I have a standalone Blazor WebAssembly app that communicates with a few backend APIs (ASP.NET Core REST). One of the APIs has an identity store (using ASP.NET Identity), and it serves JWT bearer tokens for users signing in from the wasm app.
Now, I would like to enable authentication using the social identity providers Facebook and Twitter. Anyone got experience with doing this for this kind of architecture? I am considering two alternative flows:
User calls a method in the Identity Api from the wasm app, which again challenges Facebook auth. On redirect, auth details are picked up by the Identity Api, which handles this and issues a JWT to the front
The wasm app itself challenges Facebook, and upon successful auth sends the auth info to the Identity Api, which creates the JWT and sends back to the wasm app
Hope someone has experience with this, I have spent a lot of time trying to solve this :-)
Related
We have a Spring Boot Web Application serving some REST API and the client consuming these API is a mobile app developed in React Native.
Now we need to secure the APIs and we're going to use Keycloak with Google as Identity Provider.
The integration between Keycloak and Google auth it seems pretty straight forward but I'm not able to understand the entire flow among parts and how to join the Browser login (on Keycloak page that redirects to Google authentication) in order to get a valid access token to perform API calls from mobile app.
I'll try to explain in another way. I supposed that:
Mobile app shows a web page (with Its browser) in order to perform the Keycloak login.
The end user using the mobile app presses the Google button on the Keycloak web page and is redirected to Google for the authentication.
Google authenticates the user and sends a redirect URI with the identity token and access token to the browser
...
then
...
Is it correct to get the access token from the URI and use it for the subsequent API calls?
Is it supposed to work in this way?
I have to say that we also have an API Gateway (Ambassador) in front of our Web Application (containerized in a Kubernetes cluster).
I read different articles online but I'm still confused about the best approach.
Any suggestion is welcome.
Thanks.
I'm trying to build an application based on a RESTful API and I'd like to provide a method for authentication with both JWT and OAuth (JWT for user access and OAuth for app access).
In short I'd like to do:
User Access (Web App, Mobile App - JWT)
------------------------> /
-----------------------> /api/login
-----------------------> /api/logout
Client's app (API KEY - OAuth)
------------------------> /services/getInfo
/services/getProducts
A user can use the web application and could wish to integrate some functionality of its app with my services, like Facebook, Github and so on..
I ain't sure about this approach because it's the first time I design a big application.
The questions are as follows:
Should I also use JWT for authentication by app?
Using JWT, can I trace how many requests the apps make?
Can I revoke a JWT token?
Is the OAuth protocol better than JWT for authentication by app?
OAuth 2.0 is an authorization protocol and it shouldn't be used for authentication. Consider using OpenID Connect for your scenario. It works on top of OAuth, so the flow would be identical with some improvisations for authentication.
In this case, you can register your application to use the same protocol for both end users as well as for calls within your applications.
Please explore client credentials flow for app access and implicit/hybrid flow for Web App.
OpenID Connect uses JWT tokens for authentication and authorization.
IdentityServer3 is a certified implementation of OpenID Connect. Their documentation is good and they have an active support forum to help you with queries.
Please refer to:
https://www.safaribooksonline.com/library/view/identity-and-data/9781491937006/ch04.html
https://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/
https://github.com/IdentityServer/IdentityServer3
https://github.com/IdentityServer/IdentityServer3.Samples
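As an added example (not part of the answer above, and not IdentityServer code), the following Python routine mints and verifies a minimal HS256 JWT and shows the three concerns the question raises: validating an app token, counting requests per client_id, and revoking a single token by its jti. The secret, issuer and audience are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from collections import Counter

SECRET = b"constructed-demo-secret"  # constructed signing key for the example
ISSUER, AUDIENCE = "https://identity.example", "api"  # hypothetical issuer/audience
REVOKED_JTIS = set()        # server-side denylist of revoked token ids (jti)
REQUESTS_PER_CLIENT = Counter()  # per-app request tally, keyed by client_id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub, client_id, jti, ttl=3600, now=None) -> str:
    """Mint an HS256 JWT; client_id names the calling app, jti makes it revocable."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "client_id": client_id,
              "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, now=None) -> dict:
    """Return the claims if signature, alg, iss/aud, expiry and revocation checks all pass."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unsupported alg")
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # check before trusting claims
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["jti"] in REVOKED_JTIS:
        raise ValueError("revoked")
    REQUESTS_PER_CLIENT[claims["client_id"]] += 1  # usage accounting per app
    return claims

def revoke(jti: str) -> None:
    """Revoke one token by jti; JWTs are stateless, so revocation needs this server-side list."""
    REVOKED_JTIS.add(jti)
```

Because revocation and counting both require server-side state keyed by the token, a JWT only stays stateless for as long as you do not need either of them.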
I'm building an app that supports credentials authentication, Facebook and Google OAuth on both Android and iOS.
My backend is written using ServiceStack.
For authentication using a browser we typically call /api/auth/facebook and ServiceStack handles the callbacks and exchange of information from the social provider such as Facebook for a person logging in the first time, and it also handles signing in a returning user via the same API endpoint.
When trying to add support for Facebook or Google authentication in a Xamarin app, how do I call the ServiceStack endpoints to properly authenticate? How are the callbacks handled on mobile?
I'm a bit stuck with this.
Have a look at the TechStacksAuth repository which provides an example of how to use the Xamarin.Auth component to authenticate with a ServiceStack OAuth backend like Twitter.
I know this question has already been asked by someone else, but I didn't find the answers to my exact question.
I'm building a backend that provides its API written using Django REST Framework and integrates Facebook using Django Social Auth.
The frontend consumes the API using AngularJS.
I used a simple Token-based Authentication and everything went well, when somebody authenticated with Facebook I could retrieve the simple token (which never expired) from the DB and return it to the frontend, which will use it for subsequent calls to the API.
My problem now is that I want to publish my APIs and use OAuth2.
In order to do this I am using Django OAuth Toolkit.
If a user uses the native login there is no problem, because I use resource owner password based grant type (giving only client_id because the frontend is a JS app).
Now, if a user authenticates using Facebook there is a problem! I have no password to use!
This fact made me reconsider everything about authentication in my backend.
I thought this:
Does it make sense to have my "official" frontend app consume the APIs using OAuth2?
Isn't it better to use Token-based authentication (or Session-based, if you prefer) only for my frontend app and let third-party apps consume the APIs using OAuth2?
And, if I do it like this, how can I tell my "official" app from other apps? Wouldn't it become a leak in security (for some reason, I don't know...)?
I am creating a REST API server. For each app I have provided an API key and secret. Example apps are a web app, a mobile app, and any other app that wants to use my API service. Now my API service will also need user authentication. How do I implement that? I have already done app authentication using HMAC signature generation. Now I need help on implementing user authentication on those apps.
I can recommend you use the OAuth or OAuth2 concept because it's standardized and widely adopted. You will also be able to allow users to log in with Facebook, Google account, etc.