I am developing a web application where i wish to achieve stateless communication between the client and the server.The server serves out a web page template to a client.Now from the client side i wish to know the identity of the user of the application so that i can print his name on the page.
Since it is a facebook app so i am not providing the option of user to login or logout through my application.
How would i be able to do it?i can not use JSP to serve dynamic web pages and also i can not use cookies.
That leaves localStorage, I guess.
But I do have to wonder what the point is of said application, with only client-side state.
Related
I'm not really interested in API authentication - all I want to do is authorize a user who has access to one or many applications from a kind of portal I am designing. We are hosting the all the web applications, some are just Javascript and HTML, some are MVC.
I have created a diagram below with a user called Bob. He is a valid user and is allowed to use an application called "JS" but not MVC. How can this be implemented using Identity Server. Obviously when inside the JS application it still needs to talk to the Identity Server to make sure the current user is valid or else somebody could just copy the url of the app and use the application.
NOTE - the JS application is just a plain old HTML5 and Javascript application it is nothing fancy like an .NET MVC app.
One way to achieve this is by registering individual applications (JS and MVC app) as separate clients in IdentityServer (assuming each application has different redirect URI’s) and restricting access between those clients.
In order to restrict access between clients for an authenticated user, you need to use ICustomRequestValidator interface.
More details in this discussion board and a similar post in SO thread
I'm try to implementing SSO in my existing web applications with using OpenAM by refer following link
http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity_21.html
PS. my web applications have their own login page already
Now what is got after implementation is, openAM login page are protected in my web applications and i need to make login again to my application
what i need is, want to skip the login page of my application to become single sign on.
so, can anyone tell me what tasks need i do left?
do i need to revise my Login page of my application?
do i need any database or datastore to keep user login information?
Now that an OpenAM agent is in place on top of your app, your web app can work under the assumption the there is already a valid logged-in user - you need to remove the login page from your web app.
To get the current user details just alter your OpenAM agent config to set HTTP headers with relevant fields like username, full name, etc. Then instead of a web app login page you just check HTTP headers (should be safe from spoofing as long as the only route into your web app is coming through the OpenAM agent).
Another way is to grab the OpenAM cookie and use it to make REST calls directly to the server. Makes things a little more fragile though because you now need to maintain additional config.
You don't necessarily need any additional user tables / datastores for your web app, only if you need to map their login name to whatever it is your web app is doing (saving preferences, etc) in which case you need to check that the username you've been given already exists inside your app. If not then add it.
We were able to implement single sign on using openam with a JSF web application using Spring SAML extension and Openam.
Instead of agent we used fedelet that way we can port to ant application server
Please see my articles on generic info related to Openam concepts
http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html
Steps to integrate JSF 2 web application with Openam using Spring SAML extension and Spring Security.
http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html
-Ram
I'm creating a Hybrid iPhone App that contains a lot of separate UIWebViews that point to specific pages on a website. These pages are secured, so I show a page with a standard .NET login form first. This login succeeds.
However, if I load the subsequent pages in other webviews it still redirects me to the login page. I requested all the cookies that are set for the URL and it contains a .NET session ID and everything. Is there some other reason that these kind of sessions wouldn't be shared between UIWebViews?
Can you control the server side? I suspect that new instances of Safari are triggering new server sessions, perhaps you need to create some kind of recover session function and call it via a web service for each UIWebView.
I am building a mobile app with jQueryMobile and I intend to deploy it onto iPhone thanks to PhoneGap.
My question is : how can I authenticate myself with Foursquare using the OAuth2 protocol in my jQueryMobile app ? One solution would be to use the useragent flow of OAuth2 but this would force the iPhone to launch Safari and thus not stay within the app. Are there any better solutions than this ?
For an iPhone-based or client-side application like you would have in PhoneGap,
Foursquare recommends one of these methods.
If you have no substantive server code, you can embed a web browser and use the token flow, redirecting the user to a dummy page on your domain. You can then grab the token off of the URL and close the browser. We have sample Android and iOS code for your reference.
If you have a server as part of your application, you can use the server flow above, possibly in an embedded browser. Similar to the Facebook API, you can add display=touch to your authorize or authenticate URLs to get a mobile optimized interface.
An alternative to the above is to use the server flow and an external browser, but redirect to a custom URI handler that brings the user back to our application. You can embed the secret in your application and exchange the provided code for an access token. PLEASE take steps to obfuscate your client secret if you include it in released code, and be prepared to rotate it if needed.
https://developer.foursquare.com/docs/oauth.html
This could probably be handled with the ClientBrowser plugin for PhoneGap or just adapting the sample code they have provided into PhoneGap plugins.
One of the core intentions of OAuth2 is to not allow browserless authentication flow like we did with XAuth in the past. Service providers want consumers to see what permissions they are signing off on, and want control of that process.
I'm not very experienced with Phonegap, as I'm a native developer, but if there's a way of instantiating a UIWebView and showing it to the user, you could at least keep the web interaction 'inside' of the application. Given phonegap is basically showing a UIWebView this should be possible. It is possible to examine the source of the html within a UIWebView using
- (NSString *)stringByEvaluatingJavaScriptFromString:(NSString *)script
I wan the following functionality in my iphone application
User Register/signup form my application to the website(mysql/php)
User login to the site from application.
User write comment on pictures from application.
Please help me out.
The easiest way is to extend your website to support some flavor of web service (REST, SOAP, etc) Then your app can simply call the web service methods to do the various operations you listed.