I have multiple applications such as:
user.myappsite.com/app1
user.myappsite.com/app2
user.myappsite.com/app3
A user logs in using their cognito login on any given application. Problem is if they go to another application they have to log into that one as well. I'd like to use a token created at login to verify the user on other apps so they don't have to login multiple times.
I'm sure this is possible but not finding anything helpful through the docs or searching.
Depends on how your app is constructed. The issue is you need to store the login state somewhere in your application. If you are using an SPA you need to use a store. If this app has a server involved you can use server side sessions.
In the case of a server whenever the user visits a page you need to verify that they have a valid session before proceeding.
In the case of an spa you only need to verify once when the page initially loads and prevent your app from rendering unless that token exist.
Keep in mind with an spa your apps insides are all exposed so make sure any sensitive information your app provides only comes from a place that verifies tokens first (like api gateway).
Related
I would like to have only one login screen, registration, profile and password recovery for all projects in my company. Basically a unified login or SSO.
So I made these screens using AWS Cognito and hosted them on the sso.mycompany.com domain and it's working fine.
But now I need to implement these screens in my other projects. How can I do this? I can't just copy the files, as this was done in Vue.js, and I would like to put these screens in projects done in Laravel, Wordpress, React, etc;
I thought of using an iframe loading sso.mycompany.com, but how do I return user data after login to the app that opened the iframe?
Basically that's it, I have authentication screens hosted on the sso.mycompany.com domain and I would like to use them on projectx.com, projecty.com, mycompany.com, etc.
Here is one solution that might work for you and might give you some ideas on how you could put together a solution. Unfortunately, Cognito out of the box doesn't come with a unified/universal login experience that you require. It also doesn't come with a lot of other features you might see from the big IdP platforms, but that is another discussion for another time :) The whole foundation of this solution is based off of a single domain, cookies and JWTs(access token, id token and a refresh token). It will still work for your apps on other domains, but the experience for your end users will be a bit sub optimal compared to if all your apps were on the same domain.
Because an app like projectx.com sits on a different domain then sso.mycompany.com, you have to somehow get a access token over to projectx.com after the user logs in through mycompany.com. You can simply just pass the access token through as a query param when you redirect the user back to projectx.com after a successful login on sso.mycompany.com.
I had a much longer answer with details, but stackoverflow won't let me post because it thinks my answer is spam??? Check my profile on how to contact me if you want the longer version with details.
This question may be super simple but I've been googling for a while now and haven't found an exact solution.
I'm trying to implement a Google Login using React for the frontend and Django for the backend.
How exactly would I do this? I have seen solutions where a token is sent over to the backend which then retrieves the necessary information from the Google API and either creates or retrieves a user from the database based on the token. However, this seemed to be based on JWT and I was wondering if it is possible to implement the same with the simple Django Auth Token?
Maybe I'm just really blind but I really wasn't able to find a suitable solution.
Thanks for your help!
I was actually working on this a few moments ago, after many fails in the past. It's quite a headache really trying to find a solution that works with React. I have however managed to easily setup google login on the React front end side with https://www.npmjs.com/package/react-google-login. This should be the first step you will need to take.
After that you will need to setup social login on the Django backend using django_allauth. Basically, the idea is once a user logs in via google or to be precise, clicks on the Login With Google button on the front end, a google access_token will be retrieved from Google and saved in local storage together with some other data. Only the access_token is of interest here. So you will then need to take this access_token and send it to the Django backend via a Rest API of a view that you will have setup. That will get the google user data saved in the database under social accounts, ultimately login them in the application. Everything from then on should continue as per your normal logins with email and username. That is if using JWT, a jwt token will be returned from the backend which you hopefully should be able to save in local storage. In my React app, I authenticate against this token, so as long as I have the token in local storage, a user is logged in.
Pratik Singh Chauhan does a good job explaining this in his Part 1 tutorial here -> https://medium.com/#pratique/social-login-with-react-and-django-i-c380fe8982e2 and Part 2 here -> https://medium.com/#pratique/social-login-with-react-and-django-ii-39b8aa20cd27
UPDATE: June 2022
Since Google is now moving to (GIS) Google Identity Services sign-in SDK, this method, although it works is now deprecated.
Here is a good link to help you setup react login with the new google GIS.
https://github.com/MomenSherif/react-oauth/issues/12#issuecomment-1131408898
There are 2 methods you can use depending on your workflow, implicit or authorization. To maintain a similar workflow that the above code achieved, implicit workflow is the one that can give you both access_token and refresh_token that you will send to your backend api.
Here is another link with sample code for both workflows.
https://react-oauth.vercel.app/
Note you will need to use #react-oauth/google to configure the Google workflows in your code.
Refer to this:
https://reactjsexample.com/google-oauth2-using-the-new-google-identity-services-sdk-for-react/
I'm building an eCommerce website for a personal project. It uses React for the front-end and a REST API running on django for the back-end. I want the user to be able to add items to a shopping cart and place an order without the need for an account.
