I would like to authenticate a user from both a mobile app and a website, using a separate oAuth2 server (let say Identityserver4 and call it AUTHSERVER).
Both mobile app and the website have their own "Connect with Facebook" button, which uses the Facebook SDK. After a succesful Facebook login, the app/website get a Facebook ticket.
What is the standard flow to use this ticket with the existing oAuth2 server ?
I found this article How to sign in user on .NET Core server after authentication on Mobile App which does that manually using a custom API action.
I'm using dot.net core.
== EDIT ==
Finally will not use IdentityServer4, but a custom solution.
== EDIT2 ==
Found manual solution here
https://developers.google.com/identity/sign-in/web/backend-auth
Related
I have integrated the social login feature in my web app. When someone logs in using Google(OAuth2), it creates the user profile in my DB(basically register the user automatically) and provides the login token for my app to the end-user. I want to trigger the same flow using my mobile application built for Android and iOS using Flutter. Do I have to trigger the flow using the web browser, if that's the case then how can I get the login token back in my app??
I have a .Net Core Auth API with OpenIddict and a .Net Core Api 'client'. Now I'm building an Ionic 3 native app and I want to implement Facebook login where people can login via the native Facebook app. So far I only found examples where the Facebook web login is used.
So far I have:
a working .Net Core Auth API that returns Jwt tokens
a working .Net Core Client API that accepts these JWT tokens
a working Ionic 3 app that can login with username + password, get a token and use it.
a working Ionic 3 app with a Facebook login that logs in via the native Facebook app (via Cordova plugin)
It feels like the Code flow is the correct way to go, but all examples redirects to the Facebook login web page so the user probably still has to log in on Facebook while his native Facebook app is already logged in.
My question is: after a user is logged in via Facebook in my Ionic app, how can I get a JWT Token from the OpenIddict Auth Api so I can use my client API? Or should I change the flow somehow while the native Facebook app is used to log in?
update: In Ionic I do get Facebook UserId which is equal to the AspNetUserLogins.ProviderKey. Is that secure enough to login to your Api?
If using the code flow or opening the system browser to complete the authentication process interactively (including the FB authentication step) is definitely not an option for you, consider using a custom grant to allow your mobile app to redeem a FB access token (or authorization code) with an access token issued by OpenIddict.
For more information, see this other SO thread: Rich Twitter Digits/Google Auth with OpenIdDictServer
I'm creating a react native app and adding instagram authentication to it. I want users to be able to "add" their instagram accounts to their main user account, so I have a "connect your instagram" button.
I have this working on my web app fine.. The flow is as follows:
User clicks 'connect instagram' button and a new window opens and is directed to https://instagram.com/oauth/authorize/?client_id=xxxx blah blah
User authenticates and instagram redirects to my REDIRECT_URI with a CODE parameter
My API server takes the CODE parameter and sends a post request to instagram with all the credentials.
Instagram verifies this information and gives me the users ACCESS_TOKEN
Can someone tell me how this is supposed to work in an app?
What's my REDIRECT_URI supposed to be? The server api?
Is it the same flow as my web app? If so, how do I get the users back to my app after the window is closed. How does my app know that the user now has an access token?
With a native application the flow is similar to what you described for the web application.
The Auth0 Mobile + API architecture scenario describes what should happen when you need to authenticate a user for a mobile application and then later access an API on behalf of that user.
Summary
you will continue to use the authorization code grant;
if the authorization server in question supports it you should use the PKCE (Proof Key for Code Exchange by OAuth Public Clients) for added security;
you will need to select how you will receive the code in the native application; you can use a custom scheme com.myinstaapp:, a local web server with the http: scheme or a few other options; (see this answer on OAuth redirect URI for native application for other alternatives)
you exchange the code obtained by the native application with an access token in a similar way to what you would do for a web application; (except for the use of client secrets which are in general not useful for native applications as they would be easily leaked)
Additional Information
The flow described in the Auth0 scenario assumes that authentication will happen through an OpenID Connect compliant flow and in addition you'll get the access token as specified by OAuth2. I'm not overly familiar with Instagram so if they only support OAuth2 that part is of course not applicable.
Can we authenticate to facebook Via API not through User Interface which prompts for credentials?
Since facebook is turning off/removing the Offline_Access permission, Is there any way I can login using App? I am planning to use Facebook C# SDK v 6.0.
In otherwords, how to authenticate as an app by using Facebook C# SDK V 6.
I found this documentation on facebook http://developers.facebook.com/docs/authentication/applications/
I want to use app authentication and then post to pages which has already granted "manage_pages,publish_Stream" permissions to the app by using graph api explorer.
I am creating an android app that has access to an online Database. The initial app activity screen is a login form where the users credential are validated. If the credentials are valid then the app continues to the next activity. I've looked at OPENID and a few others methods. How would I implement OPENID or a another form of user authentication for my app. I would ultimately like to have a third party take care of user authentication and credential storage.
Have you tried looking at OAuth?
http://oauth.net/
OAuth Signpost is an android implementation of OAuth
http://code.google.com/p/oauth-signpost/
Server side, you need to provide an OAuth ready API, if your server is PHP, take a look at
http://code.google.com/p/oauth-php/