I have a website using ASP.NET Core, which uses MS Identity and external login from Facebook.
I have a Xamarin app that logs to this backend via login/password using Xamarin.Auth. I am wondering which is the best way to allow external login to Facebook from the app?
Should I create a separate Facebook app for Android or should I use the same as the website?
What would be the flow?
I am thinking of something like:
Using the Facebook sdk to log in
Pass the token to the server
Check from server side if the email exists or the FB user id exists
If yes check whether the app is registered using Facebook and if yes login
If no create an account
But until now I haven't stored the user's Facebook Id (only the email, that the user can also modify).
Xamarin.Auth is client library and currently has no server side implementations.
So, your server is Protected Resource and Facebook will be Authorisation Server. After you obtain your tokens (access_token and refresh_token) you would try to access Protected Resource presenting access_token as a credential. Protected Resource will perform token introspection (this could be separate service-server) which will decode the token, lookup username (mail) and check expiration of the token.
This is not specified in draft (RFC) so check how FB does token introspection.
Few links for more info:
How to validate an OAuth 2.0 access token for a resource server?
http://blog.api-security.org/2014/10/oauth-20-token-introspection-profile.html
https://www.quora.com/In-OAuth-2-0-how-do-resource-servers-assert-a-token-issued-by-an-authorization-server
https://connect2id.com/products/server/docs/api/token-introspection
https://leastprivilege.com/2015/12/27/oauth-2-0-token-introspection-middleware-for-asp-net-5/
Related
I have a Web API developed with ASP.Net Core. I also have a client app developed with Next.js and it uses NextAuth.js to handle the authentication.
In the UI, when a user is authenticated, I have access to the access token from Facebook.
My question is how can I use this access token to authenticate the requests sent to the back-end API.
This is the back-end code used to register the Facebook authentication scheme (it is all standard):
builder.Services.AddAuthentication()
.AddFacebook(
facebookOptions =>
{
facebookOptions.AppId = "<my_app_id>";
facebookOptions.AppSecret = "<my_app_secret>";
});
I want to construct a Postman request that can authenticate my user using a specific access token but I do not know where to put this access token and whether this is possible at all.
Just sending the request like this (without any modifications) results in visualizing the Facebook login page.
Your Asp.NetCore project integrates Facebook login. After logging in, the token you get can only access protected resources in the current project, such as: [Authorize].
If you want to access Facebook's resources, you need to write your own code to get the token and then access the resources.
1. How to Get Facebook Access Token in a couple of minutes: 2020 guide
2. How to get current user access token from Facebook SDK in C#? Not the App access token
After you get facebook access_token, then you can access Facebook's resources.
I'm trying to develop a React application that will allow users to login with their Azure AD accounts and their Facebook accounts.
The first thing is that I didn't understand about the 2 tabs "User
Pools and Federation Identities". Do I need both to get it done or
just the User Pools is enough?
My goal is just the authentications. I don't want to allow users to access any AWS service. I just want the authentication token.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth. Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Do I need both to get it done or just the User Pools is enough?
No. Userpool is more than enough if you just need authentication and do not need to use AWS services.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth.
What user data do you need to save. If you want User's profile data to be saved in Cognito, you need to use Cognito Userpool & not Federated Identities. Add Facebook directly to Userpool. Upon using Facebook login, a user is auto-created in the userpool based on all user data available in the token. See this doc on how to add Facebook to a userpool directly.
Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Depends on your use-case. If you just want to add authentication to an app, the best way would be to Add Facebook to a Userpool directly, create an app client in the userpool for your application; enable Facebook for that app client & use Cognito Userpool's built-in UI to login using Facebook. This feature (built-in UI) is called App Integration. After successful Facebook login, a valid token will be sent to your app. Do note that the token sent to your app would be from Cognito.
Client--> Userpool built-in UI --> Redirect to Facebook --> Login using username +password --> Facebook sends its token to Cognito ( https://your-user-pool-domain/oauth2/idpresponse)-->Userpool vends its own token & redirects to the URL mentioned in the redirect_uri.
I'm investigating how to use id server to provide auth services for a native mobile app that will talk to a Web API that we are developing. I started off with the flow as described in the MVC walkthrough - so the user is redirected by ID Server to FB (with acr_value/idp) and then redirected back after sign-in, where I can do the claims transformation and issue a token for our application.
The developers of the native client have concerns about this though, and would rather use the FB sdk to log the user in to FB, instead of having id server issue the token after redirections. The following issue on the previous version of ID server explains this well:
https://github.com/IdentityServer/IdentityServer2/issues/503
How would I go about doing this with id server 3?
This is a perfect use case for a custom grant.
1) first do native FB login
2) send FB token to IdentityServer token endpoint using custom grant
3) write a custom grant validator that validates the FB token
4) return JWT token for your APIs
Documentation:
https://identityserver.github.io/Documentation/docsv2/advanced/customGrantTypes.html
How can I use the existing facebook access token without additional authentication. I have a server system which will give valid facebook access tokens to clients.
The flow looks like this:
Client redirects user to facebook through server API
User authenticates
Server API handles redirect
Server API sends access_token to client (via WebSockets)
Client does job with graph API
Is this possible when using parse.com? (IOs and Android SDKs)
I need to obtain a facebook page access token on the server.
From what I've read to obtain a page access token you must first obtain a user access token with the manage_pages permission then make a separate call to "me/accounts" to get the page access token.
The problem with this is the application I'm developing will automatically be publishing content to a Facebook page from the server. That being said obtaining the user access token from the backend is a problem.
Ideally I would like to programmaticly obtain the user access token then the page access token completely on the backend for the ability to automatically publish content to the page.
Any suggestions on how this can be done from the server side?
Thanks
It is not possible to get page access_token without authentication of user and manage_pages permissions granting.
Authenticating as a Page guide states:
First you need to authenticate a User, and obtain a User Access Token. To do this, please follow the server-side or client-side auth flows for the mobile web and desktop web, or the native iOS or native Android authentication flows.
Refer to Authentication documentation and Authenticating as a Page guide for details.