I am working on a Android application which authenticates the user with Google+ sign-in. Now I would like to communicate with my web api to store and get data. What is the most easy way to implement authorization on my web api?
Before implementing google+ sign-in, users had to register with a username and password and I used basic authentication to authorize users with my server.
Currently (planning on)using:
Client side authentication with google+
Asp.net web api (no authorization for google+ sign in yet)
SSL
If anyone could make this process clear and maybe with some examples or webpages to find the information I need that would be perfect.
The Google+ documentation includes a full explanation of the REST API and its capabilities, which you can use to see what is available for your web implementation. Many of these methods include code snippets for .NET, such as the people.list API call.
There is also a C#/.NET quick-start that you can use to see how Google+ Sign-In works at a glance.
Related
I am developing an Android app with a REST API. The REST API needs authentication for security. I would like to use Google's OAuth2 provider since I the client will be on Android. I don't want to store passwords myself.
I'm trying to understand how the flow should work at a conceptual level. Authenticate to OAuth2 services describes how to get an OAuth token in the Android app. But then what? Do I need a route that accepts this token?
I am implementing the API with Django and Django Rest Framework. I found python-social-auth to implement OAuth flows for the API. It works great when I test manually in a browser going to http://localhost:8000/social/login/google-oauth2/. When I request that URL with a HTTP client, it returns HTML for a Google login page. In the Android app, should I load that in a WebView? And then what? That doesn't seem quite right to me since I'd rather use the Android OAuth API that I linked earlier.
What am I missing here and how do I solve this?
I'm creating an Android application for my employee that will require the sales people to login using Okta authentication (I plan on using their authentication api). My question is on how to secure the WEB API my code will be calling from the android app. Should I use Okta's OAuth implementation to do this?
What I was thinking was if I use Okta's authentication (to have them login), I can also call the OAuth API to retrieve a token and then an access token. I could then lock down the API by checking the access token I received from Okta.
Do you think this is the best way to do this using Okta?
Thanks!
08/18/2016 update: we now have a Xamarin code sample available at https://github.com/raphaellondner-okta/okta-oauth-xamarin-android-customtabs
As of 08/18/2016, you will need a slightly modified version of IdentityModel.OidcClient (https://github.com/raphaellondner-okta/IdentityModel.OidcClient/tree/rl-pkce-secretless) to make it work with Okta and PKCE. Hopefully these proposed changes will make it to the master branch soon.
Original answer:
I suggest you take a look at our OAuth Android sample available at https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android (we leverage AppAuth to achieve both the authentication with Okta and the authorization using OAuth and our OAuth features).
We do not yet have a Xamarin sample available yet, but the general idea is to leverage the OAuth authorization code flow using an embedded browser to call the Okta /authorize endpoint, grab the code that's returned from Okta in the browser response url (as a fragment) and pass it on to your mobile app to exchange the code for an access token.
Our OAuth features are still in beta so if need access to them, please contact us at developers at okta dot com.
I'm doing a website in asp that uses Identity (v2.0) and also an Android app connected to the web site through Web API.
I've configured Identity to use Google OAuth signins and works quite well. Right now I'm trying to make a Web API for the app and I also need to authenticate mobile users.
I've reached to the point to configure Identity to manage bearer tokens for the api. But to perform a signin, the only way I've found is through user and password as documentation says:
grant_type=password&username=user&password=pass
Or perform OAuth challenge by web.
As Android also manages Google OAuth. Is there a way to configure Identity to perform signins using Google Oauth?
I have neither found a way to manage external bearer tokens or to use Google Authentication tokens to do a signing with Web Api with Identity.
Maybe I'm misunderstanding something.
Thanks in advance.
Ok, somehow I've found how to do it.
In Android, get an ID token using scope audience:server: as in Google "Accounts Authentication and Authorization" docs.
Send Web API token endpoin as user the email and as password the token.
grant_type=password&username={email}&password={GoogleToken}
In my extendend class from OAuthAuthorizationServerProvider in the server, I added token verification as from github repo googleplus/gplus-verifytoken-csharp to the method GrantResourceOwnerCredentials
If token is valid, I can populate a UserLoginInfo and find the user with UserManager.
Then normal authentication goes on and user is authenticated in identity as normal.
Anyway, I think there has to be a more elegant way to do it.
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
I'm currently developing a web application with Spring Social and Spring Security. In the web application, specific users can signin on Facebook with ProviderSignInController. When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too. This concept is adapted from the spring-social-showcase. Spring Social then enables authenticated users to create Events, which are also created on a facebook page.
Now i want to write a android app which enables users to post to my guestbook and view/create events via my web application. My question now is how to realize the signin from my andoid app. On my web application, a UsersConnectionRepository maps facebook accounts to local accounts. Can i simply reuse this data and signin from my android app in the exact same way as from the web application?
ProviderSignInController adds a path mapping for http://_webapp_/signin/facebook which redirects to a facebook signin page. Can this simply be done with a WebView on android?
Looking on the spring-android-facebook-client im confused. This example seems to manually manage the OAuth authentication. But i havent figured out yet, whether this is the way to go or just another possibility to implement it, when there is no other web application in the background that already manages the authentication.
Any feedback is welcome. Thanks.
Jeyp
Now i want to write a android app which enables users to post to my
guestbook and view/create events via my web application.
The Android client will need a method to sign in to your web application in order to post to a secured RESTful endpoint, and OAuth is a good method for doing this. Spring Security OAuth is an extension of Spring Security that can allow third party mobile or web clients to interact with your web site.
Once you have an OAuth server configured, you can create a custom provider using Spring Social within your Android client to establish an OAuth connection to your web site. Your users will authenticate to your web site with their local credentials in this case. Once connected, your Android app can then post events to RESTful endpoints within your web site, again using your custom Spring Social API bindings.
In this scenario, your users do not authenticate to Facebook from the Android application. This assumes they have already established an account and a connection to Facebook on your web site. And in fact, this is how the SpringSource Greenhouse reference application works.
This brings us back to a previous part of your question:
When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too.
If I understand correctly, you are asking to authorize your Android client to access your third-party web site, with Facebook credentials. While this is certainly possible, it is not currently supported through Spring Social and Spring for Android.
Another option is to consider a mobile version of your web site. That way Android and other mobile devices can then simply sign in to your site just like from a normal browser, using their Facebook credentials. The UI would be more appropriate for mobile devices, and it would eliminate the extra complexity of an additional OAuth server/client configuration.
And finally, to address the last part of your question. This is really a separate issue from the previous parts:
This example seems to manually manage the OAuth authentication.
The primary issue is that Spring Social does not yet support Resource Owner Credentials Grant (ROCG). The addition of this feature would simplify the process of obtaining an access token for Facebook on Android, because you would not have to deal with a browser redirection. See this Spring Social issue for more information.
Because of the lack of ROCG, the Spring for Android sample app is illustrating one method for obtaining the access token using Spring Social. In this case, it is a modified version of the client-side authentication flow. For reference, Facebook has a helpful page describing all the available authentication methods. The webview redirects to a url after successful authentication, at which point the app is able to retrieve the access token from this url.
SpringSource is discussing how to simplify authentication and improve this part of the integration between Spring Social and Spring for Android in future releases.