I've been following this link https://spring.io/guides/tutorials/spring-boot-oauth2 for implementing security to my own resource server. My final goal was to have custom login oauth server to access resource server from an android app which I've achieved using grant_type=password.
Now I would like to add social logins like Facebook to the same flow. I was able to make it work for web apps easily,I even got the accessToken from facebook in native android app but now what? After so much searching I was not able to find anything good for an android app. So my questions are:
How to add social login using spring oauth2 to an android app. Any links?
Should I be using Spring social with spring security for my goal. If yes, how?
I've been using JDBCTokenStore to persist my tokens in case my server restarts. If I get my token to server somehow how should I store it?
Please let me know if my understanding is incorrect.
Without digging too deep into the details, you can take the token you get from the client and use it to create a new connection via the connection repository. Of course, you'll also need to know which use the connection belongs to. In the end, the code will look something like this:
Code:
UsersConnectionRepository ucr = ...; // probably injected
ConnectionRepository cr = ucr.createConnectionRepository(userId); // you determine the userId somehow
ConnectionData cd = new ConnectionData(...); // lots of params...you'll fill those in.
FacebookConnectionFactory fcf = ...; // create or inject this
Connection<Facebook> conn = fcf.createConnection(cd);
cr.addConnection(conn);
As you can see, the code above is rough...I'm leaving a lot for you to fill in. But that's roughly how you'd do it.
Related
I am currently working on implementing a mobile app for our site that uses Ruby on Rails and Devise. The idea here is, at first, create a mobile login form that on successful login opens a web frame that is authenticated and allows the normal use of the (mobile optimised) site. Theoretically that should be possible.
I am having trouble with the following issues:
How do you get the pure session key for the user session via a json request? What methods can be used to manually generate it from devise, something that the sign_in(:user, user) method does?
Is it even possible to take that key and put it into the browser cookie the way it normally happens in devise, but on the mobile side?
I know that this is not the standard method of making mobile applications for the site, but I believe it should be possible.
You might want to consider using Devise Token Auth and treating your mobile application like just another webapp that requests permission from your main site. DTA is particularly nice since it takes care of managing the session tokens (renewing/expiring) and passing them onto the app requiring access. The issue is overriding your session controllers so that it automatically logs in after you already log in on the mobile app (or just rewriting your log in so it occurs in conjunction with the Rails site, rather than before). Considering you're already using Devise, this may also be more refactoring than you'd like.
If you want to put your authentication form on the mobile UI and pass the credentials over to the web frame, you need a way to pass data from the mobile app to the web frame.
How you accomplish this depends on what platform you're building on. I'm not really a mobile developer so I don't know for certain how difficult / easy these options are:
When opening the web frame, instantiate it with session data
Find a way to call methods on the client from the web frame. Something like getSessionData.
You could generate a fingerprint for the web frame, have the mobile UI send this data to the server, and then have the web frame authenticate with the server by sending the fingerprint.
Again, I'm not entirely sure how possible all these options are.
You should use token authorization and Android deep linking. It will allow you to login in the web browser and send a token to your app via deep linking.
OK, so I decided to make a webframe solution as follows, basically you post the login and password to a certain sign_in method specially designed to generate one-time sign in tokens for the application. You need two methods in the system to do that:
routes.rb
devise_scope :user do
get "sign_in_with_token/:token" => "sessions#sign_in_with_token"
post "get_login_token" => "sessions#get_login_token"
end
sessions_controller.rb (don't forget to add the method that increases the failed_sign_in_count on wrong password, otherwise that can allow brute force attacks)
def get_login_token
user = User.find_by_email(sign_in_params["login"])
password = sign_in_params["password"]
if user and user.valid_password?(password)
token = SecureRandom.hex(16)
user.update_attribute(:authentication_token, token)
render json: {token: token}, status: 200
else
render json: {error: "error"}, status: 403
end
end
and the method to sign in with that token
def sign_in_with_token
#user = User.where(authentication_token: params[:token], email: Base64.decode64(params[:email])).first
if #user
#user.update_attribute(:authentication_token, nil)
sign_in(#user, bypass: true)
end
redirect_to '/' # or user_root_url
end
That way the mobile app will work like this:
use the generic web frame to send ajax requests to the server and get that token for the user email if password is correct.
make a /sign_in_with_token/#{token from ajax}?email=#{base46 encoded email} link inside the app.
open that link inside the web frame and use the app as though you were logged in normally. Now the app can save email and password locally and use that logic to get the token again for another session. Later logging in will also be able to set the app id so that push notifications can be sent.
