I just created a new Ionic app and using Auth0 for user login and registrations. I have .net core backend.
I am following the Ionic quick start guide https://auth0.com/docs/quickstart/native/ionic4/01-login and everything is working ok. I use new Universal login.
The issue I have is users get logged out after the access_token has expired. I previously used Silent Authentication and refresh tokens in two different apps, however I am unable to find a sample code like quick start guide for either. I have an angular website too. Hence my users can either use mobile app or Angular website to login. I would appreciate any help to keep my users loggedin, in both website and ionic mobile app please.
Many thanks
Last I checked, Auth0 doesn't have many samples for acquiring refresh tokens from application frontends, which is typically what I would consider ionic/angular to be used for. Obviously, you could be building a "native" style application with either of those, but frontend auth is sometimes a little messy and insecure because the client has your code and you usually need to implement some kind of middleware.
It looks like the ionic quickstart uses auth0-js which defaults to an implicit flow, which would confirm my hunch above.
I personally pass the refresh token logic off to my backend, and let the backend function as my "middleware". You can find some basic code samples for backends/native apps here. I use the code-grant flow typically, but you could use PKCS.
The long and short is, I don't think you're going to find sample code on that, but you could hack something together with something like axios if you wanted to go the middleware route, or you could go backend with your auth.
Related
I’ve got a set of APIs written in ASP.NET. These are to be accessed by a web app and native mobile app, and should be protected by the SSO.
I would like to be able have a SSO, where the user can login online and access the web app, and can also login on the native app (via the browser), and it’ll remember their login details (ie with an authorization_token).
I’ve been looking into IdentityServer4 but I’m a bit stuck on which authorization flows I would need for this.
Any help is appreciated, as it’s starting to hurt my brain! Do let me know if I need to explain it better.
For flows, there are today only two flows you should consider.
Authorization code flow, this flow is for clients where you want a user to login/signup, like a mobile app or web-application. Meaning, you have a user and a browser involved here.
Client credentials flow, is all about machine to machine communication, where you have no user involved.
I watched the recent Youtube video intro to Keycloak and have been following along with the examples used here: https://github.com/stianst/keycloak-containers-demo
I have it all working fine, and I am trying to test what this might look like with more applications. So I have added an additional Jenkins app to the mix and configured it to use the OIDC plugin for authentication. Was easy and works great. So now I have one realm with two clients, jenkins and the js-console. I am seeing some unexpected behaviors and wondering if I am doing something wrong or just have a fundamental misunderstanding about what Keycloak can provide.
I am not getting SSO. If I access the js-console app and login and then open the URL for Jenkins I am redirected to Keycloak and have to login again. I was expecting SSO to happen here. Doesn't Keycloak set a cookie or something so that I would be logged in to the second app? Thinking out loud .. could the fact that I am not using SSL be the issue? Maybe the cookie is marked as secure?
I went ahead and added Github login like in the demo. From what I can tell this will only work with one client. Both my clients get the same login screen so both have the login with Github option available, but the redirect URL's can only be configured for one of the clients. Is there a solution for this so that you could have many clients sharing the same realm and allow login via social login?
I would like to eventually test a SAML provider like Okta and am wondering if I will run into the same problem with that as I did with Github?
I hope you can direct me with my query.
I wish to create my own authentication method for users in my Google Apps for Work account. Currently I am using built in Google Authentication, however I wish to build my own authentication method in PHP, Phyton or .NET; language doesn't matter really. So I want users to go to the page I will create, then they will need to pass authentication and be logged to Google Apps.
I know SSO is the way to do it but after my research I found very little about how to achieve it with Google Apps. I mean there is tones of third party platforms like OneLogin etc but I would like to have something I build myself. Ideally I would like to have some examples of SSO which works with GAFW so I could figure out the rest myself. I read somewhere that building own SSO portal it's not a piece of cake and also found an article that you can create something based on oAuth2.0 instead. So tried research about oAuth2.0 but all documentation I found is about authenticating to the application that I build using Google Apps Credentials, where I want the opposite; to be able to access Google Apps using the app that I build.
