Single Sign On Chrome extension and website ASP.NET Web API - asp.net-web-api

I've a website ASP.NET Web API which have scaffolded auth code (I used built-in google auth), it's has both api vĂ  mvc view. Then I'm building a Google Chrome Extension which to be a client of the website.
I'm looking for solution / best practice to have single-sign-on among this system. Should my website have to auth first and store token in cookies. And chrome extension will send request with token queried in the specific website cookies. If no token has been found, the chrome extension will open website auth form (google login form) to the user and continue website auth flow. the flow end will trigger chrome extension's callback to repeat the request. My design is very manual handle and I hope there's a better practice I can learn.

Related

Which OAuth2 Grant to use when developing SPA, Mobile App with Laravel as backend. Will not be using third party login

I'm developing a mobile app + SPA using Laravel as a web service. I'm not sure which grant flow will be good for this. I would avoid any third party login like facebook, google, etc. Id'like to handle user login simply with email and password. I want user to login only once on mobile app.
I had gone through some articles. I'm very confused. I found out 2 flows which might work here. 1st is implicit Grant & 2nd one is password grant.
If SPA is built inside your Laravel project you can handle user login simply with standard laravel authorization method.
For external use (mobile app or external SPA) you should authenticate users with API.
Laravel Passport mainly offers two way to handle this.
Personal Access Token
Fresh API Token
I suggest using the second one cause is the "Standard way" to consuming your web app with a nonsecure source.

Get list of applications in OKTA using Jquery

Hi is there a way to get users applications list in OKTA via jquery? Right now we are using Okta Iframe on our page, problem is that the okta content cannot be changed.
The operation that lists users assigned to an application is part of the Apps API, which requires an API token. For security reasons, you can't call it from jQuery code.
If you have a backend or API component to your application, you can use that to call this API securely and then pass the results to your frontend.

how to prevent yammer to open new tab for authentication

I am using yammer REST API to get group data in sharepoint from yammer, it is opening a new tab for authentication. Is there any way to prevent this new tab?
I tried to open yammer in a hidden iframe, which gives me error - "Refused to display in a frame because it set 'X-Frame-Options' to 'sameorigin'."
It sounds like you're using the JS SDK to make REST API calls. It needs a way to authenticate those calls so if it doesn't have an OAuth token to use from another source, it prompts you to login. Take a look at this blog post that describes how to preauthorize the JS SDK so you can start making API calls scoped to the user loading the page without requiring any interaction from the user.
https://blogs.technet.microsoft.com/askyammer/2016/11/04/preauthorizing-the-yammer-js-sdk/

Progressive Web App Authenticate to API

Usually when I build a new website I create a .NET or PHP website. These website either connect to a MySQL DB or an external API. To do this I can securely store my credentials to these services and the back end will authenticate to them. Now since I want to build a Progressive Web App which is front-end only, how can I securely auth to these? Does my PWA have to have a login page that returns an API key that is dynamic? Thanks
Progressive Web App (PWA) is not front-end only. You can see the definition and the PWA Baseline too clearly understand what makes a PWA.
The problem you have mention is authentication on Single Page Web apps (which is front-end only). Here is the first article from Google with keyword "Single page web app authentication".
Token Based Authentication for Single Page Apps

Login with Yammer credentials using API

I am trying to login website with yammer credentials using REST api. I have registered in yammer API. Now i have got developer token and Client ID from Yammer website.
Could you guys please let me know what is next step to login with yammer credentials from our application using c# in visual studio. Because i am beginner in using API.
Thanks!
You have a couple of options:
The JS SDK approach -
https://blogs.technet.microsoft.com/israelo/2014/10/21/yammer-rest-api-for-dummies/
The ADAL approach -
https://blogs.technet.microsoft.com/israelo/2016/07/05/yammer-apis-and-adal-tokens/
The first open will request users to login via a browser pop up, and the second option can utilise IWA, but there are some pre-conditions and limitations as it is still in preview. Details are in the blog.

Resources