We are looking at building a gmail add-on for our application. Our application uses custom authentication (different from gmail or google Oauth).
There are few questions:
Is it possible to launch a single page application(eg. angularJS application) in gmail add-on?
What is the recommended way of authentication and authorization?
Is it possible to render or redirect to/from a secure html or jsp page in a gmail add-on?
How can we implement authentication flow to get tokens from application which use custom authentication eg. form based authentication?
Related
How to authenticate with liferay by passing the parameters as user email and password. If authentication is success then I will redirect to different web web application.Actually i want to authenticate user without using sign in portlet.Is there any way we can hit a url and it gives a response text so we can identify that user is authenticated. i followed this link but i didn't get proper response.
Liferay integrates with a lot of different SSO (Single-Sign-On) systems on the market. Instead of reinventing the wheel, you should use one of those integrations. This way you're free to use whatever your SSO uses to authenticate the user and it will provide your user's identity to Liferay as well as to any other application.
For Liferay EE, you also have the option to make Liferay your "SSO" by utilizing the SAML plugin and creating Liferay into an IdP (Identity Provider) and by making your other application an SP (Service Provider).
The whole field of forwarding the identity of users has been solved and one shouldn't mock around with redirecting with any self-invented authentication scheme IMHO.
I'm trying to figure out what I need to do in order to achieve seamless SSO sign up.
When an administrator of a domain installs my google app, all of the users on his/her domain, should be able to sign-in through SSO without seeing any confirmation prompts. I'm looking into documentation on how to set this up:
Instead of displaying a confirmation page, your application should
match the value of the openid.realm parameter in the OpenID request
against the value declared in the application's manifest.
Is there an example of this? Also, I think Google stopped using XML manifest files once they switched from OpendID to OAuth 2.0. If so, how does this whitelist process work with OAuth 2.0?
Should I be utilizing Google Admin SDK?
Since google is moving away from OpenId, white listing instructions are obsolete. Found a blog post about Domain-wide delegation with Oauth 2.0. Google recommends the following:
the recommended authorization mechanism is now to use OAuth 2.0 and
service accounts. Google Apps domain administrators can delegate domain-wide authority to the service account’s credentials for a set of APIs. This results in allowing the application, by using the service account’s credentials, to act on behalf of the Google Apps domain’s users.
instructions on how to set up domain wide delegation - https://developers.google.com/drive/web/delegation
you can find detailed step to achieve seamless SSO sign up at the following url
http://david-codes.blogspot.com/2014/07/how-to-provide-seamless-single-sign-on.html
I use Google Webtoolkit together with Phonegap to build a mobile app. My app is communicating over a REST APi with my Backend Server.
What I want to do is a user authentication, i.e., my app user should be able to signup and login. If a user closes the app and reopens it, he should be authenticated again if he has not logged out before.
Usually, with Spring Security you do the authentication on the server by calling the required methods. The client (browser) then contains some cookie information for a persistent login.
1. How can achieve this kind of authentication for my app?
2. Should I do the authentication as for a normal web site with the only difference that the authentication methods are called by the REST api methods?
3. Is there another way of doing the authentication for my mobile app?
I think user authentication for the mobile app will be the same as for a normal web-app.
The Spring backend will create a session once a user is authenticated. By default the user is authenticated for the duration of the specific session (until the user closes the browser/app).
Spring Security has a Remember-me functionality that is typically based on a Cookie approach and allows the user to be re-authenticated automatically..
I don't know if phonegap work with Cookies (see here for some pointers). I guess it depends on the plattform (if webview supports cookies).
May be this will help you I wrote an article that show how to adapt Spring Security to secure REST services.
You can check it in here : http://crazygui.wordpress.com/2014/08/29/secure-rest-services-using-spring-security/
I also posted a working example which shows how I did use that with GWT on GitHub.
What is the best way to architect the following solution for authentication?
I have a standalone (not integrated with MVC) ServiceStack REST service layer. This service is the entry point to all my data. No data is stored on the client.
I have multiple clients (ASP.Net MVC 4 site, MonoTouch app, MonoDroid app, Silverlight app, MonoMac app, etc).
I would like to provide authentication (Facebook, Twitter, etc) at the service level, including storing the users in the MongoDBAuthRepository, but allow the clients to provide the login UI (do I want this?). For example, for the MVC site, I'd like to integrate the remote ServiceStack authentication service (including Facebook, Twitter), with MVC's authentication system. It seems like the actual authentication should occur on the service side, but the client side needs to hold on to the authentication response.
I've read the wiki, looked at SocialBootstrap, and read the forum, but I'm still confused as to how this is supposed to work in a distributed way.
For OAuth options like Twitter + Facebook your authentication should happen in a browser as they each require redirections from their respected auth provider to capture trusted verification from each user. Some mobile apps do this by embedding a browser widget for Twitter + FB Auth.
Once a user is authenticated with Twitter + Facebook and Credentials in the same authenticated session, ServiceStack's AuthProviders automatically merges all Auth info into the same account. So later you will be able to login with 1 auth provider but get access to info available on all 3. The SocialBootstrapApi project provides an example of this.
I am looking to create a WCF (possibly WebApi) web service that sits on top of some of our existing code. Eventually this service will be used by external clients but we are going to start using it with our own mobile app.
As some clients will want to use Gmail and ADFS authentication it seems to make sense to use Azure ACS (this is where our webservices are hosted). However we won't need multiple providers for a while and we will start by using a custom STS that authenticates users against our existing authentication logic.
We already have a rough prototype of the above working using a MVC web application acting as the client.
My problem is how do I integrate this with a mobile application? It looks as if the mobile app will be written using AppCelerator which means I need to authenticate using javascript. We only want users to authenticate to our custom STS so would I need to use Active Authentication? I.e.
Ask user to enter username and password
Directly authenticate with custom STS and retrieve token
Pass STS token to ACS and retrieve ACS token
Pass ACS token to wcf service for each request.
I guess my questions are: am I on the right track and if so how would I achieve this in javascript?
If you want to support mobile devices, it is recommended to provide a web based login interface in your STS. In most cases, a mobile device will navigate to your STS’s sign in page in a web browser. After your STS authenticates the user, it sends claims to ACS. ACS in turn uses JavaScript notification to notify the host application.
You can refer to http://msdn.microsoft.com/en-us/WAZPlatformTrainingCourse_ACSAndWindowsPhone7 for a tutorial about working with ACS in Windows Phone. Similar process can be used for other mobile devices.
Hope this helps.
I think it is possible to issue SAML over Https request. As a starting point Id suggest to look at Thinktecture IdentityServer sources by Dominick Baier. This will help to understand different strategies and how you can use em(there are some goodies for WebApi on Github also):
http://identityserver.codeplex.com/