we are using SAML protocol.
I have some doubt on the SSO functionality in different browser.
If i enter my application url in chrome then it is asking for credential that is correct one and then we are on landing page.
Now i have enter same url on different browser i.e Mozilla then again it is asking for credential but that should not asked the credential once again.
Give me proper solution for this.
SAML 2.0 is typically a browser-based flow. That means unless Chrome and Firefox are sharing cookies, which I know of absolutely no way to do, that's not going to work. SSO is tied to the browser.
The behavior you're describing as a problem isn't a problem, it's a feature.
N.B. There are some ways to tie a single sign-on session to, i.e. a Windows login, but AFAIK getting that to work with Chrome isn't going to be easy (if possible), as you'd need to use Kerberos/SPNEGO. There are also very limited use cases for this, such as in a corporate environment, where you want AD users already authenticated to say, a company intranet site.
Related
I’ve got a set of APIs written in ASP.NET. These are to be accessed by a web app and native mobile app, and should be protected by the SSO.
I would like to be able have a SSO, where the user can login online and access the web app, and can also login on the native app (via the browser), and it’ll remember their login details (ie with an authorization_token).
I’ve been looking into IdentityServer4 but I’m a bit stuck on which authorization flows I would need for this.
Any help is appreciated, as it’s starting to hurt my brain! Do let me know if I need to explain it better.
For flows, there are today only two flows you should consider.
Authorization code flow, this flow is for clients where you want a user to login/signup, like a mobile app or web-application. Meaning, you have a user and a browser involved here.
Client credentials flow, is all about machine to machine communication, where you have no user involved.
I've a (WordPress) website that's secured using CAS. Single sign on is fine for most pages, but a few pages contain sensitive information and require a little more security. For those pages I would like to ask the user to re-enter their password. Is that possible with CAS?
(I did wonder whether I could somehow have those pages behave as separate applications that use the "renew" parameter, but that doesn't seem straightforward.)
It depends how WP is integrated with CAS. If it's able to submit renew=true for certain parameters, then yes you could. This is probably a limitation of the WP plugin.
As you can see on the image, spotify has a modified version of facebook login.
On the spotify app shown, user can login using either facebook or spotify account.
I wonder if its only on the looks or they were using other facebook authentication process.
I also wonder and worried if spotify could get facebook password entered by the user.
What facebook authentication they were using in here?
As you have noticed, Spotify is using a different Facebook login flow that is not listed anywhere in the official Facebook developer documentation. Since the Facebook password is entered into a closed source client, there is no way for you to know for sure what happens without heavy reverse engineering and debugging of the client. In that sense you should be worried. It goes against and devalues the good policy of "Please don't enter your password anywhere else". Thinking about differently, Facebook trusts this company enough to allow this. There might be a few more companies that have the ability to use this login flow, but I don't know.
I work at Spotify and was there when it was introduced (September 2011). We worked very closely with Facebook (I helped build some parts of the backend integration). It is not my favorite part of the client though. I would much prefer a standard Facebook OAuth 2 authorization flow. That was however one of the main technical problems in spring 2011 when we started to build this. We basically needed to embed a browser in the client to make it work properly or redirect the user to a browser and then back to the client again. There were also other reasons that I can't remember why we didn't do this.
Now when we have an embedded browser (since December 2011) it would be much easier to change. I believe this type of login flow will be phased out eventually.
Is it possible to have a client app which can authenticate using Facebook but without requiring browser(I mean no embedded browser in the code)?? User inputs the username/password and allow access to app using the client app only.
Any Suggestions will be of great help.
Thanks,
Tara Singh
Edit: I have created app in Python which requires browser interaction. Now I want to get rid of that and do it using my client app only. Any Links/Tutorials??
Thanks Again
I know this is an old question and it's answered but I thought 'horse mouth GET'. From Facebook: https://developers.facebook.com/docs/authentication/...
Our OAuth 2.0 implementation does not
include explicit desktop app support.
However, if your desktop app can embed
a web browser (most desktop frameworks
such as .NET, AIR and Cocoa support
embedding browsers), you can use the
client-side flow with one
modification: a specific redirect_uri.
Rather than requiring desktop apps to
host a web server and populate the
Site URL in the Developer App, we
provide a specific URL you can use
with desktop apps:
https://www.facebook.com/connect/login_success.html...[cont]
Actually the answer is absolutely not.
