How does AWS Cognito redirect a user to an HTTP endpoint by passing his auth token to say he is an authenticated user? - authentication

Is it possible that AWS Cognito redirects the user to an HTTP endpoint with the user's access token if the user is authenticated with Cognito? I need to implement this authorization flow in a React web application. The basic idea is that the user gives his credentials, such as his email address and password, then Cognito takes them to check whether he is an authenticated user or not. If he is, it should redirect the user by passing the token to the callback URL (in my case this is an HTTP endpoint). After the URL gets the token, it gives him access as the final step.

This is possible. But you need to make sure your HTTP endpoint is able to redirect back to a UI page (or React route) or render HTML after accessing the token retrieved in the parameters.
Note: Simply having an HTTP backend URL won't work since the authentication flow requires redirecting the user to the application.

Related

Oauth + SPA + API backend

I'm setting up a service which needs to authorize against an existing Gitlab as OAuth Provider.
The service is a SPA which gets served by a webpack dev server in dev mode and an nginx server in production mode.
I'm also setting up an external API which should handle the database and make requests to the given GitLab instance (for example pull repos).
My SPA is authorizing against the Gitlab OAuth with the implicit_grant flow and is getting an access token. Currently I pass the access_token after the redirect to my API backend and there I get the Gitlab userid and username via a request to the gitlab instance with the access_token. With these I generate a jwt and send it to the client (SPA) and save it there so I can authorize my API with this JWT.
How would I handle the initial access_token in my backend (cause I need the token to make gitlab calls)?
Currently I'm thinking about writing it to the user in the database and getting the user every time he makes a request (normal passport flow), so I also have the token. But what if the token gets invalid or expires?
Should I use an interceptor in the backend and, if the token is invalid (GitLab would give me a 401), redirect the 401 to my client, let him get a new token and pass it back to the backend, generate a new JWT, send this again to the client and let him do the same request as originally requested (via interceptor, too)?
Or should I just redirect the 401 to my client, let him get a new token, let him post this token to, for example, /renewToken, save the token to the database and use the old JWT?
Hope someone can help me understand this flow.
The Credential Management API should be what you're looking for on the client. That will retrieve the id and access tokens so that you can compare access tokens with your server/api and then validate the id token.
Haven't seen a Git example but there are Google and Facebook examples.
You could let the user send the initial access token and your backend API will just act based on the initial access token. Seems to me that it is not necessary to produce another JWT token in this case.
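The token-handling the question describes, written out as an added example (this is not code from the question or either answer, and not GitLab's or passport's API): the backend verifies the provider token once, keeps it server-side under its own opaque session id (standing in for the JWT), and when the provider later answers 401 it drops the dead token and tells the client to obtain a fresh one, which is accepted on a /renewToken-style call only if it belongs to the same provider user. The in-memory store and the fake GitLab calls are constructed so it runs offline.

```python
# Added example: backend-side handling of a provider (GitLab) access token.
# Names, the in-memory store and the fake provider calls are constructed.
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]
ProviderCall = Callable[[str], Response]  # provider token -> (status, body)


@dataclass
class UserRecord:
    provider_user_id: str
    username: str
    provider_token: Optional[str]  # upstream access token; never sent back to the SPA


class Store:
    """Stand-in for the database: users by provider id, sessions by session id."""
    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.sessions: Dict[str, str] = {}  # session id -> provider user id


def login_with_provider_token(store: Store, token: str, fetch_user: ProviderCall) -> Optional[str]:
    """SPA posts the token from the implicit-grant redirect. Verify it upstream,
    persist it, and return an opaque session id (the JWT's role in the question)."""
    status, profile = fetch_user(token)
    if status != 200:
        return None
    uid = str(profile["id"])
    store.users[uid] = UserRecord(uid, profile["username"], token)
    session_id = secrets.token_urlsafe(32)
    store.sessions[session_id] = uid
    return session_id


def call_provider(store: Store, session_id: str, provider_call: ProviderCall) -> Response:
    """Route helper: call the provider with the stored token. A 401 from the
    provider invalidates the stored token and the client is told to re-auth."""
    uid = store.sessions.get(session_id)
    if uid is None:
        return 401, {"error": "no_session"}
    user = store.users[uid]
    if user.provider_token is None:
        return 401, {"error": "reauth_required"}
    status, body = provider_call(user.provider_token)
    if status == 401:
        user.provider_token = None  # dead token; session and user record are kept
        return 401, {"error": "reauth_required"}
    return status, body


def renew_provider_token(store: Store, session_id: str, new_token: str,
                         fetch_user: ProviderCall) -> Response:
    """/renewToken: accept a fresh provider token only if it belongs to the
    same provider user as the existing session."""
    uid = store.sessions.get(session_id)
    if uid is None:
        return 401, {"error": "no_session"}
    status, profile = fetch_user(new_token)
    if status != 200 or str(profile["id"]) != uid:
        return 400, {"error": "token_user_mismatch"}
    store.users[uid].provider_token = new_token
    return 200, {"ok": True}


# --- constructed fake provider so the example runs offline -------------------
PROVIDER_TOKENS = {  # token -> profile (constructed sample data)
    "tok-alice-1": {"id": 17, "username": "alice"},
    "tok-alice-2": {"id": 17, "username": "alice"},
    "tok-bob-1": {"id": 42, "username": "bob"},
}
REVOKED = set()  # tokens the fake provider now treats as expired


def fake_fetch_user(token: str) -> Response:
    if token in PROVIDER_TOKENS and token not in REVOKED:
        return 200, PROVIDER_TOKENS[token]
    return 401, {"message": "401 Unauthorized"}


def fake_list_projects(token: str) -> Response:
    if token in PROVIDER_TOKENS and token not in REVOKED:
        return 200, {"projects": ["demo-repo"]}
    return 401, {"message": "401 Unauthorized"}


if __name__ == "__main__":
    store = Store()
    sid = login_with_provider_token(store, "tok-alice-1", fake_fetch_user)
    print(call_provider(store, sid, fake_list_projects))
    REVOKED.add("tok-alice-1")  # token expires upstream
    print(call_provider(store, sid, fake_list_projects))
    print(renew_provider_token(store, sid, "tok-alice-2", fake_fetch_user))
    print(call_provider(store, sid, fake_list_projects))
```

The design keeps the provider token out of the JWT and out of the browser: the SPA only ever holds the opaque session id, and a renewed token is bound to the provider user id recorded at first login, so a client cannot swap in a token for a different account.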

Forms Authentication and SSO

Created a web-based application which needs to integrate forms authentication and SSO. Currently forms authentication validates all the registered users.
What I need is to integrate SSO as well into the application, i.e., if the user is not authenticated then redirect to the identity server (Okta) configured with WS-Fed and added the application, validate and respond to the landing page. Please can you help on this. Please let me know if any more information is required.
Can you please explain this statement: "if the user is not authenticated then redirect to the identity server (Okta) configured with WS-Fed and added the application"?
Please see this link: https://github.com/okta/okta-music-store. Under the section "Adding Single-sign on to your Music Store" you can see how the C# SDK can be used to implement single sign-on.
Essentially what you need is a cookieToken from Okta. Using the cookieToken as a one-time token and a redirect URL (can be your app URL) you can use /login/sessionCookieRedirect?token=&redirectUrl=. This will create an active session with Okta and redirect your user to your app or redirect URI.
The cookie token is obtained via a series of two calls. Authentication gives you a session token in the response. The session token is exchanged for a cookie token via the create session call.
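Building the sessionCookieRedirect URL from the answer above, as an added example (not code from the answer or from Okta's SDK): the one-time cookie token is only worth something to whoever receives the redirect, so the redirectUrl is checked against an allowlist before the URL is produced. The org URL, allowlist and sample values are constructed placeholders.

```python
# Added example: construct the Okta session-cookie redirect URL from the
# answer, refusing redirect targets outside an allowlist. Values are placeholders.
from urllib.parse import urlencode, urlsplit

OKTA_ORG = "https://example.okta.com"            # placeholder Okta org URL
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}     # constructed allowlist of app hosts


def session_cookie_redirect_url(cookie_token: str, redirect_url: str) -> str:
    """Return OKTA_ORG/login/sessionCookieRedirect?token=...&redirectUrl=...
    Raises ValueError when the redirect target is not an allowed https app URL."""
    parts = urlsplit(redirect_url)
    if parts.scheme != "https" or parts.netloc not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError(f"redirect target not allowed: {redirect_url}")
    if not cookie_token:
        raise ValueError("empty cookie token")
    # urlencode percent-encodes the redirect URL so it survives as one parameter
    query = urlencode({"token": cookie_token, "redirectUrl": redirect_url})
    return f"{OKTA_ORG}/login/sessionCookieRedirect?{query}"


if __name__ == "__main__":
    print(session_cookie_redirect_url("tok123", "https://app.example.com/landing"))
```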

Correct HTTP Status Code to be returned with OAuth Authorization Code grant type

A new website I'm working on has the following components:
- AngularJS/HTML5 Front-End
- Web API Back-End that supports the Front-End
- OAuth Server - authenticates the user and provides tokens
The workflow for an unauthenticated user:
1. Views the Front-End, which calls the Web API to determine if authenticated
2. If not authenticated, the user is redirected to the OAuth Server
3. After successful authentication, the browser is redirected back to the website with an Auth Code
4. The Auth Code is sent to the Web API
5. Web API logic requests an Access Token from the OAuth Server
6. A cookie is used to associate the token with the user
7. Additional requests send the cookie, which is used to authorize the user.
My question is what should I send for the HTTP Status Code for Step 1? Normally you send 401 for unauthorized, but that is if you are using HTTP Authentication. Since the authentication is handled by a different server, that wouldn't make sense. 403 doesn't seem correct either because it implies that the status will not change.
Should I just use a generic 400 or a custom 400.X code?
Although there is nothing wrong with sending HTTP 401 Unauthorized as a response in your case, a much better alternative would be to send HTTP 302 Found, which would imply that when the user was trying to access the front-end view, the applicable resource in this case (OAuth Server Url) was found somewhere else.
You can mention the OAuth Server Url in the Location header of the response, so the client would redirect the unauthenticated user to the intended location.
HTTP 302 Found
Location: https://oath-server-url.com
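The 302 response from the answer above, written out as an added example (not code from the question or answer): an unauthenticated request gets a 302 whose Location is the OAuth server's authorization URL, carrying a fresh state value that is also set in a short-lived cookie so the later callback can be tied to the login this browser started. The OAuth server URL, client id, redirect URI and cookie names are constructed placeholders.

```python
# Added example: Web API response for step 1 when the user is not authenticated.
# Server URL, client id, redirect URI and cookie names are placeholders.
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

OAUTH_AUTHORIZE_URL = "https://oauth-server.example/authorize"  # placeholder
CLIENT_ID = "frontend-client"                                   # placeholder
REDIRECT_URI = "https://app.example/auth/callback"              # placeholder
SESSION_COOKIE = "sid"
STATE_COOKIE = "oauth_state"

HttpResponse = Tuple[int, Dict[str, str]]  # (status, headers)


def unauthenticated_response() -> HttpResponse:
    """302 Found pointing at the OAuth server, with an unguessable state."""
    state = secrets.token_urlsafe(32)  # one per login attempt
    location = OAUTH_AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",       # authorization code grant, as in the question
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # urlencode percent-encodes this value
        "state": state,
    })
    return 302, {
        "Location": location,
        # HttpOnly and short-lived: only the callback handler needs to read it;
        # SameSite=Lax is still sent on the top-level redirect back from the server
        "Set-Cookie": f"{STATE_COOKIE}={state}; Path=/auth; HttpOnly; Secure; SameSite=Lax; Max-Age=600",
        "Cache-Control": "no-store",
    }


def check_request(cookies: Dict[str, str], sessions: Dict[str, str]) -> HttpResponse:
    """Step 1: a caller with a known session cookie gets 200, anyone else the 302."""
    sid = cookies.get(SESSION_COOKIE)
    if sid is not None and sid in sessions:
        return 200, {"Content-Type": "application/json"}
    return unauthenticated_response()


def query_of(location: str) -> Dict[str, str]:
    """Helper: the single-valued query parameters of a Location URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}


if __name__ == "__main__":
    status, headers = check_request({}, {})
    print(status, headers["Location"])
```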

Kinvey Github API

I am making an app that uses Kinvey as a backend. I want to access the GitHub API. I need the user to authenticate with OAuth. Can I do that with Business Logic? As far as I can tell, every request needs to be authenticated as a user, and when GitHub redirects to my Business Logic it won't have those credentials. I feel like I am missing something simple (never worked with OAuth before).
Can this be done with Kinvey alone?
The OAuth2 callback does not have to be to Kinvey. If the user is interacting with the system and authorizing the token via OAuth, the redirect should actually be back to your web server - this way the user is redirected away from the authorization page, and back to your site. From there, you can get the token from the callback URL query string, make a request to store that token in Kinvey, and redirect the user to the appropriate page on your site.
If you are doing the server-side OAuth flow, you can set your callback to be any collection (you can create a dummy collection for this purpose). Endpoints will not work for this, because endpoints currently only accept POST requests, and the OAuth2 callback is a GET request. In this use case, you would create a pre-save endpoint that receives the callback, obtains the token from the query string, and then does whatever processing it needs to do.
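The callback endpoint both this answer and the Cognito answer at the top of the page describe, as an added example (not code from the answers, from Kinvey or from Cognito): the handler reads the query string, checks the state parameter against the cookie set when the login started, hands the code to an injectable exchange function, keeps the resulting token server-side under an opaque session id, and sends the browser back to the UI route with a 302. Note that this only works for values returned in the query string (the authorization-code flow); a token returned in the URL fragment, as the implicit flow does, never reaches the server. Cookie names, the /app route and the fake exchange function are constructed for the example.

```python
# Added example: HTTP callback endpoint that receives the OAuth redirect.
# Cookie names, the app route and the fake code exchange are constructed.
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs

STATE_COOKIE = "oauth_state"
SESSION_COOKIE = "sid"
APP_ROUTE = "/app"  # where the browser lands after login (placeholder)

HttpResponse = Tuple[int, Dict[str, str]]
# exchange(code) -> access token, or None if the authorization server rejected it
Exchange = Callable[[str], Optional[str]]


def handle_callback(raw_query: str, cookies: Dict[str, str], exchange: Exchange,
                    sessions: Dict[str, str]) -> HttpResponse:
    """GET /auth/callback?code=...&state=...  ->  302 back to the app, or an error."""
    q = {k: v[0] for k, v in parse_qs(raw_query, keep_blank_values=True).items()}
    if "error" in q:  # e.g. error=access_denied sent by the authorization server
        return 400, {"X-Reason": q["error"]}
    expected = cookies.get(STATE_COOKIE)
    received = q.get("state", "")
    # constant-time compare; a mismatch means this is not the flow this browser started
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return 400, {"X-Reason": "state_mismatch"}
    code = q.get("code")
    if not code:
        return 400, {"X-Reason": "missing_code"}
    token = exchange(code)
    if token is None:
        return 401, {"X-Reason": "code_rejected"}
    sid = secrets.token_urlsafe(32)
    sessions[sid] = token  # the token stays on the server, keyed by the session id
    return 302, {
        "Location": APP_ROUTE,
        "Set-Cookie": f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax",
        "Cache-Control": "no-store",
    }


# constructed stand-in for the code-for-token exchange with the auth server
FAKE_CODES = {"c0de-123": "access-token-abc"}


def fake_exchange(code: str) -> Optional[str]:
    return FAKE_CODES.pop(code, None)  # an authorization code is single-use


if __name__ == "__main__":
    sessions: Dict[str, str] = {}
    print(handle_callback("code=c0de-123&state=s1", {"oauth_state": "s1"},
                          fake_exchange, sessions))
    print(sessions)
```

The browser only ever receives the opaque session id in an HttpOnly cookie; the access token itself is never placed in the redirect back to the UI, which is what keeps it out of browser history, referrer headers and client-side scripts.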

Google Data API: OAuth authenticate URL instead of authorize URL?

I'm accessing the Google Contacts API using OAuth.
I see from the docs that I have an authorize URL (https://www.google.com/accounts/OAuthAuthorizeToken), used to get the access token, but not an authenticate URL, which other services implementing OAuth use to automatically redirect the user to my site when he has previously given me permission to access his data.
Linkedin does it
https://www.linkedin.com/uas/oauth/authorize
https://www.linkedin.com/uas/oauth/authenticate
Twitter does it
https://twitter.com/oauth/authenticate
https://twitter.com/oauth/authorize
But I couldn't find a way to do this using the Google API.
Anyone knows if it's there?
Thanks
Google uses the same URL for authentication and authorization, so just redirect your users to the authorize URL with the appropriate parameters in the query string. Google then determines if the user needs to log in, authorize your app, or both.
The flow would go something like this...
Get the request token
Redirect your users to the authorization link
https://www.google.com/accounts/OAuthAuthorizeToken?scope=http%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds&oauth_token=REQUEST_TOKEN&oauth_callback=http%3A%2F%2Fwww.mysite.com%2Fcallback
The user authorizes your app, then you exchange the request token for an access token.