I m building a website and a mobile application where both of them uses common resources from my server using APIs. Is it possible to use Social Login like Facebook / Twitter / Gmail to authenticate users to use my application? This will benefit me by not creating my own security layer and rely entirely on their security mechanism to secure my APIs.
OAuth documentation states that Users grant access to their Protected Resources without sharing their credentials with the Consumer.
In my case, by giving Login via Facebook, I want these Facebook Users to login to my application and use the Protected Resources which are exposed by my APIs.
Let me know if I am on the right track or not ? How do I achieve this.
Of course you can use Facebook (or Google+) for a login mechanism on your website.
Facebook offers a button for this: https://developers.facebook.com/docs/reference/plugins/login/
Here´s more information about the Facebook login: https://developers.facebook.com/docs/concepts/login/
If you don´t want to use the Login Social Plugin, the best way is to use the JavaScript SDK: https://developers.facebook.com/docs/howtos/login/getting-started/
Google+ offers a login button too: https://developers.google.com/+/features/sign-in
I did not use the Google+ solution yet, but with the Facebook login it´s quite easy. You can just store the Facebook ID for registration and stuff.
Related
I'm looking for the best practice to make requests as a third-party app to Google Drive's APIs that are authenticated with Okta.
Assumptions:
Google's services are being authenticated using Okta (User go to drive.google.com >> redirect to Okta >> authentication >> Google Drive is available).
We have a public app on Google - all works easily for non-Okta users.
What will be the best practice solution? Creating an Okta app? Exchanging access tokens in runtime? Something else?
After investigating the main role of Okta in Google Workspace, I found that OAuth 2.0 works as same as it works if Google authenticates the user.
You should trigger a simple authentication with Google, which by the end of the process, you'll receive an access token you can use.
Actually, Google uses SMAL to authenticate the user and then show a consent screen for additional scopes.
Graphic flow in here
I'am working on an project where we have a Vue.js Frontend and a Microservices architecture for the backend hosted in Azure Service Fabric.
We wan't to add an IdentityService for authentication using IdentityServer4.
What we want to achieve is a login that is basically the same as stackoverflow provides:
You can login on the website with an embedded login or use external providers like Google and Facebook.
My question only concerns the embedded login.
I have read articles that state using Authorization Code Grant with PKCE is the best way in my scenario. Moreover they say, that Ressource Owner Password Grant should not be used.
But as far as I know, with this flow it is not possible to embed the login to our own website. It will always be a redirect to the IdentityService.
How do Stackoverflow achieve this? Do they use Resource Owner Passwort Grant?
Thank you!
First of all, I welcome you to check how Stackoverflow (SO) handle their user registration process.
SO allows you three options. Login through Google, Facebook or register directly to SO. When someone use Google Or Facebook, SO uses Authorization code flow. User is redirected to respective login page. Once you login there, SO receive user profile details from those identity providers, which allows SO to complete the profile and onboard the user.
But when someone use built in register page, it is simply good old registration page. There is no OAuth involved there. SO obtain end user credentials, complete the profile and save them at their backend.
In your scenario also, you can omit OAuth and use a built in registration or login page. Only concern is the maintenance burden of end user credentials.
I have created an API that uses the FOSUserBundle and the FOSOAuthServerBundle for user accounts and Authorization.
Is it possible to add, login via facebook or google, functionality using the FOSOAuthServerBundle?
I have seen people mentioning the HWIOAuthBundle as a way to integrate Facebook and other social logins. I have not seen an example of integrating the two bundles (FOSOAuthServer and HWIOAuth) so that users can create accounts on the system and authenticate (FOS) while at the same time being able to create accounts / login via FB (HWIO).
I found this post about using custom grant types with FOSOAuthBundle:
http://blog.tankist.de/blog/2013/08/20/oauth2-explained-part-4-implementing-custom-grant-type-symfony2-fosoauthserverbundle/
The idea is to create a service that takes the facebook token and validates it with facebook. If successful an OAuth Token should be returned.
The HWIOBundle is not necessary
I am using Twitter API for retrieving user information for specific name searches. The method I am using is users/search. You can find details of this method here: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-users-search.
Right now I am trying to use OAuth in my application as Twitter announced that they will no longer support basic authentication. The issue with using QAuth is that I don't require the users to connect to their Twitter account and so I can not generate user token. My application is using Twitter just for showing information about people, it's not posting/updating anything. I will really appreciate if anyone has any suggestions on using OAuth for Twitter without using Twitter user's login information.
I would suggest that you create an account for your application and use that account to perform user search if your application is a webapp.
If your application is an desktop app, I think it's understandable to user that they need to authorize your application to do the user search.
Should I use oAuth, for example LinkedIn or Twitter, as my signin mechanism for my app? It seems that most apps just use oAuth to connect other services to it, but they make you set up your own user/password after you use oAuth (including StackOverflow), and I'm not really sure why this is. Would love some insight here. Thank you.
Why not use OpenId, to allow people to sign into your application, without having to type any specific login/password ?
Quoting the corresponding wikipedia entry :
OpenID is an open, decentralized
standard for authenticating users
which can be used for access control,
allowing users to log on to different
services with the same digital
identity where these services trust
the authentication body. OpenID
replaces the common log on process
that uses a login-name and a password,
...
BTW, that's exactly how one logs-in on stackoverflow ;-)
OAuth purpose is not authenticating your users with your site, is letting your users allow you (the oauth consumer) access to their protected resources in other sites (oauth providers) like LinkedIn, Twitter, Google APIs etc.
For authentication, you should use OpenId as others have pointed
Twitter provides a Sign in with Twitter flow that is OAuth but provides a faster redirect if it is an existing user of your service and they are already authenticated with Twitter.
http://apiwiki.twitter.com/Sign-in-with-Twitter
If you are building a Twitter centric application this makes a lot of since to use and you won't have to implement an entire alternate authentication method like OpenID.
Be careful if you let users authenticate with both Twitter and LinkedIn as users will inadvertently create two accounts and need them to be merged.
Facebook and Twitter both have the "Login with Facebook/Twitter" APIs to actually allow users to login without having to create an account for your website. Both of them will return you a valid session that may (or may not) expire. So you actually wouldn't have to ask users to decide on a username/password, as you can fetch both from the APIs (you can not get the users email address when using Twitter though)
So why add those functions to your website?
Users are in general more likely to hit the "Login with ..." button than going through the whole mail address authorization process and entering their name, etc...
Linkedin only has OAuth for usage to its API. It will also depend on what type of language you are writing your webapp in, they should have premade wrapper libraries you could tap on to.