Sorry for the misleading title, but here's I want to do:
Say I have an already running website AwesomeWeb, which authenticate its users using username/password combination. Now I want to develop a mobile app AwesomeApp for it, and at the same time, develop and open up its RESTful API - AwesomeAPI.
To keep things simple, I plan to authorize AwesomeAPI using OAuth2, and make AwesomeApp the first client/application.
But I DO wish AwesomeApp to have a simple sign-in process: input username/password -> click the button -> done. In other words, have a 'non-web' feel just like Facebook or Twitter does.
For those 3rd party mobile apps that want to access resources (like username) through AwesomeAPI, it should embed a button somewhere in the app, which opens AwesomeApp to display a 'allow/deny' page when clicked. Again, this is what Facebook and Twitter app doing.
OK, here's the questions:
At step 3, what do I use: webview or doing http stuffs background or just use OAuth2 password grant type? Pros vs. cons?
After step 3, I get an access token for AwesomeApp. But this token CANNOT be used in step 4 to issue an access token for some 3rd party app, am I right? If so, how to achieve step 4?
Appreciate your help a lot!
Notes: I'm not asking for OAuth2 flow or inter-app communication.
Regardless of whether you achieve the step 3 by implementing "Resource Owner Password Credentials" flow defined in RFC 6749 (OAuth 2.0) or by other means, the authentication should be performed in the background. Note that in "Resource Owner Password Credentials" flow, a client application does not access the authorization endpoint but accesses the token endpoint directly, so the authorization UI (which is supposed to be shown at the authorization endpoint) is not displayed.
To achieve the step 4, you have to implement "Authorization Code" flow or "Implicit" flow.
Related
I have an android native app as client and spring boot service in the backend with REST endpoints. I want to know the best possible strategy for authentication with oAuth2 (without the social login approach).
I am currently using spring oauth security & have an authorization server up and running(user signs up with email & password). I use the grant type "password" to get access tokens in the android app. However, this approach requires the android app to send the client ID & secret in the request. I read a few posts which suggest that this grant type is not ideal. I dont mind receiving the user's password, but i think storing the client secret in the app is not a good approach.
Another approach would be to use the Authorization Code grant flow, but in this case since i only have a native app & backend APIs, i dont know how to authorize the user. It doesn't seem like a seamless experience for users to see a browser page asking them to authorize the app. Which doesnt make sense also because this is no third party app.
I found a post where people suggest using Authorization Code flow with PKCE. But this apparently doesn't yet work with spring.
So, now i am left wondering how other native mobile apps, handle authentication? Do they not use access token? How best can i support authentication when dealing with a mobile app & spring backend?
Spring Security OAuth supports password and authorization_code flows without the client secret, meaning a "public client". Since you own the Authorization Server and the native app and you are okay with the native app taking credentials, it's reasonable to have your native app use a public client with the password grant type.
If you decide that your native app shouldn't take credentials, though, then PKCE is the current best practice. Using the authorization_code flow with a public client is the recommended alternative to PKCE:
In the time since the spec was originally written, the industry best practice has changed to recommend using the authorization code flow with no secret for native apps.
And this would mean, as you mentioned, jumping out to a browser.
I'm developing an application in which I need an authorization workflow.
I m working on OAuth2 with oauth2orize library.
My applications (client) are frontends written in javascript or java (android).
First, what I need is simply a way to authenticate inside of them and get back an access token. To make it work, I have a resource owner flow.
My problem is that I can't store my secret on my client app cause of security problems. Do you have an idea how should I do it?
In the other hand, how can I make a third party login page? Like "connect trough XXX" and then be redirected on the login page?
The Implicit Grant flow is for public clients operating on a given URL, like Javascript (and there's a way to do it on Android).
You'll make a button "Connect through XXX" and then you redirect the user to XXX to authenticate. When that's done, you get a redirect back with the Access Token in the URL fragment.
I'm developing a web server (Using J2EE/Wildfly 8.2) with a RESTful API for the Android clients. To authenticate the connected client I would like to use a token (OAUTH2 or whatever is appropriate) from that client rather have to deal with the messy password admin in the server.
Could someone point me at a good example. Ideally it would use the Google account on the Android device as most users (I would think) have an active Google account.
As always, many thanks for your help getting me started on this.
I think it will be helpful for you to take a look at Stormpath. In your backend, you can use the Stormpath Java SDK to easily delegate all your user-management needs. Since you are specifically interested in the social login functionality, this is the way you would do it with Stormpath:
There are two options here...
You can completely delegate the login/register functionality to Stormpath via its IDSite. It supports Google, Facebook, LinkedIn and Github login.
You can create and host your your own social login forms. In this case, your front end will display the login buttons. When the user presses the login button, your front end will send the credentials to the backend-end where you will need to execute code similar to what was documented here
I have created the SDK and now want to integrate oauth for authentication process. Now I want to do same as Facebook SDK do, if client app is already installed and login, it switch to that app ask for permission and switch back to app who wants to authorise it. if client app is not there is will open the webpage and on login ask for permission and then redirect to my app after login.
We have implemented the oauth on server but not sure which grant_type we will use to achieve the above functionality. We can not store the password in client app.
Let me know if anyone has idea how to achieve this functionality and implementing the same flow as other SDKs(Facebook, Twitter) does.
For mobile based apps use the following URL for authentication:
POST https://api.example.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID
Pass the authentication code from the app if user is login else if user is not login first navigate to login page, on successful login authorization page come as-usual.
NOTE: It might be unsecure as we are sending the code in query param, but doing it in request over ssl enhanced security.
For browser authentication
https://example.com/auth?response_type=token& client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
where authentication picks the login session if user is already login.
I think you already answered your own question when you said "I want to do same as Facebook SDK does".
Facebook SDK provides the framework for detecting if Facebook application is installed in order to avoid signing up through WebView interface. Google also provides an authentication and authorization API through Google+ sign instead of a browser. As you can see:
the documentation suggests using the right device infrastructure rather than the system browser.
According to this post, it is possible detecting programmatically check if an application is installed. For Android, I think that boths SDK check if their related apps are installed when you trigger the sign up/in/out process and invoke the system browser if necessary.
Thus, in order to provide a generic OAuth 2.0, you also could do the same programmatically, but I guess that drilling this information, pick the right application, and launch it won't be an easy task.
I followed the tutorial here: https://developers.facebook.com/docs/mobile/android/build/#enablesso
I am able to authenticate on the android side, but what I want to do is to use SSO or some sort of authentication using facebook [preferrably OAuth] to authenticate against my web application on GAE. I expect it to work something like this: blog.notdot.net/2010/05/Authenticating-against-App-Engine-from-an-Android-app
This is the sort of flow I expect:
The user starts my app, and is prompted with an option to authenticate to FB.
The FB app/web dialog opens and asks the user to confirm permissions to be given to my app.
Once that is done, FB provides me with a cookie [or something similar].
I use that cookie for subsequent requests to my web service, where I can get the username simply using:
user = oauth.get_current_user()
user.nickname()
Is anything like this possible? The problem I face is that while performing SSO, there is no place where I specify an OAuth end point. GAE provides OAuth endpoints [http://code.google.com/appengine/docs/python/oauth/overview.html], which I think I should be using. Any clue as to how I can proceed about this?
Any help is appreciated. Regards, rohan
You need to implement the server-side authentication flow: http://developers.facebook.com/docs/authentication/
I implemented it in Java: see the LeanEngine oss project. You could probably reuse the android client part: the login dialog.