Google + OAuth2 Callback to Angular - angularjs

I am having a problem implementing Google Plus Web Server authentication:
https://developers.google.com/accounts/docs/OAuth2WebServer
I have implemented most of the steps, but at the last step I have no idea how to make a callback with the token to my Angular.JS app.
I found an article which solves my problem (and it has the same implementation as mine):
http://apicatus-laboratory.rhcloud.com/2014/04/13/handling-oauth-callbacks-in-spa/
But I have a few questions about this article:
Is this way legit? Or are there any security flaws that I need to consider?
What is the normal way to do it? If I don't want to use the Google SDK, cookies and sessions to send the token back to my Angular app, what other possible ways are there to send the token to my Angular app?
How does a normal Angular app handle the callback?

Why not use this flow that is meant for javascript applications?
https://developers.google.com/+/web/signin/javascript-flow
& https://developers.google.com/accounts/docs/OAuth2UserAgent
You can get an id_token (it is a JWT) directly from Google in JS and use that.
What the article is trying to do is to get the Google OAuth response to the server and issue its own JWT, just like any site would issue its own authentication cookies and use those in the application.
Both are possible options depending on the goal of your application.
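On the callback question: in the JavaScript (user-agent) flow linked above, the provider returns the token in the URL fragment, and the page that receives it should accept it only if the `state` value matches the one this browser stored before redirecting. The following is an added example, not code from the post or the linked article; `parseOAuthCallback`, `STATE_KEY` and `memoryStorage` are hypothetical names.

```javascript
const STATE_KEY = 'oauth_state'; // hypothetical key, written before the redirect

// `fragment` is location.hash on the callback page; `storage` is
// sessionStorage or any object with getItem/removeItem.
function parseOAuthCallback(fragment, storage) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const expected = storage.getItem(STATE_KEY);
  storage.removeItem(STATE_KEY); // state is single-use, even on failure

  if (params.has('error')) {
    return { ok: false, error: 'provider_error:' + params.get('error') };
  }
  // No stored state means this tab never started a login: reject.
  if (!expected || params.get('state') !== expected) {
    return { ok: false, error: 'state_mismatch' };
  }
  const accessToken = params.get('access_token');
  const idToken = params.get('id_token');
  if (!accessToken && !idToken) {
    return { ok: false, error: 'missing_token' };
  }
  const expiresIn = Number(params.get('expires_in'));
  return {
    ok: true,
    accessToken,
    idToken,
    expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
  };
}

// Constructed in-memory stand-in for sessionStorage, for running outside a browser.
function memoryStorage(initial) {
  const m = new Map(Object.entries(initial || {}));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}
```

In a browser, call `history.replaceState(null, '', location.pathname)` right after parsing so the token does not stay in the address bar or history.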

Related

AngularJS API Login using OAuth

I'm trying to learn how to use OAuth 2.0 on AngularJS to do logins to APIs. Can anyone point me to a good tutorial/some code on how to do this? Thanks!
Learning about logins is not Angular specific and is more about the following factors:
Getting set up with an Authorization Server
Knowing what security libraries to use
Understanding how an SPA can login and get an access token
Understanding the OAuth messages and which fields are important
Calling an API with the token and handling 401 responses
Understanding how APIs validate tokens and use claims
If these aspects interest you, have a look at my visual tutorial, which has a code sample that you can run on your local PC.
My early code samples use plain TypeScript and I update to ReactJS later. You should be able to do the same thing for Angular.

AngularJS Authentication / Authorization via oAuth2 functionality

Can someone help me find a solution for how to write this functionality in AngularJS?
I have a Java REST API and authorization server on one port and the UI on another. Back-end authorization is done with OAuth2. I need to implement UI authorization. Can someone help, please?
Thanks and best regards.
If you are using AngularJS 1, you can use Satellizer. It's an AngularJS library to easily implement token-based authentication.
Here is the GitHub link -> https://github.com/sahat/satellizer/
It is compatible with OAuth1 and OAuth2 and has built-in support for the most popular providers (Google, Facebook, GitHub etc). I am using it for a current project and it works perfectly.
Please provide some details if you need any further help :)
If you are using an OAuth2 server, you can authorize your REST endpoint via an OAuth token.
Make an HTTP call at login from the frontend to the necessary REST endpoint, take the relevant token and store it in local storage.
Then use an HTTP interceptor to attach the Authorization header to each and every request.
If you need any code or an example, drop me a message.
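A sketch of the interceptor described in the answer above, written as an added example rather than code from the thread. It attaches the bearer token only to requests for one API origin, so the token is not sent to other hosts, and drops the stored token when the API answers 401. `authInterceptor`, `TOKEN_KEY` and `API_ORIGIN` are hypothetical names and values.

```javascript
const TOKEN_KEY = 'access_token';              // hypothetical storage key
const API_ORIGIN = 'https://api.example.test'; // assumption: the only origin allowed to see the token

// `$q` is AngularJS's $q (only reject() is used); `storage` is localStorage
// or a stand-in; `pageUrl` resolves relative request URLs (location.href).
function authInterceptor($q, storage, pageUrl) {
  function isApiRequest(url) {
    try {
      return new URL(url, pageUrl).origin === API_ORIGIN;
    } catch (e) {
      return false; // unparsable URL: never attach the token
    }
  }
  return {
    request(config) {
      const token = storage.getItem(TOKEN_KEY);
      if (token && isApiRequest(config.url)) {
        config.headers = config.headers || {};
        config.headers.Authorization = 'Bearer ' + token;
      }
      return config;
    },
    responseError(rejection) {
      // 401 from the API means the token expired or was revoked: discard it.
      if (rejection.status === 401 && rejection.config &&
          isApiRequest(rejection.config.url)) {
        storage.removeItem(TOKEN_KEY);
      }
      return $q.reject(rejection);
    },
  };
}

// Registration in an AngularJS 1.x app (assumes `app` is your module):
// app.factory('authInterceptor', ['$q', '$window', ($q, $window) =>
//   authInterceptor($q, $window.localStorage, $window.location.href)]);
// app.config(['$httpProvider', (p) => p.interceptors.push('authInterceptor')]);
```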

AngularJs + JWT + WCF or WebAPI

I have a small AngularJS application where I am using AngularJS, TypeScript & HTML5 for my UI. I have currently wired up the UI to get data via a RESTful WCF service (C#). All of this works fine. Now I am looking to implement security/authentication in my application, where I would like to have a login/logout/register page. I have read about JWT and it looks like a good one. Is using JWT the standard nowadays, or are there other options available?
If JWT is a good option for my site (public website), could anyone provide input on where I can start? I could not find many helpful basic posts that would guide me on how to create a simple form in Angular and hit a WCF/Web API service.
Any inputs would be appreciated.
I have had a good experience with the open-source IdentityServer3 project. They support JWT authentication from client to Web API. I myself have used it both as an authentication server providing tokens and as a middle-ware in the Web API for authorizing different controllers.
Here's a link to their documentation.

Google Cloud Pub/Sub Publishing from Browser - How does Auth work?

I have a requirement to use the Google Cloud Pub/Sub API directly from the browser (similar to the GA script). I was wondering how I can handle auth without going through a back-end server.
I want to invoke the Cloud Pub/Sub API directly from the browser. I tried, and it says I need to authenticate first; my issue is how to secure the auth token.
Is there any JavaScript library available which I can use in the browser (not the backend) to invoke the Google Pub/Sub API?
Thanks in advance
The general approach in Javascript for authorizing and making authorized requests to Google APIs is shown at https://developers.google.com/api-client-library/javascript/samples/samples#AuthorizingandMakingAuthorizedRequests -- it's not specific to the Cloud Pubsub API, but it should work for all Google APIs. Similarly, https://developers.google.com/api-client-library/javascript/start/start-js for general Javascript access to Google APIs.
This is quite an old topic, but I've recently been assessing whether it's possible. The simple answer is: yes, it is possible to send messages into PubSub topics directly from a browser application. The solution is as follows:
You need to post a message via the REST API using fetch()
You need to send the Authorization header
The Authorization header has to contain an OAuth 2.0 token identifying the user; it can be an anonymous authenticated user or a fully authenticated one, using the Firebase authentication library for example.
To have all three of the above working perfectly, you'd have to write a lot of code. It is not practical at all and architecturally not nice. Unless you absolutely need to do it that way and not another (I can't see why, though), a simpler solution that involves a few more components is as follows:
Authenticate the user in-browser via Firebase - can be either an anonymous or a full user
Do a simple GET or POST to your cloud/Firebase function with the required payload
In the function, validate the incoming request, which will carry the authenticated user's token
If validation is good, then publish the message into the topic
This way it's still secure, much more maintainable and clearly separated into functional components. Less code, a bit more infrastructure.
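The "validate in the function, then publish" steps from the answer above, as an added example that is not the answerer's code. It verifies an RS256-signed JWT and its `iss`, `aud` and `exp` claims before anything is published. Assumptions: the issuer's public key is passed in as PEM (a real deployment selects it by `kid` from the issuer's published keys), `aud` is a single string, and `verifyIdToken`, `handlePublish` and `deps` are hypothetical names.

```javascript
const crypto = require('crypto');

const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Verifies an RS256 JWT and its iss/aud/exp claims; returns the claims or throws.
function verifyIdToken(token, publicKeyPem, expected, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed');
  const header = b64urlJson(parts[0]);
  // Pin the algorithm: never let the token choose it ("none", HS256, ...).
  if (header.alg !== 'RS256') throw new Error('bad_alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(parts[0] + '.' + parts[1]),
    publicKeyPem, Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad_signature');
  const claims = b64urlJson(parts[1]);
  if (claims.iss !== expected.issuer) throw new Error('bad_issuer');
  if (claims.aud !== expected.audience) throw new Error('bad_audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Publishes only after the bearer token verifies. `deps.publish` is injected
// (in production it would wrap the Pub/Sub client).
function handlePublish(authHeader, payload, deps) {
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(authHeader || '');
  if (!m) return { status: 401, error: 'missing_bearer' };
  let claims;
  try {
    claims = verifyIdToken(m[1], deps.publicKeyPem, deps.expected, deps.now());
  } catch (e) {
    return { status: 401, error: e.message };
  }
  // Attribute the message to the verified user, not to anything the client sent.
  deps.publish({ uid: claims.sub, data: payload });
  return { status: 204 };
}
```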

Oauth social login using MEAN.js Restful sessionless API backend

I'm developing a Restful API using MEAN.js, which will be consumed by an AngularJS Web site and Phonegap Mobile Apps.
I'd like the user to be able to create an account and/or log in using Facebook, Google and Twitter.
I'm trying to use the same sample code that comes with the MEAN.js seed application, but with the Node side of it, on port 3000, serving only the API, and the web site running on another server (currently on port 9000).
I've already implemented token authentication using a Passport custom Local strategy, which generates a token, and the Bearer strategy to authenticate API calls.
But I'm having problems with social login, to link social accounts to existing users.
From the Angular client I call an API endpoint that redirects the user to the OAuth provider (e.g. Twitter). When the user comes back, my server has no knowledge of the logged-in user, since I'm not using sessions anymore.
I've tried to return the provider token to the client, but had problems parsing the Angular URL. Then I coded another page outside Angular that receives the provider token and calls an API endpoint, sending the OAuth token and the token issued by my API. It worked for Google, but not for Twitter. It seems Twitter needs a session.
Anyway, what is the best approach to achieve what I want? How can I make this work?
Since you're using AngularJS, take a look at this AngularJS library: https://github.com/sahat/satellizer. The library pretty much opens up an OAuth popup and checks the popup URL for tokens. You can easily replicate the approach or just use this library. It works with a few social media providers like Twitter and it's easy to add more.
I was in need of the same thing and so I set out to create my own. It's still in development but should give you a good start. Feel free to create a pull request and help to make it better. Maybe we can eventually merge it into their codebase.
https://github.com/elliottross23/MeanJsSocialLoginTokenAuth
