I've integrated Facebook login to my AngularJS application. The user can login and from that login I get the users ID and an access token.
But I guess I further have to secure my API as anyone, now, could do request with a number (ID) and a token (string) and get access.
My backend is a ASP.NET Web API project.
Is there a service from Facebook (API) that I can call to verify access token and user id? Or do I have to implement some sort of request token system to verify that the client is one of mine?
Any comments on how to verify my clients?
Have you checked this ?
Login Security guideline for fb.
Related
I have set up an AAD SSO enabled website A that gets an access token once the user logs in. Now, the user has the option to navigate to website B, but on a new browser that doesn't have access to the session of the browser that website A was opened.
Is there a way for website B (.NET MVC Azure hosted Web App) to be setup to accept the access token (for example: through headers) to authenticate the user and establish a newly AAD SSO logged in user on the new browser? (Users can't re-enter their credentials)
In my opinion, access tokens enable clients to securely call protected APIs, so it should be stored in backend. More often we use refresh token and access token at the same time to prevent the access token expiring.
On the other hand, if I have entered the credentials in one browser, then the identity platform knew the request came from me because some information would stored in my cookie of the website, but if I used another browser to visit IDP, it was impossible to let IDP know the request came from me, because I can't share cookie infomation with different browsers.
I find 2 videos on introducing SSO, I think they will help, here is the link.
Hope it will do some help.
I am developing web application in React and Django(Rest Framework)., i want to users can login with google account.,
I approach i followed is implicit grant flow.,where i get the access token in the front end., and sent the access token to the back-end. then the back-end should verify the access token with google., and return the new jwt token for future requests. once the user logged out., same cycle continues.,
By My client don't want repeat the same implicit grant flow for other devices(mobile for example)., they want authentication to be handled entirely by back-end. so i am planning to use code exchange flow.
the approach i am planning.
user clicks the login with google button
send the request to django back-end, get the clientId and server callback URL.
client redirect the request to google with the client id and callback url.
google ask permission to users and sends the access token to backend.
In the above approach the connection between client and server is broke in step 3., how to we know the back-end got the access-token. user logged in?
I'm having I think, a misunderstanding of concepts related with Oauth2 protocol. Right now I have 3 applications:
Frontend developed in React
OAuth2 server developed in Golang (not finished)
Another backend app, let's call it: Bussiness Logic app
At first, the user from react can login in the system using the OAuth2 server, the OAuth2 server sends the token and everything's perfect.
Now, when from the the react app some request is send to the Bussiness Logic App the token is also send in the headers. My question is: having the token, should I be able from the Bussiness Logic App to get information fo the user making a request to the OAuth server? is it allowed in the OAuth protocol?
The thing is that I need to know in the Bussiness Logic App which user is logged in, if it's not allowed, how should I fix it?
No.
OAuth 2.0 NOT an Authentication protocol.
If you need Identity Information you need to use OpenID Connect (which is built on OAuth 2.0)
With OpenID Connect you are provided both an Access Token and an Identity Token. The Identity Token will contain "basic" profile information about the "user". The Access Token may be used to obtain more detailed information about the user from the userinfo_endpoint.
i've a desktop site based on wordpress.
Mobile version is on a subdomain and is developed using angularJs (ionic).
I'm trying to figure out what the best solution to authenticate mobile version users using wordpress wp_users credentials.
Thanks in advance for any advice.
1 - Basic Auth: The easiest, This one is not recommended for production since your users will be sending their credentials with each request, only use it over https.
2 - OAuth: This one is secured but might not be interesting because users will be redirected to WP to login then redirected back after login success, here is a decent tutorial for it.
3 - JWT Auth: This one is interesting because it only sends user credentials once, when login succeed you will get a jwt token which will be used instead of user's password in each request.
For your app purpose I recommend implementing your own authentication method, make a plugin for that, it should generate a secret token and save it in user session, it should also block any request that doesn't include that secret token.
I would like people to sign in with there Strava account (strava is a cycling/running platform)
Firebase has some default authentication Sign-in providers like Google, twitter etc. but no Strava. Is there any other way I can authenticate users via there Strava account in Firebase?
My project is in AngularJS
Strava authentication API documents
Currently there is a limited list of OAuth providers supported by Firebase Authentication.
If you just want people to be Authenticated against your application I would suggest to implement the OAuth flow by yourself in your client application.
If you also want to store some user state and therefore want to use Firebase you could create a Firebase User Account for every ID Token you receive from your Oauth-Client. People can sign up /sign in to your Firebase backend by providing their ID Token and exchanging it against a Firebase Access token.
Important: Make sure to verify the Strava Id/Access token in some way. Simplest way would be to call the Strava API and see if the token gets accepted.