I have a flutter application with a DRF back end. currently using Dj-rest-auth for regular authentication (token).
I'm at a point where I'd like to implement social authentication (specifically Google).
I searched a few resources but still don't quite get the workflow.
https://github.com/iMerica/dj-rest-auth/pull/336/commits/8f5cc65049c4bcb0c650bde707f5023013497b20
my guess is:
you set up your application on google cloud console.
You make a request to get an "access token" to the google auth on the Frontend (in my case flutter)
send that access token to your Back end - django to confirm. which then sends back a regular token for authentication?
Any guidance would be appreciate.
Your guess is accurate.
The exact flow would be to:
Set up API credentials on Google cloud console
Use Sign in with google which gives you an object with a token.
Use the recieved token to hit your dj-rest-auth endpoint for google authentication and mint your own jwt token and return it.
Now, depending on whether your requirement is for flutter or django I could help better with code referrences for it.
Related
I am creating a flutter android app which uses google sign in. Once logged in, I recieve accesstoken and idtoken. I want to use this token to authenticate my backend which uses django social auth and
Login and return the authoken, if the user has already signed up, or
Register the user , login and return the user id and authtoken.
Is this possible ? If so please suggest any documents online or please explain how should I approach this.
Over the years of doing this again and again, I found the solution below works well for me. It creates clear understanding of who is doing what.
Basically, you need:
Django Rest framework-backed token authentication for normal API requests. Mostly your app works on this. Link: https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
Google or Facebook or any other login to issue an auth token in 1. Thus effectively FB/ Google shortcuts the process of typing in username and password.
This is achieved via the flow below:
New user comes in and signs in via FB/ Google
You get Fb/Google token and send it to your backend
You verify the validity of the token. Re-obtain user name and email from G/FB from the backend. Use these details to create a user account in your backend. DO NOT USE email provided from front-end for account creation (assuming email is your primary unique user identifier)
NOTE: Don't forget to check if account already exists. If it does, this is a returning user/ login and not a new user. In this case, validate and return valid Django Rest Token
Once 3 is complete, issue a Django REST framework Token in response to the request made in 3.
After 4, you have a token in your app. Use this token for normal requests.
Happy coding! Happy to answer follow-up questions.
it is possible,first you have to create your api using django Rest Framework,the link below can help you to create your backend and set a token for every user:
https://dev.to/amartyadev/flutter-app-authentication-with-django-backend-1-21cp
then you have to add social authentication to your backend,you can write it yourself or using link below to use library :
https://github.com/RealmTeam/django-rest-framework-social-oauth2
after this approach you have to create your flutter app,the below link is a useful resource to connect your backend and your flutter app :
https://www.asapdevelopers.com/flutter-login-app-with-python-backend/
MY goal is to setup the Cognito Hosted UI to validate users after login. I have followed the steps laid out in the OAuth2 blog here: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
My steps are as follows.
User logs into the AWS provided login screen.
It redirects to my website and I pull down the authorization code in Angular.
I send the code as part of my headers to the backend Nodejs
I use the code to get a token and then validate the token
This stream works but then what? I want to validate the AWS token for each API call but I have no idea how to access the token.
I am guessing that I am either missing the point of this procedure or that the token is somewhere I am unaware of.
Any help would be greatly appreciated.
Usually you have your own UI that redirects to Cognito to authenticate, after which the UI sends the access token to the API on every request.
All of the code samples on my Quick Start Page work like this and use Cognito.
If it helps, this is what the OAuth Technical Messages look like. Feel free to ask any follow up questions
I am running a working AWS Cognito service on a frontend application which can successfully do the basic stuff - login, logout, signup, etc..
Right now I am trying to get user attributes through the backend API, such that:
1) The user login in the application and gets a JWT.
2) The JWT is being sent to the backend server.
3) The server has to extract the email of the user by using the access token
The closest thing that I found to what I need is this Cognito service.
So I am making a GET request to "https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/userInfo"
With Authorization Header as they are asking for, but I keep getting this response:
{
"error": "invalid_token",
"error_description": "Access token does not contain openid scope"
}
I have tried searching for this error but couldn't find any explanation about the error.
Thanks by advance
Erez, are you using a custom UI?
Because the custom UI uses flows that are completely separated from the OAuth2 ones (USER_SRP_AUTH, USER_PASSWORD_AUTH). Tokens that are released with these flows are not OpenID Connect compliant (basically they don't contain the openid scope) so you cannot use them to gather user infos (since the userinfo endpoint is OpenID Connect compliant and needs to be invoked with jwts compliant with OIDC standard).
We're also struggling on that, i'm sorry.
I had this exact problem and it was my fault. I was sending the id_token instead of access_token property of the token.
