I have a code which helps me to successfully authorize my application by pinterest.
My application gets listed in my pinterest app settings, but each time I login, pinterest asks me to authorize the app.
Is there a way to avoid it ? Can I check if my app is authorized by the user and skip this procedure every time I try to login with pinterest?
I use Oauth 2.0 for authentication.
Related
I have developed an app that is using Auth APIs of Facebook and Gmail. as you know we don't need any email password to login just click on facebook or gmail button and auth API generates authentication token to login into app.
So I am submitting that app on playstore but they are rejecting and asking for login credentials. I have provided them my gmail account login credentials but they using those credentials to login into facebook account and rejected my app again.
what I should do to avoid rejection again?
Trying to get my head around the Identityerver4 setup for my project. I have a mobile app where users should be able to login with either facebook or username/password. Facebook login is implemented using the native facebook if available on the device. This results in a token from facebook. With this token I want to request an access_token and refreshtoken (hybrid flow) to access my api (resource). At the same time, some users will also log in unsing username and password.
As I need some info about the user, my plan is to user ASPNET Identity but I'm not sure how to make it wotk together with IdentityServer and If user profiles should be created in Identity based on both logins (registration). It seems obvious for the username/password login, but what about my social facebook login. Later there might also be a web client. So my basic question is how to handle the user registration with both setups
In my web app, I'm integrating a "Sign In With Google" button with Google Api Client (JS), in order to then integrate with some other Google services.
So far I've already implemented the login logic: the user is able to click the button and proceed to the application, the flow is this:
the user accepts to connect the app to its google account
then I send the response token to my backend (PHP) to check the token and store in the DB the Google UserID (sud)
If the user had already an account with my app, I update the profile to add the google sign in option.
If the user did not have an account I ask him to register client side.
from now on the user can access my app both with my app's login credentials, and with "Google Sign In".
I send back to the client the access authorization to my app.
My problem is, how to sign in the user automatically the next time? At least two scenarios my happen:
the user opens my app from the computer of a friend in which another google account is already logged in. The user chooses to login in my app with my app's credentials (not "Google Sign In"), so once he/she is logged in, by refreshing the token I would get the wrong Google account. Displaying the authorization window again wouldn't be ideal and would surely offset the user seeing someone else's account.
the user opens my app in incognito (private) mode on a friends' computer, and he/she chooses to login using his/her email and password, not the google sign in. Again, I wouldn't know how to re-sign in the user with the google api client.
Since I know in my backend what Google user is "my user", is there a way to pass such information to the google client api, so that it logs in the right user?
I am looking forward to integrate logging in users using Facebook's authentication. I have my app protected by OpenAM and the users are already registered there. I have my own login page and would not like to move this to OpenAM and retain it in my app. As of now, I am using REST calls to authenticate users in OpenAM. Now, I want to integrate login using Facebook. My idea of implementation is as following:
User logs in using original credentials and is authenticated in
OpenAM.
User is asked to associate his/her Facebook account with the
OpenAM account.
User authenticates his/her Facebook account
(https://www.facebook.com/dialog/oauth?app_id={app-id-as-created-in-fb-developers-console}&redirect_uri={my-rest-service}).
This will return the code and that can be used to recheck against
Facebook to ensure that the user was authenticated against my app
and this is not a hacker intervention
(http://graph.facebook.com/debug_token?%20input_token={code-returned-from-facebook}&access_token={my-app's-access-token}.
The response will contain the app ID that can be verified against my
App's ID. On success, I shall call OpenAM to associate the user in
OpenAM with his/her Facebook credentials (Not sure what all to use
here.)
Next, whenever the user wants to login, he/she can use Facebook
login where in the redirect URL would be my REST service and the
code returned from Facebook can be rechecked from Facebook and then
OpenAM will be called to authenticate.
My queries:
I am not sure if this approach is feasible.
How do I pair an existing user in OpenAM with the Facebook account?
How do I authenticate the user in OpenAM after Facebook login, with
the userID?
Is the Facebook userID (numeric,returned from Facebook graph in JSON
response), unique and permanent?
I would also want to give the users an option to de-associate the
existing Facebook account and associate a new one-how do I do this?
Apologies for asking too many questions, but I am new to OpenAM and OAuth and keen on following the approach I have mentioned above.
Thank you.
As an aside, it will probably be much easier in the future if you delegate all of the login to OpenAM, and let it deal with local login and social. This will make it really easy to add more social providers.
If you want to keep your current architecture, you can create a new authentication chain in OpenAM that just has social (facebook) login. You should be able to redirect the user to that chain. Once the social login process is complete, you can have OpenAM redirect back to your application page.
To link local and social login you are going to have to offer some kind of account claiming in your application. After they do a social login you could ask them to link their local account by providing the username and password. You can call OpenAM's REST API to validate the credentials.
This kind of linking can be confusing for users - so sometimes it is better to treat them as separate accounts, or have a migration process for the user to migrate to social only.
I am reading the docs in the Stormpath website. They have documentation about how to create account, application...
But I cannot find the overview the big picture of the Stormpath
especially how can my web application can integrate with it.
I need a picture that describe the flow of the authentication between my Web Server, browser, and stormpath API.
I have a web application and a login page.
My specific questions are:
When a user clicks the submit button of the login page, should I call the RestAPI to Stormpath to authenticate or I need to send username and password to my web server, and web server will send it to Stormpath to authenticate?
If when a user clicks the submit button and I need to call the RestAPI of Stormpath from JavaScript, after login successfully do I have a returned Access token? And what can I do with that token.
Please help me.
Heyo -- I work at Stormpath, so hopefully I can explain this for you a bit.
If you're building a website, and storing your users with Stormpath, here's how authentication works:
A user visits your website, and clicks the login page.
You show a login page and collect the user's email and password (or username).
The user clicks Login, and that form data is transferred to your web server (not Stormpath!).
On your server-side code, you would then use one of the Stormpath libraries to authenticate the user's account. You would take the form data the user submitted to your server, and then call the proper Stormpath method to authenticate the user.
Stormpath will log this user in, by creating an access and refresh token, and securely storing cookies for your user in the browser.
This is how the flow typically works.