Currently I am working on an WebApp with Ember.JS. Now I want my customers to log in with their Twitter account using OAuth but I don't want my App to reload when they do.
So my idea was to have the login button open an popup to the Twitter authentication page which redirects to my page which has some JS based on the result e.g
window.opener.success(userdata);
and
window.opener.failure(error);
But since it first redirects to Twitter (the popup) browsers remove the window.opener properties to prevent cross site scripting even though it does redirect back to my own domain (where the JS code is).
Is there another way to go about this?
edit: I could user postMessage, but this doesn't work in IE8/IE9 in a popup. Only in an iFrame.
Yes, you have the same idea as some other programmers at Vestorly; they made a social authentication plugin called Torii I would recommend this as they have probably also taken care of all your obvious security concerns.
Related
I was wondering if it's possible to enable/disable cookies within the chromium plugin browser for electron.
My application uses a third party authentication and renders a pop up window for it. I want to disable the cookies when the user is authenticating and then re-enable it after its completes since i only care about the tokens. There are other reasons for this that I don't want to go into with the way the app is designed.
The application use https://github.com/electron/electron/blob/master/docs/api/session.md. It talks about how to add/get/delete cookies, but not how to disable/enable it.
Any advice appreciated,
Thanks,
D
Most of the third party auth providers require cookies to work correctly. For example, some auth providers like live.com generate initial cookies before the user gets to the login page. These cookies are required when the login button is clicked.
The question itself is mute at this point, but it's interesting why electron doesn't give the user the ability to disable/enable cookies thou since it's just a shell for chromium which has the feature. Perhaps the use case isn't high.
We are building a Django backend with an iphone app and also would like to allow login through web/mobile browsers.
The requirement is to be able to register and logon from the website/mobile browser and also through the iphone app. I have also integrated django-registration for registration, login, logout etc.
What would be the preferred approach so that register, login, logout can be doen through the iphone app as well as mobile browser?
The most discussed approach seem to be the following:
Use tastypie for a RESTful API(or any other framework for REST) ( In
this case, I assume that means create an api for register and login)
For iphone, use RESTKIT to call and authenticate the backend to
perform login, registration etc.
Security and ability to only see relevant data for the user is important in our case as the data is highly sensitive.
Any advice is much appreciated and surely will help others too.
Thanks in advance.
Neo
If you have already integrated django-registration on your website, then you don't necessarily need to add tastypie just for login,logout etc.
Check out the documentation for django-registration at https://django-registration.readthedocs.org/en/latest/quickstart.html#setting-up-urls. If you follow the steps for the default setup, that should provide you with URLs for login, logout etc. If the section on "Required Templates" doesn't make sense to you here, read more about django at http://www.djangobook.com/en/2.0/chapter04.html
Once you have these URLs, you can simply make use of the AFNetworking library on iOS to create HTTP requests to login / logout etc.
Typically, a django view for registration will serve GET and POST requests differently. If you make a GET request, it will format the registration form and display the HTML page. If you make a POST request, it will first extract the information required for registration from the request and create a new user. This will happen automatically for the web.
Making use of AFNetworking, you can create a view that shows the form locally and then makes the corresponding POST request once the user wants to register. The same procedure applies for login.
I wonder what is the right technique to streamline the login to my site via Facebook.
Currently, I have a web site integrated with Facebook Login button. Right now, it's an independent web site, and not a "Facebook app" (running in the canvas). While this is not my decision, this could change in long term if matters.
The way the authentication work: the "fb-login-button" is redirected to my application URL using onlogin() event; the server side uses the cookie to retrieve the "access token" and perform further Graph API work. The business logic resides on the server side.
The current business requirement is the following:
Suppose someone posts a link to my site, somewhere in Facebook, for example in our site community page:
http://www.mysitedomain.com/offer1
A Facebook logged-in user clicking on the link - should get to the target page, after his Facebook identify got verified, and the result should be personalized for that user.
