I'm using Firebase in my iOS and web app to handle user authentication. I need to make sure a user is logged in before he can make any requests to my API. How would I accomplish such a thing with Firebase?
I'm thinking about using Kong - https://getkong.org - as a middleman for my API. Kong has a few options in relation to authenticating incoming requests - https://getkong.org/plugins. What would work with Firebase? JWT authentication? OAuth authentication? Key authentication?
Can you point me in the direction of a basic example? Or give me a basic overview of what I should be looking for?
I ended up authentication the users token server-side, like this:
https://gist.github.com/holgersindbaek/2cc55efd89517e21fbb52b4e95125003
Firebase can allow you to require that a user be logged in with a third party service, such as Google or Facebook, before they can take certain data operations. There's fairly comprehensive documentation from Firebase themselves: https://firebase.google.com/docs/auth/
Related
I find keycloak restful authentication api in postman,like this:
I know this api will return keycloak token if I give correct username and password. But now, I want to custom a api to let keycloak to finish authenticate like this, then I can obtain a keycloak token.
I read keycloak doc, but I think authentication spi can't achieve.
Is there a way to achieve this?
Adding a new API (rest endpoint) to Keycloak is possible, but you should not (and probably can not) use it to add such a custom authentication. Keycloak as an identity provider is OAuth/OIDC Connect compliant and the endpoints to get/exchange a token are all part of those specifications. So if you want to protect your API using a token provided by Keycloak, you should follow the steps specified on those specs. I suggest you to read a couple of OAuth/OpenID Connect tutorials on the Internet or have a look at a post like this. You should first decided what OAuth flow matches your use-case. Then you can go to the Keycloak console and configure clients for your applications. I guess probably you would need one for the caller and one for the service that is going to be called so that they could authenticate themselves to Keycloak. I don't think that for your scenario, you would need any customization on Keycloak.
Currently, I am doing research on my Internship company. The company uses the OAuth2 method to do Integration between the company web app services and the partner's API, but it's not support knowing who the user is. Also, I found an issue that the company put the refresh token and access token in session storage on web browser. As far my research, the web application can be attacked using the Hijacking method.
The other thing is some of the integration only use API key to do handshakes.
My Hypothesis :
The company needs to implement OIDC before the OAuth2
The Refresh and Access token on session storage need to be encrypted, but I don't know it is possible or not
The company who only using API key need to implement OAuth2
my question :
is the OAuth2 method the best method secure an Authentication?
it is possible to encrypt token on session storage web browser?
Thanks in advance :D
Short answer: Yes
Your Hypothesis
OIDC is based on oAuth2 its an Authentication flow and itself has tokens
StackOverflow question
OIDC WebSite
OAuth2 is based entirely on HTTP requests, you can get the tokens and encrypt them with whatever encryption algorithms you want.
OAuth2 is not mandatory for APIs, if you already secure your APIs with keys (I don't know the security level and how these keys are created) you can only use them.
Question's answers
OAuth2 is one of the authorization and authentication methods, there are many, and it's not a "One size fits all" solution.
Of course! the token is a base64 string, you can use a Crypto library
Final considerations
I suggest you read about OAuth2 and try some flows, below are some resources where you can play and learn OAuth2
OAuth2 Docs
OAuth2 Playground
I'm looking for the best practice to make requests as a third-party app to Google Drive's APIs that are authenticated with Okta.
Assumptions:
Google's services are being authenticated using Okta (User go to drive.google.com >> redirect to Okta >> authentication >> Google Drive is available).
We have a public app on Google - all works easily for non-Okta users.
What will be the best practice solution? Creating an Okta app? Exchanging access tokens in runtime? Something else?
After investigating the main role of Okta in Google Workspace, I found that OAuth 2.0 works as same as it works if Google authenticates the user.
You should trigger a simple authentication with Google, which by the end of the process, you'll receive an access token you can use.
Actually, Google uses SMAL to authenticate the user and then show a consent screen for additional scopes.
Graphic flow in here
I’d like to use the Google Cloud App Engine to serve a SPA and a REST API, both secured behind an authentication wall.
Is there any recommended way of doing this?
So far, I’ve found tutorials on how to secure an API, but not an SPA. Both ends are served from different projects, but I’d like to have a unique authentication step.
Typical flow would be:
Before serving the SPA source code, ask for authentication
Once authenticated, serve the SPA and allow the SPA to access the API resources
Thank you!
So far I’ve reviewed the documentation, it doesn't seem like there is any specific recommended way to authenticate an SPA within Google Cloud.
However, I think a pretty secure way would be to authenticate your application using the Toolkit Identity API of Google. The procedure would be to call this API from App Engine as the first necessary requirement.
This method works with Oauth2 access tokens. I think you could request for authentication credentials to your users before launching your application and granting access to the other resources/APIs.
I have a question about using a 3rd-party API for authentication.
I would like to use firebase for building an application.
I would like to use data from a 3rd party like strava.
What is the best way to Inegrate the Strava-api with Firebase.
How can I implement Strava-authentication in Firebase?
Strava API OAuth2 protocol for authentication and the use of a Firebase product like FireBase Authentication are not related..
OAuth2 authentication for Strava is for authenticating against the API EndPoint. This will then get user consent and offers a secure way for accessing their data.. FireBase authentication is a way to authenticate users into your app and is a gateway to products like FireBase Storage or RealTime DataBase. Both can be used in conjunction but are not related in code..