I'm working on a Windows Phone 7 application with C#.
I want to implement my login page using Facebook account. To do that I'm using codeplex Facebook C# SDK.
How can I do that?
Thanks.
You can use ACS for that. See here. (answered your other question too)
In short (assuming you are writing a native app):
Your app (e.g. REST services) trusts ACS. For this you expect a SWT (Simple Web Token) that is issued by ACS
In your app, you embed a web browser that navigates to the app, to ACS and Facebook
Once the token negotiation happens in the browser, you extract the SWT and you pass it to the native app
All subsequent calls to your API include the SWT
If you are writing a "web" app for the phone, then it all just works.
In both scenarios, you would use WIF in your backend. It it is a REST API, you need the OAuth extensions mentioned in the link. If it is a web site, it all works OOB.
Related
I have a website which uses an identity server to authenticate a user, though OIDC, I think. Inside the Xamarin Forms application, I have a facility to log in a user through an identity server via a token.
The website itself uses cookies to handle access tokens which difference to the application. (Note: the website was not written by me). I have so many features to write, so I decided to use WebView to handle those features using React, etc., so I don't need to rewrite the code in native and easy to manage at runtime when people using the application.
What is the logic behind having the mobile application log into the authorized page silently without the user needing to authenticate within the WebView?
Is it possible to handle this scenario?
On Android you can use the CookieManager to add/remove cookies that your private instance of Webview will use.
On iOS, UIWebView has NSHTTPCookieStorage and on the newer WKWebView (11+) you have WKHTTPCookieStore
Is or will MSAL be compliant with the new RFC 8252 OAuth 2.0 for Native Apps best practice?
It depends. The native applications for iOS and Android, using the new MSAL Preview library, follows this framework for the Browser handling the authentication flow. The Windows .NET library, from the documentation, indicates that it is using something similar to a webview. In iOS, per the documentation:
Calling the acquireToken method results in a browser window prompting the user to sign in. Applications usually require a user to sign in interactively the first time they need to access a protected resource, or when a silent operation to acquire a token fails (e.g. the user’s password expired). Azure AD V2 iOS Getting Started
As for Windows Desktop .Net, that library results in a Window prompt AAD v2 Windows Desktop Getting Started. In Xamarin applications, that will just follow the pattern of the environment, iOS/Android, get the native browser, Windows Desktop will get the Window prompt from the App.
I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it required the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.
Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.
Usually when I build a new website I create a .NET or PHP website. These website either connect to a MySQL DB or an external API. To do this I can securely store my credentials to these services and the back end will authenticate to them. Now since I want to build a Progressive Web App which is front-end only, how can I securely auth to these? Does my PWA have to have a login page that returns an API key that is dynamic? Thanks
Progressive Web App (PWA) is not front-end only. You can see the definition and the PWA Baseline too clearly understand what makes a PWA.
The problem you have mention is authentication on Single Page Web apps (which is front-end only). Here is the first article from Google with keyword "Single page web app authentication".
Token Based Authentication for Single Page Apps
I'm using Azure ACS to deal with the user authentication in my site, now I'm building a Windows Form App where the user needs to authenticate with the credentials that are used in the web site.
There is anyway to implement Azure ACS with windows forms application?
Yes, use Azure Authentication Library (AAL). Here is an example. The client application is WPF, but it could just as easily be a Windows Form App.
http://code.msdn.microsoft.com/AAL-Native-App-to-REST-de57f2cc
i am not sure if you can do this directly from the application but i suggest doing so through a WCF or a web services. you can work with ACS with WCF,
http://msdn.microsoft.com/en-us/library/windowsazure/gg185912.aspx