I need to build a server with Basic or Digest authentication. I cannot use any other authentication; this is my requirement and a limitation of the client applications that I am using (Microsoft Mini-Redirector, Mac OS X Finder, iCal, Microsoft Office, LibreOffice, davfs2, etc.).
I do not want the user to create any new accounts in my system. Instead I want him to utilize his existing Facebook, Google+, LinkedIn or any other account. However, as far as I know these systems require the application to show the login web page, which is not possible in my case.
Is it possible to implement Basic or Digest authentication using Facebook, Google+, LinkedIn or any other social network API?
Related
I have a mobile application built upon Ionic Framework which uses many Cordova packages. We are upgrading the app from Ionic3 to Ionic5. In the Ionic3 application our .NET API was responsible for managing user logins. Going forward, in the Ionic5 app we will NOT be managing user credentials - we will be using 3rd party Identity Providers such as Google, Facebook, and Twitter.
We have implemented the Cordova packages to handle external authentication with Facebook and Google and it works fine. How do we tie the token that is received from Google/Facebook to our .NET API? When we try to use the token provided from Google/Facebook we - of course - get a 401 because our .NET API doesn't know about that token as it was issued from an external source.
I am aware of the process of how to enable the schema described here (External Authentication Services w/ASP.NET Web Api) but in this case the user agent browses to the Web Application in the browser. This is not true in my case as the user agent will be using a mobile application not a web site.
But I hope the principle is the same. But I'm missing something here.
The user will open the mobile app, authenticate with Google/Facebook and be issued a token. Now, what needs to happen to get that token to be recognized by my ASP.NET Web Api?
For example, when I registered my mobile app with Google Developer's Console I selected that the type of app is an Android application and was issued a Client ID for Android. Now how can I use this token in my ASP.NET Web API? There MUST be some way to tie the two together or some article out there.
Thanks in advance for your assistance!
Also, I looked at this post and see it's 11 years old. Is there something here that I should be doing? Please help point me in the right direction: how-can-i-verify-a-google-authentication-api-access-token
It is about data ultimately, and identifying users in a consistent manner, then tracking their history with your app / business.
SOCIAL LOGIN PACKAGES
These are often cheap and nasty solutions that add complexity to your apps, as you are finding, especially when you need to look things up by user.
OPTION 1 - COMPLEX APPS
Your API could look at the token issuer (ISS claim in the token) and download token signing keys from either Facebook or Google - if JWKS endpoints exist. Then create a user from the access token's sub claim if required.
OPTION 2 - SIMPLER APPS
Deal with only a single type of token in your UIs and APIs, which will work like this. It moves the complexity to your Authorization Server (AS):
You have an Authorization Server (use Google maybe) to deal with token issuing and other central OAuth concerns
You have multiple Identity Providers (eg Facebook + Google) to support different login methods for users
During login Facebook posts a token to the AS
Then the AS issues its own token to your UI
The AS may be able to use Account Linking to provide a consistent user id regardless of login method
There is a learning curve in getting this working, but once done it can easily be scaled to many apps with zero code changes.
The proper answer is Auth0... see the below sequence diagram!
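As an added example (not code from the answer, nor from .NET or any provider SDK), here is the check sequence Option 1 implies, in Python: select the key set from an issuer allowlist, verify the signature with the key named by `kid`, then check `aud` and `exp` and identify the user by (`iss`, `sub`). It assumes JWT-shaped tokens and, to run offline, models each issuer's JWKS keys as HMAC-SHA256 secrets; real providers use RS256 public keys fetched from their JWKS URL, which changes the signature primitive but not the order of the checks. Issuer names, the client id and the secrets are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed: issuers this API trusts and, per issuer, the keys fetched from its JWKS (here HMAC secrets by kid).
TRUSTED_ISSUERS = {
    "https://accounts.idp-a.example": {"kid-2024": b"constructed-secret-a"},
    "https://login.idp-b.example": {"kid-7": b"constructed-secret-b"},
}
MY_CLIENT_ID = "constructed-client-id"  # the `aud` value tokens for this API must carry

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_external_token(token: str, now=None):
    """Return (issuer, subject) if the token may be trusted, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # 1. Select the key set from our allowlist; never fetch keys from a URL the token names.
    keys = TRUSTED_ISSUERS.get(claims.get("iss"))
    if keys is None:
        raise ValueError("untrusted issuer")
    # 2. The algorithm is fixed per issuer; the token header must not choose it (alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")  # real code: refresh the JWKS once, then fail
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    # 3. Accept only tokens minted for this API that have not expired.
    if claims.get("aud") != MY_CLIENT_ID or not claims.get("sub"):
        raise ValueError("wrong audience or missing sub")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims["iss"], str(claims["sub"])  # sub is unique only within one issuer

def make_token(iss: str, kid: str, key: bytes, claims: dict) -> str:
    """Constructed helper playing the provider: mints a sample token signed with `key`."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    p = _b64url_encode(json.dumps({"iss": iss, **claims}).encode())
    return f"{h}.{p}." + _b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
```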
I am working on a Soundcloud XBMC add-on. The add-on is open source, and written in Python. I would like to allow users to login to their SoundCloud account via the add-on, however it's possible to have XBMC instances running in an environment without access to a typical web browser (e.g. raspbmc, which provides no window manager or graphical browser by default). Is there a way to still allow users to authenticate with this add-on without requiring use of the 'SoundCloud Connect Screen' and without violating the SoundCloud API TOS?
This is not provided in their API, but after some digging into the libraries I figured it out.
Make a POST to: https://api.soundcloud.com/oauth2/token
with these params
grant_type=password&client_id=YOUR_CLIENT_ID&client_secret=YOUR_SECRET_ID&username=USERNAME&password=PASSWORD&scope=non-expiring
This will return a non-expiring token that you can use for future authenticated requests.
I am trying to use the google drive SDK with a metro app. The metro app connects to google drive using REST services. The first problem I am facing is in authentication. Metro app has a redirect URI which follows microsoft specific scheme like "ms-app://s-1-15-2-1527804777-383724396-285855344-2678584489-1963608684-3789894444-799666712/".
How can I register this URI with my Google app profile? Google has made it compulsory to register the redirect URI, I don't know why. No other provider (like dropbox/skydrive) does this.
Could anyone please help?
Thanks in advance.
The redirect URI is part of the OAuth 2.0 spec, which is an open standard and critical to the security of the system. If other providers are performing OAuth 2.0 without this, they are insecure. Worse, if other providers are forcing apps to get usernames and passwords from users, that is bad too.
For installed apps, you can use the Installed Application Flow, with a local web server (localhost URI), or with the "out of band" URI, urn:ietf:wg:oauth:2.0:oob. Having said that, I never tried with a metro device, perhaps others can suggest how to perform OAuth 2.0 on metro.
As per the OAuth 2.0 spec:
When registering a client, the client developer SHALL:
o specify the client type as described in Section 2.1,
o provide its client redirection URIs as described in Section 3.1.2, and
o include any other information required by the authorization server
(e.g. application name, website, description, logo image, the
acceptance of legal terms).
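For the Installed Application Flow with a localhost redirect URI that the answer mentions, here is an added Python example (not from the answer or any Google library) that builds the authorization request, receives the redirect on a loopback HTTP server, and accepts the authorization code only when the `state` it generated comes back; it adds PKCE (`code_challenge`/`code_verifier`), which the answer does not mention but which is the standard hardening for public clients. `AUTH_ENDPOINT` and `CLIENT_ID` are constructed placeholders, and the token exchange that follows the callback is not shown.

```python
import base64, hashlib, hmac, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.provider.example/authorize"  # constructed placeholder
CLIENT_ID = "constructed-client-id"                          # constructed placeholder

def build_authorization_request(port: int, scope: str) -> dict:
    """Build the browser URL; keep state and code_verifier locally for the callback."""
    state = secrets.token_urlsafe(24)     # ties the callback to this request (CSRF guard)
    verifier = secrets.token_urlsafe(48)  # PKCE secret, sent only at the token exchange
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    redirect_uri = f"http://127.0.0.1:{port}/callback"  # must match the registered URI exactly
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri, "scope": scope,
              "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    return {"url": f"{AUTH_ENDPOINT}?{urlencode(params)}", "state": state,
            "code_verifier": verifier, "redirect_uri": redirect_uri}

def parse_callback(path: str, expected_state: str) -> str:
    """Validate the provider's redirect and return the authorization code, else raise."""
    q = parse_qs(urlparse(path).query)
    # A state mismatch means this reply was not produced by our own request: drop it.
    if not hmac.compare_digest(q.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in q:  # the provider reports user denial etc. via an `error` parameter
        raise ValueError(q.get("error", ["no authorization code in callback"])[0])
    return q["code"][0]

def wait_for_code(port: int, expected_state: str) -> str:  # serve loopback until one callback is decided
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if not self.path.startswith("/callback?"):
                return self.send_error(404)  # e.g. /favicon.ico: ignore and keep waiting
            try:
                result["code"] = parse_callback(self.path, expected_state)
            except ValueError as exc:
                result["error"] = str(exc)
                self.send_error(400, str(exc))
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Login complete, you may close this window.")
        def log_message(self, *args): pass  # keep the code out of the console log
    with HTTPServer(("127.0.0.1", port), Handler) as srv:
        while not result:
            srv.handle_request()
    if "code" not in result:
        raise ValueError(result["error"])
    return result["code"]
```

Open `req["url"]` in the system browser and call `wait_for_code(port, req["state"])`; the returned code is then exchanged at the token endpoint together with `req["code_verifier"]` and `req["redirect_uri"]`.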
I like to distribute content from within our Content Management System to several online channels like the website, Twitter, LinkedIn and, last but not least, Facebook. Editors can create items and, eventually after a workflow process, distribute them amongst the different channels.
Of course the website is no problem (it's still a CMS, isn't it). Twitter integration was rather simple. But now I like to create a connector with Facebook.
The approach is like this.
1. Create a Facebook app: TheCMSFacebookConnector
2. Give it permissions to write on a wall, create events, add photo collections, etc.
3. A customer buys the CMS
4. Within the CMS Manager there is an action to connect the TheCMSFacebookConnector app to the customer's (corporate) Facebook account
5. The OAuth dance is performed and the access token and access token secret are stored
6. From now on we use the REST API to add content to the customer's corporate wall. This is exactly the way I did it for the Twitter integration.
But.........
Choosing the right integration type
When I create the Facebook app, Facebook asks me to tell how the app integrates with Facebook. The integration types that seem to fit best are Native iOS App or Native Android App. In fact the CMS acts as a Native App as well. Has anyone a clue which App Integration type I have to choose? And are there other parameters that are important to set in a, maybe, different way?
Choosing the authentication flow
A second question is about the OAuth dance. If we distribute the CMS amongst our customers, they host the CMS Manager environment in their DMZ with their own (mostly) corporate URL or, better, they host the CMS Server within the LAN and the Publication Server in the DMZ (we provide some tools to synchronize those servers)
When I do the OAuth dance, the CMS Manager (which is a web application) has its own URL. So in the definition of the app I cannot name a unique value for App Domains. From within the "OAuth dance" code the redirect URL seems to have a connection with the App Domain and cannot be set in a dynamic way. So is it true that for the "OAuth dance" the only valid method is the client-side authentication flow?
Hope that someone can help me with, especially, the first question. Thanks in advance
E.
So is it true that for the "OAuth dance" the only valid method is the client-side authentication flow?
Not necessarily – you could always have an address from your app domain set as redirect_uri, and have that redirect to the CMS user's web address afterwards (via a GET parameter in redirect_uri or something like that).
We are developing a hybrid mobile app (code is written in HTML and runs on browser shell as a native app on the device). We need to authenticate the user against an external security manager. I've seen the Gmail App in iPhone which opens a browser to authenticate the user. We are also looking to do something of that sort. We just need to gather your thoughts on how authentication can be done with some external security manager in a mobile app.
Also I noticed that Dailymotion website was able to know if the user is authenticated with Facebook. This looks like a cross domain authentication.
Can you please share your thoughts on how Google and others have implemented it?
What you are looking for is OAuth and OpenID services to federate your login. Depending on the architecture of your system you can implement whichever one you like or even a hybrid of both.
Take a look at this link: Federated Login for Google Accounts
It provides all the useful information you need.
Hmm, this question seems old but in case you haven't found an answer here's how I did it with my hybrid apps:
open a URL on the client side with the provider's (Facebook/Twitter/Instagram) URL for login
the user logs in and is redirected to the server's callback URL (my server is written in Node.js)
once I've got the access token from the provider, I save this token and then create a token for the client to reuse every time the user wants to access a protected resource.
Download the apk and test it.
If this is what you're looking for you can check out both the client side code at: https://github.com/malikov/Authenticate.me-client-cordova-ionic
and the server side code at: https://github.com/malikov/Authenticate.me-Node-Server
Cheers