I have a C# desktop application that works against a server(play framework 2.5 if it matters)with REST API calls.
I want to authenticate the calls from the client(desktop app) to the server using gmail accounts.
now before displaying the flow, some clarifications:
the client app is sometimes unattended(I receive the username+password from somewhere else) - meaning displaying a user consent screen is not an option
I have no interest in any Google APIs! I only want to access my server REST API.
I only need Google for the authentication stage
the wanted flow:
In the client:
get the username and password from the user(as mentioned can be done non interactively)
authenticate the user against google and get a token
send a request to the server including the token
In the server:
"decode" the token back into username
check if this user is authenticated to do the call and act accordingly
if possible - how would you do it?
You'll first need to setup a new project on the Google API Manager (that's where that content Guid is coming from below in the meta tag).
On the client side, here's how you can use Google's Sign-In button template to initialize the login & grant of permissions process:
<meta name="google-signin-client_id" content="29chqvu3ghgtte1.apps.googleusercontent.com">
<script src="https://apis.google.com/js/platform.js?onload=onLoad" async defer></script>
<div id="google-signin-button"
class="g-signin2"
data-width="170"
data-height="30"
data-onsuccess="onSignIn"
data-onfailure="onSignInFailure">
</div>
function onSignIn(googleUser) {
var profile = googleUser.getBasicProfile();
var idToken = googleUser.getAuthResponse().id_token;
}
Then you can simply send this idToken to the server/api, from where you can do a GET on Google's endpoint to verify this token https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={0}. There are of course numerous other ways in which you can validate the token (and actually get a handle on it, of course).
This would be the gist of it (excluding the non-interactive user login - keep in mind you'll also need the user to grant permissions).
Related
I am currently using a client-side React component to have a user login to Facebook via OAuth in my application. On the server-side, I use the npm package passport-facebook-token to validate the authenticity of the accessToken after a successful client-side login.
One practice I do not see often is in addition to asking Facebook if the accessToken is valid, shouldn't the server also check if the email provided by the client's payload matches the e-mail coming back from Facebook? Allow me to use defined client/server technologies to illustrate my question:
1) User uses React component on the client to authenticate with Facebook.
2) React component successfully authenticates with Facebook and fires an HTTP request to the server with an access token and the user's email.
3) The server, running Node.JS and passport-facebook, now needs to verify the authenticity of the access token directly from Facebook. Facebook does not care for an e-mail. It will just verify the access token.
4) Facebook returns a response to Node.js confirming the authenticity of the access token. The response also contains other metadata about the user, including their email and other profile data.
My question is, should Node.js take the email that's also coming back from Facebook's access token verification payload, and verify that it is what came back from the React client? Would this not prevent someone from brute-forcing an accessToken and require them to not only have an accessToken but also know who the accessToken belongs to? This could prevent a user from submitting a bunch of HTTP POST requests to the Node.js server attempting different access tokens. They would not only have to guess an access token assigned to the application's clientID, but also know the e-mail it belongs to. Is this an over-engineered approach?
Really the best way I can think of to make your OAuth accessToken and 'code' value less prone to brute-forcing is using a Cryptographic Number Generator to create a 128-bit length string of random data and encoding it with base 64 to use as your code. It's extremely unlikely that it would be guessed by a computer or by someone redirecting to and from the authorization endpoint and the redirect-uri with query parameters.
Another method of fortification is limiting the rate of authorizations by IP address (which you can do instead of email through Node.js) but that is usually not a problem for most well-equipped hackers. I highly advise the first method for creating a more secure service.
Your approach to validate the email as well as the token is a bit superfluous because Facebook's opaque user access tokens are inherently tied to email.
From Facebook
An access token is an opaque string that identifies a user, app, or Page
"opaque" is defined by Auth0 here
Opaque Access Tokens are tokens in a proprietary format that typically contain some identifier to information in a server’s persistent storage
In your case, the identifier is the user's email, and the server belongs to Facebook.
