I want to implement Rest api with authorization in my Wordpress website. the version of Wordpress is 4.9.5 and REST api version 2.0-beta15. For securing my apis i need to implement OAuth on my site and at first, I implement WordPress REST API – OAuth 1.0a Server from this link and this useful link. But had these issues with plugin:
Rest-calls still works without authorization and every un-authorized user can call my rest-apis.
I want to implement this inside my Android app so I had to handle all steps in the background, but with this plugin, I should show many webView to user and user should fill them and the final token is also shown to the user in webview and this does not sound good for me.
So I looking for another plugin and find JWT Authentication for WP-API. This plugin is easier and handy. I followed the instructions and can get token and add to request header to make a request and if it is the valid response is 200 and if not need to validate. Every thing seems to work fine!
But the same problem:
every single REST API is even working without authorization header and if I do not put header the result is 200 And all request works as before without any Authorization
This is despite documents that say:
Once you get the token, you must store it somewhere in your
application, ex. in a cookie or using localstorage.
From this point, you should pass this token to every API call
So now I see that I cloud not restrict API call to have Authorization header in both plugins, how I can achieve that and what is the best solution?
I finally solve this problem with this plugin:
Disable REST API and Require JWT / OAuth Authentication
As its name says it will do exactly what i want. It works on both plugin i used
JWT Authentication for WP REST API
WP OAuth Server
And restricts all api calls that not authorized and works fine.
So i my best practice is JWT for Oauth + Disable REST API and Require JWT / OAuth Authentication and they are very good combination to implement OAuth in android application for word-press.
Related
I am developing an Android app with a REST API. The REST API needs authentication for security. I would like to use Google's OAuth2 provider since I the client will be on Android. I don't want to store passwords myself.
I'm trying to understand how the flow should work at a conceptual level. Authenticate to OAuth2 services describes how to get an OAuth token in the Android app. But then what? Do I need a route that accepts this token?
I am implementing the API with Django and Django Rest Framework. I found python-social-auth to implement OAuth flows for the API. It works great when I test manually in a browser going to http://localhost:8000/social/login/google-oauth2/. When I request that URL with a HTTP client, it returns HTML for a Google login page. In the Android app, should I load that in a WebView? And then what? That doesn't seem quite right to me since I'd rather use the Android OAuth API that I linked earlier.
What am I missing here and how do I solve this?
I had created an Android app that requests resources from the server using Rest APIs. Now how can I check on the server side that the request is from the app and its not from the Postman.
For example,
I am using the following endpoint to get data from the server.
https://api.example.com/get-data/{id}
Now, this endpoint is also accessible from a browser. Therefore I want a solution to make the API in-accessible by all other means. ie. It should be only accessible from my android app instead of any browser, Postman or an android app that is not built by me.
In other words, I want my android app to send a special piece of information that helps the server to authenticate the app.
Besides this, I am also concerned about someone to decompile my APK and take out that information to make API requests.
Note By special information I mean a security key or a mechanism to generate that key.
I am looking for something like the "origin" header that is set by the browser by default and no one else can change this header even the developer of the website. Does anything like this exists in android?
You need to implement an API token, that behaves like a password for your API.
A simple way of doing this is using the Bearer Header with the token value to come from the API and every request you send via your app should include this token as a header.
An example is the Slim 3 Token Authentication which does this for Slim 3 Framework APIs. IF you are using laravel API, try https://laravel.com/docs/5.6/passport
I'm developing a small REST API that will be used by browsers and Android / iOS / Windows Phone applications. I'm using JWT for authentication. Since in the API every url must receive the token, I'm stuck thinking about how to send the token to the API so that it's compatible also with mobile apps.
I can only think of two options:
First: Cookies, but I do not know if android / iOS / Windows Phone applications can use cookies just like browsers do. Can they?
Second: Using POST to send the token on every request. I know it would work, but I find it unprofessional and I'm sure there is some other way to make it easier.
Would cookies work? Does anyone have any idea how to do it right?
Thank you
Android and iOs applications do not use cookies. You need to store the JWT in local storage and include it in each POST request. The recommended way is using the Authorization header, but it is not mandatory
To store the token locally you can use perfectly cookies for the web application and Preferences for Android and iOS
jwt it your best choice
the main idea is to generate token using your credential that have 3 part the first and second part contains user info and the third part is generated by the first 2 part and the server key
you can see this example building by laravel and angularjs with full description
example here
update:
the best is to send it in request header Authorization : Bearer cn389ncoiwuencr[jwt token] it will work in both web and mobil
I have a server developed in laravel. I have an android application that can send POST and GET request to my server. I found that i can send POST and GET request from any other systems if have the link to my api. I want to authenticate my API and only allow my android application to POST and GET from my API. Please note that i dont have user login in my android part. I simply want to authenticate my android app to access those APIs.
If you want only your mobile application to make API calls, you can't. Your API doesn't know who is sending the information, he can only check if the information is correct and proceed with your endpoint. Like others have said use JWT/Authentication to limit who can use your API by creating an account or requesting a token, but there's nothing to prevent the user from taking his token and use it on his browser or tool of his choice like Postman.
I'm creating an Android application for my employee that will require the sales people to login using Okta authentication (I plan on using their authentication api). My question is on how to secure the WEB API my code will be calling from the android app. Should I use Okta's OAuth implementation to do this?
What I was thinking was if I use Okta's authentication (to have them login), I can also call the OAuth API to retrieve a token and then an access token. I could then lock down the API by checking the access token I received from Okta.
Do you think this is the best way to do this using Okta?
Thanks!
08/18/2016 update: we now have a Xamarin code sample available at https://github.com/raphaellondner-okta/okta-oauth-xamarin-android-customtabs
As of 08/18/2016, you will need a slightly modified version of IdentityModel.OidcClient (https://github.com/raphaellondner-okta/IdentityModel.OidcClient/tree/rl-pkce-secretless) to make it work with Okta and PKCE. Hopefully these proposed changes will make it to the master branch soon.
Original answer:
I suggest you take a look at our OAuth Android sample available at https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android (we leverage AppAuth to achieve both the authentication with Okta and the authorization using OAuth and our OAuth features).
We do not yet have a Xamarin sample available yet, but the general idea is to leverage the OAuth authorization code flow using an embedded browser to call the Okta /authorize endpoint, grab the code that's returned from Okta in the browser response url (as a fragment) and pass it on to your mobile app to exchange the code for an access token.
Our OAuth features are still in beta so if need access to them, please contact us at developers at okta dot com.