We have a Spring MVC & JSF based web application which uses Spring security to do user Authentication using LDAP provider & after successful authentication user profile is fetched from oracle database.
Now I need to integrate facebook, gmail & yahoo mail with this application.
The expected behavior is after doing the login into this web application the user should automatically be logged in into facebook , gmail & yahoo mail as well. The user profile in the oracle database will contain the login id of gmail, facebook & yahoo mail.
The menu in the application will contain links for gmail, yahoo mail l & facebook & while user will click on those menu the corresponding site will open as logged in for that user in a iframe without asking user id & password of that website. It is good if password of gmail, yahoo mail & facebook account of the users are not needed to keep into database. Please let me know if there is any way to achieve this.
I started thinking to use OAuth2, but don't know whether that is right way to go forward or not. Please help me with some relevant single sign on solution to solve this.
[Note: Web application uses Java 6, Tomcat 6, jsf as FE & hibernate as ORM & Spring MVC & Spring security framework for security]
Facebook, Gmail and Yahoo are themselves identity providers. Most of the documentation out there (e.g. using OAuth) explains how to use FB, Google or Yahoo to login into other apps.
The scenario you want to implement is the opposite: using your own identity provider to log in into Y!, Gmail and FB as apps (referred to RPs or SPs depending on the docs you read). In general this is not possible because they have not enabled this.
Google can (if using Google Apps) because they have enabled SAML integration. So you could potentially do it, but probably not for consumer focused gmail accounts.
Related
I want to know if there is any API/Webservice in side Liferay that allows one to use mobile apps especially built with Ionic to do remote authentication and pull data from database
There's no special API for Login/Logout out of the box.
Complete list of Out of the BOX Web Services and detailed information on each can be found at
whaterver-url/api/jsonws
Example : https://www.liferay.com/api/jsonws
Why there is no Out of the Box API For Login/Logout.
All API's mentioned in above Link needs a basic Authentication. So in each request you need to pass username & password which will throw permission denied, if credentials are not valid.
I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on Javascript and on client-side code.
How Facebook or Google login can be used while maintaining server side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side javascript and log in with Facebook, how would I update the user data retrieved from facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are the proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
I have a requirement in Liferay to do Facebook SSO to all my portlets (eg: Socialcom) after a successful login.
The Socialcom portlet will display the contents of socialcom website (as of now)
Steps
User logs in to portal using his facebook credentials
Portal displays Socialcom portlet & some other portlets (supporting Facebook SSO in their website)
Each portlet should get authenticated automatically via the facebook SSO.
I have enabled facebook authentication for liferay which works fine.
Any help for doing SSO for individual portlets will be appreciated.
Thanks,
Siby
I assume that you want your portlets to use the facebook API to get more information or to trigger action/activity?
While I don't have too much experience with this, keep in mind that this is a different usecase: In SSO we only want to have the user's identity. As Liferay is not doing anything in addition with this information, I expect that there's no more information that you'll find here. The portal's job is to let you know who is currently logged in. You typically don't worry about the login process - e.g. if they're signed in through Facebook, OpenId, locally or through any other means. Then their account can have the relevant facebook identity, but you don't want the portal to keep the permission to make arbitrary calls to Facebook: After all, there can be other portlets that are deployed, that also make use of this connection.
I'm assuming (hoping it is this way) that you'll have to get the credentials and permissions for Facebook-calls yourself and share them with all portlets that make up your own application.
If my expectation is not met, I'd expect this to be a quite big security issue: Just because you want your portlets to be able to call into facebook, you don't want mine to be automatically authenticated as well. Trust me, you don't ;)
Simplified background:
Website that allows users to upload and comment some content, let's say images (classic CRUD web application).
Three ways to sing in into the system: classic username/password form, Facebook Conntect, OpenID (Google).
Public API that allows to read data from the system and create content (authenticated users).
Mobile (iOS/Android) application that uses API.
Problem:
Just like the website, the mobile application should provide FBConnect/OpenID authentication. However, I have absolutley no idea how to authenticate such an user in the website's public API.
How to create a secure authentication mechanism for mobile application that uses FB/Google for its authentication and on the same time uses my API for authenticated users?
in my website, I want to add a "invite friend of my contacts book" functionnality.
I would like that the user fills the loggin form in my website. Then the website contacts Google Mail, Yahoo Mail, Live Mail and retrieves the contact list.
In the Oauth protocole supported by Google and Yahoo, the user is redirected to a Google or Yahoo page (like Facebook) in order to permit the user to give permissions.
But I saw two websites which didn't any redirections to get the contacts book (LinkedIn for a Google mail account and Theauteurs with a live mail.)
Do you know how I can get a contacts book without redirect the user to Google, Microsoft or Yahoo website.
Simple. Neither of them are using OAuth to access contact data. That means users don't get the benefits (such as not having to share passwords and easy revocation).
The motivation behind OAuth is to avoid users to input their credentials of site A in site B (this would be you).
If you follow this path (and I believe you should not), you are not doing OAuth at all.
PS: Why Facebook doesn't use OAuth is something that puzzles me still...
Facebook will be dropping Connect in favor of oAuth. Outlined here-> http://www.pcmag.com/article2/0,2817,2362920,00.asp