I have created an Android app that uses OAuth2 authorization code flow to get an authorization code from the Facebook authorization server. This works correctly, and I am able to retrieve the authorization code in my app after the user logs in and authorises it.
I would now like to pass that code to a .NET WebApi server to complete the flow on the server to retrieve the access token and, subsequently, the user's details from Facebook. I have scoured the web for examples of how to use this code, combined with the classes from Microsoft.Owin.Security.Facebook, to complete the signin process, but I cannot find anything. Is it possible to authenticate a user using an authorization code I have already retrieved rather than the standard Microsoft.Owin.Security process of redirecting the browser to the authorization url? Or will I have to write something custom?
Related
I have an android application that can upload files to Sharepoint. It authenticates with AzureAD. It works fine if I manually create a refresh-token, but I can't figure out how to do this in code in Android.
FYI, we also have an external web application (MVC) in which we can generate refresh tokens. It does this by following the authorization flow here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
The application follows the authorization flow by generating an authorization code, using that code to generate an access/refresh token and then retrieving the refresh token.
This proces is already complex in our web application, but we now want to implement such thing in our Android application.
My question is, how can we implement this authorization flow in an android app? When the user requests an authorization code he is automatically redirected to an azure login page. Is this also possible with an http client library in Android? Any help would be appreciated.
I am building an Android App that requires users to log-in by their Facebook (so we can get their profile picture and albums). It works great by using the Android Facebook API. After I get the access token from the API, I can get the information that I want and also post feeds/photos by the App.
However, I now need to build the remote function for this App as well, which means the App should talk to our server for managing his own information and fetch other information.
I plan to manage users in our server by also the Facebook API. Specifically, I am using .net + Facebook authentication:
.net Facebook authentication
It works ok. Basically, when people(or my App) visit the url on our server, a response from Facebook will ask user to log-in and then my server can get user's identity.
My problem is, in this case, the users seem to handle the log-in "twice" (one for Android Facebook API and one for remote server Facebook API). Is there any way that I can just do it once? For example, once I get the "access token" by the Android Facebook API, can I pass that "access token" to my remote server (maybe via the post header?), and then my server will be able to talk to Facebook via the same log-in identify. (I prefer using the Android SDK because it allows users to skip entering the password if the user has the Facebook app installed)
I am wondering if anyone can give me some suggestions to achieve this function. I notice there is something called "JWT Bearer Token" seems fit my need but I am still looking for tutorials of using this with Facebook API.
I have a fully functional web app, where authentication was created using Passport. The application uses client-side, cookie-based session token. Basically, when a new session happens, the client's data is stored as Base64 AND signed client-side, so that the user cannot change it.
The login/pass mechanism obviously works 100% fine. Facebook, however, doesn't. The main issue is that in a web environment, the user is expected to get redirected to the Facebook page and which is passed the redirect URL to which the token is passed etc.
In a App environment, this doesn't happen: my (basic) understanding is that the client handles the whole oauth mechanism, and it is meant to provide the server with the userID and auth token -- which must then be checked by the server using a Facebook API.
So... is there a known "path" to go from "Web based Facebook login using passport" to "App based Facebook login using passport"? Or shall I not bother with Passport at all for the app side of things?
I would like to create an app in which there is a mobile (Android) client which uses REST API from the server. A user has to login with Facebook account (using Facebook SDK's LoginButton); on success this should create a user account on the server at the first log in.
I've already read a lot of tutorials about how to secure HTTP API using SSL and access tokens, but there is one point which I don't get. The flow should look like this:
a user log in on the Android app with the Facebook LoginButton
in the Android app I receive an access token on successful log in which I can push to the server
I can validate this access token against Graph API
if validation in 3. is succesful I can create a user account on the server
all other calls to my server API can be secured with received access token or other token which would be created by me
but what about the 2. point? I have to expose API call which takes an access token and creates an account. This API call won't be secured, so if someone calls it with stolen/properly fabricated access token, then I will create an account which shouldn't exist. How to solve this? Do I have to assume that if my create account API is called with an access token which is valid (because I validate it in 3.) then everything is ok? Is there a better solution?
You are right, never trust the client. Always validate all client input again on the server.
In your case, you're validation of the token on the server in Step 3 should include comparing the result from Graph API with the result from decrypting the user info from the token. If both match, then proceed.
There are several code examples on Facebook website on how to do this correctly. They are available in several server languages (e.g. PHP) so I recommend reviewing them.
My Android app needs to send an authorization code to my server so that the server can use that to acquire an access token for the user's Google Drive account. I have been trying to figure out how to acquire the authorization code and I found this in the Google API documentation (Using OAuth 2.0 for Installed Applications):
This sequence starts by redirecting a browser (system browser or
embedded in the application as a web view) to a Google URL with a set
of query parameters that indicate the type of Google API access the
application requires. Like other scenarios, Google handles the user
authentication and consent, but the result of the sequence is an
authorization code. The authorization code is returned in the title
bar of the browser or as a query string parameter (depends on the
parameters sent in the request).
After receiving the authorization code, the application can exchange
the code for an access token and a refresh token. The application
presents its client_id and client_secret (obtained during application
registration) and the authorization code during this exchange. Upon
receipt of the refresh token, the application should store it for
future use. The access token gives your application access to a Google
API.
Now I am not sure how to get this authorization code in my Android app since the Android examples I have seen seem to get the access tokens directly. I am looking at the Android AccountManager class and it has a method getAuthToken but this seems to refer to the access token and not the authorization code.
So how does one acquire the authorization code that can be shared with a server? If it is possible I would greatly appreciate some example code. If this is not possible what are the possible workarounds?
You may want to take a look at the Cross-client Identity document. It should keep you from needing to pass user tokens back and forth.
I believe you can actually take the access token returned by the Android AccountManager, send this to your server, then have your server make a call against the Google Drive API using that same access token - it is a bearer token and not bound to the channel that created it, so please take good care of it and only send over encrypted connections.
Documentation on how to get that access token can be found here:
https://developers.google.com/drive/quickstart-android
While that access token is good for immediate use, it will expire in less than 1 hour, so if you are looking for a solution that enables your backend server to have continued access to the Drive data, without the user being present at your app at the time of request, an alternate approach will be needed.