We have developed a web site, online magazine store for android device, there is also an android app that loads the website as web view. Every device has a username, password and a device ID which is sent as post during the loading of web view.
My requirement is :
The site should load only if the login credential supplied (post) from the android device is valid.
Where should I check the validity of the the credential?
I mean should I write a plugin or whether the checking has to done in bootstrap. I dont need any group based access control all users have the same privilege.
Please show some example with necessary code.
My recommendation here would be to use an Action Helper that checks for your $POST variable and redirects/blocks the user as required.
Writing your own action helper is not difficult and once you've tried it you won't be able to stop! Matthew Weier O'Phinney has written an excellent blog post that will be useful to you too.
Related
Using Visual Studio 2013 Update 5, I have created a boilerplate MVC 5 application with Individual User Accounts auth option selected, and I have been trying to implement social logins using the template code, but have been unsuccessful.
I have ensured all NuGet packages are up to date, and the code is using MVC 5.2.3; Owin 3.0.1; AspNet.Identity 2.0.0.
I can get everything working fine, including authenticator apps using OtpSharp, but the Facebook login is just not working whatever I try.
I have created the Facebook App, set all the relevant options on that and set the AppId and AppSecret in my Startup.Auth.cs file.
When I try to login with Facebook, the MVC site redirects me to Facebook, which prompts me with the auth screen for the app. I click OK and accept this then I am redirected back to the MVC app. If I check the authorised apps under my Facebook account, my app is listed and shows that it has granted permission to the app to retrieve email address.
The callback works fine but when it hits ExternalLoginCallback and in particular:
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync()
loginInfo always returns null.
Looking at the Request it shows an error of access_denied:
https://localhost:44301/Account/ExternalLoginCallback?ReturnUrl=%2Fmanage&error=access_denied
I have read pretty much every blog post and SO question on this error and whilst most of them are helpful, most are also out of date and not relevant.
It would seem that something is missing from the templated project, or something has changed elsewhere as no matter which tutorial I read, and options I set, the result is the same.
I have tried this internally on a dev machine running IIS Express and externally on a hosted machine running IIS 7.5 too and the results are the same.
I've even decompiled the Microsoft.Owin.Security.Facebook library to see where that particular section of the querystring is set to no help.
If I had any hair I'd have pulled it all out by now.
I'll take any suggestions. Can anyone help?
Facebook loves to make things difficult. Access_denied sounds like they are blocking you on purpose. Check your developer dashboard and the accounts authorized to test your app while its in development mode. The email permission is approved by default, so that isn't your issue.
Make sure the account you are testing with is added here:
If that doesnt solve it, make sure you have the correct app domains (testing and live) listed in the domain section here:
I had the exact same issue. No matter what I did the facebook would show the login, get permissions and then return back to the Login page instead of the Email confirmation page.
Using Fiddler Facebook would invoke "http://localhost:1234/signin-facebook&code=SOME_SECRET_CODE_HERE", and then my application's controller would invoke "http://localhost:1234/ExternalLoginCallback?error=access_denied". I was sure Facebook is refusing the access. It was only after implementing a Facebook Javascript SDK Sample, I realised I could successfully login and also view FB scopes!
My Dev environment
MVC 5 application
Visual Studio 2013 Community edition Update 5
Microsoft.OWIN v2.2.1
Microsoft.OWIN.Security.Facebook v3.0.1
Finally I found a YouTube Video by ProCoder which mentioned to put the correct path in the Valid OAuth redirect URIs as http://localhost:1234/signin-facebook and it worked. If you haven't already added, you will need to add Facebook Login product to your Facebook app.
I also set App Domain to localhost and Site URL to http://localhost:1234/
I have added 127.0.0.1 and MY.EXTERNAL.PUBLIC.IP to the Server IP Whitelist Under Security in the Advanced Settings option of the Facebook app.
All these settings I replicated in a new MVC 5 application and it worked like a charm.
update the package Owin.Security.Facebook 3.0.1 to 3.1.0
It works for me
I built a native Windows app (non Windows-Store) that uses the Facebook API.
