How to retrieve Microsoft Azure ACS claims from Facebook as Identity Provider - facebook-graph-api

this is my first ever proper post, apologies for breaking any formatting conventions.
I am working on a simple app that is using the Microsoft Azure ACS for authentication and Facebook as the Identity Provider. At the moment this is just a index.php page which echoes out a big HTML chunk rendering the login page and accessing the Facebook API.
So far I have been able to set up my ACS account with the correct settings and successfully add Facebook as an identity provider. I am able to login with Facebook and return to my app, as well as use the Facebook API to get information about the user. However, I would like to get the original claims generated by ACS back from Facebook, like the "AccessToken" and "emailaddress" which are set in the ACS management, so that I can later provide this token back to ACS and continue with authentication. I cannot seem to find how to do this anywhere in the Microsoft Doc or Facebook API.
Any help would be appreciated !

I would not recommend using ACS as Microsoft is discontinuing it. You should either consider integrating directly with FB (multiple frameworks for this, and quite a bit of docs if you search for it), or consider using an alternative to ACS like Auth0.
Disclaimer: I work in Auth0.

Related

Google Identity Platform 3rd party access?

My question is how a 3rd party developer would login users through my Identity Platform? I looked at the documentation but found nothing.
Essentially I want to use Identity Platform as an OIDC Provider, but I don't know if that's supported.
Cloud Identity Platform is based on Firebase Auth product (literally because the documentation and the Javascript to add are still in Firebase perimeter!).
This product allows you to delegate the authentication to a third party, either Firebase auth if you use login/password authentication, or to connect Identity Provider (IdP).
There is several built in IdP like Google, LinkedIn, Facebook, Twitter,... and you can add custom Auth0 provider (SAML) and OAuth2 provider (OIDC).
The platform only allow you to perform an authentication and then redirect the user to YOUR app. Then, it's to YOUR app to ensure the correct authorisations and roles of the user.
All of this for saying to you:
Think about firebase Auth feature: originally, it has been designed to authenticate user that wants to connect to Mobile App, on Android. Today it's the same thing but, in addition, for your web app
It's designed for YOUR application with YOUR roles and authorisations. By the way, if your target is to allow your 3rd party developers to log into Google Cloud console thanks to this authentication mode, it's not possible.
But, stay tuned, awesome things are coming soon on this field
John is right, more details would help. But if I had to guess you are referring to the fact that Google Cloud Platform IAM does not handle Identity part only authorisation. You could, however use G Suite or Google Directory Sync (which can integrate with LDAP server or Active Directory.
You can refer to the link below which shows you how you can integrate with OIDC:
https://cloud.google.com/solutions/authenticating-corporate-users-in-a-hybrid-environment

How to integrate Google Cloud Identity with classic username/password authorization?

I am looking for a solution to integrate Google Cloud Identity into an existing project. The idea is that there are two applications - old and new one. Within old application the users are right now logging with username and password, within the new one I plan to introduce GCI.
Is there any way to have backward compatibility with the old application authorization model while having already Cloud Identity established in the new app?
The problem is that user is supposed to be able to authorize both in old and new applications and I can't think of a solution that would not force me to change authorization model in the old application which I would really prefer not to.
After thorough research I came to a conclusion that the best way to integrate classic authorization by username and password with Google Cloud Identity would be thanks to Firebase.
Firebase Authentication supports password authentication in addition to federated sign in with Google, Facebook, Twitter, and more, allowing you to easily scale your authentication system as you grow on desktop and mobile. Apart from that Firebase is also provided out of box when using Google Cloud Platform.
Using Firebase I will be able to implement simple login with username and password in the old app and use Google Sign In within the new app.

