I am building an application that has a web front end and a desktop client application. The web front end allows users to login using Facebook. It exposes a web service to the Desktop application for uploading data. The web service needs to insure that the desktop application uploading data for a user is really from that user. I have already implemented Facebook login on both the client and web interface using the Graph API. How would I go about using Facebook to validate that the user using the desktop application is who they say they are? Also, how can I make it so the user can login once and not need to login again on the desktop application?
After much struggle I figured out that it's possible to receive a session key that does not expire. You can do this by requesting offline access to a user's profile. I stored this in the database on the web side and retrieved and stored it on the desktop side. The only problem is the session key technically can be viewed and used by someone other than the user to make requests. Any other suggestion would be appreciated.
Related
I'm trying to build a plugin for a WordPress App, that uploads file to the users Google Drive space. I don't want the end user to create the Cloud Console Project. but rather just have him give consent so the plugin can access the needed data from his Google Drive account.
When I create OAuth 2.0 Client IDs in the Google Cloud Console (Web Application), Google asks for Authorized JavaScript origins and Authorized redirect URIs. Since the plugin will be portable and can be installed on different websites I can't define this.
How can this be solved that an OAuth2 Authentication by the user can be done, without knowing the URL where the app is running?
Thanks
You cant. Redirect uri must be configured properly, to point webserver the code authorization is running on.
You will need to instruct your users in how to create their own client.
Also as this is a WordPress application, you would need to share your client id and secret with the users. This is also against googles TOS.
possible workaround.
If you put up an authorization server on your own server. The users of your app could then login though that. A refresh token will be returned to their website running your app and stored locally. Your code could then run using the refresh token to access their data.
However you are then going to be responsible for verifying an app with google drive scopes.
I am working on integrating Cognito with the website my team is building for user authentication. I am having troubles with regard to number of app client that I should setup. In the AWS's official documentation, it says something like this:
You can create multiple apps for a user pool. Generally an app corresponds to the platform of an app. For example, you might create an app for a server-side application and a different Android app. Each app has its own app client ID.
So normally, lets say for a full stack application, do we need to set up two app clients, one for frontend and one for backend? or it is fine just creating one app client?
You do not need to create 2 app client values to require a user to authenticate to access your web site using a login such as this one:
You only need one App client id value to secure a web app (the note above is describing a web app and a separate mobile app).
To see an example of securing a web site (this example demonstrates how to secure a Spring boot Web app using the OAuth2 identity provider), see this:
Using Amazon Cognito to require a user to log into a web application
Background
I need to design a WebService REST API. This web service will be consumed from a Web page and some mobile apps (android and iOS). I will call all of them 'apps'. Apps will be developed by third parties, outside of our company. Mobile Apps requires a logged in user to display content, so it's easier for me to handle content authorization of my web service.
Web page is a bit tricky because it must provide some functionality even for non logged users, (eg: list latests products, display product details and search products), so even to non-logged in users:
It must be able to request some data (mostly /products and /products/{id} ) from my web service.
It must be able to consume /search endpoint.
Real question
I will use OAuth2 to handle authorization. On mobile apps this is not a problem, they will not be able to access any content until they get authorized, so once authorized all API will be working.
But I'm totally lost on how to handle connection with web app.
Should I leave some URL non-authorized to allow web dispatch content to non logged in users?
Should I create a special user 'anonimous' with higher API usage rate limits and tell Web app to authorize as 'anonimous' until user has been logged in ?
Greetings fellow Stackoverflowiens,
I have web services and a database setup in Windows Azure and I am using the javascript backend for the web services as this gives me basic CRUD calls without having to write the API. I also have a user table for all users that can login on the app with a field for username and password, I am trying to authenticate the user based on this table without writing the entire API. I can't just do a GET call to see if the user has entered a valid username and password as this would not be secure. And I can't use the Facebook, Twitter or other 3rd party authentication services as the requirement is to use a database of users.
Is there anyway of implementing a custom authentication into Azure without writing the entire API? Or is there another way of doing this that I am not aware of?
Any help that can be provided would be fantastic
I want to upload a file to a website via a desktop app and then take the user to the website. The website has a web service, but requires authentication as does the web site. Is there a way to do this without forcing the user to authenticate twice (once in the desktop app and once in the web browser)?
Unfortunately, you can't prefill an input of type file for security reasons, which makes sense since the user won't want you uploading arbitrary files from his/her computer. But if they have a desktop app, is there some way around this?
Or maybe make the user log into the web app first and then the authentication cookie can be reused?
Any other ideas?
Thanks,
Ben
I would use the dekstop app as a client to the website app via an api.
So, login via the desktop app. The api returns a authentication token (as Carlos suggested) which might be a md5 hash stored in your database for a certain period of time, possibly matched to the clients ip address.
The desktop app can then make calls on the api (like uploading a file) as a authenticated user (by using the auth token).
When loading the website, perhaps the url is http://website/login/{auth_token} where the auth token is added to the url. The api can check to see if its a valid auth token and consider the user logged in.
You could generate an authentication token that could later be used on the website.
It all depends on the type of authentication of the service and the site. Is it integrated Kerberos, WS-Auth, is it Basic/Digest HTTP, is it forms/cookie ?
This answer will most likely not work in the very general users-on-the-wide-open-web scenario, but in intranet contexts, using Windows Authentication (on an ASP .Net solution), would provide this.