Appreciate any feedback or criticism on this solution.
Hello all i am making an android app in whiich i have multiple account login at a time now my question is that i for multiple logins i should use sessions to verify every account user that is logged in. Now i am using express on the server side i have read a lot of documentation on storing sessions in node.js
Express-session (Though it is only good for development but not for production but not for my app)
Cookie-session
connect-Redis
connect-mongo
I have also heard about json web tokens where i can generate unique tokens and then i can pass the tokens to the client using res.json({user_id:"user1", token: "generated_token here"})
I have also heard about passport but dont know how it is going to do this also as in passport i use express-session by default will it be good for production or not ??
Now my first question is i have read all of there docs and nowhere it is mentioned where i am creating unique tokens for every user that is signing up.
Second question as i am using my server for android app there will be no use of cookie i will be sending user token as in parameter req.body.token now how to cmpare this with current user_id.
Actually i dont get the flow of control i mean how everything is going on in session in node.js. Also what is this secret is this thing generating unique tokens or what. Also i mean about 100000 of users are registered for my app now please tell me accordingly which way should i use for my app.
I have asked this question previously but there i did not mention that as i am not making a website how to do this(As in my case there will be no use of tokens)
I know this question i am asking is very vague but please bear with me i just want to understand how sessions are used in node.js
Thanks Anways
I'll try to answer this, but it is vague (as you pointed out). I'm going to make an assumption that your Android app is a native Android app and is going to be connecting to some sort of NodeJS backend in the cloud that is based on ExpressJS. If that's not the case, please clarify your thoughts in an update to your question.
The best idea for this specific scenario is to look to the cloud provide. Azure App Service Mobile Apps, for example, allows you to implement authentication - it eventually returns a JSON Web Token (http://jwt.io) to authenticate each request.
If you don't want to be beholden to a cloud provider, but want to run it yourself, you are going to have to implement the token generation and checking yourself. This generally follows the form:
Set up a WebAPI endpoint (maybe /signin) which takes whatever token the identity provider gives you, verifies the information and returns a JWT - there is an NPM module (jsonwebtoken) for producing the JWT. Ensure the JWT includes the identity of your user. I tend to use email address for the identity.
Your Android application will do a WebAPI request to your backend with an Authorization header, the value of which is "Bearer "
Your NodeJS API will use JWT authorization to validate the JWT and extract the user identity so you can use it in your API logic.
The important thing to note in this specific scenario is that your backend code is implementing a WebAPI - there are no cookies nor sessions in the API. The only thing that is linking the user from the client code to the backend code is the JWT.
As a short piece of code, here is how you verify a JWT:
var express = require('express');
var app = express();
var jwt = require('express-jwt');
var jwtCheck = jwt({
secret: new Buffer('your-jwt-secret', 'base64'),
audience: 'your-jwt-audience'
});
app.get('/api/protected', jwtCheck, (req, res) => {
// Your code here
});
app.listen(process.env.PORT || 3000);
I need a private channel on Pusher in order to enable a bunch of Android clients to communication with each other. Pusher was recommended to me, although it is really complicated. I've read all the docs many times, so I'm hoping someone (Mr. Leggetter?) could give me a hand.
I've installed the Pusher Android JAR on the client and am able to subscribe to public channels that I trigger from the "Event Creator" (very neat), but in order to get the private channel working, in order to trigger events, I need this:
HttpAuthorizer authorizer = new HttpAuthorizer("http://example.com/some_auth_endpoint");
PusherOptions options = new PusherOptions().setAuthorizer(authorizer);
Pusher pusher = new Pusher( YOUR_APP_KEY, options );
According to http://pusher.com/docs/authenticating_users, the HttpAuthorizer() needs a URL that points to an app server that is going to respond with a JSON authentication token. Do I have to set up my own app server to provide authentication, like the example at https://raw.github.com/pusher/pusher-android-example/master/src/com/pusher/android/example/MainActivity.java, or can Pusher provide this? This seems like something Pusher should provide.
In the Ruby server code example for my app (why is there no Java?) I see this: Pusher.url = "http://{key}:{secret}#api.pusherapp.com/apps/{app_id}". This URL, however, does not exist. I tried it in HttpAuthorizer() and got a java.io.FileNotFoundException. (I just found the "Enable Clients Events" checkbox under Settings - checking it did not help, but I'm guessing that's an important step.)
