on the client side I am using the flash API to sign in and auth the client
Facebook.init(MyFaceBooyKey, faceBookInit);
Then face book sends back to the client a Signed Request and other stuff.
I the client then sends this signed request to my server.
On my server I process the Signed Request and out pops a FaceBook User id (UID)
So now I am assuming that:
The client who sent the valid signed request is the owner of the Face book UID contained inside it, the client must know the password for that UID, and they are loged into facebook ?
Is this system safe ?
how can i safely use user client side facebook auth to then autho in to a second server, eg a sepreak facebook game server.
How can I make suer that the signed reques has not been coped in transit on the web,
and then sent to me by a thirs party, who now logs on to my server under a Uiffrent UID
How to all theas flash based facebook games auth the users ?
also I note that the same book auth vias the Desktop application dose not send a signed reques ? so how to do the auth to my server in this case ?
All of the auth flows with facebook use SLL (https) and so the data you send/get is secured.
The same goes for all of the graph api requests, if you try to make an api request in http while including an access token you'll get this response:
{
"error": {
"message": "You must use https:// when passing an access token",
"type": "OAuthException",
"code": 1
}
}
If you send the signed request and/or the access token to your server then you should do it by https as well and that way that communication will also be secured.
The client (and I assume you meany the flash client) is not the "owner" of the access token/signed request, your app is the "owner".
If you need the access token on the server side I suggest that you use the Server-Side Auth flow to get it.
If you then need the access token on the client side then you can use a client side auth, since the user already authorized the app and authenticated for sure (through the server side flow) the client side process should be completely invisible for the user, and at the end of it you'll have an access token on the client side as well (a different one than on the server).
"message": "You must use https:// when passing an access token",
"type": "OAuthException",
"code": 1
}
} "message": "You must use https:// when passing an access token",
"type": "OAuthException",
"code": 1
}
} "message": "You must use https:// when passing an access token",
"type": "OAuthException",
"code": 1
}
}
Related
I want to send emails with java and smtp using OAuth2 access_token
I am able to do it if I use OAuth2 type that prompts the user with a browser to allow access.
Now I want to use a google service account and send a jwt json file to get the access token
As documented here
https://developers.google.com/identity/protocols/oauth2/service-account
I get a response back from the token url (https://oauth2.googleapis.com/token) that has a access_token, but it does not return a scope attribute and also has a ton of trailing periods
When I use it to call the smtp it responds with a 400 error
My Question is does gmail api work with jwt tokens?
Do I need to also have a Google Workspace Account or can I just use a normal Gmail Account?
EDIT FOLLOW UP:
I called the token validator url and got this back
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxx
validateAccessToken response: {
"issued_to": "xxx",
"audience": "xxx",
"scope": "https://mail.google.com/",
"expires_in": 3599,
"access_type": "online"
}
Not sure if it is the issue but access_type = "online" instead of offline like when I do it with 3 leg auth that requires user approval for access. Doing the JWT way I do not see anywhere to define access_type when requesting token
Does keycloak provide a way to distinguish between logins by the same user on different devices (a user can be logged in on mobile device/s and also on desktop browser/s).
Does keycloak provide a way to identify when a user entered their credentials (whether through keycloak login or using an identity provider flow)?
Our use case is:
a user can request to reset their pin (from our app).
the user is logged out (a /logout using the 'keycloak-connect'
middleware).
following logout, the user is redirected to login and enters
credentials (keycloak or identity provider).
on login, the user is presented with the 'enter a new pin' page (our app).
To achieve this we want to be able to determine server side when to send the 'enter a new pin' page.
Our situation is that we don't easily know (for various reasons, including active keycloak session or other token expire/active states) when an actual 'credentials entered' login occurs.
Could the session_state from the keycloak access token be used to identify which keycloak session a client request corresponds to?
Could something like the following work:
the server receives the keycloak access token (containing the
session_state) from the keycloak login,
the server passes the session_state to the client (browser/mobile
app),
the client passes this session_state back to the server along with
the user requesting the action,
the server requests the session information from keycloak (something along the lines of making the following request to the admin REST API localhost:8080/auth/admin/realms/demo/users/{{user_id}}/sessions - then checking against session_state somehow?)
if the 'start' value of the session returned by the REST API is
recent, then maybe we have 'actual' login information?
We're still using Keycloak 6.0.1
Any help is greatly appreciated.
I wanted to update with how I'm proceeding, which I believe gives me all I want in terms of solving/answering my original question.
The keycloak access token includes: "sub", "auth_time" and "session_state".
