spring backend to React(or any other like Angular,VueJS etc) you should probably use JWT or OAuth2.
You can decode your JWT on frontend (but only backend can verify if it is valid token so don't worry) to get encoded scopes,roles etc to use them e.g. to show admin only options.
To answer your question - login page definitely can be part of React app, as it will send login credentials and get back JWT from backend
When user is logged in - you will attach JWT in headers with every request, so your Spring Security can check it and authorize request.
I've integrated Spring Security OAuth in my JAVA backend so that my mobile Android application (using the Facebook Login SDK) can benefit from Facebook Login. In the current flow, the APP uses Facebook Login SDK to fetch an access token from Android, and then passes to the JAVA/Spring backend. Then, another OAuth access token (specific to our backend) is issued and sent back to the application.
I wish I could automate the testing, in other words being able to generate fresh Facebook access tokens. And then test the whole stuff into the access to resources on my backend. My entry point is a Facebook access token.
I've failed in generated on-the-fly access tokens, then looked into never expiring tokens, I could hard-wire in my tests.
However, I've failed in generating never-expiring tokens : at best, changing a short-lived token to a long-lived token returns a token valid for 2 months only.
I've also tried https://www.facebook.com/dialog/oauth?client_id=xxxxxxxxxxxxxxx&redirect_uri=http://www.xxxx.com&granted_scopes=email,public_profile , but this only works when my cookies are available (only works from my web browser).
Also tried getting a device code, but I was stuck at the point where I had to "simulate" the user submitting the code into the web form.
Is there a known way to automate the testing ?
As #The1Fitz explained, "you cannot get a never expiring token anymore. You will need to make do with the maximum 2 month expiry date."