I wanted to make it public which means going through their review process which means (among other things) selecting the app's platform.
Sadly a native Windows app is not one of the choices: Facebook app platform selection screenshot
I found 2 unanswered questions on SO on the same topic:
one
two
How should this be done in a proper way?
Thanks in advance.
PS:
I found a post a few days ago where the poster said he registered such an app by setting the platform to "web site" (I didn't keep the link).
This does not look like a good long term solution and also I don't have a domain to provide.
In short, you must set your platform to Web.
The reason for this can be found in the official documentation on building your native logon flow. There is no secure way of creating a logon flow without a server, as this would imply storing your App Secret inside your binary or app config file.
So the recommended (and only supported) way is to create a server which stores the App Secret and handles authentication for you. And use this server from the WebBrowser/WebView control which you embed into your native application.
This means you use the logon flow from a web browser via a custom server and you should have a domain for it (a domain is quite cheap nowdays, it should not be a problem). So you are building a web app embedded into a native app.
For a successful login review do the following:
Choose Web as your platform
On the Settings page in the Advanced tab choose Native App.
Create a screencast (Start your app, logon, use all the requested permissions and that's it. Do not edit it!) and upload it to the web (YouTube/Vimeo/...)
When submitting provide a link to your screencast.
I have an packaged app in the Chrome Web Store that I'd like to transition from a paid app to a free one with in app purchases. I need to be able to detect if the current user had paid for the app previously.
To be able to use the licensing API, I need the current user's OpenID URL. I was able to get this to work using chrome.identity and a popup dialog that the user has to authorize. But it is a bad experience and kind of a scary dialog.
For hosted apps, it's possible to get the user's OpenID URL without any user interaction or authorization. (see How to skip the OpenID approval screen). It would be fantastic if somebody knows how to make this work without user interaction for packaged apps.
I've detailed some of the approaches I've tried on this chromium-apps thread. I suspect it may be possible to do this with chrome.identity.launchWebAuthFlow but I wasn't able to discover the exact incantation of parameters to google's oauth/openid endpoints to make this happen silently.
I think you need to refer to this Link1 Parameters
this parameters are different techniques using that you can do this task..
also To bypass the Login/approval screen refer this link2
Here in the section How to skip the OpenID approval screen the details are explained which you can use..
And In case of packaged app this should ask for permanent permission that will help in OAuth throughout the life of app..
Client Library JavaScript Based
Authentication using Library
After your comment I thought this you can bind in your app.!!
Let me know what works for you..
For a middleware system with internet (which works inside a set-top box) I want to develop a primitive Facebook interface where users can type their user-names and password, showing their latest notification, messages and other casual stuff on the TV screen by using the recent Facebook Graph API.
This middleware program uses Java ME to run programs (such as this simple facebook app) and it can connect to internet however it doesn't have a real web browser. Without browser it can connect to any url to retrieve the JSON response however I am not sure how to achieve authentication without a real browser.
Under this circumstances, is it possible Facebook authentication? If you think so, what approach would you suggest ?
Thanks
Facebook provides trusted partners with a private Authorization API to get an OAuth 2 token from a username / password.
A more complicated approach would be doing something similar to how Netflix enrolls a device:
device calls server to obtain a Code
device shows code on screen and directs user to go to URL on server and enter Code
server redirects user to Facebook and obtains OAuth token, user told to go back to device
device calls server with Code and obtains OAuth token
device can now make calls directly on behalf of user
According to this documentation on "Desktop Application Authentication" I don't believe your desired result is possible:
Facebook's OAuth implementation does not include explicit desktop application support. However, if your desktop application can embed a Web browser, you can add Facebook support to your application easily using the same OAuth User-Agent Flow used by JavaScript clients.
However, it is clearly possible for certain vendors to do this, since Microsoft's Xbox 360 Facebook application does exactly what you are proposing. I'd be interested to see if anyone has dug up any API for doing this that Facebook doesn't want in their most obvious documentation.