For guest users, using a session/cookie to store info is great, but when it comes to logged in users, I would want to use the database to store items in a cart. That would require creating a user and giving them an auth token so they can perform necessary actions.
So should I use session/cookie authentication or is there a better way to achieve what I want using JWT?
Both approach can work very well. However, I am currently working on something similar and I would personally recommend the simpler option which is the classic session approach. JWT tokens can be harder to maintain and sometimes insecure if not done correctly. Also, JWT tokens will not persists between logins.
In both ways, I don't see why one would be better to create and maintain a cart except maybe that a session system can actually store the complete cart in the session itself. You can then implement sessions controllers at the API level.
ex: GET "https://{host}/api/cart" returns the items in the session's cart.
# Django session
request.session['cart_id'] = cartId
# JWT Tokens
jwt.encode({‘cart_id’: cartId} ...
little note.. It can be harder to setup the sessions if you are working on localhost for react and a remote server for your API. (The cookies are generally set per domain).
I am using JWT, and I think if you are using a database, you can create a generated JWTby user then store it in the database, you can control the availability of your jwt, in parameters, and I find the best way to secure your APIs, is to add the JWT token to the headers.
I would use Cognito authentication and integrate it with react and the backend api. It will help to manage the users outside the application.
If you’ll be hosting your application in AWS, Check out AWS Cognito, it’s an identity and a user pool service. Their free tier is quiet generous. That, together with AWS Amplify which is perfect for React, will give you out-of-the-box auth and user management.
I am a 30+ year programmer, but almost all of it was in the semi-conductor world and none of that was with web sites. I have been given the task of getting wso2is to work with 1 new app and eventually add the already existing apps. Most of the terminology is foreign to me. I have read much of the documentation, it is beginning to make sense. I can get it to run and create some of the items needed, user, role, permissions and claims. But there are some concepts that I don't get from the manual.
Ok I know that what I need to get out of it is simple authorization.
Person->web_app->wso2is->authorization->web_app
We will eventually have several apps that our internal users wish to forgo multiple logins.
So if I have AppA and AppB and I want to use both Apps. I login to AppA, it sends authorization request to IS and it sends back true/false that all is good for AppA, but now I need to get into AppB from the same browser, new tab. It is my understanding that wso2is is single sign-on (SSO). So it looks like I would have to sign also to AppB completely independent to AppA. Our developers are looking to use curl to communicate with IS. So how does IS tie all this together?
I'm very confused.
I understand users, roles, permissions and claims, at least I think I do.
I've managed to add users with REST and SCIM. I've had no luck in getting ANY of the samples to work.
Hope it is not too late to answer this question. I will try to expalin the steps as simple as possible.
Add App A, as service provider in WSO2 IS.
Add App B as service provider in WSO2 IS.
Note: Both apps can be ( and should be) fully independent to each other. By that I mean, App A can be java, App B can be a .net application. They can have different certificates for encryption etc.
When you try to log in to App A in new browser session, it will redirect you to WSO2 login page and there you can authenticate yourself with user id and password.
Now when you try to open App B in same browser in new tab, WSO2 will not ask you again for user id and password, rather it will allow you to access App B. All this happens because of SSO.
This is SSO in the simplest way.
I'm writing a Facebook canvas webapp that performs a login (using urllib) to a third party website and performs actions on behalf of the user. This means I have 2 accounts; the account the user has with my webapp (via facebook) and the account the app uses to perform a login on their behalf (with user/password details provided by the user).
I obviously don't want plaintext passwords in the DB. But I also don't want the user to have to enter their password every time they perform an action. I want them to enter the password once when they sign up, and I want to encrypt the passwords, but what do I encrypt against?
Any key on the server would be available to anyone who had gained access (i.e. useless), so I was thinking of encrypting it against a value available via the Facebook API.
When the user logs in (and gives the app their access token), the app can request the value via the API and encrypt/decrypt their 3rd party password with this. Anyone with access to the server wouldn't be able to make this request without the user being logged in to the app. (This still means someone snooping on the server could get logged-in users 3rd party password, but anyone who got one-off access to the DB couldn't see passwords.) Is this wishful thinking?
You might as well encrypt it using a key on the server. If anyone gains access to your server they will have everything they need to retrieve the key even if you're getting it from Facebook.
I think the best you can do is to store the key in a location that isn't available to your webserver, but that is available to your script. At least make sure you don't store the key in the database.
Whatever you do beyond that would just be security through obscurity. The key here is to keep your server secure so that no one gains access to it.
I guess you could store the logins ONLY on the client, in some sort of local storage and do all the actions related to the third party, from the client in JS.
This of course would need some change in the architecture of your app if you tought to do all this from your server, but that would possible for sure, you can event make client JS send data to your server after it worked so you can log data from the interactions with the 3rd party.
Furthermore it has the advantage of distributing the load on the clients
I know you didn't tag the question with javascript and you seem to want a server pure solution, but It seems the best solution to me. the user keeps its data ..
Security through obscurity might be your best bet. Perhaps implement an algorithm to generate the key using something standard (like the current datetime). You can store the date in your db, and use that to generate the key using your own algorithm.