{
"sub": "ae384e77-7588-444b-9c4f-3dc920750e1f",
"auth_time": 1590555910,
"session_state": "2d735372-1a5a-43de-8a6c-1a45deebf20b",
}
I can use the sub to query the Keycloak Admin REST API with https://my-domain.com/auth/admin/realms/demo/users/{{sub}}/sessions which gives a list like:
[
{
"id": "2d735372-1a5a-43de-8a6c-1a45deebf20b",
"username": "20000",
"userId": "ae384e77-7588-444b-9c4f-3dc920750e1f",
"ipAddress": "52.62.57.52",
"start": 1590555910000,
"lastAccess": 1590555910000,
"clients": {
"4eb676c2-94c3-4bac-a423-94a7bf57ece0": "demo"
}
}
]
I can then choose from the returned sessions list matching the id to the session_state from the access token (n.b., that start from the sessions list matches auth_time from the access token.
This gives me what I need. I can pass the original session_state to the client and request from keycloak matching that session_state :)
I'll update if I encounter issues.
Is there a way to add 2FA to Facebook's Oauth2 flow? The following error is returned when trying to hit the graph API's insights endpoint for a user that has 2FA enabled on their FB Business Manager account:
"error": {
"fbtrace_id": "HrY8K9KfT4U",
"error_user_msg": "Unknown error",
"message": "Two factor authentication required. User have to enter a code from SMS or TOTP code generator to pass 2fac. This could happen when accessing a 2fac-protected asset like a page that is owned by a 2fac-protected business manager.",
"error_subcode": 1404120,
"type": "OAuthException",
"error_user_title": "Ask user to pass two factor authentication",
"is_transient": false,
"code": 415
}
I've seen this issue a couple of times and the problem usually extends from the Business Manager having two-factor authentication enabled, but the user making the API calls does not have two-factor authentication enabled on their account.
In all the cases I've seen, having the user enable two-factor authentication on their account, and pass through the 2-fac login flow has fixed the issue for the user.
I'm creating an app in which you are supposed to signup/login to use it. Now I'm implementing a restful webservice for it and I'm not sure whether I'm going the right way. My workflow is:
To signup, the user types in his credentials like username, email and password. The app hashes the password and sends a post request containing the credentials as json to my webservice and the webservice saves the new user to the database.
To login into the system, the app sends a get request including the parameters username and hash of the password to the webservice, compares the hash values and returns an appropriate response code for success oder fail.
The communication between app and webservice is secured by ssl.
Is this the right and secure workflow of a signup/login system? If not, why is it not secure and can you recommend another workflow? Cheers.
The most important part should be that your web service is only reachable via https.
I assume you are talking about a mobile app.
The app should not hash the password, the web service should do it and then store the user.
Mobile apps can be reverse engineered and then you know how to hash your passwords.
So to create a user in a restful way would be to send a POST request with username, email and password in the body.
For example POST /users
{
"username": "john-doe",
"email": "mail#example.org",
"password": "some password"
}
For authentication/authorization you might consider OAuth 2 but that takes a huge amount of time to implement.
Another option would be to have another REST resource called access-tokens.
So whenever you need to authenticate you do a POST /access-tokens request to create an access token.
POST /access-tokens
{
"username": "john-doe",
"password": "some password"
}
Response
{
"access_token": "9d91c97fc0f98a6311f101246e252ab3230c261c2af",
"expries_in": 3600
}
Then the mobile app needs to take care of that it will always create a new access token shortly before it expires. OAuth 2 has also refresh tokens for this purpose which are delivered together with the access token. Then you can retrieve a new access token just by sending the refresh token to the web service.
Once authenticated you need to include the access token in the Authorization header in every request to the web service that needs authentication.
In a project I am using Authentication multiple times for different providers, so I am relying on standard libraries.
I want to establish connection with Facebook yet it provides not completely standard authorization.
To test the connection I am using REST Console in Authorization part of it I place a key and secret and for
Authorize URL I provide https://graph.facebook.com/oauth/authorize
Access token URL - https://graph.facebook.com/oauth/access_token
Request token URL I leave empty or fill it with https://graph.facebook.com/
And what I get bck looks like this:
{
"error": {
"message": "Expected 1 '.' in the input between the postcard and the payload",
"type": "OAuthException",
"code": 1
}
}
So my question is how to get authenticated forming standard OAuth calls?
EDIT
For the moment (testing stage) I found that data can be retrieved using no standard authentication but access_token with appropriate values. Yet sending http request with api key and secret exposed in the request url can not be the right way of ding it.