If a Facebook user already has an active session with my site - trivial.
Assuming a user had approved my site (app) in the past, but has no active session - here I am looking for the best practice to do the login.
Also, I would appreciate a hint how to handle the app authorization (i.e. showing the Facebook authorization dialog) in a most efficient way.
Thanks for any hint.
Check out FB Login Architecture and FB.getLoginStatus. Based on FB documentation, If you use javascript sdk, it only triggers a Popup on the same page and once authenticated it will go back to the same page. So once the login status is confirmed then you can get users information from graph api and update via AJAX on your page. You can also checkout this server side login. Hope this helps.
This issue is very common in stackoverflow, and there's a lot of different questions and answers about it, yet I couldn't find exactly what I need.
First, I'd like to define exactly what I need: the option to let users log in to my app using their Facebook credentials. The app will save a matching classic Django user. I will only need to use the user's profile picture and to make sure that each time the same Facebook user will be related to the matching Django user.
Unfortunately, I find it really frustrating to implement for the following reasons:
By now, after reading a lot, I couldn't find out what is the best package for this task.
Some people recommend django-social-auth and praise its functionality and documentation. Personally, I don't understand why, since it's not specifically for Facebook and there are no explanations about the client side, i.e the Facebook login button and how the whole flow works.
When you go to Facebook developers, you suddenly find yourself reading about some magical javascript sdk, and about a promise that that's all you need. Then you get frustrated again and can't understand how a client side related sdk can sign up users to your app.
I know developers somehow implement Facebook auth packages in their apps, but I just can't figure out how to do it.
If anyone could tell me: at this time point, what is the best way to add Facebook authentication to my Django app? I would also ask for detailed documentation / tutorial that explains how to log in a Facebook user, from settings and configuration level through signup to Django app and to client side code.
There are multiple ways to approach the problem, what is the "best" way is really subjective.
Subjectively speaking, you could opt for django-allauth. Here are a few pointers to help you get started:
If you want to keep the signup simple, set SOCIALACCOUNT_AUTO_SIGNUP to True in order to achieve a "no questions asked" login. Users simply approve the FB dialog and they end up logged in in your site right away.
Adding a login button to your template is merely a matter of:
Sign In
The app offers support for the JS SDK login (pro: users are accustomed to the typical FB popup that appears), or you can use your own OAuth flow. Whatever you please.
The fastest way understand FB's Oauth 2.0 flow is to play with FB's Javascript SDK. Once you get the hang of it, the FB's PHP library is similar. Also, other OAuth sites like Google, Twitter or Dropbox have almost identical implementation.
In baby steps:
Learn how to install FB Javascript SDK onto a simple page
Use FB.login to determine login status and obtain the login url.
Lastly, use FB.Event.Subscribe and subscribe to auth.statusChange to detect the login/logout changes.
Also, good to check out https://developers.facebook.com/roadmap/ on the upcoming features or features being removed.
django-social-auth is not just for Facebook, but that doesn't mean you should use all the backends available.
Project documentation is at http://django-social-auth.readthedocs.org/en/latest/index.html and Facebook backend details at http://django-social-auth.readthedocs.org/en/latest/backends/facebook.html.
I'm implementing a Facebook login button on my site via ...I'm using the auth.login function in javascript SDK to redirect the users. On a desktop the user is prompted for a username and pass, and then is redirected to the page first.php...However, on mobile devices, the user is prompted to verify, but is then redirected to the facebook home page..I think this is because of my redirection method, can anybody offer some help?
This answer is based on the comments below the original question. To use the authenticate dialog, you must have a Facebook application setup. If you don't want a Facebook application, then you cannot use the authenticate dialog. Remember, if you want to play in Facebook's sandbox, then you must play by their rules and not look for ways to "game the system".
So, to make it work on mobile devices, you must configure your application to work in the mobile environment. Go to your application settings and ensure you have the mobile part filled in correctly.