We are facing an web application integration challenge that I could describe in great detail but an example is easier. We would like to link accounts of 2 very separate applications exactly how spotify accounts can be linked to facebook accounts. I'm not referring to how you can create a spotify account with a facebook login but linking your spotify account with a facebook account when separate accounts exist.
My understanding of OAuth is that the authorisation / authentication tokens are stored on the end user device (browser / cookies, app storage on mobile etc.) and that it is secure. It seems to me that spotify seems to be storing facebook authorisation tokens on their servers which seems to me to be a large security risk. The reason why I think this is that after I link my spotify account to my facebook account it is linked regardless of which client / device is used.
I have tried to find out in the internet how this works and have also inspect the browser application storage but cannot find out much information this way.
Related
Following up on the design outlined in Design for Facebook authentication in an iOS app that also accesses a secured web service, and specifically the concern listed in https://stackoverflow.com/a/12912616/5154090: what would be the mitigation?
Specifically, I have a web server that exposes a REST API which is consumed by a mobile app. I'd like users to authenticate to the server (via the app) using Facebook.
Now, an apparently common flow is for the app to redirect the user to Facebook, where they will login with their credentials. The app will then get a token which it will send to the server, and the server will validate the token using the graph API.
But how can the server make sure that the token really came from the app? Specifically, what's to prevent a malicious app vendor from re-using my app ID? After all, the app ID is hardcoded into the app and can therefore be extracted and used by a malicious app. If users log into that malicious app with Facebook, then the malicious vendor can get tokens with my app ID and can impersonate users of my service.
How can one protect against this?
To summarize for anyone else who happens to contemplate this - there is indeed no way to prevent the client ID from being spoofed. This is one reason that developers are discouraged from using the OAuth implicit flow in native apps as pointed out by Andre D in https://stackoverflow.com/a/17439317/5154090:
the use of the Implicit Flow with native apps is NOT
RECOMMENDED.
(see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-native-apps-09#section-8.5).
In practice, if anyone mounts this attack, then the user will download App A (a malicious app) and will then be asked to authorize App B to make actions on their behalf. As far as I can tell, this is generally the only indication that an attack is taking place.
Does anyone know of a way to use social logins without having to create an account with a social media website? For Example, I want to use Facebook's Login on my website, but I do not want to create a Facebook account nor an app just to use their login.
Far as I know it pretty much requires (facebook) an App to be created (on developer site for facebook) in order to utilized services with a website.
Unfortunately, in order to maintain a safe development environment, and to prevent the creation of spam apps, it is required that Facebook manage its developer users. This is to allow them to block apps that act maliciously, and to allow permissions to be managed on their server for the app access token. For a more detailed answer, I'll refer you to one on StackOverflow by Lix.
Assuming it is possible to transfer the Facebook API access token from some web app to my mobile app (via physical storage or network), will my mobile app be able to use that token as a regularly acquired token (as if the mobile app itself requested the token from Facebook)?
Is this procedure allowed in the Facebook API's terms of service?
Will the mobile app be able to cache that transferred token and use it as its own?
Basically, what I want is for the user to do Facebook Login and authenticate on one machine, and use the acquired token on a different one (e.g mobile app).
Is there a better way of doing this?
You can set your mobile app to go through facebook's oauth steps onload and if the user has already authenticated the app, he will get logged in right away, since you'll get an access token at this point of time, save that in the mobile app.
Automatic login triggers are now being used on both stackoverflow and quora. (if you sign up here through facebook, when you visit the site, you'll get signed in again - same for quora).
Also, access tokens grant access to a particular 'facebook app'. If your mobile app uses the same app id, then you can certainly reuse the same access token on the mobile device.
yep, we can reuse it. I got an access token from mobile app then it's applicable on web browser.
I have a web application that's going to be available for all users on my google domain.
Is there a way of allowing the application to manage user's emails, calendar, etc without requiring the user authorization using the fact that all users are part of the domain?
You will need to have a look into Google Apps 2-Legged OAuth APIs, they will allow you to access/manipulate users data without their authorization.
You can find the list of available 2-Legged OAuth APIs here.
Unfortunately you will see that you cannot do as much with the 2-Legged API as you can with the 3-Legged API. However, 3-Legged OAuth requires the users consent at least once.
Consider the following situation: internet provider has a selfcare site that is integrated with facebook, i.e. user can login toselfcare site using his facebook credentials.
However, when user has not paid for the internet access, he is limited to the provider's only sites (ex. selfcare.provider.com). In this case, facebook integration stops working due to access restrictions.
Question is: is there a way of restricting access to facebook in such a way, so that only login can be enabled?
You want to allow users to authenticate against your app without allowing them to access Facebook itself?
I don't think that will be possible short of applying some custom logic on your end to try to determine if a request to Facebook is for login purposes or to access Facebook itself - there's no API for this.