Use Twitter as Identity Provider in AWS Cognito

I'm want to implement social-sign in with twitter in Cognito and test it using the build in UI page but I cannot find any relevant guidelines to do this.
My use case is to authenticate user with twitter credentials and obtain user information like firstname, lastname, email, country.
I've found this relatively old post: https://aws.amazon.com/blogs/mobile/announcing-twitter-and-digits-support-for-amazon-cognito/
But it seems that the native support for twitter was removed from Cognito? Because in Cognito under Identity Providers there is no twitter option.
Does anyone know what happened regarding this?
From what I've found in the twitter documentation regarding using twitter as a IdP it seems that it is not using OpenID Connect specification but some OAuth1 custom extension (I'm not sure if what I stated is correct): https://developer.twitter.com/en/docs/twitter-for-websites/log-in-with-twitter/guides/implementing-sign-in-with-twitter
But I did not find any OpenId Connect endpoints for twitter like the ones from Microsoft for example (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration)
Is there any way that I can implement sign-in with twitter in cognito? And also to test this using the cognito build-in login UI?
As far as I know Twitter's current sign-in mechanism is based on OAuth 1.0 which is not OpenID Connect. So I would suggest you building some custom Auth Mechanism using OpenID (there might be already open source solutions), link it to Cognito and inside this custom auth app you authenticate with Twitter OAuth 1.0. So in other words, build a bridge between Cognito and Twitter via custom OpenID app.

FB Graph API - cannot enter with my own App token

i facing an issue regarding the FaceBook Graph API.
actually a friend of me, have an FB App whitch can be used for the Graph API.
But in that case I activate a FB dev APP for myself, i'm not able to generate a valid security Token with the App-ID and App-Security.
At first the App is live and activated. For that I don't understand the error message at the end.
Second I don't want to have a User-Token with a validation for an hour.
These are the step's i following:
getting App Token
https://graph.facebook.com/oauth/access_token? client_id=20179479xxxxxx&client_secret=3048xxxxxxxxxxxxxxx&grant_type=client_credentials
The result i'm receving:
"access_token": "20179479xxxxxxx|Pqxxxxxxxxxxxxxxxxx",
Now if im trying to use the Graph API Explorer and trying these token as authentication, I'm facing an #200 OAuthexception
my request:
Get -> /v2.12/coca-cola
"(#200) Access to this data is temporarily disabled for non-active apps or apps that have not recently accessed this data due to changes we are making to the Facebook Platform. https://developers.facebook.com/status/issues/205942813488872/",
Have somebody any ideas how to solve or what i'm missing here?
With the Security Token from my friend he can use the example with coca-cola from the developer like in the documentation and example from FaceBook as well.
Thanks in advance
Facebook is changing the API due to a security issue. This means new apps have more restrictions and less access (for the minute) than apps that were already registered and using the API, probably why your friends key works. Seen as your app is either new or hasn't recently accessed the data you are requesting, you currently cannot fetch it.
Its not known what features will be removed from the API following this incident - as a result I wouldn't come to rely to heavily on any feature the API offers.
Im hearing that the ability to retrieve events could either be removed or the data you can access from an event is going to be severely limited, however thats not from any official facebook source. All apps will be subjected to a review according to this official facebook post, before they are granted access to the Events API, Groups API, and Pages API.

Google Cross Domain Authentication

I have various sites (on their own domain) with their own authentication systems. What I'm trying to do is combine all the authentication into Google's authentication so the users will only have to log in with their Google credentials. What I'm thinking of is that they would log in with their Google credentials and be redirected to a dashboard which has image links to the other sites. The user should be able to go to any of the sites and be automatically logged in since they were already authenticated. I saw that there's an authentication for Google Apps but is this the same thing for my websites?
What I'm not sure about is how does this happen cross domain? How do the other domains know that the user is already authenticated?
Also, if the user logs out, they should not be able to access any of the sites anymore.
Anyone have any experience implementing something like this? Any resources are much appreciated. I will be implementing this in Coldfusion so Coldfusion resources are a bonus.
Your talking about using Google to login/signup i.e. Using OAuth 2.0.
You will need to register each of your app domains with Google. The user will need to confirm each application to allow access (in your case for signup/login).
Resource on Google Login with ColdFusion by Raymond Camden
The point is you need to establish a certain protocol to build a trust.
Other options are:
Google oauth javascript cross domain