External authentication with IdentityServer for mobile clients - identityserver4

I have IdentityServer4 configured for my JS clients, and I am using the ResourceOwner flow to get an access_token and authenticate the user. This flow can work for both JS clients and mobile apps.
Now I want to authenticate my native mobile app clients with external providers like Facebook, Twitter etc. using my IdentityServer4.
I have run the samples for IdentityServer4 using External Providers, but I want to authenticate my mobile app users from native apps (Android, iOS). Please give me a suggestion on how I can achieve that. I know that it is not possible without redirects; this is OK.

Related

What is the best approach for using OpenID Connect in a mobile app to authenticate the user to a backend?

I'm working on a product with two apps: one a single-page web app, and the other a native mobile app. Both make use of the same backend API. Currently the user authenticates using username/password credentials to establish a session cookie. I'm planning on adding support for authentication using OpenID Connect.
For the web app, I'm looking at following the advice for "JavaScript Applications with a Backend" in "OAuth 2.0 for Browser-Based Apps". In that scenario, the authorization code gets sent to the backend, which obtains the ID token and begins a cookie-based session.
I'm trying to work out how this would work on Mobile. The "go to" implementation of OAuth/OIDC on mobile appears to be AppAuth. From what I can see, AppAuth uses a different approach where you end up doing the auth code exchange on the device to get the ID token.
Should I have the mobile app send the ID token on to the backend to prove the user identity (and then begin the session)? Is there any best practice around doing this? Presumably at least the backend would need to validate the JWT and verify the signature?
Alternatively, can AppAuth be used to do a similar flow as done on the web app as mentioned above?
The mobile case does indeed work differently, and is defined in RFC8252, which defines the AppAuth pattern. Both the web and mobile cases have this in common:
Open a system browser at the Authorization Server URL with a Code Flow request URL
Cookies are not used in mobile views, and mobile apps can store tokens securely, unlike browser-based apps. The mobile app will send access tokens to APIs, and also make token refresh requests when needed.
Out of interest there are easy to run versions of each in my online code samples, if you want something to compare against. Both flows are tricky to implement though.

IdentityServer4 with Google authentication for mobile application?

I have managed to get my IS4 to work with Google authentication for a web application.
    services.AddAuthentication()
        .AddGoogle("Google", o =>
        {
            o.SignInScheme = IdentityServer4.IdentityServerConstants.ExternalCookieAuthenticationScheme;
            o.ClientId = "11111.apps.googleusercontent.com";
            o.ClientSecret = "1231231";
        });
Now, how do I add it for a mobile application?
I have tried changing the ClientId to use the new one that I got from the Google console. Removed the ClientSecret (because for a mobile application no secret is given). Used the same ExternalCookieAuthScheme. And I got an error because "ClientSecret" must be provided. So how do I get this to work?
In this case you are trying to log in from IdentityServer via Google as the external identity provider. From Google's point of view, the client is IdentityServer. And IdentityServer is a web application.
You should stick to the original client created on Google.
For future reference: we need to set the application type to Android or iOS when we are trying to log in directly from mobile apps.
The client credentials here:
    o.ClientId = "11111.apps.googleusercontent.com";
    o.ClientSecret = "1231231";
are only shared between IdentityServer and Google, and they should not be stored in the mobile client.
The client id + secret that is used in the mobile application is found in the Client definition for the mobile application in IdentityServer.
Google in this case does not care whether the user authenticates with a web application or a client application. Google will only see that a user tries to log in via IdentityServer. So Google is completely shielded from what kind of application is using IdentityServer.
So, in IdentityServer, you can create one client entry for the web application and one client entry for your mobile application.
See the client type in the documentation here.
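As an added example (not code from either post, nor from the IdentityServer project), the following Startup registers the two client entries the answer describes, one for the web app and one for the native mobile app, with the mobile entry set up for the RFC 8252 pattern the earlier answer mentions (system browser, code flow with PKCE, no client secret, private-use redirect scheme), and a single Google registration whose secret never leaves IdentityServer. It assumes the IdentityServer4 4.x API; the client ids, redirect URIs and Google credentials are placeholders.

```csharp
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Two IdentityServer clients, SPA and native app; neither holds a secret.
    public static Client[] Clients => new[]
    {
        new Client
        {
            ClientId = "spa",                       // placeholder client id
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "https://spa.example.com/callback" },
            AllowedScopes = { "openid", "profile", "api1" },
        },
        // RFC 8252 native app: private-use URI scheme redirect; refresh tokens allowed since the device can store them.
        new Client
        {
            ClientId = "mobile",                    // placeholder client id
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "com.example.app:/oauth2redirect" },
            AllowedScopes = { "openid", "profile", "api1" },
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
        },
    };

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryClients(Clients)
            .AddInMemoryIdentityResources(new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() })
            .AddInMemoryApiScopes(new[] { new ApiScope("api1") })
            .AddDeveloperSigningCredential();
        // One Google registration of type "web application"; its secret stays
        // on IdentityServer, so the mobile app needs no Google client of its own.
        services.AddAuthentication()
            .AddGoogle("Google", o =>
            {
                o.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                o.ClientId = "<google-web-client-id>";         // placeholder
                o.ClientSecret = "<google-web-client-secret>"; // placeholder
            });
    }
}
```

The mobile app then starts the code flow with client_id "mobile" and its PKCE verifier, and after the Google round trip IdentityServer issues the tokens against that client entry, so the Google credentials are never needed on the device.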

How to use Google authentication for an Angular web app and a .NET web API hosted on Azure

I have an Angular web app talking to a C# .NET web API back end.
They are both hosted on Azure App Services.
Azure App Services offers a suite of authentication services and I've chosen to use Google auth.
I've got my Google client id and secret set up in Azure Google auth and my web app correctly shows and prompts me for my Google credentials.
My problem now is that I need my web API back end to authenticate the web app Google token. I couldn't find any articles or tutorials that demonstrate the following:
How to get and send the token to the web API? I've read that Azure App Service should automatically inject the necessary auth headers, but any calls to my API do not include those headers. Should I manually call auth/me and add them to the request header?
How do I get my web API to authenticate the details from the request header with Google auth? Do I need a separate client id for the web API or should I re-use the web app client id?
Cheers!
According to your description, I assumed that you are using the built-in Authentication / Authorization provided by Azure App Service.
AFAIK, App Service Authentication (Easy Auth) provides two flows: client-managed and server-managed flow. For the server-managed flow, the server code manages the sign-in process for you, and your backend would directly receive the token from the relevant identity provider (e.g. Google, AAD, etc.), then generate both an authenticationToken for browser-less apps and an AppServiceAuthSession cookie for browser apps. For details you could follow Authentication flow.
For your Angular web app, you could just use the server-managed flow. After the user has successfully logged in, you need to call https://<your-angular-app-name>.azurewebsites.net/.auth/me to retrieve the Google access_token, then send the following request against your web API endpoint to retrieve the authenticationToken:
    POST https://<your-webapi-app-name>.azurewebsites.net/.auth/login/google
    Body {"access_token":"<the-google-access-token>"}
After successfully retrieving the authenticationToken from your Web API endpoint, you could send the following subsequent requests for accessing your APIs:
    GET https://<your-webapi-app-name>.azurewebsites.net/api/values
    Header x-zumo-auth:"<authenticationToken-generated-by-your-webapi>"
Moreover, you could also use the client-managed flow in your Angular web app: you may need to directly contact your identity provider (Google) to retrieve the access_token in your client via Auth0 or google-signin or other third-party libraries. Then you may need to send requests to both your Angular web app and your Web API web app to retrieve the authenticationToken, as in the request sample above.
Do I need a separate client id for the web API or should I re-use the web app client id?
Per my understanding, you must use the same Google application. For AAD authentication, you could configure an AAD app with access permissions to another AAD app.

How to bypass AzureAD authentication using OpenID and Owin middleware for Web API 2 controller within ASP.NET MVC project

I have an ASP.NET MVC5 application which has a Web API 2 project with a few controllers within it. I have set up AzureAD authentication for the ASP.NET MVC5 project using AzureAD, OpenID Connect and OWIN middleware.
Everything is working fine from the ASP.NET MVC project point of view. The Web API 2 controllers are used here to process the requests coming from AngularJS, Android
and iOS apps. There is a requirement for a Web API controller to process requests from unauthenticated clients (AngularJS, Android, iOS apps) which issue AJAX requests.
Prior to the AzureAD authentication setup it was configured with on-premise ADFS authentication. In that case I followed the link below to bypass on-premise ADFS authentication for the
Web API 2 controllers and it worked fine for me.
Can I bypass organizational authentication for a WebAPI controller inside an MVC app?
Can anyone help me find out how to bypass the AzureAD authentication for the Web API 2 controllers to allow requests from unauthenticated clients in this case, with some code samples?
The Web API controller is accessible to anonymous users by default. If you get the unauthenticated issue (401) when an anonymous user accesses that controller, please check whether there is an Authorize attribute on the specific controller and remove that attribute.

Facebook Connect with GWT and App Engine (Java)

I discovered a problem with connecting everything together: Facebook, GWT and App Engine.
I need to authenticate a user on my web site hosted on App Engine (Java) that uses GWT. After authentication, some information should be passed to the server from Facebook, like profile information, user list, etc.
Currently I am trying to use facebook4gwt, and authentication works fine, and I can obtain all needed information on the client side, but I cannot transfer the Facebook session to the server, particularly, obtain the Facebook cookies for session verification.
Could anyone suggest any good solution for this? Probably, it would make sense to get rid of facebook4gwt and do everything on server side.
I have been using the gwt-facebook library for one year to authenticate users of my application on App Engine. When a user is already logged into Facebook, and has already authorized my application, I can automatically get the access_token in GWT and send it to the server which can then do the hard work (data syncing) with facebook-java-api library.