I am currently working on a project that requires a user to Login to the app using Google credentials but without redirection to the google authentication website. The user needs to enter his Gmail id and password in the app window and somehow I need to verify these credentials with Google (without redirecting). Is there a way to do this?
EDIT:
One approach I got is to send these credentials to google which would authenticate the credentials and return an authentication token. But the feasibility of this approach is questionable.
Related
I'm looking for the best practice to make requests as a third-party app to Google Drive's APIs that are authenticated with Okta.
Assumptions:
Google's services are being authenticated using Okta (User go to drive.google.com >> redirect to Okta >> authentication >> Google Drive is available).
We have a public app on Google - all works easily for non-Okta users.
What will be the best practice solution? Creating an Okta app? Exchanging access tokens in runtime? Something else?
After investigating the main role of Okta in Google Workspace, I found that OAuth 2.0 works as same as it works if Google authenticates the user.
You should trigger a simple authentication with Google, which by the end of the process, you'll receive an access token you can use.
Actually, Google uses SMAL to authenticate the user and then show a consent screen for additional scopes.
Graphic flow in here
I'm implementing Facebook and Google SSO on my website using custom workflow (redirect urls, parsing on server side etc. - no javascript) and I got to the point I have access_token, token_type and expires_in and from Google also id_token and I am confused what to do next to authenticate the user.
I read a little about authorization vs authentication, and that Facebook and Google SSO is OAuth2 which provides authorization, but not authentication, from which I understand that this way my web application is authorized to do something on behalf of the user, but I cannot be sure the user is the one who I think he is? My main source is this: OAuth Authorization vs Authentication
So, my question is, what should I do to be able to can consider the user logged in.
Thank you
In your case google (and facebook) is authenticators. This services just tells your application that user who try to login to your system is the one who he wants to appear.
Assume you differentiate users by unique email.
Your application flow should be next:
The user try to login to application using google Application do all redirection google flow stuff and gives you tokens
Application need to store this tokens for future use
Application check if this user's email presented in database
If email is presented and google returns tokens (google authenticate your user successfully) you can login user in your app
If email isn't presented in database but google authenticate user successfully you can store this user (with email) to your database - sign it up - this is new user in your system
Same flow with Facebook. Surely you can extend this logic to be more your application specific.
SSO and OAuth are different. OAuth is authorization protocol.
You are dealing Google and Facebook oauth.
OAuth
In case of oauth, after successful authentication(google/facebook) you will get access token. You can use token for maintaining the user session.
With this token user is authorized, Now you should check whether the user is present in your database, if yes then authenticate the user and redirect to your application.
SSO
SSO is user authentication service. There are way to implementing SSO like kerberos SSO, ADFS SSO.
We should never use OAuth2 access token for authentication.
For details, please refer
https://oauth.net/articles/authentication/
The OpenIDConnect, built on top of OAuth2, can be used for authentication.
Google supports OpenIDConnect
https://developers.google.com/identity/protocols/OpenIDConnect
The basic idea is Google will issue the client app (your application) a ID Token after the user has login his Google account. You can then extract user information (e.g. email, unique user id) from this ID token and proceed your login flow.
I am trying to get an access token using my dropbox username and password.
I don't want to go and generate it from there site, as mentioned in there help documents.
No, Dropbox API apps should use the OAuth app authorization flow to get an access token for the user, so that the app doesn't have to directly handle the user's credentials. You can find more information on this process here:
https://www.dropbox.com/developers/reference/oauthguide
The method of generating it on the App Console that you mentioned only works for the owner of the app, but the OAuth app authorization flow can be used for any account.
Note that while this does require manual user intervention, it generally only needs to be done once per user. Once the app has an access token for a user, it can store and re-use the token for future API calls without further manual user intervention.
Dropbox API access tokens don't expire by themselves, though they can be manually revoked by the user.
I have been successfully able to run a Custom Login Page for Google Apps until today. I used to use Client for the Google Apps Provisioning service. using which we could send email (username) and password as parameters and obtain the authentication token.
With OAuth2 (as per Google we need to upgrade to OAuth2 starting 20th April, 2015) I can't find a solution! There's no way I can send/ check if a username/ password pair is correct.
There is no way now to do what you want. You could use SAML2 and then use Google as the source IDP via OpenID but you would end seeing the Google Login page again. It seems that you are trying to hide the fact that it is a Google shop.
SAML2 auth lets you design your own login screen but requires that you use your own user database.
I am trying to use facebook API to provide a silent login feature.
Application has to login onto facebook without prompting for user name and password. The authentication can be done through the application.
I want to know whether this can be done using the facebook API. I'd also want to know whether some paid facility is available to do that.
Facebook does not support silent login. Facebook only permits authorization through its own servers and browser windows, because it does not trust third party developers to handle their passwords.
You will have to authenticate once, then get an access token, and you can keep using the access token to auto login the user, until it expires. Have a look here or search google on "how to get Facebook access token c#"
Auto Facebook OAuth from ASP.NET C#