If I have to set up my own app server for authentication, I'd like to use Java with GAE. http://pusher.com/docs/authenticating_users#implementing_private_endpoints has a Python/GAE example, but no Java, and I don't know Python. Is there a library for this? Will https://github.com/marcbaechinger/gae-java-libpusher# do the trick? It doesn't seem like it would.
token. Do I have to set up my own app server to provide authentication, like the example at https://raw.github.com/pusher/pusher-android-example/master/src/com/pusher/android/example/MainActivity.java, or can Pusher provide this?
You need to set up your own authentication server. The point in this is to allow you to authenticate subscriptions. This means you can authenticate the user in any way you see fit, against any existing or new authentication mechanism you may use e.g. user sessions (more applicable to web apps) or authentication tokens your own application may provide upon initial connection (via some username/password login to your system).
In the Ruby server code example for my app (why is there no Java?) I see this: Pusher.url = "http://{key}:{secret}#api.pusherapp.com/apps/{app_id}". This URL, however, does not exist.
There is a Java server library but Pusher don't directly maintain that. It's a community contributed one.
I'm not sure where you got the URL from. Maybe from the Web API reference, but unless you are writing your own Pusher Web API library I wouldn't expect you to be using that URL directly. There are Pusher and contributed helper libraries for that sort of thing.
If I have to set up my own app server for authentication, I'd like to use Java with GAE. http://pusher.com/docs/authenticating_users#implementing_private_endpoints has a Python/GAE example, but no Java, and I don't know Python. Is there a library for this? Will https://github.com/marcbaechinger/gae-java-libpusher# do the trick?
Yes, you need to set up your own authentication server. You could create a client-side authorizer, but that would mean exposing your app_secret in client code - which you shouldn't do.
The PusherUtil class provides a number of helper methods that you could use to add subscription authentication support to the library. But - you are right - it doesn't appear to offer this functionality.
The Pusher Play module (also Java) does appear to have an appropriate method so this could be ported. See:
https://github.com/regisbamba/Play-Pusher#generating-the-authentication-string
I don't work for Pusher any more, but I would be happy to contribute to an improved Java library.
I have an android app that the user logs in to via facebook. I am trying to access my symfony api without logging in another time. Is it possible to log in to symfony with just the access token that I get from the android app?
Yes, it is possible. You'll need to implement a custom authentication provider and possibly a custom user provider to authenticate a user with token (and possibly retrieve him by token).
Ok so just a wrapup of what I managed to do.
I tried to modify fosFacebookBundle to accept access_tokens but in the end of the day I had to just do everything from scratch following the links I got from Zalas. I got the user from the accesstoken via the FacebookProvider class in fosFacebookBundle.
I had to inject Facebook, and FacebookProvider into my FacebookTokenListener. I am not even shure that this is secure. Somebody might be able to login with a access token from another site(I havn't tested it yet). The accesstoken is also in plaintext in the header. All in all not a very nice solution.
$this->facebook->setAccessToken($request->headers->get("access_token"));
$fbUid = $this->facebook->getUser();
if(!$fbUid){
throw new AccessDeniedHttpException("invalid access token");
}
$user = $this->facebookProvider->findUserByFbId($fbUid);
$token = new FacebookTokenToken($user);
Thanks for the links!
Hey i'm working on a web application in combination with an android app. Now i want in my mobile app that the user have to log in with the same user data like on the web application. So i want to send a username and a password to the controller and in the login action of this controller the user should be verified and the additional user id should be send back to the application (the id is used for several operations in the app). I looked for the Auth Component of CakePHP but i don't find any solution for my problem. I hope you can help me.
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('index','view');
$this->set('logged_in', $this->Auth->loggedIn());
$this->set('current_user',$this->Auth->user());
if($this->name == 'Specific') {
// for the specific controller
$this->Auth->authenticate = array('Basic');
} else {
// everything else
}
}
checkout KVZ's rest plugin it may be of interest https://github.com/kvz/cakephp-rest-plugin
Not sure about what you need to do on the cakephp side of things, but if you want to have a set of account credentials stored securely and persistently on an Android device, I suggest you take a look at the AbstractAccountAuthenticator class.
The AuthComponent has a login() method you can use to manually login users. Depending on the Cake version you're using this method also checks the credentials you supply (actually Auth is completely restructured in 2.0 in a way that's much more useful for situations like yours, it's worth taking a look!).
You can send in the login credentials from your android app any way you please (XML, POST parameters), extract them in your login action and send them to the AuthComponent (or, in 2.0, write a custom authenticator object to handle it all).