Rest API + OAuth2 - trusted mobile application - spring-boot

I'm an Android newcomer - just starting learning the system by writing my first mobile application for personal use.
I faced an issue with the Rest API developed by Spring and secured by OAuth. What OAuth flow should be used to authenticate the client and fetch the access token to the API?
What I'm trying to achieve is the user experience offered by Google or Facebook mobile apps - just login into the app without any redirects, approval screens.
I've been looking for a solution for a few days - no luck - that's why I've decided to ask a question.

Related

How to integrate Outlook calendar for MS work account users using Spring Boot?

I want to build a feature where I want to sync users' Outlook calendars with my app. Any event which users create/reschedule/delete from my app should be reflected in the users' Outlook calendars. The first step for this, however, would be getting an access token and refresh token for the users by authenticating them. How can I build APIs to authenticate users and get the token for further use?
I have checked that there is the MS Graph API, which can be used in my use case. But I'm unable to find resources regarding how to use these APIs from my Spring Boot application. Also, this is not regarding the login/signup flow. I have another login flow. I don't want users to log in to my app via their Outlook email.
To enable your Java Spring Boot web app to sign in users and call Microsoft Graph with the Microsoft identity platform:
Overview:
This sample demonstrates a Java Spring Boot web app that signs in users and obtains an access token for calling Microsoft Graph. It uses the Azure AD Spring Boot Starter client library for Java for authentication, authorization, and token acquisition. It leverages Microsoft Graph SDK for Java to obtain data from Graph.
For more information: https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph#enable-your-java-spring-boot-web-app-to-sign-in-users-and-call-microsoft-graph-with-the-microsoft-identity-platform
Hope this helps.

Mobile sign up with spring social

I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understand, mobile requires a different OAuth flow than the one described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it requires the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information on how to best do this with Spring Social, or whether Spring Social supports this use case.
Could someone point me in the right direction? I only found information on how to do this with a single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be:
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g. email) from the OAuth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.
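The backend half of the flow described in this answer (provider token in, app JWT out), written as an added illustration rather than the answerer's code or a Spring Boot sample. The provider lookup is a constructed in-memory stand-in (`fake_userinfo`, `FAKE_PROVIDER_TOKENS`) so the example runs offline; a real backend would call the provider's userinfo endpoint over HTTPS, and the user table `USERS` and `APP_SECRET` are likewise constructed.

```python
import base64, hashlib, hmac, json, time

APP_SECRET = b"constructed-demo-secret-change-me"  # HS256 key for the app's own JWTs

# Constructed stand-in for the identity provider: SDK-issued token -> profile.
FAKE_PROVIDER_TOKENS = {
    "fb-token-alice": {"id": "1001", "email": "alice@example.com", "verified": True},
    "fb-token-mallory": {"id": "1002", "email": "mallory@example.com", "verified": False},
}
# Constructed existing user table keyed by email (the "link with existing users" step).
USERS = {"alice@example.com": {"uid": 1, "name": "Alice"}}

def fake_userinfo(token):
    """Stand-in for the provider's userinfo call; a real backend does this over HTTPS."""
    return FAKE_PROVIDER_TOKENS.get(token)

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_jwt(uid, now=None, ttl=3600):
    """Mint the app's own HS256 JWT; this is what the mobile app sends to the API."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"sub": str(uid), "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(APP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token, now=None):
    """API side: check signature and expiry before trusting the `sub` claim."""
    header, payload, sig = token.split(".")
    expected = b64url(hmac.new(APP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    return claims if claims["exp"] > now else None

def exchange_provider_token(provider_token, userinfo=fake_userinfo, now=None):
    """Backend sign-in endpoint: provider token in, app JWT out (or an error)."""
    profile = userinfo(provider_token)
    if profile is None:
        return {"error": "invalid_provider_token"}
    if not profile.get("verified"):  # do not link accounts on an unverified email
        return {"error": "unverified_email"}
    email = profile["email"].lower()
    user = USERS.get(email)
    if user is None:  # first sign-in with this identity: create and link
        user = {"uid": max((u["uid"] for u in USERS.values()), default=0) + 1, "name": email.split("@")[0]}
        USERS[email] = user
    return {"token": issue_jwt(user["uid"], now=now), "uid": user["uid"]}
```

The mobile app never sees `APP_SECRET`; it only forwards the provider token once and then presents the returned JWT on every API call.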

ADFS 2016 - ApplicationGroup - single native app - multiple web api endpoints

I'd like to validate the following scenario:
ADFS (win2016) is acting as an Identity Provider in a setup where
a single mobile app is consuming 2 APIs
api.contoso.be
otherresource.contoso.be
These three applications are grouped together in an ADFS Application Group:
mobile app as a "Native application"
api.contoso.be and otherresource.contoso.be as "Web API" applications
The mobile app gets an access token when authenticating successfully against ADFS.
The access token is provided with an aud claim for "api.contoso.be".
Problem: I'm currently unable to reuse that same access token to access the second api "otherresource.contoso.be".
Question: at this point I'm not 100% sure that ADFS ApplicationGroups are meant to support such a scenario.
If so, I'm probably overlooking something in the ADFS-configuration.
If not, what's a better ADFS setup to support this scenario?

Not displaying the permission screen for each user (case: using an API that doesn't support Service Account authentication)

We publish an app that uses OAuth 2.0 API access on the Google Apps Marketplace. It got reviewed by Google and they said our app is invalid because it shows the permission screen when a user first runs the app. (The app will be removed from the Google Apps Marketplace if our app is not fixed within 30 days.) To solve this issue, we have some problems.
Our app uses OpenID Connect to make users login.
Our app also uses Spreadsheet API and Calendar Resource API (OAuth 2.0 Web Application Flow)
So our questions related to the above are the following:
1.
Although our app uses OpenID Connect for login, using OpenID Connect forces our app to show the permission screen. Doesn't it meet the best practice below of Google Apps Marketplace?
https://developers.google.com/apps-marketplace/practices#5_use_one-click_single_sign-on
We followed the OpenID Connect document provided by Google:
https://developers.google.com/accounts/docs/OAuth2Login
2.
Since the Spreadsheet API and Calendar Resource API don't currently support the authentication method using a Service Account with OAuth 2.0, we chose to use the Web Application Flow method. Our app gets the token when users log in, but Google told us that it fails to meet their SSO requirements. To solve the issue, we are thinking of changing our app to authorize AFTER login within the app instead (using the Web Application Flow method as it is). Does this way meet the SSO requirements? In other words, is it OK to show the permission screen after login?
We would appreciate it if anyone could tell us a good solution to solve these problems.
Thanks,
If you register your scopes in the Google Apps Marketplace configuration screen, and then only request those scopes in the OpenID Connect flow, then the permissions screen should be automatically skipped. Please ensure the scopes match between these two locations.

API authentication

I have the task to build a new API. The API will mainly be used by tablet applications.
I'm thinking of using the new ASP WebApi.
My biggest concern however is the security part. Because the apps will be built by third-party companies, we do not want user credentials to be entered in their application, but redirected to our site (authentication server).
I have done some research and I came across OAuth 2.0. For working with mobile devices and tablets it's probably best to work with the 'authorization code flow' principle - correct me if I'm wrong.
Am I thinking in the right direction or are there simpler authentication systems to achieve my goal?
Are there any frameworks (.NET) available (or documentation) on how to create an Authentication Server and how to use it in ASP Web API?
Is it easy these days to implement OAuth 2.0 in an iOS app?
Thanks for any help!
The OAuth 2.0 authz code based grant is suitable when the client app is a Web application. Will the apps that are going to be built by third parties all be Web applications? There are HTTP redirects involved in that flow.
In OAuth 2.0, there is a client, there is a resource server (Web API in your case) and there is an authorization server. There is no such thing as an Authentication server. Are you referring to something else?