Box login - how to develop on both localhost and in production? - ibm-cloud

I have:
a Node.js app that uses the Box Content API, and...
a Box app, just so I can register an OAuth2 client_id, client_secret and redirect_uri with my Box repo.
My current redirect_uri is "http://localhost:3000". The app works fine if I run locally. It fails miserably if I deploy to Bluemix (e.g. "https://myapp.mybluemix.net").
I believe you can register multiple redirect_uris for a single OAuth2 client_id/client_secret in Facebook and Google, but I can't see any workaround in Box, except to create a second app...
These posts are similar, but I don't need to authenticate TO a separate OAuth2 server ... I just need to authenticate FROM two different ENVIRONMENTS (my Node app locally, vs. the same Node app on Bluemix).
Facebook login - how to develop on both localhost and in production?
Using OAuth for both development and production environments
Q: Is there any way that I can register multiple redirect_uris for the same Box app?
ADDENDUM:
Thanks to Murtza Manzur for his reply:
Box does not support multiple domain redirect URIs. To use different
domains (localhost and mybluemix.net), you would have to create a
separate app for each domain.
This means I need two Box apps, and I need to configure my Bluemix/Node app to use one or the other.
Here is an excellent discussion about how to do that efficiently and securely in Bluemix:
Keeping secrets – how your cloud application should access credentials and other private data, Patrick Mueller

Box does not support multiple domain redirect URIs. To use different domains (localhost and mybluemix.net), you would have to create a separate app for each domain.

Related

How to resolve endpoint for an Android app aimed at multiple customers?

First let me explain the problem:
We have an Android app and multiple customers. Each customer has their own endpoint (Kubernetes cluster of microservices basically) that the app should communicate with. To prevent us from having to deploy multiple versions of the app (one for each customer) we are looking for a solution that will use one app but allow for multiple endpoints.
I am interested in knowing if, and if so how, others have solved this.
We have tried:
Automatic endpoint resolution within the app based on the user's domain. This fails our requirements because we then need to build a new app for every customer, which is not optimal with tens of customers appearing every week.
A microservice that gives the user an endpoint based on the user's domain. This fails because it creates a Catch-22 problem... how do we know the endpoint of this microservice?
Keycloak User Attributes. We use Keycloak for SSO. Using the REST API in Keycloak requires an admin user, but we do not want to expose such an admin user from any external application.
Manual endpoint insertion in the app. Highly user-unfriendly!

Should I use keycloak or not?

I'm just starting a new project. The result will be an API server and a progressive web app. The API server is implemented with TypeScript and the NestJS framework, the client with Angular 6.
I've been flirting with keycloak for some time. Still, I'm not quite sure it's right for me yet. But I don't want to worry about things like token renewal anymore and find it sexy that Keycloak tells me how to create user roles.
What bothers me is the following - integration. For my use case it is necessary that the login and all features like password reset and so on are part of my application. That means I want to create the forms myself in order to be able to do this perfectly in my own design and not have a second translation process, etc. Keycloak themes are not an option. So is it possible to hide Keycloak in such a way, or is it so complex that I shouldn't use Keycloak in the first place? AFAIK there is already an issue with password resets - I can't request it from the user side but have to make a REST call to the admin endpoint - which is okay but not ideal since it requires me to do more server-side logic (and that is not why I want to use Keycloak).
In addition, Keycloak is too much about the GUI - which makes it difficult for me, especially during development. Because I also want to provide my team with a local instance of Keycloak during development. But what is the concept for importing the initial data into realms, apps and also users into Keycloak? I found some JSON imports - but so far only for realms and apps. Is there also a function to import a whole dump?
So that my team builds on a pre-built setup and has a user for each role. A reproducible setup with Vagrant or Docker which contains the import of initial data - that would be the goal.
So in short my questions:
Is it still worth the effort using Keycloak if I want to use everything via the API or should I simply use Passport and JWT?
Can I have a reproducible setup during my development that includes realms, apps, users, user roles, etc?
So, the question was asked a few months ago, but I also faced that question, and I want to answer it.
I think that you don't need Keycloak; it is quite enough for you to use OAuth2 and JWT.
Let me justify my answer:
You have just one client - the Angular application. Keycloak is useful when you have many clients (web-js, mobile platforms) and you want to create and manage them dynamically. But I think that, in your case, you create your client once without modification in the future.
Also, Keycloak is very useful when you have a lot of integrations with third-party systems (Google, Fb, Twitter etc.) because Keycloak has them out of the box. Or when you need to integrate with some SAML or LDAP provider.
You may use Keycloak if you need an Identity and User management platform, and when you have a complicated user access flow.
In the end, you could consider Keycloak if you need the SSO (Single Sign On) feature. Once logged in to Keycloak, users don't have to log in again to access a different application. But, by your description, you have just one application.
Keycloak offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.
It's an out-of-the-box solution for rapid development of an application's security layer. You could have a single common security layer for multiple applications.
You can implement your security mechanism without using Keycloak.

Can a Facebook app fetch data from an external server using HTTP requests

I want to access data from an external service for a Facebook application, but I'm not finding a solution for how to do this.
Facebook apps are iframes inside Facebook. If your application has its own server-side code, you can access that external service from the server and send the results to the client.
If you don't have your own server-side code, relying on Facebook objects for persistence, then you can access the remote service from the client via JavaScript - but there is a "but". Browsers usually only allow JavaScript to send requests to the domain where the page came from, and obviously your app is not served from the domain of the external service (otherwise it wouldn't be "external"). That means your users will have to set the security options in their browsers to allow access to remote domains - which means you'll have to supply instructions on how to do that, and we all know how good users are at following instructions... Also, having to change security options might scare away some users.
So - if possible, try to do it from your server-side.
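As an added example (not code from the question or the answer): the server-side relay the answer recommends, written as plain functions so it runs without Facebook or a web framework. The caveat a practitioner would add is that a relay which fetches whatever URL the client names becomes an open proxy into your own network, so this version only talks to a fixed list of external services and only on paths they are allowed to use. The service names, paths and the injected `fetchUpstream` function are constructed for illustration.

```javascript
// Added example, not the question's or answer's code: a server-side relay
// that fetches from a fixed set of external services on behalf of the
// iframe app. Service names and paths are constructed for illustration.

// The only upstreams this relay may reach. The client names a service and a
// relative path; it never supplies a host.
const UPSTREAMS = {
  weather: { base: 'https://api.weather.example/v1/', allowedPaths: /^(current|forecast)\/[a-z0-9-]+$/ },
  news:    { base: 'https://news.example/api/',       allowedPaths: /^headlines(\?page=\d{1,3})?$/ },
};

// Resolve the client's request to an upstream URL, or return null to refuse.
function resolveUpstream(service, path) {
  const upstream = UPSTREAMS[service];
  if (!upstream || typeof path !== 'string') return null;
  if (!upstream.allowedPaths.test(path)) return null;
  const url = new URL(path, upstream.base);
  // Belt and braces: the resolved URL must still sit under the base, so
  // "..", "//host" or backslash tricks cannot walk out of it.
  if (!url.href.startsWith(upstream.base)) return null;
  return url.href;
}

// Handle a relay request. `fetchUpstream(url)` is injected so the function
// can be exercised offline; in the app it would wrap https.get/fetch with a
// timeout and a response-size limit.
async function relay(query, fetchUpstream) {
  const target = resolveUpstream(query.service, query.path);
  if (!target) return { status: 400, body: { error: 'unknown service or path' } };
  const res = await fetchUpstream(target);
  // Forward only the status and the parsed JSON, never upstream headers or
  // cookies, so the client sees nothing the relay did not mean to pass on.
  if (res.status !== 200) return { status: 502, body: { error: 'upstream failure' } };
  return { status: 200, body: res.json };
}
```

The same-origin restriction the answer describes then only has to be satisfied between the iframe's page and your own server, which is trivially the same origin.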

Facebook OAuth redirect to IP address

I'm developing an intranet-based web app that integrates with Facebook via the Graph API. I am struggling to get OAuth working, and I think it's because I'm using an IP address rather than a domain.
I've registered three apps with Facebook, one for dev, one for staging and one for live. They are all configured identically, and for each one I've specified the Site URL in the Developer portal accordingly (I've masked some parts - they're real numbers in Facebook):
Dev - http://localhost:XXXX/
Staging - https://192.168.XXX.XXX:XXXX/
The URLs for the OAuth dialog output as you would expect - only the App ID and redirect URL are different on the three systems:
http://www.facebook.com/dialog/oauth/?response_type=code&display=popup&scope=create_event,publish_actions,publish_stream,read_stream,offline_access,manage_pages,read_insights&client_id=XXXXXXXXXXXXXXXX&redirect_uri=http://localhost:XXXX/path/to/redirect
The dev version works fine but staging and live do not - I just get
"An error occurred. Please try later".
Am I right in thinking that Facebook's OAuth doesn't accept using an IP address rather than a domain for Site URL, and if so is there a way around this?
You are correct, you cannot use IP addresses. You can use domains or even subdomains, but IP addresses won't work.

Facebook Connect on multiple domains with centralized login

We are looking into implementing Facebook Connect on our wiki service, http://www.wikidot.com. User-created sites span the *.wikidot.com domain, but also custom domains (like mine, http://michalf.me), all handled by our single service.
We have a centralized account system. Users always log in (and create accounts) at www.wikidot.com and they are automatically logged in in all subdomains (cookie domain set to .wikidot.com - easy) and custom domains (automatically, via a series of redirects).
We would like to add FC into our login flow. Now, it would be great to get some clarification about FC Terms, which suggests using one App ID for every domain. In our case however user-created sites are not separate applications.
So, is it OK to use FC on one centralized website where our users log in (on www.wikidot.com) and expand user status on other domains connected to our service? This is how it works right now, without FC.
It would be great if we could get clarification from someone from FB to make sure we will not be violating any terms or policies.
Thanks!
It isn't possible (as far as I know anyway) to use the same app ID on multiple domains. FB allows use across subdomains, but I have found some difficulty with this even at times with the cookies. When you set up an app, you are asked to provide the domain for it. The domain you put here is the only domain that your app will work for. If your users are only ever signing in on wikidot.com, then I suppose you can use what you have already to move those sessions onto the other domains, but once you are on the other domain, you won't be able to use any of the Facebook API features; any requests you make will fail.
I think the 'one app id for every domain' condition is more to target people who are trying to use multiple app ids for one domain. I think so long as you aren't transferring any data about the user to different domains/adverts etc, you should be ok. Essentially what you are doing is adding FB connect to your wikidot site, then a separate feature of wikidot is to keep you logged in on other partner sites?