Hope someone could direct me to some examples or documentation or explain the process of learning curve to get my head around this project of building SSO for GAFW.
If you want to write your own Auth system and become the Identity Provider (IdP), you need to use SAML as that is the only supported method for now.
Here are the step by step instructions
I have been building out a server api for mobile developers to use for an iphone app. I have no experience with mobile development and they have no experience with ruby on rails. I have attempted to build a mobile authentication route for the app that allows users to log in via facebook. So far, it looks like this:
GET '/auth/mobile/fbtoken=:facebook_token&device_id=:device_id&time_zone=:time_zone&os_type=:os_type', to: 'sessions#fb_sso'
client = OAuth2::Client.new(
ENV['FACEBOOK_APP_ID'],
ENV['FACEBOOK_APP_SECRET'],
site: 'https://graph.facebook.com')
token = OAuth2::AccessToken.new(client, params[:access_token])
user_info = ActiveSupport::JSON.decode(token.get('/me').body)
The resources online for learning how to do this properly are very limited or nonexistant. The only information I have found on how to do this involves using Devise for authentication. Our app currently is equipped for Devise (it's been added and the migration has been made to the User model) but does not currently authenticate via Devise. One of the only specific examples that I have been able to find for what we're trying to do can be found at the bottom of the page on this post:
https://www.ruby-forum.com/topic/4409930
It led me to believe that I was on the right track with the way the route was set up, because everything is the same besides the last step "sign in using Devise method: sign_in #user, :event => :authentication." This is what motivated me to attempt to integrate Devise into our application.
After reading that, what I meant to do was implement Devise in a sort of limited state and use only the sign_in method. Unfortunately, Devise seems to be very opinionated and more of an "all or nothing" sort of solution. I'm very unsure of how to proceed and how to decide whether to completely rebuild a significant portion of our application to support Devise or to abandon it altogether and try to implement my own solution.
tl;dr
1) Is it worth re-doing a significant portion of the Rails app to use Devise?
2) Is it possible to make this route work without Devise? How?
If you are only going to have your users sign in through Facebook then Devise would be unnecessary as you would just be using Facebook's API with Koala or Omniauth to authenticate the user. On the other hand, I see no reason why you couldn't have both your own authentication and Facebook authentication by also using Devise if you want non-Facebook users to use your app; you would just need either form of authentication to create a session.
And if I understand correctly, the solution at the bottom of your link doesn't use Devise for Facebook authentication but it's used to create a session when a person's FB account has been authenticated. Seems like a reasonable way to go.
To answer your TL/DR:
1) Only if you plan on having both a Facebook login and a traditional login at the same time.
2) Yes. Just give those GET parameters to a gem like Omniauth or Koala and create a session once the user has been authenticated.
Documentation on the net seems to be VERY scarce. The only option I can think of at the moment
is to have my SPA app break convention and to have the (initial) logged out page be different to the logged in one (eg my app).
My app is built using Durandal 2.0.0.
In one of my OAuth tests app's I've managed to implement this link successfully. But as Durandal does not work in the same way (Server-side controller, & razor views), I'm thoroughly confused in how to achieve what I want to.
I'd like to have my app remain a single page app. But I've got little to no experience with the OAuth SDK
My only requirement is that the user log into my app using his FB account.
I've had an initial stab at this using the FB java script API, and got it working, but after discussions with another developer this side, it doesn't seem like the purpose of the java script API is to facilitate secure application login's? As the way we had it, would allow any user to pass a valid fb userId, then he would be logged into our app. :/
How would I go about achieving this process flow in a Durandal/Web API Single Page App?
User logs in using fb ->
then on the server we get his fb userId ->
retrieve our internal appID
I'm not asking for a complete answer/for someone to do my work....
But any documentation to get me started/less confused would be greatly appreciated.
Here is a sample project which demonstrates how to use OAuth with Durandal and Web API:
DurandalAuth.
However there are some modifications in viewmodels needed, since router changed in Durandal 2.0.0.