Currently I have an rails 3 application which uses devise plugin for website authentication. But now I'll be adding an iPhone app as well so I will be exposing the api calls to the client device (iPhone). How would I implement auth module so that iPhone client can authenticate to the rails site and access some api?
Should I be creating a oauth provider, token base auth or simple http auth works?
In this situation, HTTP Basic authentication would work fine. If you'd like it to be more secure, you could create an OAuth provider and create your own implementation of Twitter xAuth to make it more user friendly. Essentially, you'd create an API call that would accept a username and password and then return an OAuth request token for that user. You'd store that request token on the iPhone and use it to authenticate subsequent requests.
Related
We have an Angular SPA and Web API which is hosted in IIS - standalone server.
Our Web API uses user ID and password OAuth token authentication.
One of our client wants to use their Azure AD instead of our application's user id and password.
How to pass their AD token in our /token API call? Is there any easy way to implement this?
We can do this by two ways.
Approach 1# using ADAL.js in SPA
For SSO Clients
Get AD Token using ADAL, then pass it to /token with custom grant_type and decrypt AD token and generate your own token
Apporach 2# using SAML approach
For SSO Clients
Get SAML response, and pass it to /token with custom grant_type and decrypt SAML token with certificate you received from AD SSO then generate your own token
My aim is to authorize browsable API(first app) using the JWT token generated(second app).
I have two apps created,
1. API - has all the data
2. Authentication - generate JWT tokens after validating the user.
Now, when I try to access the API after generating the token it says,
Authentication credentials were not provided.
Trying to access the API (passing the bearer whatevertoken)
I mean, is there a way to authenticate the Browsable API using JWT token? Instead of creating a user session.
Passing Authorization header as,
"Authorization: JWT token"
authenticates the user.
But, limits me to browse the API in a browser. Is there any way we can implement Browsable API using JWT authentication?
UPDATE
A thorough reading on
Authentication classes
Permission classes
Django settings
Helped in understanding the core concepts and apply appropriate solutions.
We would like to have REST APIs with OAuth2 using our own user table for Authentication. Also, we need to allow Social Login. Below is the flow for social login,
Our OAuth
Client makes auth and access token URL for our servers to receive
the access token
Client sends access_token for further calls in the header as bearer
token
Social Login
Client makes auth and access token URL to Social Login server(For
ex,https://accounts.google.com/) to receive an access token
The client sends access_token for further calls in the header.
We have implemented our OAuth with Spring and working perfectly. We have questions on social login,
How to identify our own Oauth access token and social login access
token. We may have many social logins and we should able to identify corresponding social login.
How to validate and integrate with Spring Boot?
If the access tokens are just random strings, you probably cannot tell the issuer of the provided token and you cannot validate it.
I would suggest you to extend your OAuth2 server to accept third party providers (Google, Facebook ...) for authentication. This way would support both local and social users, but in your application, you would always deal with your own tokens. It would make the application security much easier (which usually means safer) and you could also configure your own scopes for access tokens. There are also ready to use solutions for it - e.g. Keycloak.
I have built a website with vuejs front-end and laravel back-end.
Only way to login is via Facebook Login using Socialite
All that works fine.
Now I am building some React Native apps (Ios/Android) that also use Facebook login but need to interact with the same web api.
I want to use JWT to secure the API for React Native -> Laravel API
I set up JWT w/ Dingo on Laravel side and I am able to generate a token using the JWTAuth::fromUser(). And I have established some API endpoints that use the token to authenticate.. so far so good.
Now here's the part that becomes sticky. I understand that on the Laravel side of things you can create JWT token with any user.. right now the JWT "identifier" is simply "id".. and it's my understanding that the token I generate from JWTAuth::fromUser() simply has no idea or care that this user doesn't have conventional credentials and instead used a Facebook Login.
On the React Native side however.. when a new user first authenticates via the Facebook Login.. it has no idea what the "matching user" is on the Laravel app, all I have to go on is basically the unique Facebook Provider Id.
So the question is as follows:
How can I generate a JWT token on the React Native side using only the Facebook Provider Id and the JWT Secret, and more importantly, how do I modify my JWT code on the Laravel side so that it can understand tokens that were generated with the Facebook Provider Id and JWT Token
In other words, I think my Laravel JWT implementation needs to be modified so that tokens are created/parsed purely on the basis of the Facebook Provider Id because otherwise it won't match up with tokens generated on the React Native side.
Many thanks!!
Ok after doing some reading I think this flow might work. Your thoughts please?
1 User authenticates via Facebook on in on Android/Ios app
2 Retrieve facebook access token
3 Do api call to public endpoint on web server and pass FB Access Token and FB ID
4a Web server makes Facebook Graph Api call w/ Access Token and verifies token is valid, is authenticated with Facebook App, and matches Facebook ID
4b If user doesn't exist on web first.. create user
5 If above matches, then web servers generates JWT token from user model and returns JWT token to app
6 App now uses JWT token for future API calls
I have a website that uses Twitter Oauth for Authentication. I plan to break out the site to use a service approach where the website communicates with a backend via JSON. Since the front end is responsible for going out to Twitter to validate the account and as a result, sets the session, I'm trying to figure out how to still have the path and use a service backend with something simple like Sinatra.
Problem is that there's no password to authenticate against for the API backend, just twitter key and secret. What's the best way for the website to authenticate the request to the API back end having come back from Twitter login?
You could exchange the Twitter OAuth creds for an API session with your Sinatra back-end. So the Sinatra API knows the Twitter user associated with the API session.
You can obtain the initial API session key by authenticating with the back-end using an API key (a shared secret, really). This assumes that your front-end API client is itself a server-side application rather than client-side - you don't state which.