I program in PHP, so I was sending as header "Authorization: Bearer ".$token->id_token instead of "Authorization: Bearer ".$token->access_token. Now it works.
Hope it helps you or someone.
I am still experiencing the same issue. My problem relies on programmatic use of signIn service (not Hosted UI via federated login) in Amplify framework. After a long googling, I have discovered that this is because "openid" is not including in the scope of token. Only "aws.cognito.signin.user.admin" is included.
You can find a reference here, thread is still open https://github.com/aws-amplify/amplify-js/issues/3732
This solution seems to be fine for me How to verify JWT from AWS Cognito in the API backend?
If I understand correctly, you are successfully getting the #id_token sent to your front end from Cognito (steps 1-3). You can enable scopes on the #id_token by selecting the following options in your Cognito Pool App Client Settings:
I had a similar issue and I spent a couple of hours to find a solution. The access token you received it from cognito in your frontend application you need to send it to your backend then decode it and verify it. here is a good documentation from aws: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
Let's say I have an AngularJS application that consumes the REST API of a Django application.
The Django application has got a built-in OAuth2 provider that can be called to retrieve an access token and use the protected endpoints of the API. This provider is using django-oauth-toolkit.
Let's assume there is a registered client with "password" grant type, so that the end users only need to provide their credentials in the front-end in order to get an access token from the back-end.
At some point we want to add some support for social networks login and we decide to use python-social-auth (PSA) to that end. Here is the workflow I want to achieve:
The user logs in on Facebook from the front-end (via the Facebook SDK) and we get an access token back from the OAuth2 provider of Facebook.
We send the Facebook token to an endpoint of our REST API. This endpoint uses the Facebook token and django-social-auth to authenticate the user in our Django application (basically matching a Facebook account to a standard account within the app).
If the authentication succeeds, the API endpoint requests an access token from the OAuth2 provider for this newly authenticated user.
The Django access token is sent back to the front-end and can be used to access the REST API in exactly the same way that a regular user (i.e. logged in with his credentials) would do.
Now my problem is: how do I achieve step 3? I first thought I would register a separate OAuth2 client with Client Credentials Grant but then the generated token is not user-specific so it does not make sense. Another option is to use the TokenAuthentication from DRF but that would add too much complexity to my project. I already have an OAuth server and I don't want to set up a second token provider to circumvent my problem, unless this is the only solution.
I think my understanding of PSA and django-oauth-toolkit is not deep enough to find the best way of reaching my goal, but there must be a way. Help!
I managed to get something working using urllib2. I can't speak towards whether or not this is good practice, but I can successfully generate an OAuth2 token within a view.
Normally when I'd generate an access token with cURL, it'd look like this:
curl -X POST -d "grant_type=password&username=<user_name>&password=<password>" -u"<client_id>:<client_secret>" http://localhost:8000/o/token/
So we're tasked with making urllib2 accomplish this. After playing around for some bit, it is fairly straightforward.
import urllib, urlib2, base64, json
# Housekeeping
token_url = 'http://localhost:8000/auth/token/'
data = urllib.urlencode({'grant_type':'password', 'username':<username>, 'password':<password>})
authentication = base64.b64encode('%s:%s' % (<client_id>, <client_secret>))
# Down to Business
request = urllib2.Request(token_url, data)
request.add_header("Authorization", "Basic %s" % authentication)
access_credentials = urllib2.urlopen(request)
json_credentials = json.load(access_credentials)
I reiterate, I do not know if this is in bad practice and I have not looked into whether or not this causes any issues with Django. AFAIK this will do this trick (as it did for me).
I am a new bee in using POSTMAN - Rest Client - Chrome API
I want to use the Basic Auth which is available in POSTMAN.
I am trying to login into my Google account at url - "https://www.gmail.com".
I provided my Username & Password in the Basic Auth and I had tried GET and POST.
I got a Status 200 OK which loads me the home page but it is not logged in.
I know that i need to change the url, but i am not able to find the correct one which to use?
It would be helpful if #examples are provided for the Different Types of Auth Provided as well.
The link you have provided is deprecated. I don't know if the Gmail API allowed Basic Auth at the time you asked the question, but right now it needs OAuth 2.0, as indicated in the opening lines here.
The correct url is https://accounts.google.com/o/oauth2/auth, and this link explains how to supply the parameters.
If I remember correctly, Google stopped allowing http clients(like Postman) accessing its APIs through Basic Auth one year back or more. Now, Google allowing its APIs to be accessed using OAuth 2.0.
For accessing Google APIs, you need to setup an OAuth Application, here
When you create this OAuth Application, Google will generate ClientId and ClientSecret.
With these clientId and clientSecret, you need to generate Access and Refresh Tokens and eventually, you will use these tokens to access Google APIs.
Read more about Google OAuth 2.0 and you will get more information about accessing APIs.