Simplified background:
Website that allows users to upload and comment some content, let's say images (classic CRUD web application).
Three ways to sing in into the system: classic username/password form, Facebook Conntect, OpenID (Google).
Public API that allows to read data from the system and create content (authenticated users).
Mobile (iOS/Android) application that uses API.
Problem:
Just like the website, the mobile application should provide FBConnect/OpenID authentication. However, I have absolutley no idea how to authenticate such an user in the website's public API.
How to create a secure authentication mechanism for mobile application that uses FB/Google for its authentication and on the same time uses my API for authenticated users?
Related
Here is the scenario:
I have a web app with some RESTful APIs, the users are using an IdP to do SSO. I registered my web app (as well as many others 3rd party web apps) to the IdP and when the users want to use my web app, I will redirect users to the login page of the IdP and do normal SAML 2 stuff to authenticate the user. This part has been done already. Now once logged in, users can freely use any web app registered to the IdP. The next to do is to authorise some of these web apps (not all) to be able to use my RESTful APIs.
Different from the normal OAuth 2 granting flow, it is not the users allowing their 3rd party web apps to use my APIs, instead, I want to control which 3rd party web apps can use my APIs. Something like the user will request from me to grant a certain web app of his/hers to use which of my APIs. Or any other good suggestions I am all ears.
You could take a look at this spec, which provides more control of the distributed access tokens.
I am developing a website, where users will can login using their Google account. When i was about to develop this feature i came to know about two things
Gmail api
Google+ api(social)
I want to know want is the difference between these two apis, why google is providing two different apis for authentication. I tried using google+ api, and if the user doesn't have an account in Google+ then google is forcing user to register into google plus and then login to my website.
Which one is better to use for authentication into our website google or google+?
If you will use Google plus Api for authentication process then user need to have google plus account and If user is not having google plus account then He need to create it
I suggest you to use Google api for authentication because you can get basic information with it but if you want to get all social media data of google plus then you have to use google Api
Simple - API calls do not access any private user data
Authorized - API calls can read and write private user data, or the applications own data - API key plus OAuth 2.0 credentials (different for different application types)
I'm building a web service for use as an api component in web sites or apps built by others.
I am building a set of functionality that my clients can use on their sites for their users, but which are served by my application.
One of these services is user login. I intend to support multiple types of logins, and provide the client application a user token once the user is logged in. So the client application only has to implement one login interface, but they get a variety of oauth2 strategies for it.
To make this work with their google or facebook accounts, they would have to provide my app with their application id and secret key. Entering a secret key on someone else's site, even for integrating with your own site seems dangerous. They call it a "secret" key for a reason.
I have found one web service which seems to be doing something similar to what I am planning to do:
https://www.authic.com/documentation/google_oauth2
They have a configuration page for client accounts where the user enters oauth2 credentials to enable the Authic oauth2 login pages on behalf of the client app.
What are the security concerns to be aware of with this kind of service, and can the client app use a service like this safely? If it can be used safely, what is required for safe use? I think the app doing the oauth2 interface would be able to do other things on behalf of the client app, since it has an app secret, and the client app owners would have to trust that this was not happening.
The alternative to this strategy seems to be using my own application id with oauth2, and having the client apps redirect to my app's login page. Then the user will see the oauth2 permissions page with my app's logo instead of the app they were intending to log in to.
I am creating a REST API server. For each app I have provided API key and secret. Example apps are Web app, mobile app any other app who want to use my api service. Now my API service will also need user authentication. How do I implement that? I have already done app authentication using hmac signature generation. Now I need help on implementing user authentication on those apps.
I can recommend you use OAuth or OAuth2 concept because it's standardized and widely adopted. You will be also able allow users to login with Facebook, Google account, etc.
I am developing a Facebook application for mobile platforms. The mobile part is being developed with PhoneGap and the server side is Python / Django.
The mobile app should be able to query Facebook API directly. Server should be able to query Facebook API on the users' behalf too. Thus the user should be authenticated both with Facebook and on the server (Django), and the server should have the user's Facebook authentication token.
What would be the best flow for authenticating the user on both sides? Is it reasonable to authenticate on Facebook via mobile app, then send the token to the server and create a django session on the server?
I had a similar requirement: jQueryMobile app with Ruby On Rails backend. In my case, I implemented the Facebook authentication on the backend using omniauth. The backend retrieves the Facebook access token and passes it to the jQueryMobile frontend. The frontend then uses JSONP to retrieve the user's friend list. The advantage of this approach is that there is a single point of authentication -- Facebook auth at the backend.
You can find a demo of my app and the full source code at http://csgrad.blogspot.com/2011/07/jquerymobile-app-with-facebook.html