Single page applications built using Angular/React/Vue/Svelte and statically generated sites get served same way when hosted on github pages or firebase hosting.
If Single page applications can have authentication then why can not statically generated sites have authentication for hosting on github pages? After all both are getting served same way.
Related
IIS on Windows Server 2012 setup with 2 projects:
example.com: ASP.NET Core MVC project with VueJS as javascript framework.
api.example.com: ASP.NET Core Web API project whichs feeds the UI project.
The example.com is setup using Windows Authentication, the api.example.com is setup with both Anonymous and Windows Authentication.
Both projects have a seperated Application Pool.
Everything is working fine except when I go to the example.com website, I get a prompt to input my AD credentials for example.com, after that I get another one for api.example.com.
So the user needs to enter his credentials twice. Is there a way to reduce this to one and send the credentials to both websites?
I am using Google Chrome as browser to use the website.
Ok reduced the login to zero. Disabled the Windows authentication on the example.com because all authentication is done on the API project so no need to apply it here. Then added the api.example.com under Internet Explorer > Settings > Security > Intranet sites and kow the client can work directly without applying credentials when working inside the domain.
Per the GitHub V4 API, using GraphQL requires authentication. The GitHub API V4 docs state the following:
Warning: Treat your tokens like passwords and keep them secret. When working with the API, use tokens as environment variables instead of hardcoding them into your programs.
This is understandable. However, I'd like to publish my source code on GitHub and host the app on GitHub Pages.
Question: If I set up the authentication token as an environment variable, how will the actual app itself, once published, be able to use GraphQL to authenticate? Won't it break?
If you're using server-side code, set the environment variable and be done with it.
If you're using GitHub Pages, you can't host a server-side app.
GitHub Pages is a static site hosting service designed to host your personal, organization, or project pages directly from a GitHub repository.
GitHub Pages is a static site hosting service and doesn't support server-side code such as, PHP, Ruby, or Python.
It's only for static files: HTML, CSS, Javascript. These are executed in the browser. There is no environment variable to set. No place to hide secrets from the user.
Instead, build it as an OAuth App. OAuth allows the user to authorize your web site to use their account to access the Github API. This is how Github's own GraphQL API Exporer works.
We are developing a Single Page Application (SPA) using Durandal. I have a view Test.html.
This view will be consumed by another application (App2 which is not SPA) via iFrame. App2 will access Test.html directly via the application url - http://localhost/App1/#Test
My question is
Since we have two separate applications, how do I authenticate the user logged in App2 and display the view Test.html when requested by App2 via iFrame?
It really does not matter if you are embedding your app2 in an iframe or using it directly.
What matters is whether you deploy these apps under one domain or different domains.
In case of single domain you don't realy have to do anything on the frontend - just use the authentication cookie from your NOT-SPA app in your SPA app for authenticated requests.
In case of different domains, try implementing oauth implicit grant flow (probably with a server-side proxy).
I have a Silverlight control that's used to author some graphical content, and I am starting work to integrate it to Facebook so people can have access to their pictures. Things are working well, I am using the JavaScript API on the host page of my Silverlight control to interact with Facebook (log in/out, authenticate, etc).
The problem comes when I register my app with Facebook as a web app. This hostpage/Silverlight Control is hosted under several domains. From what I understand, I can register my web app with a domain like www.example.com, and www.example.net, and things will work for similar roots like site.example.com.
But not for www.example2.com. For my application to be able to log in to Facebook under this domain, I would need to register a separate web app with Facebook specifying this second domain, hence having a second Facebook App ID.
Am I understanding correctly? I have a lot of these domains (10+), and will have more in the future. Is there another (better way) to handle this situation?
I'm trying to figure out, how to use OAuth 2.0 to access Google APIs from my web app. The problem is, that the protocol require developer to register redirect_uri (URL of page receiving access token). But my application can be distributed to many customers and can be hosted on endless number of servers. There is no way to know redirect_uri beforehand.
Google offers another option for installed applications, but I cannot use this variant neither. Auth server returns access code in window title and this information cannot be accessed from javascript of our page (JS cannot access content of window opened using window.open(); if that content comes from different server).
To conclude:
Cannot use method for web applications, because I don't know all URLs where will our app run in the future.
Cannot use method for installed applications, because window title is not accessible from our JavaScript code.
Is there any recommendation, how to use Google's OAuth 2.0 from distributable web application running on a lots of servers? Thank you.
Are you sure you cannot access the window title? If your app is opening the window, it should be able to access it. It should be possible to do this in a similar way you would do it in a mobile app.
If all attempts fail, you could set up a proxy server (that has a known redirect URI) and hands out the Google tokens to all your clients. Or better each of the apps could have its own proxy server - the server it was downloaded from. But then if each OAuth client can only have one redirect URI, each app would have to be a separate OAuth client.