I am working in a app that register a user in a specific place.
I got the client_id and the client_secret and the url, also the token url.
i have seen how simple was to use the AFOAuth2Client in Iphone and i would like to know if there is an equivalent for Android.
Thanks in advance.
It's generally not a very good idea to store secrets on a device. If you control the entire stack: client, API and AuthZ server, then make sure you use a Oauth2 flow that doesn't require that. (Or reconsider using Oauth2 altogther perhaps).
The simplest Oauth2 flows are quite simple to implement as they are straight forward HTTP requests.
Related
I'm wondering whether OAuth is the right fit for me.
I need to write a REST service (or REST services) that can be accessed by several clients. All clients will be written by me. The service will be written by me. And as for the Authorization server, it will only use local accounts, no external log ins at all.
Given this I feel like implicit flow and the authorization code grant flow are not the right fit for me. I feel like using a redirect in this scenario would be silly, given that I write the clients, am the identity provider, and so on.
Should I maybe not use OAuth at all? What should I use instead? Or if I am to use OAuth, would I have to use ROPC in order to avoid the redirects?
If OAuth is the answer, are there any solutions I could use? Azure AD B2C? Or should I write my own, and if so, does any one have any resources on how to do that using .NET Core?
I should mention that we will also be using long-running services where client credentials flow would be a good fit.
Implicit flows is just one of the ways OAuth2 defines for a client app to acquire a token it will subsequently use to call a service. It should be used by browser-embedded (SPA) apps only. A blog I wrote lists the other flow types and when to use them
Yes, you should consider using OAuth2 unless you don't care who calls your services because nobody else can (you are running on a completely closed network inside Fort Knox) or you cannot imagine anyone would want to call them. (sorry about my sense of humor). The purpose of OAuth2 is to manage permission of apps calling each other. Its advantage vis a vis other protocols is that it supports most common scenarios (daemon clients, web apps, IOT devices, etc.)
I want to develop the Android client for my RESTFull Web service. But, I'm nearly newbie in Android and I don't know how to make correct authentication with REST service. How to save user details in android ?
This is a fairly complicated topic that is too broad to explain fully here. I highly recommend Retrofit for this. Here's a link to their site, http://square.github.io/retrofit/
I've also put together a sample project that gets images from imgur api using retrofit if you'd like to learn more about the implementation.
https://github.com/mmeister1203/SampleRetrofitApp
For authentication, I suggest you use Authentication token. It basically works this way:
You send user details to server(through https, of course).
You receive authentication token, which you save in, lets say, SharedPreferences.
Every time you make a web request, you include your token the request.
This is most common approach when you don't need extremely high security.
I'm trying to setup a private oauth2-server for usage with Android. I don't want any 3rd party-server to authorize, so my question is how to do this?
I had a look at Apache Oltu, but I haven't been able to find any HowTo to setup the server. Are there any instructions available or could someone who already did this help me?
Furthermore, is there a better solution? I don't want to just provide user/pwd-authorization (or even digest), because it's about getting an user-specific file, which should be automatically synced once in a while without asking for a password again.
The Apache Oltu documentation contains some example code, which should help you understanding the basics. Then you should have a look at the integration tests, which contain code for nearly all use cases.
But you have to understand that Apache Oltu isn't a standalone solution. It's only a framework, which handles the network communication for OAuth authorization and resource requests. That means, you have to implement
your own persistence layer for storing tokens.
your own security interceptor which actually checks if the received token is valid. Oltu isn't integrated into the webserver, so you have to take care that requests don't bypass OAuth authorization.
your own user registration process.
I'm currently designing a service that will be half web app, half android app. Each user will need to be able to log in from either the android app or the web app, using an openID account. I'm hoping to target Google first for easiest integration with Android, but I'll also need some OAuth stuff later so that I can integrate with Google contacts.
The bit I'm having trouble with is how to authenticate users. The structure I've planned is that the server (probably using web.py, although that's flexible right now) serves data for the client in JSON, whether the client is the javascript browser client or the android client. However, each call needs to make sure the client is allowed access to that data.
What would be the easiest way to standardise this across the platforms?
Should I be using a session system to authenticate after logging in? Can that be made to work from an Android app? Otherwise, should I simply authenticate with google for every request?
When authenticating from the app, where should the authentication happen, through the server or straight from the app? Where should the auth token be stored in this case? (I'm assuming for a straight webapp the token should just be stored in a table in the user database?)
Sorry for the barrage of questions, but I haven't really found any resources online that clarify these issues very well.
As long as you are using HTTP, the platform doesn't matter. You can use the same form of authentication and/or sessions. The only difference would be that on Andorid you might be able to get an authentication token using the platform's AccountManager, without having to type the username and password in Google's login page.
There's a subtle difference between Authorization (OAuth) and Authentication (OpenId). Make sure you know what you are doing.
Users of my Rails app can authenticate in one of these 2 manners:
Using their Facebook account
Using our own authentication
I'm using Facebook SDK on Android and devise and omniauth on Rails.
How do I authenticate against my Rails app on Android so I can then fetch the information I need from the server?
NB: I've noticed this question is getting a fair amount of views recently. Please don't follow the advice given in this thread too closely -- the web moves fast and it dates from 3 years ago!
This can be done using the fb_graph gem (not fbgraph!).
You can just add it to your gemfile and do
user = FbGraph::User.me(token).fetch
where token is the oauth token you got by using, for example, the Facebook SDK on Android.
user.email will be the user's email address (if you set up the necessary permissions).
You can use this URL for testing:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=https://www.facebook.com/connect/login_success.html&response_type=token
That totally depends on how your authentication system works. You will need to create an API on your server to handle communication from the Android app and pass information between both using the API.
Niraj Shah is completely right, though the answer might not be detailed enough for you. For an in-depth answer to your question, have a look at Securing an API railscast by Ryan Bates that has been released only recently. It covers HTTP Basic Auth.
You might also want to have a look at the more advanced option to secure your API / provide registered users access to their data. There's a railscast about this one as well here: http://railscasts.com/episodes/353-oauth-with-doorkeeper - though it's a pro episode, so you need to sign up for it in order to watch it.
Francisco, I have the exact same need.
The devise scenario using token_authenticatable seems straightforward and shouldn't be a problem but I'm not sure the best way to handle the Facebook scenario. On the web side, for FB auth I'm using omniauth-facebook as documented here: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview. I think this uses OAuth with FB as a provider so it's a good possibility that the latest RailsCast about doorkeeper securing an API with OAuth should do the trick. I haven't tried it yet but will do so soon unless you beat me to it. Here is the link: http://railscasts.com/episodes/353-oauth-with-doorkeeper.