Currently, I have Google, Github, Twitter account registration/login (merge them by email). But I want to give a currently logged-in user ability to manually connect another social account (with a different email). For authorization, I use JWT and store them in localStorage on frontend.
The problem comes when we redirect user to some of social login providers and when he returns back we don't know who it is. It can be user that connects an additional social account to the main account or a new user that firstly login by some social provider.
What possible solution for getting logged-in user after redirect from Social login provider when using JWT for auth?
or
What best solution for linking social account to existing main account when using JWT for auth?
By "social login provider" I mean Github, Google, Twitter, etc
Ok, I just create separate routes for connecting and store JWT in cookies to ease auth check.
Related
Using the kuzzle auth passport oauth plugin, how would you handle having multiple social providers able to login to the same Kuzzle account?
I got the login working with Facebook and Google, and I let users create an unique username for their account when the user login with a new social provider.
At this username creation step they get the option to connect with the other social provider to prevent creating multiple accounts or if they already signed up through another provider.
What's the proper way to have a single Kuzzle account having multiple login strategies attached to it from different oauth providers?
I'm implementing Facebook and Google SSO on my website using custom workflow (redirect urls, parsing on server side etc. - no javascript) and I got to the point I have access_token, token_type and expires_in and from Google also id_token and I am confused what to do next to authenticate the user.
I read a little about authorization vs authentication, and that Facebook and Google SSO is OAuth2 which provides authorization, but not authentication, from which I understand that this way my web application is authorized to do something on behalf of the user, but I cannot be sure the user is the one who I think he is? My main source is this: OAuth Authorization vs Authentication
So, my question is, what should I do to be able to can consider the user logged in.
Thank you
In your case google (and facebook) is authenticators. This services just tells your application that user who try to login to your system is the one who he wants to appear.
Assume you differentiate users by unique email.
Your application flow should be next:
The user try to login to application using google Application do all redirection google flow stuff and gives you tokens
Application need to store this tokens for future use
Application check if this user's email presented in database
If email is presented and google returns tokens (google authenticate your user successfully) you can login user in your app
If email isn't presented in database but google authenticate user successfully you can store this user (with email) to your database - sign it up - this is new user in your system
Same flow with Facebook. Surely you can extend this logic to be more your application specific.
SSO and OAuth are different. OAuth is authorization protocol.
You are dealing Google and Facebook oauth.
OAuth
In case of oauth, after successful authentication(google/facebook) you will get access token. You can use token for maintaining the user session.
With this token user is authorized, Now you should check whether the user is present in your database, if yes then authenticate the user and redirect to your application.
SSO
SSO is user authentication service. There are way to implementing SSO like kerberos SSO, ADFS SSO.
We should never use OAuth2 access token for authentication.
For details, please refer
https://oauth.net/articles/authentication/
The OpenIDConnect, built on top of OAuth2, can be used for authentication.
Google supports OpenIDConnect
https://developers.google.com/identity/protocols/OpenIDConnect
The basic idea is Google will issue the client app (your application) a ID Token after the user has login his Google account. You can then extract user information (e.g. email, unique user id) from this ID token and proceed your login flow.
I need to build a custom auth system with and i don't know what to choose between Firebase Auth and Google OAuth/OpenID.
I don't want my users to sign in through google accounts nor facebook nor twitter etc.
I want to use my own user database to authenticate my users.
So what is the best and more secure, reliable,scalable option to setup this ?
Thanks
If you have an existing list of user credentials (e.g. Active Directory, LDAP or a database with user names and passwords) you can authenticate those users yourself and then tell Firebase about them with Custom Authentication tokens.
Using Google authentication makes no sense in that case, since the credentials you have are not for Google accounts.
I have created an API that uses the FOSUserBundle and the FOSOAuthServerBundle for user accounts and Authorization.
Is it possible to add, login via facebook or google, functionality using the FOSOAuthServerBundle?
I have seen people mentioning the HWIOAuthBundle as a way to integrate Facebook and other social logins. I have not seen an example of integrating the two bundles (FOSOAuthServer and HWIOAuth) so that users can create accounts on the system and authenticate (FOS) while at the same time being able to create accounts / login via FB (HWIO).
I found this post about using custom grant types with FOSOAuthBundle:
http://blog.tankist.de/blog/2013/08/20/oauth2-explained-part-4-implementing-custom-grant-type-symfony2-fosoauthserverbundle/
The idea is to create a service that takes the facebook token and validates it with facebook. If successful an OAuth Token should be returned.
The HWIOBundle is not necessary
I was just wondering, I want to associate a Twitter and LinkedIn account with my systems accounts. Which would allow them to post to interact with them without needing to log in to the other systems.
Is there a way to store the social (twitter / LI) usernames and passwords and associate them with my system and vis versa.
E.g. If I login using my native details (email / password) I can access the API features of my social network accounts?
Thanks in advance,
Chris
I can't speak for Twitter, but with LinkedIn you could follow this basic workflow:
Register an 'application' with LinkedIn. Your site will use this application for all communication with the LinkedIn API.
Have the user authorize your site (your application really), to access their account via the LinkedIn API.
Retrieve the user's unique LinkedIn ID, as well as their access tokens, and store those in your user account database, associated with their existing account.
Then, when they return and log in to your site, any calls you need to make to LinkedIn can be done via the stored access token, rather than having to have them manually allow you to have access again.