This isn't an answer but I'm trying to do the same thing. Check out this guy's blog which uses another server to proxy the requests:
cory wiles blog
If you figure it out please post a detailed answer here so I can do it to.. :)
I think it is possible though it is pretty complicated and subject to sudden changes of Facebook interface. It might break the agreement between you and Facebook.
What you do is to emulate the Facebook.
One path you have to set up a Facebook application. Once you got the authorisation from user, you can to something with Graph API.
You need to the Facebook log-in process and authorisation process. There are some capturing tools on http/https request and response. Analyse them, both header and body.
Once you know the authorisation mechanism, you can replace it with you own. Everything afterward is on Graph API.
Another path is to emulate Facebook login and message and notification process. Capturing and analysis is needed.
In the past I have used a tool called screen-scraper (full disclosure: I used to work there) to automate logging in to facebook. Basically, it imitates a browser session; it allows you to set session variables (i.e. username, password) which would then be submitted to facebook, just as if the user had submitted them in a browser.
You may not be able to use screen-scraper in your set-top box environment (although it is java-based, so it's possible it would work). Even if it doesn't, you could implement a similar strategy in java, making the HTTP calls a browser would make to load the login page and submit the user's credentials. To keep the user's info safe make sure whatever HTTP client library you use supports HTTPS.
Proxy tools and extensions like Charles, Fiddler2, Firebug, Chrome's dev tools, etc. are helpful in seeing exactly what the browser is sending to the server in requests.
I'm trying to glue information from a web page to an iPhone app that said web page suggests to download. I control both the web page and the downloadable app.
Scenario is like this:
User visits my web page, on which I recognize the user (he may have logged in, and I store his info in a cookie). I then present a link to him to an app in the App Store that he should download for "enhanced experience" of this web service of mine.
Now, when the user launches the downloaded app on his iPhone, I like to re-identify the user who previously visited said web page.
All would be easy if an iPhone app could read Safari's cookies. But it can't.
A somewhat lame solution could be that the web server stores the visitor's IP address and uses that to recognize him once he launches the iPhone app. But that's not reliable.
Another one would be to give the user a token (code) that he needs to remember and then re-enter in the app. Still quite awkward, I think.
Any better suggestions?
Simply put, you can't do this.
One thing you could consider is a custom URL scheme to launch the app. You could send the user an email that uses this custom link. However there's a couple of problems with this:
the user may not have the account that they used to register for your site set up on their iPhone. This might seem unlikely, but say the user signed up for your site 5 years ago with their Hotmail account and they have since switched to Gmail.
it's unlikely that the email would fit into their workflow. They would probably download the app and just launch it by touching the icon instead of clicking a link in a received email.
You could also put the custom URL as a link on your web page, but again, this won't fit into the workflow because they have to go to the App Store app to do the download.
Consider this - if you've got some sort of website that has an authentication step, it's probably a fair bet to say that the user is the type of person who already has an application such as Facebook installed on their iPhone. They are already used to the paradigm of having to enter their credentials into an application despite the fact that they may have already done it in Safari.
If you could read the unique iPhone device ID from javascript on your web page, you could look for that again when the application connected...
But I cannot find any means of reading this from Javascript in Mobile Safari, I thought I'd post in case there is a way now to give you another option to consider.
OK, we found a somewhat working solution: The html code can create a cookie. Later, when the app runs, it can't directly read that cookie, of course (due to the sandboxing of iPhone apps). However, it can connect to the server, then open a http URL pointing to the server and including a unique token that it has gotten from the server beforehand. This leads to launching Safari, accessing the server. The server can now read the aforementioned cookie and finally establish the connection with the help of the token.
Just stumbled over this question and I'm curious if you thought about using a UIWebView.
Where the question is - does UIWebView share cookies with safari?
If it does the rest should be easy.
UIWebView's DON'T share cookies with Safari. So unfortunately that is not an option.