In order to authorize your app a user has to enter their facebook username and facebook password on facebook site and you need web browser for this. There is no way to skip this step (you can't ask what their username and password are and then exchange it automatically for access token). You can read more about this here.
absolutely yes, but, we'll need to know which programming language you want to use before we can give much advice.
For example, it's possible using httpclient for java and python to encapsulate all the functionality you need, others can chime in with libraries that they use for C, C++, perl, etc.
[edit]
search for httpclient and how it's used with python. if you run wireshark on your system, you will be able to watch the data interchange (if you don't understand the http protocol completely) and then implement that in your code.[/edit]
Some good links in this regard:
http://developers.facebook.com/blog/post/289/
https://developers.google.com/identity-toolkit/
https://developers.google.com/accounts/docs/OpenID
http://facebooktoolkit.codeplex.com/
http://csharpsdk.org/
http://blogs.msdn.com/b/appfabric/
Apparently now you can, if you're a beta tester for their newest feature: https://developers.facebook.com/docs/authentication/devices/ Reminds me of PIN's on Wifi
Yes and no,
I've had the same problem with my server. It was console only, so I had to make a solution. First I've logged in using the lobo java webbrowser. I've transfered the cookies of lobo to my server.
For a middleware system with internet (which works inside a set-top box) I want to develop a primitive Facebook interface where users can type their user-names and password, showing their latest notification, messages and other casual stuff on the TV screen by using the recent Facebook Graph API.
This middleware program uses Java ME to run programs (such as this simple facebook app) and it can connect to internet however it doesn't have a real web browser. Without browser it can connect to any url to retrieve the JSON response however I am not sure how to achieve authentication without a real browser.
Under this circumstances, is it possible Facebook authentication? If you think so, what approach would you suggest ?
Thanks
Facebook provides trusted partners with a private Authorization API to get an OAuth 2 token from a username / password.
A more complicated approach would be doing something similar to how Netflix enrolls a device:
device calls server to obtain a Code
device shows code on screen and directs user to go to URL on server and enter Code
server redirects user to Facebook and obtains OAuth token, user told to go back to device
device calls server with Code and obtains OAuth token
device can now make calls directly on behalf of user
According to this documentation on "Desktop Application Authentication" I don't believe your desired result is possible:
Facebook's OAuth implementation does not include explicit desktop application support. However, if your desktop application can embed a Web browser, you can add Facebook support to your application easily using the same OAuth User-Agent Flow used by JavaScript clients.
However, it is clearly possible for certain vendors to do this, since Microsoft's Xbox 360 Facebook application does exactly what you are proposing. I'd be interested to see if anyone has dug up any API for doing this that Facebook doesn't want in their most obvious documentation.
This isn't an answer but I'm trying to do the same thing. Check out this guy's blog which uses another server to proxy the requests:
cory wiles blog
If you figure it out please post a detailed answer here so I can do it to.. :)
I think it is possible though it is pretty complicated and subject to sudden changes of Facebook interface. It might break the agreement between you and Facebook.
What you do is to emulate the Facebook.
One path you have to set up a Facebook application. Once you got the authorisation from user, you can to something with Graph API.
You need to the Facebook log-in process and authorisation process. There are some capturing tools on http/https request and response. Analyse them, both header and body.
Once you know the authorisation mechanism, you can replace it with you own. Everything afterward is on Graph API.
Another path is to emulate Facebook login and message and notification process. Capturing and analysis is needed.
In the past I have used a tool called screen-scraper (full disclosure: I used to work there) to automate logging in to facebook. Basically, it imitates a browser session; it allows you to set session variables (i.e. username, password) which would then be submitted to facebook, just as if the user had submitted them in a browser.
You may not be able to use screen-scraper in your set-top box environment (although it is java-based, so it's possible it would work). Even if it doesn't, you could implement a similar strategy in java, making the HTTP calls a browser would make to load the login page and submit the user's credentials. To keep the user's info safe make sure whatever HTTP client library you use supports HTTPS.
Proxy tools and extensions like Charles, Fiddler2, Firebug, Chrome's dev tools, etc. are helpful in seeing exactly what the browser is sending to the server in requests.