Create a custom auth provider that authenticates through an external API? - laravel

I'm new to Laravel.
I already have an API that authenticates users and creates a JWT token for it. Now in my new app, I want to outsource authentication and authorization to this API.
This new app acts like a front-end for the API, and the API handles the logic of the app.
I'm not completely familiar with this type of architecture, but I think it's a 3-layer architecture that has been divided physically.
The main problem for me is to handle authentication of users and how to turn the stateless logic of the API into a web app.
Should I create a custom auth provider?
How? Could you provide an example?

Thanks to everyone, but the final solution was creating a middleware that handles authentication. For example, the middleware authenticates the user through a form and saves the JWT token in a session.
This easy step solved all my problems.
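
The middleware approach described in the post above, as an added example that is not part of the original thread. The class name `EnsureApiToken`, the session key `api_jwt` and the route name `login` are assumptions; the login form handler is assumed to have stored the API-issued token under that key after a successful login.

```php
<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// Assumed names (not from the thread): session key 'api_jwt', route 'login'.
class EnsureApiToken
{
    public function handle(Request $request, Closure $next)
    {
        $jwt = $request->session()->get('api_jwt');
        if (!is_string($jwt) || $this->isExpired($jwt)) {
            // Flush the session and rotate its ID so nothing tied to the
            // old token survives, then send the user back to the form.
            $request->session()->invalidate();
            return redirect()->route('login');
        }
        // Make the token available to controllers that forward API calls.
        $request->attributes->set('api_jwt', $jwt);
        return $next($request);
    }

    // Reads only the 'exp' claim to decide whether to re-prompt for login.
    // The signature is NOT verified here: the API that issued the token
    // remains the authority and must verify it on every forwarded request.
    private function isExpired(string $jwt, int $leeway = 30): bool
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return true; // not a compact JWT: fail closed
        }
        $b64 = strtr($parts[1], '-_', '+/');               // base64url -> base64
        $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
        $claims = json_decode((string) base64_decode($b64, true), true);
        $exp = is_array($claims) ? ($claims['exp'] ?? null) : null;
        if (!is_int($exp) && !is_float($exp)) {
            return true; // missing or malformed expiry: fail closed
        }
        // Expire slightly early so a forwarded call is not rejected mid-flight.
        return time() >= $exp - $leeway;
    }
}
```

Because the token is held server-side in the session, the browser only ever sees the session cookie; the login handler should also regenerate the session ID at the moment it stores the token.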

I think what you're looking for is creating a custom guard. See docs here.

Related

OAuth middleware in Laravel

I managed to successfully complete the OAuth flow and gain an access token for the user. The OAuth is on a separate server & identity provider (OpenID Connect).
Now, I need to add middleware to check that the user is authenticated throughout his session in the application.
Any idea/directions on how I can manage this? Quite lost.

Seems like Pathfix does exactly what you are looking for. It is a serverless OAuth middleware, if you want to try it out. Might save you a whole lot of time setting up and deploying a middleware.
Disclaimer: I am part of the Pathfix Team :)

Working with a separate Identity Web API and authorize in another API

I currently have an ASP.NET Web API that uses identity authentication which an Angular client then uses to authenticate users using an access token.
I want to have another separate RESTful API that deals with the logic, CRUD operations etc. side of things but I want this to have [Authorise] on the controllers to ensure it is secure.
What would be the best way to achieve this? Do I have to install identity on this logic API too?
Any help on this would be really appreciated.

Choose best authentication and authorization option for Web API

We have our own existing web portal in ASP.NET MVC. Now one of our customers does not want to use our portal as a separate tool; instead they want to consume our features via Web API on their side.
Now I want to implement authentication and authorization in the Web API. I googled to find an answer to my question, but didn't get it.
I am confused about the points below.
Is it the best choice to use OWIN, the default implementation which Microsoft provides, or some custom implementation?
What are the advantages and disadvantages of using OWIN in terms of security?
When to use JWT (JSON Web Token) and OWIN?
Or any other implementation which helps to create a more secure web API?
Looking for all experts' valuable input to help me decide.

I implemented something similar. This is how we work: we have our application (MVC app) which permits us to log in. Logging in uses a separate MVC project (our STS) which handles all user authentication. When our login and password are posted correctly, we generate a JWT which is returned to the MVC app. Back on the application side, we decode our token and build up the claims in it in an ASP.NET application cookie.
We also have a separate project containing our WebApi REST methods. Those can only be called by using the JWT generated by our STS. We elaborated this more with a custom attribute so we can set permissions on specific permission or role claims that are in the token.
For creating all of this, I was helped very much by this series of articles: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
In terms of architecture this is in my opinion 'how it should be' but I am not an expert in this.
So, in summary:
Web Application - application cookie to authenticate/authorize
Calling WebApi REST methods - using the JWT to authenticate/authorize
Separate STS which takes in POSTs to authenticate and generate JWTs

How to integrate Parse with third party user authentication service?

I am building a mobile app in which the users need to be authenticated via TrueVault, which is a HIPAA compliant data store. TrueVault offers a REST API and generates an access token post basic authentication. They have endpoints to check token validity etc. too.
We need to do 2 things:
1) Authenticate all users via TrueVault and store the auto generated TrueVault id in Parse to facilitate data mapping.
2) Set up an interceptor in Parse which verifies the access token with TrueVault before serving any protected resource.
What would be the simplest and most efficient way to implement the above? I have gone through the tutorial to add third-party OAuth to the mobile apps, but TrueVault does not have OAuth in place yet and thus needs authorization requests via Basic Auth only. Also, would we need Cloud Code for the above or Custom Web Hooks?
Thanks
Sameer

I would suggest you use Retrofit, Gson (or Jackson) and RxJava (RxAndroid) to handle all API calls. I had a quick look over the API documentation and these libraries should work for this problem.
Links:
https://github.com/square/retrofit
https://code.google.com/p/google-gson/
https://github.com/ReactiveX/RxAndroid
Cheers.

OAuth and external auth providers

I am building WebAPI on OWIN that needs authorization. I implemented OAuth 2.0 and I am really happy with it. For now, there is a grant_type "password" authentication implemented and now I need a way to use external authentication systems, i.e. Facebook, Google, etc.
The scenario I am trying to figure out is this:
1) iOS/Android app authorizes user with Facebook using native libraries and gets Facebook access_key
2) I should get that access_key to my OAuth OWIN backend
3) Test the access key with Facebook API
4) Get user_id
5) Then map the user_id with a user in my system
6) Issue Identity Token for that particular user
Am I conceptually right and if so, how should I implement this in OAuth pipeline?

That is how I would do it. To implement it, you will need the Microsoft.Owin.Security.Facebook NuGet package.
Here is a nice article that explains how to use the package.
http://blogs.msdn.com/b/webdev/archive/2013/10/16/get-more-information-from-social-providers-used-in-the-vs-2013-project-templates.aspx?PageIndex=2
Basically, in your OWIN startup class, you add a call to app.UseFacebookAuthentication();
Then get the IPrincipal from HttpContext and configure it.
