Has anyone tried to adapt parse server to use the auth0 express-jwt authentication mechanism?
I.e. I'd like my mobile app users to authenticate via auth0, then make requests to my self-hosted parse server with the http header including the Bearer jwt token provided by auth0. My parse server with express-jwt would validate the token, extract the user_id and then I can use that in the parse server per usual as a key for that user.
Am I thinking about this the right way? Anyone tried this already? Perhaps it's trivial to integrate auth0 into express and thus parse server will "just work"?
Related
I'm trying to figure out the proper way of handling Facebook SSO, with a mobile client and an ExpressJS server using PassportJS.
Right now, I have a mobile client that's able to authenticate itself against Facebook SSO.
What's the proper way of handling authentication against my own Express server?
I'll try to explain myself here: Once the client gets the auth token from FB's APIs, he'll probably call my Express server to register the user, e.g. /api/user/register?fb_auth_token=.....
Do I then have to implement my own OAuth token logic (using Passport), so I can supply the client with some token so he can prove who he is for subsequent calls to my APIs?
Essentially give him a unique token for his user account in my DB?
Or do I simply save FB's auth token in my DB, and use that token for authentication in subsequent calls?
I know this is a bit more high level of a question than usual for this site, I'm just trying to figure out the main flow of using such SSO methods.
I am setting up a next.js app and was planning on using next-auth's JWT strategy for auth. I understand how the workflow works to protect your next.js routes and api endpoints within your API folder, but I have a separate express.js server that handles an API to my database that this app will be using.
My question is, is there some way to send the JWT token to my express server along with any api calls, and hold the secret on that server as well to authenticate the session and give the user access to the api routes?
My thought was to do this either in a next-auth callback or just send the jwt token along when needed. I was just having trouble finding a way to view the full jwt server side. All of the server-side hooks next-auth provide parse out the data from the JWT.
Thanks for any insight.
Yes you can achieve this using the CredentialsProvider what you have to do is call your login endpoint to recive your JWT tokens once the user logged in and store them in next-auth session then you can access it using useSession() from anywhere to get the token you need and send it along with any REQUEST you want to send to your backend server.
I have a NextJS web app and I'm adding firebase authentication to it.
I want to make secure GET calls to my server, and was wondering what is the token I should use with the server and where to set it?
Should I use the firebase user's AccessToken?
And should I send it in the URL query parameter (or header)? Aren't both alternatives exposed to whomever sees the URL and they can impersonate the user?
Thank you in advance for the help.
Are you talking about your API keys? if you are they are supposed to be visible, you need to write Security Rules which are pretty simple to use.
Read more here: Learn about using and managing API keys for Firebase
If you want your own server-side code to use the caller's Firebase Authentication credentials to ensure they are authorized for the operation they are trying to perform, you should:
Pass the users ID token from the client to your server over a secure connection. This is typically done in the Authorization header of the HTTP request.
On the server decode the ID token, and then check your own authorization logic to see if the call is allowed.
The entire process is quite well described in the Firebase documentation on verifying ID tokens, so I recommend checking that out too.
I need to retrieve some AssetBundles that are stored on a remote server. This server requires authentication.
I have been looking into the AssetBundleManager, which seems an easy way to do that. However, I can't find any way to provide the authentication credentials to the AssetBundleManager.
So my question is this. Can I access AssetBundles in a server that requires authentication with the AssetBundleManager or do I have to go another way?
In case the second is true. Is using UnityWebRequest the only way to pass the authentication credentials in the header of the request?
EDIT: As requested in the comments
I am using C#.
The authentication is token authentication (JWT) in the form of
Autorization header: bearer token
I was wondering, how can I authenticate requests to FireBase?
I have created new firebase account, marked Enable Email & Password Authentication, created a user with e-mail/password and using { ".read": "auth != null" } in security rules for read access.
Using PostMan plugin for chrome, selected basic auth, entered e-mail/password, GET to https://crackling-fire-NNNN.firebaseio.com/key.json but I always get { "error": "Permission denied" }. It is working if I remove security rules.
HTTPS Basic Auth is not allowed in FireBase?
Can anyone provide some simples examples in pure HTTP how to authenticate GET/PUT/DELETE requests?
Thanks!
I am posting this answer only to help other users to understand how FireBase works.
What I needed was to create an application that allows user (with password) to access his data stored on some server using REST. I thought that I could use FireBase to do that.
But. I have investigated a little bit and find out that FireBase uses JSON Web Tokens (JWT) to authenticate users. Token generation should be done on (other) server side, because it uses FireBase secret. So, apparently you can't send username&password to FireBase. FireBase SDK to be used by another server, and not client. Please feel free to correct me if I am wrong.
Firebase authentication when using the REST API requires an auth token to be passed.
See:
https://www.firebase.com/docs/rest/api/#section-query-parameters
https://www.firebase.com/docs/rest/guide/user-auth.html#section-rest-server-authentication
https://www.firebase.com/docs/rest/guide/user-auth.html
If I understand you question, you would like to use firebase purely with REST services, including authentication. For what I understand, if you want to do that you will need a server that generates a token that then you can append to the querystring. So if what you want is a serverless app that uses REST services, including logging in, the answer is you cannot. Correct me If I'm wrong