React-Rails OAuth with omniauth - reactjs

I want to implement authentication with a rails-react app.
I am using OAuth with google as the authorization server.
I am using it to authenticate users on my rails api, not to get access to some of google APIs for a given user.
I want to use token based auth. I am using the gem omniauth to help with the process of exchanging the authorization token for the access token between the rails server and google.
Considering that the client (react) needs to always send a token in the header of every http request sent to the server, once I have an access token how do I verify this token sent by the client?
Here are my thoughts:
Verify the token on the server side
1 - How do I use the token to verify that the request coming from the client is coming from an authenticated user? Store in the db and compare it for every request? Query the OAuth authorization server every time to validate the token (If that is even possible) ? JWT ?
2- I understand that there are multiple flows to obtain a token from a OAuth provider. Omniauth seems to abstract this part of the token exchange with the OAuth provider am I correct?
Give the token to the react client
3- Once I get any token (whether its a JWT or a simple access token), I need to pass it to the react client, which is not secure as anybody could get a hold of this token and make a request to the api with a stolen identity. I think I missed something here as this doesn't make sense?
Thank you!

Related

OAuth2 SSO with redirect to React SPA

I have a client who is using OAuth2 for single sign on with their own login page. Once user is logged in they will be redirected back to my React SPA i'm building.
What I'm trying to find out is a way for my app to integrate with OAuth2 to keep check if user is still signed in. For example say they refresh the app I need a way to check OAuth2 if user is still authenticated.
Should I use an express server to manage the AUTHORIZATION_CODE returned by the redirect from OAuth2 ?
From what I understand OAuth2 returns a AUTHORIZATION_CODE and STATE in the redirect url.
If so how would I manage this on the express side ? Is there a express plugin to manage this process.
Or could I just bypass using express and just use the Auth0 React SDK to check if user is Authenticated ? I found this example on the auth0 docs. https://auth0.com/docs/libraries/auth0-react
Not sure if this would work because of my setup where the login happens from the client login page and redirects back to my app ?
Authorization codes are meant to be exchanged with access tokens. After you exchanged the code with an access token, what you technically need to do is to inspect the token to check whether it's active or not, with active status meaning that the user is logged in. This can be done in a couple of ways, the following are just the ones I can think of:
Most conventional way I know is to send an API request to the introspection endpoint while including the access token. The response will tell whether the token is valid and/or active.
If the token if in JWT format, it is usually possible to verify the token signature and verify the expiry time after decoding it. Depending on the authorization server, it might be possible to send this token to the introspection endpoint as well.
Unfortunately I can't help with the specifics as the OAuth2 server being used is not mentioned. But if you actually use Auth0 as your authorization server, you can probably use their libraries to help with their OAuth 2.0 flow, such as logins and auth status checks. Otherwise you might need to find another library like node-openid-client or do it manually as explained.

What Should be the basic flow of AWS API Gateway Integration in React JS with cognito user pool authentication system?

I am using React JS in frontend and AWS Server less architecture as the backend of the react application.
So, for the user authentication and authorization I am using the AWS Cognito Service. and for making the requests I am using the axios.
Now, I want to integrate APIs which are created with the AWS API Gateway with cognito user pool. I am able to sign in to the user session and retrieving the id Token, access Token, and Refresh Token. and I am sending the ID Token in the all request which are created with AWS API Gateway. But How can I know that token is expired? because when token is expired it is sending the Network error instead of message("Token is Expired.").
In short I want to handle situation if token is expired or token is invalid. what I have to do?
Give the basic flow of handling the all requests(GET, POST, etc...) using axios.

How to implement code grant flow in REST API?

I am developing web application in React and Django(Rest Framework)., i want to users can login with google account.,
I approach i followed is implicit grant flow.,where i get the access token in the front end., and sent the access token to the back-end. then the back-end should verify the access token with google., and return the new jwt token for future requests. once the user logged out., same cycle continues.,
By My client don't want repeat the same implicit grant flow for other devices(mobile for example)., they want authentication to be handled entirely by back-end. so i am planning to use code exchange flow.
the approach i am planning.
user clicks the login with google button
send the request to django back-end, get the clientId and server callback URL.
client redirect the request to google with the client id and callback url.
google ask permission to users and sends the access token to backend.
In the above approach the connection between client and server is broke in step 3., how to we know the back-end got the access-token. user logged in?

Getting information of user from oauth2 app having the session token

I'm having I think, a misunderstanding of concepts related with Oauth2 protocol. Right now I have 3 applications:
Frontend developed in React
OAuth2 server developed in Golang (not finished)
Another backend app, let's call it: Bussiness Logic app
At first, the user from react can login in the system using the OAuth2 server, the OAuth2 server sends the token and everything's perfect.
Now, when from the the react app some request is send to the Bussiness Logic App the token is also send in the headers. My question is: having the token, should I be able from the Bussiness Logic App to get information fo the user making a request to the OAuth server? is it allowed in the OAuth protocol?
The thing is that I need to know in the Bussiness Logic App which user is logged in, if it's not allowed, how should I fix it?
No.
OAuth 2.0 NOT an Authentication protocol.
If you need Identity Information you need to use OpenID Connect (which is built on OAuth 2.0)
With OpenID Connect you are provided both an Access Token and an Identity Token. The Identity Token will contain "basic" profile information about the "user". The Access Token may be used to obtain more detailed information about the user from the userinfo_endpoint.

Can JWT be used across different AngularJS Apps?

I have a Laravel 5.1 API that is connected to an AngularJS Frontend.
Can I do this..
Have one (hosted on mydomain/public) AngularJS App with the sole purpose of authenticating the user and getting a JWT token from the Laravel API Backend
Somehow passing this same Token to a second (hosted on mydomain/secure) AngularJS in order to authenticate the user and the access the App.
I know the token is saved on the local storage so I don't see a reason why I can not or would I have to merge the two apps together.
Cheers,
Yeah. They are not related to the number of Ng-App or instances of Angular apps you define.
How JSON Web Tokens Work ??
A browser or mobile client makes a request to the authentication server containing user login information. The authentication server generates a new JWT access token and returns it to the client. On every request to a restricted resource, the client sends the access token in the query string or Authorization header. The server then validates the token and, if it’s valid, returns the secure resource to the client.
So server logic is not dependent on if your front end is single page or multi page.
You can read this post for more clarity:
http://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs

Resources