I am building WebAPI on OWIN that needs authorization. I implemented OAuth 2.0 and I am really happy with it. For now, there is a grant_type "password" authentication implemented and now I need a way to use external authentication systems, i.e. Facebook, Google, etc.
The scenario I am trying to figure out is this:
iOS/Android app authorizes user with Facebook using native libraries and get Facebook access_key
I should get that access_key to my OAuth OWIN backend
Test the access key with Facebook API
Get user_id
Then map the user_id with a user in my system
Issue Identity Token for that particular user
Am I conceptually right and if so, how should I implement this in OAuth pipeline?
That is how I would do it. To implement it, you will need the Microsoft.Owin.Security.Facebook nuget package.
Here is a nice article that explains how to use the package.
http://blogs.msdn.com/b/webdev/archive/2013/10/16/get-more-information-from-social-providers-used-in-the-vs-2013-project-templates.aspx?PageIndex=2
Basically, in your owin startup class, you add a call to app.UseFacebookAuthentication();
Then get the IPrincipal from HttpContext and configure it.
Related
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I have an app idea and need to implement authentication. Because of the nature of my app, I only want linkedin users to be able to access my app.
After reading a bit about spring oauth / spring social / etc, it seems its definitely possible to use something like Linkedin to access MY app. I want a user to see linkedins login button on the first view of my app, create my own version of this user in my app, and then allow the user to use my app.
After my findings I have found the generic flow
*user authenticates via social login button
*client app redirects user to service provider to receive a token
*client uses token and makes another request to service provider to receive auth token
*now my client app can make calls to service provider with auth token of user(this is the part where I am a bit confused)
*I want to use this token to validate calls against MY api NOT linkedins(is this wrong)
I don't really care to make calls to Linkedin on behalf of the user(except to pull user information). I ONLY want linkedin auth so that I know that users who use my auth are valid linkedin users. I thought something similar to Tinder where you MUST have a facebook account, I want to copy that design but couldn't find any hints from google. It seems the examples I find online all use the social login to ultimately use the service providers API.
I also read some stuff about SSO which sounds like what I want, but I definitely plan to add at least 1 more social login down the road. My clients will use a browser or mobile app.
I guess the main question here is once I authenticate a user using social login, am I supposed to use his existing connection to make calls to my API or create a new connection somehow. My goal is when a user does a social login, he now can access MY app, I want to reuse their existing connection without authenticating them into mine(only store their info). I want to follow best practices.
I'm new to Laravel.
I already have an API that authenticates users and creates a JWT token for it. Now in my new app, I want to outsource authentication and authorization to this API.
this new app acts like a front-end for the API, and API handles the logic of app.
I'm not completely familiar with this type of architecture, but I think it's a 3-layer architecture that has been divided physically.
the main problem for me is to handle authentication of users and how to turn the stateless logic of API into a web app.
Should I create a custom auth provider?
How? could you provide an example!
thanks to everyone,
But the final solution was Creating a middleware that handles authentication. for example, the middleware authenticates user through a form and saves the JWT token on a session.
this easy step solved my all problems.
I think what you're looking for is creating a custom guard. See docs here.
We have our own existing we portal in ASP.NET MVC, now our one of the customer do not want to use our portal as separate tool, instead they want to consume our feature via WEB API and consume it on their side.
Now I want to implement authentication and authorization in web API, I did google to find my question's answer, but didn't get it.
I am confused in below points.
Is it best choice to OWIN the default implementation which Microsoft provide? or some custom implementation?
What are the advantage and disadvantage to use OWIN in terms of security?
When to Use JWT (Json Web token) and OWIN?
Or any other implementation which help to create more secured web API?
Looking for all expert's valuable to input to help me to decide.
I implemented something similar. This is how we work: we have our application (MVC app) which permits us to login. Logging in uses a separate mvc project (our STS) which handles all user authentication. When our login and password is posted correctly, we generate a JWT which is returned to the MVC app. Back on the application side, we decode our token and build up the claims in it in an asp.net application cookie.
We also have a separate project containing our WebApi REST methods. Those can only be called by using the JWT generated by our STS. We elaborated this more with a custom attribute so we can set permissions on specific permission or role claims that are in the token.
For creating all of this, i was helped very much using these series of articles: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
In terms of architecture this is in my opinion 'how it should be' but i am not an expert in this.
So summary:
Web Application - application cookie to authenticate/authorize
Calling WebApi Rest methods - using the JWT to authenticate/authorize
Separate STS which takes in POSTS to authenticate and generate JWTs
I would like to access my own facebook news feeds using spring social facebook. I have registered my app and i could able to get app key and secret key. How to generate facebook access token for given app key and secret key using spring social facebook(programmatically)?
Now i'm using the link https://developers.facebook.com/tools/explorer generate the temporary access token which is valid only for 60 minutes.
How to generate the access token in my java application itself without having any login page redirecting to facebook redirecting back, etc.
If you're wanting to use the token to access user-owned resources at Facebook (e.g., the user's timeline, friends, etc) there's no way to get a token without involving the user. That's on purpose so that you aren't allowed to fetch data or write data to Facebook without getting the user's permission to do so.
But if that's what you want, then you must redirect the user to Facebook and back. This is OAuth 2's authorization code grant. Spring Social's ConnectController can help you with this.
You might be able to do it via the JS API, but it's been awhile since I've done it that way and I know a few things have changed at Facebook in that regard. And it probably relies on OAuth 2 Implicit Grant (which involves a redirect).
There is another way to obtain an access token without redirecting: Via OAuth 2's client credentials grant. But I don't think that's what you want. Such a token can only be used to work with non-user resources (such as Facebook's Insights API). But if that's what you want, then you can use OAuth2Template's authenticateClient() method.
Again, to be perfectly clear, it is very much by design that you can't obtain a user access token without involving the user. And with Facebook, that will require redirects.