I'm developing a small REST API that will be used by browsers and Android / iOS / Windows Phone applications. I'm using JWT for authentication. Since in the API every url must receive the token, I'm stuck thinking about how to send the token to the API so that it's compatible also with mobile apps.
I can only think of two options:
First: Cookies, but I do not know if android / iOS / Windows Phone applications can use cookies just like browsers do. Can they?
Second: Using POST to send the token on every request. I know it would work, but I find it unprofessional and I'm sure there is some other way to make it easier.
Would cookies work? Does anyone have any idea how to do it right?
Thank you
Android and iOs applications do not use cookies. You need to store the JWT in local storage and include it in each POST request. The recommended way is using the Authorization header, but it is not mandatory
To store the token locally you can use perfectly cookies for the web application and Preferences for Android and iOS
jwt it your best choice
the main idea is to generate token using your credential that have 3 part the first and second part contains user info and the third part is generated by the first 2 part and the server key
you can see this example building by laravel and angularjs with full description
example here
update:
the best is to send it in request header Authorization : Bearer cn389ncoiwuencr[jwt token] it will work in both web and mobil
Related
I had created an Android app that requests resources from the server using Rest APIs. Now how can I check on the server side that the request is from the app and its not from the Postman.
For example,
I am using the following endpoint to get data from the server.
https://api.example.com/get-data/{id}
Now, this endpoint is also accessible from a browser. Therefore I want a solution to make the API in-accessible by all other means. ie. It should be only accessible from my android app instead of any browser, Postman or an android app that is not built by me.
In other words, I want my android app to send a special piece of information that helps the server to authenticate the app.
Besides this, I am also concerned about someone to decompile my APK and take out that information to make API requests.
Note By special information I mean a security key or a mechanism to generate that key.
I am looking for something like the "origin" header that is set by the browser by default and no one else can change this header even the developer of the website. Does anything like this exists in android?
You need to implement an API token, that behaves like a password for your API.
A simple way of doing this is using the Bearer Header with the token value to come from the API and every request you send via your app should include this token as a header.
An example is the Slim 3 Token Authentication which does this for Slim 3 Framework APIs. IF you are using laravel API, try https://laravel.com/docs/5.6/passport
I want to implement Rest api with authorization in my Wordpress website. the version of Wordpress is 4.9.5 and REST api version 2.0-beta15. For securing my apis i need to implement OAuth on my site and at first, I implement WordPress REST API – OAuth 1.0a Server from this link and this useful link. But had these issues with plugin:
Rest-calls still works without authorization and every un-authorized user can call my rest-apis.
I want to implement this inside my Android app so I had to handle all steps in the background, but with this plugin, I should show many webView to user and user should fill them and the final token is also shown to the user in webview and this does not sound good for me.
So I looking for another plugin and find JWT Authentication for WP-API. This plugin is easier and handy. I followed the instructions and can get token and add to request header to make a request and if it is the valid response is 200 and if not need to validate. Every thing seems to work fine!
But the same problem:
every single REST API is even working without authorization header and if I do not put header the result is 200 And all request works as before without any Authorization
This is despite documents that say:
Once you get the token, you must store it somewhere in your
application, ex. in a cookie or using localstorage.
From this point, you should pass this token to every API call
So now I see that I cloud not restrict API call to have Authorization header in both plugins, how I can achieve that and what is the best solution?
I finally solve this problem with this plugin:
Disable REST API and Require JWT / OAuth Authentication
As its name says it will do exactly what i want. It works on both plugin i used
JWT Authentication for WP REST API
WP OAuth Server
And restricts all api calls that not authorized and works fine.
So i my best practice is JWT for Oauth + Disable REST API and Require JWT / OAuth Authentication and they are very good combination to implement OAuth in android application for word-press.
As per LinkedIn documentation I see that we cannot use the mobile access token to make REST API calls which LinkedIn provides. I have a use case, where, in my mobile app, I use LinkedIn's mobile SDK for logging in to linkedin and I need to fetch certain data like logged in user's connections etc on the backend. This should ideally be done on backend instead of mobile because I do not want too many calls going from app to our servers. Is there any work around to do this?
Actually, there is a way to do requests from backend to linkedin via mobile SDK token.
Such configuration worked for me:
GET https://api.linkedin.com/v1/people/~?format=json
Headers:
Authorization = Bearer ${token}
x-li-src = msdk
Using the Mobile SDK, there's really no way around this at the moment. If you require back-end call capability, your best bet is to use an existing auth library that implements OAuth 2.0 in the mobile environment rather than using the official SDK. That way, the access tokens you get back from the process are usable in either situation.
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I'm currently designing a service that will be half web app, half android app. Each user will need to be able to log in from either the android app or the web app, using an openID account. I'm hoping to target Google first for easiest integration with Android, but I'll also need some OAuth stuff later so that I can integrate with Google contacts.
The bit I'm having trouble with is how to authenticate users. The structure I've planned is that the server (probably using web.py, although that's flexible right now) serves data for the client in JSON, whether the client is the javascript browser client or the android client. However, each call needs to make sure the client is allowed access to that data.
What would be the easiest way to standardise this across the platforms?
Should I be using a session system to authenticate after logging in? Can that be made to work from an Android app? Otherwise, should I simply authenticate with google for every request?
When authenticating from the app, where should the authentication happen, through the server or straight from the app? Where should the auth token be stored in this case? (I'm assuming for a straight webapp the token should just be stored in a table in the user database?)
Sorry for the barrage of questions, but I haven't really found any resources online that clarify these issues very well.
As long as you are using HTTP, the platform doesn't matter. You can use the same form of authentication and/or sessions. The only difference would be that on Andorid you might be able to get an authentication token using the platform's AccountManager, without having to type the username and password in Google's login page.
There's a subtle difference between Authorization (OAuth) and Authentication (OpenId). Make sure you know what you are doing.