I have a web app that uses Firebase for authentication, more specifically it uses the signInWithPopup(provider) method. There is also a desktop client based on Electron which simply loads the same web app. With recent updates this method of authentication stopped working as Electron is regarded as unsecure environment.
Is there a way to open the login popup in the default browser (i.e. Chrome) which is secure, complete the login process there, and return to the Electron app with the login information?
If login popup in default browser, the same issue can happen with security. It needs both ends to be secure.
Can you try to generate certificate and use it in your electron ? Instead of self signed certificate, you can generate through Let’s Encrypt (Authorised CA). Hope this solves your issue.
Related
I want to secure my electron app with firebase auth. The idea is that the user has to click on a button in the renderer process to "Sign up/ Login" and then a new browser window opens in his default browser (not in electron), the user signs up or in and returns back to electron app which automatically signs the user in.
I'm using the following:
Electron: 13.6.9
Angular: 12.1.2
I tried the Electron Firebase repo but to be completely honest I was totally overwhelmed. It's well documented on how to setup but not on how to implement it to an existing app.
I also found this but this seems to be highly insecure to have an auth token exposed: https://pesto.app/blog/how-to-authenticate-with-google-in-electron
Could you guys help me to figure this out in a conceptual way (if you have code examples even better)?
Thanks in advance!
I'm working on an Electron app connected to a backend on AWS that handles the verification and creation of the user. If it matters I'm building the app with React.
Basically the backend flow is:
Navigates to backend.com/oauth/login
Backend prepares OAuth config, redirects to the Discord.com authentication url
User authenticates, redirects to backend.com/oauth/callback with the neccessary information to validate the authentication and create a user
I've got this part working. But if I would open backend.com/oauth/login in a separate browser window, how would I know the authentication was successful?
Are there some events I could listen to in the authentication window I've opened? Maybe let the callback redirect to backend.com/login/successful if the authentication was completed or otherwise backend.com/login/failed. This feels like such a hack but I'm way out of my expertise here.
Three ways to do it:
Once the authentication is successful, you redirect the user's browser to your backend where you load the authentication data in the user state. Your React/Electron app is also connected to this backend. You must be able to match those two connections
Once the authentication is successful, you redirect the user's browser to a custom URL protocol which is registered in the OS to open your Electron app
Once the authentication is successful, you redirect the user's browser to a port on your running Electron app
Most good Electron applications use number 2 - but it requires that your application knows how to register an URL handler on every OS it can potentially run. Number 1 is good if you can safely match the two connections. It requires passing some form of identification. Number 3 is a hack.
when login using Auth0 Webauth in React-Native it opens the browser for login.
I want to create a smooth login so that the user should not able to experienced whether I logged in using App or Browser jut like a webview anyone any idea?
Just to be clear are you asking if Auth0 supports doing this without a browser? Given that it's likely using OAuth2 or OpenID Connect then the short answer is no.
Further to that WebAuthn is a browser-based Javascript API so by definition would require a browser with these features to be available.
That said, there's probably nothing preventing you from implementing a native WebAuthn-like experience using CTAP2 (the protocol that sits underneath WebAuthn) directly or a platform-specific wrapper around the same.
We have a program that runs in IIS with Windows authentication, and which is available to the outside world.
Right now, we provide to every interested party a link to the program, along with guest credentials they then have to type.
Is there a possibility to do away with the credentials? Our internal people should be able to login as usual, but we want to provide a link to get into the guest account without typing any login credentials.
I have tried to add the credentials into the clickable url, but Internet Explorer and Edge browser do not support this, and Mobile Safari throws phishing warnings.
Can this be done universally, that the authentication is done invisibly in the background in all browsers, using some kind of redirect or XHR call with arguments or something like that?
I have made an app that will login automatically in the websites I use daily.
1 of them uses a security certificate which I have installed, when I browse it with IE I can accept the certificate and login, same with chrome, but when I browse with my app it will only show me
Navigation to the webpage was canceled
What you can try:
Refresh the page.
I'm thinking I have to somehow include that certificate on my app but I'm stuck, I've been googling about it but I can't find a straight answer.
I've read that the webbrowser control doesn't support HTTPS which the website I need to login is, if so is there any other way I can access the website within my app, maybe a different webbrowser control?
I'm using VB.net by the way.
some extra info:
I don't own the website so I cannot make any changes there.
I do have valid and legal access to the website using the certificate they issued for me.
The problem was I had browser.ScriptErrorsSuppressed = True
Somehow the browser control was taking the "Accept certificate" messagebox as script error.