How to create a single JWT authentication and authorisation server for multiple websites and mobile apps in ASP.NET Core

I find setting up the auth services for every website cumbersome.
This is my scenario: I currently have three websites, for example example.com, example.org and example.space, and their respective mobile apps.
I found it tiring to configure auth for each of them separately. What I want is to create a centralised auth service running on a different port with a different database, for example on example.net:7000.
Whenever users request to be authenticated by sending their email and password to example.com/auth, example.org/auth or maybe just example.net/auth, they will receive a JWT token which can be used to access the protected resources on the respective sites or their mobile apps. And in the case of the mobile apps it should work without opening any website in the browser.
I mean users shouldn't be aware that their credentials are being handled by a single server. It's kind of like Google, where a user can log in on gmail.com and also gets logged in to google.com.
I have taken a look at OpenIddict but found out that it has some redirections involved (to auth a user, the user is redirected to the auth server and then sent back to the previous URL). I want it to be like machine-to-machine communication with no user interaction involved, rather just sending JSON containing their credentials in a simple HTTP POST API request.
How can I achieve this? Is there any example repository?
Note: I am using Flutter for the mobile apps.
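As an added example (not part of the question), the token part of this design in its simplest form: the central server at example.net:7000 mints a JWT whose aud claim lists the sites the user may reach, and each site checks issuer, its own audience, signature and expiry before serving a protected resource. It assumes an HS256 secret shared out of band between the auth server and the sites (a constructed value here); with RS256 the sites would only need the issuer's public key.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret (assumption): the central auth server signs with it and each
# site verifies with it. With RS256 the sites would only need the issuer's public key.
SECRET = b"constructed-shared-secret-change-me"
ISSUER = "https://example.net:7000"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, audiences: list, ttl: int = 900, now: int = None) -> str:
    """Auth server (example.net:7000): mint an HS256 JWT naming every site the user may use."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user_id, "aud": audiences, "iat": now, "exp": now + ttl}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token: str, this_site: str, now: int = None) -> dict:
    """Resource site: accept the token only if it is ours, for us, untampered and unexpired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":      # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if this_site not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this site")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims
```

A site that is not named in aud (example.space for a token issued to example.com and example.org) rejects the token even though the signature is valid, which is what keeps one login from silently granting access everywhere.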

How to use Yahoo OAuth2 in a desktop installed application to send emails using a Yahoo email account

I'm supporting an installed application, a standalone desktop application. I would like to enable people who use this application to send emails using their Yahoo email account.
I know that I will need to create an application in the Yahoo Developer Network, then generate a URL to request a Yahoo OAuth2 token first, and then, using this token, I can use SMTP or the OpenID API to send emails.
I've encountered a lot of problems while creating my application in the Yahoo Developer Network and requesting the token. I've compiled them and I'm listing them below:
Confidential client or public client:
Yahoo explains that one should choose confidential client for a traditional web application and public client for mobile apps, native apps, or single-page apps.
If confidential client is selected, a client secret will be generated; if public client is selected, no client secret will be generated. Plus, if I choose public client, which I did for my application, when I request the OAuth2 token I can choose not to include the client secret as one of the parameters, and it looks like that is not causing any problem.
API Permission:
I took it as scope. But the strange thing is that it does not include anything like Google's. Google states "Send email on behalf of customer", but the similar choice in Yahoo is OpenID Connect Permissions - Email, which has a brief introduction as "Access to email address and verified status".
There is another possible choice for OpenID Connect Permissions as well. It's called Profile, having a brief introduction as "Access to common profile information (eg. first/last name, gender, etc.)".
Another strange thing about permissions is that when I started to request the OAuth2 token by opening the generated request URL, after logging into my Yahoo account, the page stated the permission as "Read Profile", which does not meet our expectation, as I took it. Plus, it does not have anything like sending email on behalf of the customer.
Redirect URI:
In the Yahoo developer center, for the application I created, I set it to localhost, port 55555, the same as I set for Google OAuth2.
I have reviewed some code examples; the code uses the secret, which only exists for confidential clients, i.e. traditional web applications, and states that I need to develop a redirect web page on our website, which redirects to localhost, port 55555.
The redirect URI is also a required parameter when generating the OAuth2 token request URL. If I state localhost as the redirect URI inside the request URL, the Yahoo page says "Oh, no. There had been some problems, please try again. Developer: Please send a valid request."
If I set the redirect URI to "oob", which means "out of boundary", as stated in the Yahoo OAuth2 Guide, the generated URL will succeed, but the same page shows up again after I log in to my Yahoo account and grant the permission requested. Well, the permission is also weird. It's "Read Profile", nothing about email sending.
I have searched the Internet to find out what exactly those settings should be for my scenario and read thoroughly through the Yahoo OAuth2.0 Guide. But nothing is clear enough for me to do my coding job. Could anyone shed some light for me? Thanks in advance.
Plus, I'm thinking of getting help from Yahoo regarding this task, but it seems that they do not have any communication channels for developers like me. Does anyone know more about that and would like to share with me? Thanks again.

2-Legged Client Credentials OAuth Flow for Exchange/O365 POP3 and SMTP

My company distributes an application with a background service component that sends and receives mail from a single email account using SMTP/POP3.
The app uses basic authentication, but we need to implement OAuth 2.0 now due to Microsoft's planned rollback of basic auth for POP3 (and likely SMTP in the future). We have been investigating the account setup and API permissions necessary to achieve this in Azure AD.
Our current understanding is that it is possible to implement the 2-legged client credentials flow by getting an access token and then sending requests to the Graph API (eg. https://graph.microsoft.com/Mail.ReadWrite). However, our application is built to send and receive with the legacy SMTP/POP3 protocols and changing the mail features to send HTTP requests to the Microsoft API endpoints requires a partial redesign.
It appears that only 3-legged flows are supported for the legacy SMTP and POP protocols. These permissions are only available as "delegated permissions" on the Graph API. There are no equivalent "application permissions" that would allow us to use these protocols from our background service without a user present to do the initial authentication.
Integrating a browser redirect into the app for the initial authentication also requires a significant update to the application. The app is 14 years old and the original programmer is no longer at the company. Due to that fact as well as limited resources, we're hoping for a solution that doesn't involve implementing browser integration or major changes to the sending and receiving functions.
Is it possible to implement a 2-legged OAuth flow to authenticate an account for sending and receiving over SMTP/POP3?
Might any of our assumptions be incorrect?
No. It's impossible.
OAuth access to the IMAP, POP and SMTP AUTH protocols via the OAuth2 client credentials grant flow is not supported.
Currently the supported flows are:
OAuth2 authorization code flow
OAuth2 Device authorization grant flow
See details here.
If you have this requirement, you can post your idea on Microsoft Graph user voice.

Securing a REST API consumed from Ajax and mobile apps and 3rd party developers

I am writing a REST API (using ASP.NET WebApi) and it will be used by my single-page web app via client-side JavaScript calls, by mobile apps that anyone can install, and eventually I would like it to be used by third-party developers to write their own apps.
I have looked into HMAC to secure the API but am not sure how to get the private key onto the clients securely (i.e. browser client side, on the mobile app?).
I am trying to make it so that only my apps, the 3rd-party dev apps and my client-side JavaScript can access the API.
In your use case, I would use two different authentication mechanisms. For the SPA running in the browser, I would authenticate the users using forms authentication, and I would rely on ASP.NET to validate the credentials stored in the cookie when the browser makes a call to the Web API using AJAX. For the third party or mobile apps, I would use HMAC authentication. You can exchange that key out of band as many of the cloud providers like Windows Azure or AWS do. I created an implementation of HMAC for Web API that you can use. It's available here,
https://github.com/pcibraro/hawknet
You can also exchange the key using SSL on the first call when the user is authenticated with username and password, but that's up to you.
Regards
Pablo
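As an added example (not part of the answer above and not taken from hawknet), the shape of the HMAC scheme Pablo describes for mobile and third-party apps: the client signs method, path, timestamp, nonce and a body hash with a key it received out of band, and the server recomputes the MAC, bounds the timestamp skew and refuses a reused nonce. The key table, skew window and header format are assumptions of this example.

```python
import hashlib, hmac, secrets, time

# Constructed key table (assumption): one secret per registered app, handed over out of band
# (the app's registration step), never embedded where a browser user could read it.
CLIENT_KEYS = {"mobile-app-1": b"constructed-key-for-mobile-app-1"}
MAX_SKEW = 300              # seconds a request timestamp may differ from server time
seen_nonces = {}            # nonce -> timestamp, to reject replays inside the skew window

def canonical_string(method: str, path: str, ts: int, nonce: str, body: bytes) -> bytes:
    """What both sides sign: method, path, time, nonce and a hash of the body."""
    return "\n".join([method.upper(), path, str(ts), nonce, hashlib.sha256(body).hexdigest()]).encode()

def sign_request(client_id, method, path, body: bytes, ts=None, nonce=None) -> dict:
    """Client side: build the Authorization header for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(CLIENT_KEYS[client_id], canonical_string(method, path, ts, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"Authorization": f'HMAC id="{client_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'}

def parse_auth(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "HMAC":
        raise ValueError("unsupported scheme")
    return {k.strip(): v.strip().strip('"') for k, v in
            (item.split("=", 1) for item in params.split(","))}

def verify_request(headers: dict, method, path, body: bytes, now=None) -> str:
    """Server side: return the client id only if key, timestamp, nonce and MAC all check out."""
    now = int(time.time()) if now is None else now
    p = parse_auth(headers.get("Authorization", ""))
    key = CLIENT_KEYS.get(p.get("id"))
    if key is None:
        raise ValueError("unknown client")
    ts = int(p["ts"])
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("timestamp outside window")
    for old, old_ts in list(seen_nonces.items()):     # forget nonces that can no longer replay
        if old_ts < now - MAX_SKEW:
            del seen_nonces[old]
    if p["nonce"] in seen_nonces:
        raise ValueError("replayed nonce")
    expected = hmac.new(key, canonical_string(method, path, ts, p["nonce"], body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p["mac"]):
        raise ValueError("bad signature")
    seen_nonces[p["nonce"]] = ts
    return p["id"]
```

Because the body hash is part of the signed string, a captured header cannot be reattached to a different body, and because nonces are only recorded after the MAC verifies, an attacker cannot use junk requests to lock out a legitimate client's nonces.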

Use Plone to authenticate users from mobile devices

I'm starting to create an iPhone/Android app that will need to use Plone users (i.e. register on the website and then enjoy the app on your mobile).
What's the best approach to doing this? I've seen some apps using OAuth or other techniques; which ones does Plone 4 (4.0.3 exactly) currently support?
I have the users on an LDAP server (OpenLDAP), but even so I still have to log them in on Plone to be able to send and retrieve data from there to the mobile phone.
You have 3 options, and what you choose is dependent on what your skills are and how much time you are willing to invest:
Basic auth
Have your user enter a username and password into the app, and just use HTTP BasicAuth headers to access the site. Plone supports Basic auth authentication out of the box.
This is not the most secure method; passwords are basically sent base64-encoded, so you may want to use HTTPS to communicate with the server. A good idea for authentication in any case.
Cookie authentication
Send a POST request with __ac_name and __ac_password items to '/login_form' on your Plone site, and capture the Set-Cookie header on the response, containing the __ac cookie. That's a tk-auth authentication token you can use on any subsequent request. This is a secure cookie, but any attacker sniffing the HTTP communication stream could re-use this, so again HTTPS is the secure way to communicate.
OAuth
Plone does not (yet) support OAuth out of the box, but integrating with python-oauth should be trivial. This would most likely require a PluggableAuthSystem (PAS) plugin to be written.