I want to create a OAuth app for my application, and took a quick look on how Twitter does this. Works great, you enter username and passoword and it was game on.
But I tried ReactiveOAuth and it uses a webcontrol to show a authorize page and it feels a bit dated. not the way twitter does it.
Are there any other librarys for wp7 working with oauth?
For OAuth to be efficient and trusted, your user must sign in on the back-end platform via the website through HTTPS. Your application must never have the user's password in memory, all you got is an authorization token when the user has successfully authenticated itself.
Related
I have an app idea and need to implement authentication. Because of the nature of my app, I only want linkedin users to be able to access my app.
After reading a bit about spring oauth / spring social / etc, it seems its definitely possible to use something like Linkedin to access MY app. I want a user to see linkedins login button on the first view of my app, create my own version of this user in my app, and then allow the user to use my app.
After my findings I have found the generic flow
*user authenticates via social login button
*client app redirects user to service provider to receive a token
*client uses token and makes another request to service provider to receive auth token
*now my client app can make calls to service provider with auth token of user(this is the part where I am a bit confused)
*I want to use this token to validate calls against MY api NOT linkedins(is this wrong)
I don't really care to make calls to Linkedin on behalf of the user(except to pull user information). I ONLY want linkedin auth so that I know that users who use my auth are valid linkedin users. I thought something similar to Tinder where you MUST have a facebook account, I want to copy that design but couldn't find any hints from google. It seems the examples I find online all use the social login to ultimately use the service providers API.
I also read some stuff about SSO which sounds like what I want, but I definitely plan to add at least 1 more social login down the road. My clients will use a browser or mobile app.
I guess the main question here is once I authenticate a user using social login, am I supposed to use his existing connection to make calls to my API or create a new connection somehow. My goal is when a user does a social login, he now can access MY app, I want to reuse their existing connection without authenticating them into mine(only store their info). I want to follow best practices.
I've implemented Omniauth for Twitter in a rails app I'm working on. With the users who sign in using that I can get OAuth tokens and secrets for them. That's all working.
What I can't figure out is how to get OAuth tokens and secrets for users who don't sign in using Twitter?
I'm sure I've used sites where you can "Authenticate" them so that they can get OAuth tokens and secrets for you without signing in using Twitter. Twitter seems to suggest that you need to use 3-legged authorization but I can't seem to find anything much about that.
Is 3-legged authorization the way to go about it?
What I would do is modify your controller action that handles the Omniauth callback for Twitter. If when that action is accessed the user already has a session (i.e. they logged in through your alternate mechanism) then you just grab the Twitter token/secret and store it just like you do when creating a new user that signed in via Twitter. If there is no user in the session, then do what you already are doing.
Now, you can just add a button to your site that people who are logged in but do not have Twitter token/secret can see. The button links to the exact same /auth/twitter you use for your sign in with Twitter link.
After they authenticate with Twitter they will be sent to the callback URL where your app will see they are already signed in (the user is in the session) and will just add the Twitter token/secret.
I'm reading this article http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/ and I understand how HMAC works I think.
The issue is that HMAC seems to authenticate the third party (relay party) only. What if the third party wants to pass a user of my system and his/her password to extract the user's specific data? I don't want to use OAuth 1.0 nor 2.0 because various issues with them. It seems to me, I need to authenticate the user too, not just authorize?
For instance, Evernote mobile app, it asks me for username/password and I'm sure it's calling some sort of Web API in the background. It's not using OAuth 2.0 right? Because I don't see myself redirect to the provider site to "authorize". In this case, how did my username/password got passed to the back end service?
[Edit]
After thinking about it a bit, I'm assuming SSL is the solution? Once you have SSL, you can pass username/password to my web api in plain text and then I do whatever to authenticate the third party PLUS authenticate the user and respond with user's data?
In that case, the downside is I have to trust the third party? So they don't store my user's username+password, is that correct?
First, just because you don't see redirects, it does not mean OAuth is not used. I'm not saying Evernote uses OAuth. I do not know their architecture but Resource Owner Password Credentials Grant which is part of OAuth 2.0 is suitable for first-party applications and it does no redirects.
Secondly, if you want to ensure your users do not share their credentials with the third-party app that consumes your web API, OAuth 2.0 is a great option and not sure why you do not want to use OAuth. You can also try WS-Federation with the help of WIF, though it is SOAP-ish. The last option will be coming up with your own redirects based mechanism by which your users submitting their credentials in a web page of yours is ensured but this is highly risky and not recommended. Why to reinvent the wheel? Other than these, you must only trust the third party.
I am building a WP7 Twitter client. The normal OAuth 1.0 flow involves obtaining a request token by navigating a web browser to https://api.twitter.com/1/oauth/authenticate with my app's consumer key; this page will show a login prompt and ask the user to authorize my app to perform actions on their behalf. Upon completion, this page will redirect to a callback URL supplied by my app, with the request token supplied as a parameter.
For web apps this makes sense. I don't understand how this is supposed to work for a standalone mobile/desktop app, though. The Twitter API documentation seems to imply that this should be a feasible option. They do offer an alternative xAuth mechanism that allows an app to gather username/password itself and then supply that directly to obtain an access token. The API documentation points out that this is an inferior option (as it requires the user to trust the app, not just Twitter, with their password), but I don't see how I have any reasonable alternative?
(there is also a PIN-based option, but that's a pretty burdensome solution for the user)
I just want to make sure I'm not missing anything obvious.
"For web apps this makes sense. I don't understand how this is
supposed to work for a standalone mobile/desktop app, though."
Just embed a web browser control in your app, and navigate to the twitter authentication page. Then detect the redirection to the callback url (using the Navigating event) and retrieve the parameter. Many twitter apps do that, it's basically the same as asking the user for the login and password, except that instead of your own controls you're displaying twitter's page.
Nope, you're correct. The option for a mobile/desktop application is either a pin-based option or to use xAuth. Once you have an xAuth application has an access token it is indistinguishable from OAuth (it only changes the authorisation workflow). One thing it does change, and this is very specific to Twitter, is that if you do use xAuth then your application will not be allowed to read or write Direct Messages. See Twitter's The Application Permission Model page for more information.
I'm currently writing a web application, which should access user facebook data.
The problem is, that many users access via proxy (all facebook urls are blocked) and therefore it's not possible to use the default oauth mechanism provided by facebook. Any ideas?
Best Regards
Markus
The user must be able to access facebook's servers to authenticate your app.