I will elaborate further. Here is your step by step with some edits:
User uses React component on the client to authenticate with Facebook, inputting both their email and password directly to Facebook. React component gets the token from Facebook on login success.
React component successfully authenticates with Facebook and fires an HTTP request to the server with an access token and the user's email.
The server, running Node.JS and passport-facebook, now needs to verify the authenticity of the access token directly from Facebook. Facebook does not care for an e-mail. It will just verify the access token because the access token is already tied to the email.
Facebook returns a response to Node.js confirming the authenticity of the access token. The response also contains other metadata about the user, including their email and other profile data.
This is Facebook's bug bounty program. If their OAuth was really as cracked as to require a second email validation, it would have been patched almost immediately by this incentive.
I'm writing a daemon app for my customers (multiple tenants) who are using outlook.
I'm using 2 application permissions that need admin consent - Mail.ReadBasic.All and
User.Read.All. my app first needs to read all the users' ids, then get all the metadata of their emails.
I've created a new tenant with office365 to test this, let's call it - test, and sent a couple of emails between 2 users.
So, at first, I'm redirecting the admin of the test org to the adminconsent endpoint, where he/she is granting application permissions to my app. This is the URL I'm using:
https://login.microsoftonline.com/organizations/v2.0/adminconsent?
client_id=<the app ID>
&state=<some state>
&redirect_uri=<my redirect URL as written in the app configuration>
&scope=https://graph.microsoft.com/.default
After calling this endpoint I can see my app listed in the test org under the Enterprise applications and can see the relevant permissions were granted by an admin.
Since I'm not getting a code from this flow (needed for the oAuth2 authentication flow), I then need to ask the admin to login again. I'm using this URL for that:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=<same app ID>
&response_type=code
&redirect_uri=<same redirect URL>
&scope=https://graph.microsoft.com/.default+offline_access+openid+profile
&state=<some state>
After the login is successful I'm getting a code back to my redirect URL and after another request, I'm getting an access token. Using this access token I'm trying to access any of the following APIs:
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/users/user-id-of-user-in-test-org/messages
But I'm getting ErrorAccessDenied with a message: Access is denied. Check credentials and try again.
Further information:
I'm using python and the MSAL package to build the app (using the class - ConfidentialClientApplication) and the URLs for the authentication flow (but not for the adminconsent endpoint, as I couldn't find out how to do it)
Do you know what I'm doing wrong? I'm losing my mind over this... :(
This page should describe everything you need:
https://learn.microsoft.com/graph/auth-v2-service
The admin consent URL should be specific to the customer's tenant. You can use the word common if you want to allow signing into any tenant.
https://login.microsoftonline.com/{tenant}/adminconsent
You also must URL encode the redirect_uri param (and all other params). For some reason the example in that document is not URL encoded, but the value here must be URL encoded. You should see no colons, slashes, ampersands, etc. for this parameter.
For a different example that requests specific scopes for admin consent (instead of the default which is all the scopes you listed during your AAD client app registration) see https://learn.microsoft.com/azure/active-directory/develop/v2-admin-consent.
You will receive a callback to the redirect URI to indicate everything worked. This includes the tenant ID that granted you admin consent.
After that you initiate a separate token request call for the tenant ID, your application client ID and a specific requested scope. This will then return an appropriately scoped access token which you can use directly in all API calls. You can do this like so: https://learn.microsoft.com/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=python#acquiretokenforclient-api
# The pattern to acquire a token looks like this.
result = None
# First, the code looks up a token from the cache.
# Because we're looking for a token for the current app, not for a user,
# use None for the account parameter.
result = app.acquire_token_silent(config["scope"], account=None)
if not result:
logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=config["scope"])
if "access_token" in result:
# Call a protected API with the access token below.
print(result["token_type"])
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id")) # You might need this when reporting a bug.
