EmberJS - Handling 3rd party redirect authentication - ember.js

I'm using ember-simple-auth for my Ember app, but I don't have an API endpoint to authenticate users, rather it does a page redirect to the form and signs a user in, then redirects back to my app. (I don't own the authentication)
After authentication, it gets redirected back to me, so I know on the server side when a user has been successfully authenticated. How do I manually authenticate the users' session when they are redirected back to my app?
Currently I did a hack to write two cookies: ember_simple_auth:access_token and ember_simple_auth:authenticator.

I think setting up the session store manually is an ok solution in this scenario as that will trigger the session to be restored after the redirect (which is on startup of the Ember application). I'd maybe configure a custom authenticator that redirects to the external login page in the authenticate method. That way you have that redirect centralized and it will also be triggered automatically whenever Ember Simple Auth automatically enforces session authentication (e.g. from the AuthenticatedRouteMixin).

Related

Django Sessions: Correct way to get logged in user data from server?

I have my API set up using SessionAuthentication. Once a user logs in, I redirect them to their profile page in React. Once they are redirected to their profile page, I want to make a REST call to retrieve their profile data and insert it in the proper location on the page. I see a couple ways I can do this:
When a user logs in, put their User ID into the Response object (DRF) and then store that in the client somewhere (Redux store, session storage, or local storage). Then when they are redirected to the login page, make a REST call to /users/users_id.
With Django sessions the logged in user is automatically tied to each request. So do I even need to follow Rest here? I can make a call to /users, and if the user is authenticated, return their data.
I would appreciate any help with this. Thank you.
With SessionAuthentication, after a successful login, the browser saves a sessionId cookie for that domain (or ip:port) automatically. Sending a request will send that cookie from the same domain no matter with Django or React, and authenticate the user, making your request.user a user.
You can check for the cookie when you inspect the page -> Application -> Cookies -> Your domain -> sessionId
Basically, you can login via Django and it will login you with React as well. No need to store anything manually. Just use the same domain for both.

Django OAuth Toolkit how to log the user out

I have set up Django OAuth Toolkit in my project where the authorization server is separate from the application server (i.e accounts.example.com and app.example.com). App server redirects to accounts server using authorize flow; the user inputs credentials to sign in to auth server, then auth server redirects the user back to application; so that the app can retrieve tokens.
The above flow currently works as expected. If I do not click explicitly Log out the user and the application signs out (e.g session expires or browser cookies are cleared), the above flow will be performed again and there won't be a need for credentials because auth server still knows who is signed it.
However, I am having trouble with explicitly logging the user out of the application. If a user explicitly clicks login, firstly, the token must be revoked and secondly, the auth server must sign out. What is the proper way to achieve this? As far as I am concerned, I won't be able to use Ajax to log out the user because the session must be destroyed in auth server.
So, I have been thinking of redirecting the user to accounts.example.com/signout?token=${accessToken}&client_id=${clientID}. However, I am not sure if this is the right approach. Is this how these sign out requests work with OAuth? Does that mean that when I sign out from the system, I need to always provide Access Token and Client ID?

Login from on site into another with different domains and server

I'm using Django and I have the following case.
My main website on dummy.com has the normal login form from Django.
The Django application is providing an API.
I have a Single Page Application on another server with the domain auth.dummy.com
My SPA is using JWT to authenticate the user so he can be logged in into the page auth.dummy.com by using the API provided by dummy.com
How can I archive it that the user who logs in on the domain auth.dummy.com automatically gets logged in into the main website dummy.com?
But I always want to keep the default behaviour from Django so Users can log in into the site from the main domain as well and not only from auth.dummy.com
Is there a special name for this kind of authentication?
I'm confused by all this names: JWT, SSO, OAuth etc.
Have your SPA set the session cookie at the same time you store the JWT. Also make sure to use the same SESSION_COOKIE_DOMAIN on both sites.

Bypass Django admin login by using another authentication method

Is there a way, when hitting Django admin site, it redirects to a 3rd party authentication page. User logs in there, then gets redirected back to Admin site without having to log in again?
Basically I want to replace Django admin login by another authentication, so I can insert a link to my web app and admins can access admin page right away.
EDIT:
did a bit more research and will refine my problem.
Say I want to login from http://localhost:8000/admin/login/, I assume I need to redirect the user/admin to the 3rd party login page, then once the auth is successful, I should redirect him back to the next page after login. Where/what should I modify?
EDIT2:
I'm following this example
https://auth0.com/docs/sso/current/single-page-apps
Could get the server to run on 5000 but the auth still fails and returns 400
How do I get from my React app in localhost:3000 to my django admin page in localhost:8000 without needing to log in again?
Yes, its possible, you can use authenticate functions to authenticate your request, so when your come back from your 3rd party authentication page you get your response being success or failed and run authenticate function and now your user will be logged... this is kinda a dirty way to do that...
You can also write your own Authentication method and setup at your settings
https://docs.djangoproject.com/en/2.0/topics/auth/customizing/

Django-allauth, JWT, Oauth

I have an AngularJS Single Page Application that uses a Django backend API based on the Django Rest Framework. The API is protected via django-rest-framework-jwt. I would like to use django-allauth for account management and authentication on the server side.
I am just missing one single piece in the flow: How does my Oauth-Token from the client get transferred into a JWT-token? Basically, I would like to do as described here http://blog.wizer.fr/2013/11/angularjs-facebook-with-a-django-rest-api/ based on python-social-auth.
So my question is, how do I implement the ObtainAuthToken class from the link with django-allauth?
There are usually two login flows with social login: client-side ("Javascript SDK") and server-side. If your server needs to be authorised, it's usually a lot easier to go through the server-side flow. And that's also what all-auth does I think (and you didn't mention you use a frontend library like the blogpost you mentioned does).
Now the challenge is to provide the token from the server to the frontend. You would probably load the token in the HTML of the initialisation of the SPA, and then from Angular save the token client side (cookie, localStorage, etc.) so the session isn't lost on a refresh.
If you don't want the user to leave your app, you can open your /accounts/login/ or /accounts/signup/ url in a new window. In that new window they authorise your app, and your server receives the token upon return. There, you will have to generate a JWT token manually, and render that into the template so that javascript can access it. With js in that popup window, you can then communicate with your app that opened the popup and pass it the token – see this SO answer for an example – so it can save it.
Django-allauth provides signals that let you hook into the social login process. In your case, I would recommend subscribing to the allauth.socialaccount.signals.pre_social_login signal. The code will look something like this:
from allauth.socialaccount.signals import pre_social_login
#receiver(pre_social_login)
def create_jwt_token(sender, request, sociallogin, **kwargs):
# dig into the sociallogin object to find the new access token.
We used hello.js for O-Auth at the company I worked at.
You provide a shim on the Python end and get the refresh token and whatever other data needed once the user connects their social account.
We redirect them via Django to the page they attempted to access from their OAuth provider's page.
Each user still has their own email account which is needed for the JWT, but you could assume that whatever email is in the scope of their social account is their email then use django's functionality to create new users: User.objects.create(email=emailStringFromOauthData) etc.