My team and I are currently developing an iOS app that connects to our Spring Boot backend, unfortunately there is little to no documentation online on how to manage authentication between the two.
Here is what we aim to achieve:
User opens app and is prompted to sign in with Apple.
App then sends some sort of token that can be used to retrieve the users email to the backend with all requests.
Backend then verifies email using token with each request.
Is this possible to do? If so, a resource on how to do it would be greatly appreciated! I have spent hours looking online to figure out how to do this with not much out there.
Related
I’ve got a set of APIs written in ASP.NET. These are to be accessed by a web app and native mobile app, and should be protected by the SSO.
I would like to be able have a SSO, where the user can login online and access the web app, and can also login on the native app (via the browser), and it’ll remember their login details (ie with an authorization_token).
I’ve been looking into IdentityServer4 but I’m a bit stuck on which authorization flows I would need for this.
Any help is appreciated, as it’s starting to hurt my brain! Do let me know if I need to explain it better.
For flows, there are today only two flows you should consider.
Authorization code flow, this flow is for clients where you want a user to login/signup, like a mobile app or web-application. Meaning, you have a user and a browser involved here.
Client credentials flow, is all about machine to machine communication, where you have no user involved.
I have a mobile application built upon Ionic Framework which uses many Cordova packages. We are upgrading the app from Ionic3 to Ionic5. In the Ionic3 application our .NET API was responsible to managing user logins. Going forward, in the Ionic5 app we will NOT be managing user credentials - we will be using 3rd party Identity Providers such as Google, Facebook, and Twitter.
We have implemented the Cordova packages to handle external authentication with Facebook and Google and it works fine. How do we tie the token that is received from Google/Facebook to our .NET API? When we try to use the token provided from Google/Facebook we - of course - get a 401 because our .NET API doesn't know about that token as it was issued from an external source.
I am aware of the process of how to enable the schema described here (External Authentication Services w/ASP.NET Web Api) but in this case the user agent browses to the Web Application in the browser. This is not true in my case as the user agent will be using a mobile application not a web site.
But I hope the principal is the same. But I'm missing something here.
The user will open the mobile app, authenticate with Google/Facebook and be issued a token. Now, what needs to happen to get that token to be recognized by my ASP.NET Web Api?
For example. When I registered my mobile app with Google Developer's Console I selected that the type of app is an Android application and was issued a Client ID for Android now how can I use this token in my ASP .NET Web API? There MUST be some way to tie the two together or some article out there.
Thanks in advance for your assistance!
Also, I looked at this post and see its 11 years old. Is there something here that I should be doing? Please help point me in the right direction. how-can-i-verify-a-google-authentication-api-access-token
It is about data ultimately, and identifying users in a consistent manner, then tracking their history with your app / business.
SOCIAL LOGIN PACKAGES
These are often cheap and nasty solutions that add complexity to your apps as you are finding.- especially when you need to look things up by user.
OPTION 1 - COMPLEX APPS
Your API could look at the token issuer (ISS claim in the token) and download token signing keys from either Facebook or Google - if JWKS endpoints exist. Then create a user from the access token's sub claim if required.
OPTION 2 - SIMPLER APPS
Deal with only a single type of token in your UIs and APIs, which will work like this. It moves the complexity to your Authorization Server (AS):
You have an Authorization Server (use Google maybe) to deal with token issuing and other central OAuth concerns
You have multiple Identity Providers (eg Facebook + Google) to support different login methods for users
During login Facebook posts a token to the AS
Then the AS issues its own token to your UI
The AS may be able to use Account Linking to provide a consistent user id regardless of login method
There is a learning curve in getting this working, but once done it can easily be scaled to many apps with zero code changes.
The proper answer is Auth0... see the below sequence diagram!
I have a microservice which is running in docker container, can I integrate app id into my application? and do not change the application code.
Also, I only saw google and facebook login item on the log in widget,
how can I add IBM w3id to the widget?
can I store a username and password into appid? then clients can login using the pre-stored credential. how to implement this? thanks.
There should be no any problem to secure your application using App ID, but you need to update the application (backend) code if you need to protect REST APIs. If you need to authenticate your mobile app users only, there is no need to change the backend code (you can review our iOS and Android onboarding samples available in the service dashboard).
IBMid is not released to production yet, so currently there is no option to add it.
About customer credentials - we're working on Cloud Directory feature now, this scenario will be supported once we release it to production.
Thanks,
Vitaly
We are developing a hybrid mobile app (code is written in HTML and runs on browser shell as a native app on the device). We need to authenticate the user against an external security manager. I've seen the Gmail App in iPhone which opens a browser to authenticate the user. We are also looking to do something of that sort. We just need to gather your thoughts on how authentication can be done with some external security manager in a mobile app.
Also I noticed that Dailymotion website was able to know if the user is authenticated with Facebook. This looks like a cross domain authentication.
Can you please share your thoughts on how Google and others have implemented it?
What you are looking for is OAuth and OpenID services to federate your login. Depending on the architecture of your system you can implement whichever one you like or even a hybrid of both.
Take a look at this link: Federated Login for Google Accounts
It provides all the useful information you need.
Hmm this question seems old but in case you haven't found an answer here's how I did it with my hybrid apps :
open url on client side with the provider's (facebook/twitter/instagram) url for login
the user logs in and is redirected to the server's callback url (my server is written in nodejs)
once I've got the access token from the provider. I save this token and then create a token for the client to reuse every time the user wants to access a protected ressource.
Download the apk and test it.
If this is what you're looking for you can checkout both the client side code at : https://github.com/malikov/Authenticate.me-client-cordova-ionic
And the server side code at : https://github.com/malikov/Authenticate.me-Node-Server
Cheers
I am working on an iPhone application that uses Google app engine to host the backend. I need to authenticate with Google but I can't seem to find a way to do it from my app. It seems I am down to making a UIWebView to have a user sign in to the redirected login page I am getting from Google, but I would much rather have the user enter there credentials one time and then have it persist, unless the user signs out.
Is this possible? Should I be looking at other options or am I just not handling the redirect correctly?
Any suggestions or info would be appreciated.
Thanks
O-Auth is available on App Engine.
Just insert GTMOAuth in your projet and present the GTMOAuthViewControllerTouch. You'll be able to store the auth token in the user's keychain.
Then authorize your NSURLMutableRequests via [auth authorizeRequest:myNSURLMutableRequest]...
I think it might be easier than reusing and managing cookies.
This page has pretty complete information on how to access the built-in Signin flow that is included with the generated app-engine endpoint library:
https://developers.google.com/appengine/docs/python/endpoints/consume_ios