I'm creating an Android application for my employee that will require the sales people to login using Okta authentication (I plan on using their authentication api). My question is on how to secure the WEB API my code will be calling from the android app. Should I use Okta's OAuth implementation to do this?
What I was thinking was if I use Okta's authentication (to have them login), I can also call the OAuth API to retrieve a token and then an access token. I could then lock down the API by checking the access token I received from Okta.
Do you think this is the best way to do this using Okta?
Thanks!
08/18/2016 update: we now have a Xamarin code sample available at https://github.com/raphaellondner-okta/okta-oauth-xamarin-android-customtabs
As of 08/18/2016, you will need a slightly modified version of IdentityModel.OidcClient (https://github.com/raphaellondner-okta/IdentityModel.OidcClient/tree/rl-pkce-secretless) to make it work with Okta and PKCE. Hopefully these proposed changes will make it to the master branch soon.
Original answer:
I suggest you take a look at our OAuth Android sample available at https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android (we leverage AppAuth to achieve both the authentication with Okta and the authorization using OAuth and our OAuth features).
We do not yet have a Xamarin sample available yet, but the general idea is to leverage the OAuth authorization code flow using an embedded browser to call the Okta /authorize endpoint, grab the code that's returned from Okta in the browser response url (as a fragment) and pass it on to your mobile app to exchange the code for an access token.
Our OAuth features are still in beta so if need access to them, please contact us at developers at okta dot com.
Related
I am developing an Android app with a REST API. The REST API needs authentication for security. I would like to use Google's OAuth2 provider since I the client will be on Android. I don't want to store passwords myself.
I'm trying to understand how the flow should work at a conceptual level. Authenticate to OAuth2 services describes how to get an OAuth token in the Android app. But then what? Do I need a route that accepts this token?
I am implementing the API with Django and Django Rest Framework. I found python-social-auth to implement OAuth flows for the API. It works great when I test manually in a browser going to http://localhost:8000/social/login/google-oauth2/. When I request that URL with a HTTP client, it returns HTML for a Google login page. In the Android app, should I load that in a WebView? And then what? That doesn't seem quite right to me since I'd rather use the Android OAuth API that I linked earlier.
What am I missing here and how do I solve this?
I need to send post request to get token from here https://developers.google.com/android-publisher/authorization
But on step 4 I don't have client_secret
I have code / client_id / redirect_uri the JSON does not have it
The most recommended mobile solution is to use AppAuth libraries, which involves these 2 steps:
Use Authorization Code Flow (PKCE)
Login via System Browser (Chrome Custom Tabs)
In this case the request to get a token uses a runtime code_verifier rather than a client_secret. My blog posts and code sample may give you something to compare against, but mobile OAuth can be quite intricate.
Google Mobile OAuth
Google generally recommend AppAuth for mobile logins. The playmarket API is just a scope value, so I see no reason why it wouldn't work.
References to client secrets in the Playmarket page may just be incomplete documentation. I haven't used this particular API but have used similar Google resources.
Quick Next Steps I'd Recommend
Try running the Google AppAuth sample - this blog post of mine makes this very easy.
Then repoint the sample to your Google Auth Server and add the Playmarket scope. You should then get a token and be able to successfully access Playmarket resources.
If there are no problems, integrate the solution into your own app. If you run into usability problems, have a read of my blog posts.
Coding Aspects
Not sure what language you're using, but my Kotlin sample code uses the libraries with a modern async await syntax.
I am trying to make an android app to get my VSO items.
I am following the documentation here for the OAuth flow https://www.visualstudio.com/en-us/docs/integrate/get-started/auth/oauth
The authorisation and authentication calls require a redirect_uri to be passed in the POST requests. What would be that value for an Android app?
The URL must be secured as per VSTS guidelenes.
Based on Authorize access to REST APIs with OAuth 2.0 article:
Q: Can I use OAuth with my phone app? A: No. Right now, Visual Studio
Team Services only support the web server flow, so there's no
supported way to implement OAuth for Visual Studio Team Services from
an app like a phone app, since there's no way to securely store the
app secret.
The workaround is that you can build a web app, then send the request to that web app from your Android app to retrieve necessary data.
Update:
If you can use Personal Access Token or Alternate authentication credentials, you can use it on your android app directly. (Can't access account and profile information)
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
I am working on a Android application which authenticates the user with Google+ sign-in. Now I would like to communicate with my web api to store and get data. What is the most easy way to implement authorization on my web api?
Before implementing google+ sign-in, users had to register with a username and password and I used basic authentication to authorize users with my server.
Currently (planning on)using:
Client side authentication with google+
Asp.net web api (no authorization for google+ sign in yet)
SSL
If anyone could make this process clear and maybe with some examples or webpages to find the information I need that would be perfect.
The Google+ documentation includes a full explanation of the REST API and its capabilities, which you can use to see what is available for your web implementation. Many of these methods include code snippets for .NET, such as the people.list API call.
There is also a C#/.NET quick-start that you can use to see how Google+ Sign-In works at a glance.