Hope that helps. The article above has all the details.
I am building a REST API as the backend for a mobile app. I would like to check if the requests made to the API are coming from our mobile app. However, the API will require end users to login in order to access certain endpoints.
My questions is, how could I authenticate all incoming requests to make sure they are coming from our own app, while also authenticating the end users for some requests?
I was thinking of sending an API key with all requests in the Authentication HTTP Header to authenticate the mobile app, and (separated by a comma) also send along a JWT for authenticating the end-user. While this could work, it seems a bit "hacky".
What is the standard way of authenticating both the mobile app and the
end-user of the mobile app at the same time?
Using an application token and a user-specific session token is one method of separating authentication of the two. The application token would be unique for your application, and should be obfuscated so that inspection of the client's binary would not lead to easy detection of the token. The user-specific session token should be generated when the user is logged in. The client adds this user session key to future API calls, the server will check if the session key is valid, and can use it to look up any session state stored for the client.
However, optimally, you would implement the full oauth2 spec. as outlined in this ultimate guide to mobile API security:
Here’s how OAuth2 token authentication works from a user perspective
(OAuth2 calls this the password grant flow):
A user opens up your mobile app and is prompted for their username or email and password.
You send a POST request from your mobile app to your API service with the user’s username or email and password data included (OVER SSL!).
You validate the user credentials, and create an access token for the user that expires after a certain amount of time.
You store this access token on the mobile device, treating it like an API key which lets you access your API service.
Once the access token expires and no longer works, you re-prompt the user for their username or email and password.
What makes OAuth2 great for securing APIs is that it doesn’t require you to store API keys in an unsafe environment. Instead, it will generate access tokens that can be stored in an untrusted environment temporarily.
This is great because even if an attacker somehow manages to get a hold of your temporary access token, it will expire! This reduces damage potential (we’ll cover this in more depth in our next article).
I'm evaluating whether to use Ionic's cloud Auth service and it seems like it's relatively easy to implement client-side, where you can check this.auth.isAuthenticated. You can also set the user info from the client side as well.
However, if I want to do check their identity server-side, such as check that a user is authenticated when they call my custom api to post a comment - how can I get some sort of token (preferably a JWT token) that I can use to validate their identity server-side? Assuming we are using email/password authentication.
Also - using their send notification on a user's birthday example, how can I query the user data in ionic cloud's database to say find all users who have a birthday today. Can I export out the user data in any way if I want to migrate away in the future?
You should implement a JWT authentication service server side.
In other words when the user is authenticated, the app can send a JWT token to the server which should be evaluated to trust the remote user.
For more info reads: https://docs.ionic.io/services/auth/custom-auth.html
A php example here: https://github.com/driftyco/custom-auth-examples/tree/master/php
Regards from Italy
I want to create an app that will authenticate with my server using oauth.
My question is how will this work?
My client side will communicate using HTTPS with Facebook and get an Access Token. Then it should send it to my server side to authenticate? My server should save the token in the db? How it can validate the token?
how will this work. ?
When the client needs authorization to access some information about the user, the browser (user agent) redirects the resource owner to the OAuth authorization server. There, the user is faced with an authentication dialog (this dialog is not shown if the user is already authenticated), after which he or she is presented an authorization dialog explaining the permissions that the client is requesting, the information that it needs to access or the actions that it needs to do on his or her behalf.
Access Token should send it to my server side to authenticate? or server should save the token in the db?
From what you describe I'd suggest to use a server-side login flow.
-so that the token is already on your server, and doesn't need to be passed from the client. If you're using non-encrypted connections, this could be a security risk.
(after a user successfully signs in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity of the ID token and retrieve the user's ID from the sub claim of the ID token. You can use user IDs transmitted in this way to safely identity the currently signed-in user on the backend.)
-See
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2#login
How to validate token ?
you can follow this link , you will get your step by step solution for an app.
Facebook access token server-side validation for iPhone app