I am creating simple REST API with OAuth2 authentication. I use Apache CXF, and the only third party app (consumer) that I will have for beginning will be Android application.
I was wondering if I must have redirectURL set for my
org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant
I want just to return authorization code as JSON to my application and continue with OAuth protocol from there.
On the app, I plan to mimic form with POST request which will also send username/password to authorization grant service. Once I get response I will use authorization code to call access token service.
Is this OK, or there is better approach to programmatically do OAuth from Android APP as a client? I know about Spring OAuth for Android, but don't want to use it until I try simpler implementation.
Best Regards!
Related
I have an android native app as client and spring boot service in the backend with REST endpoints. I want to know the best possible strategy for authentication with oAuth2 (without the social login approach).
I am currently using spring oauth security & have an authorization server up and running(user signs up with email & password). I use the grant type "password" to get access tokens in the android app. However, this approach requires the android app to send the client ID & secret in the request. I read a few posts which suggest that this grant type is not ideal. I dont mind receiving the user's password, but i think storing the client secret in the app is not a good approach.
Another approach would be to use the Authorization Code grant flow, but in this case since i only have a native app & backend APIs, i dont know how to authorize the user. It doesn't seem like a seamless experience for users to see a browser page asking them to authorize the app. Which doesnt make sense also because this is no third party app.
I found a post where people suggest using Authorization Code flow with PKCE. But this apparently doesn't yet work with spring.
So, now i am left wondering how other native mobile apps, handle authentication? Do they not use access token? How best can i support authentication when dealing with a mobile app & spring backend?
Spring Security OAuth supports password and authorization_code flows without the client secret, meaning a "public client". Since you own the Authorization Server and the native app and you are okay with the native app taking credentials, it's reasonable to have your native app use a public client with the password grant type.
If you decide that your native app shouldn't take credentials, though, then PKCE is the current best practice. Using the authorization_code flow with a public client is the recommended alternative to PKCE:
In the time since the spec was originally written, the industry best practice has changed to recommend using the authorization code flow with no secret for native apps.
And this would mean, as you mentioned, jumping out to a browser.
I have a laravel backend which has rest api. But I want my rest api to be used only by my android app. So how do my backend know that the request is coming from my android app only and not from web or another app?
NB: I don't want the users to accept some login challenges.
you can use jwt. Each time you execute a request you must obtain the token. The token ensures that the user belongs to their service. The token must be saved in some way in your android app to return that response to the api rest.
https://github.com/tymondesigns/jwt-auth
Also keep in mind protect your endpoints in the api rest:
Route::middleware(['jwt_auth'])->group(function(){
Route::group(['prefix'=> 'V1'],function(){
Route::post('/endpoint', 'V1\EndointController#store');
});
});
I have a rest API which create by asp.net webservice, and I have an android and IOS application which call the api and show some data to the user.
what I need is to secure my API in a way that only my application can access to the data through the api and other request rejects.
I should mention that my application are not user base so there is no login and authentication and I don't want force user login !!!
According to my search, I need query authentication (query parameters) to achieve this.
What I need is how to create this kind of query parameters and how to validate them? (Performance is too important for me)
Thanks in advance
You can use basic authentication or any token based authentication mechanism.
So on every request to your api, get the authentication headers(authenticiation tokens in http request header) and verify if client is allowed to invoke it. If it failed then send by necessary HTTP status code. You just need to ensure that the applications that you want to allow to call your api are using those security tokens in their request headers. And you can keep those credentials or security tokens in memory or file or db as you like.
I am not a security expert, but as far as I know what you want is not possible. Anything you embed on the client to authenticate your application is accessible to an attacker, who can than use that information to access your API.
I have a more structural question about designing a connection between an app (android) and a server (rails-api gem) using json. It should use facebook as authentication and afterwards handles the connection flow via a token.
My planned solution looks like this:
I'm planning to use the facebook sdk (client side), to get a facebook access token.
a) Should I use client side? I am considering it, because the request would not be done by my server. But is the access token trustworthy?
Afterwards I send the access token to my server and check it with the facebook graph api
If the token is correct, I create a new user with the information from the facebook graph api
Next I use doorkeeper for creating a oauth provider. The client gets an oauth2 access token which he uses to communicate with the server…
a) Should I use another authentication gem? Or should I use the facebook access token as normal authentication token?
b) I am not sure if I should use doorkeeper or devise. Is doorkeeper enough? I read somewhere that u should use doorkeeper for apis and devise for normal websites.
c) I don’t get the implicit grant stuff from oauth2. Should I consider it here?
Thanks for our help :)
I've recently done some OAuth authentications on Android apps (or iOS), but I now have a problem.
When this OAuth authentication needs to be stored in a remote server to perform login request. Which is the best way to do this?
Should I send access token from this oauth provider, and then get otherr access_token just for my app?
Or should it be done in a different way?
Thanks!
Well, there's no general answer but I'll try to explain.
2 basic flows I can think of :
1) If yo don't want that your app directly asks for a username/password, you can use Facebook/Twitter login.
2) Ask the user for a username/password directly and implement your own OAuth service with your server, then use an iOS OAuth library to communicate with it. Your service will need to perform user/pass authentication at some stage.
You can either generate a random UID (user identification) on the client and use that to communicate to the server. Or you can just pass the username/password, let the server generate a UID and from there on communicate using that UID in the request headers.
Hope this help