I currently use Devise 2.1 + Rails 3.2.x to authenticate users. I'm also going to be adding OmniAuth-Facebook and Twitter support soon.
I wanted to use this existing infrastructure with Backbone.js. Can you let me know if this is the correct workflow from authentication perspective?
1. User login via Devise (or OmniAuth)
2. Use Devise's Token Authenticatable to return a token?
3. Backbone to access the token somehow and append that as part of API call? I don't need the API to create user, that's being handled by Devise.
Questions:
1. Is this how you'd implement it?
2. Any suggestions/code samples on #2 and #3?
3. How would you handle authorization with this? I don't think CanCan will work.
P.S. I read through many articles, including this:
http://jessewolgamott.com/blog/2012/01/19/the-one-with-a-json-api-login-using-devise/.
They seem to be focused on authentication using the API, rather than securing the API resources after authentication is completed.
I actually got this to work even a little easier by:
User logs in via Devise/OmniAuth, no authentication token needs to be created
If I use the same action that is Devise enabled to serve up the REST API, it'll automatically use the session info to authenticate, so no additional token capture/resend is needed.
P.S. RABL is great for creating APIs in Rails.
The workflow is correct.
I found bits and pieces on the interwebs, maybe I can blog post about it later
Correct. You can override Backbone.sync, or if you're using jQuery you can configure jQuery globally. Example here
Authorization would be handled the same on the server side, unless you want the client to know about its roles. On the server side, you'll find the current user via its token and authorize accordingly. If you do need to know what roles a user has, you can send the roles when the user authenticates.
We are trying to implement Auth0 in our next+fastify based application. The login page is custom and we want to integrate the login using the embedded login from the fastify server.
I am new to OAuth and Auth0, and I have a few doubts around it:
How do we verify the token? Do we verify the JWT and maintain the token on our fastify server, or should we always validate the token on the Auth0 endpoint? I tried calling the userinfo endpoint, which resulted in rate limiting. So, I understand that we should just verify the JWT on the server instead of sending it to the Auth0 server. Also, we send and maintain the JWT in cookies to always validate the client. Is this understanding correct?
Is embedded login safe enough to be used in production? Are there any risks associated with it?
Is the approach correct? Is there any alternative way to implement the login flow? We also need to integrate password reset and the rest of the functionality. I have read the SDK docs and it seems to have support for all of it.
Thanks a lot in advance
There are several options to validate a token issued by Auth0; they recommend taking advantage of middleware to verify the token. Multiple frameworks have their own middleware to check and validate JWTs. It's as easy as integrating the middleware with your application and performing validation when you need it. Check this:
https://auth0.com/docs/tokens/json-web-tokens/validate-json-web-tokens
In my opinion, it is always better to go with the Universal Login option of Auth0, since embedded login sometimes runs into the cross-origin authentication issue. Remember, when a user tries to log into your application using Auth0, it redirects the user to another domain that differs from the one serving your application. In my experience, using Universal Login provides you with more information about the login process of your users, and that makes the process of debugging errors and auth processes easier. You can read more about login with Auth0 here:
https://auth0.com/docs/login/embedded-login
https://auth0.com/docs/login/embedded-login/cross-origin-authentication
Yep, you can integrate the password reset process, which is almost entirely handled by Auth0 itself. As I said earlier, we use Universal Login for our applications since it provides more control over the authentication flow. That doesn't mean you can't use Embedded Login; it is a very good option too, but it seems more focused on UX than on controlling the auth flow.
Check this link if you still have doubts about the best approach: https://auth0.com/docs/universal-login/universal-vs-embedded-login
I am pretty new to Laravel + Guzzle + JWT.
Well, I came across a project which requires consuming an API that is already running.
I could get all the data I need from the API using Guzzle, such as the JWT itself, user details, etc.
My worry is, how should I store this token to make future calls, and how can I give permission to users to access restricted pages?
I think Laravel Auth can be used, but how?
Plus, the API accepts Facebook, Twitter and email logins. Is there a way to combine everything using Laravel Auth?
Could someone give an overview or provide a link? I am a bit lost, actually.
Here is the complete step-by-step article that I used to authenticate with JWT in Laravel as the backend and AngularJS as the frontend.
https://scotch.io/tutorials/token-based-authentication-for-angularjs-and-laravel-apps
http://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs
Thanks to Ryan and Tino
I'm looking over the auth docs
https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization
Basically what I would LOOOVE to do is simplify our service auth. Basically say "If this is being run in the context of an authenticated CMS user (in the API) use that person, if user is ANON, check for a JWT in the header, and run in the context of that user"
So I assume this would all be some sort of custom attribute? (I mean ideally I'd like an attribute or something). Right now we just have a method that lives at the top of every call to do this validation... would love to abstract it all out if possible somehow.
Anyone have any suggestions?
Steve
It's not included in the framework itself however there are a couple of external projects that enable token-based authentication with ServiceStack:
StatelessAuthentication
Using IdentityServer 4 with ServiceStack and Angular
Auth0 ServiceStack Integration
ServiceStack JWT Token validation for Auth0
I have built my own REST API with Symfony2. To query this API, users have to authenticate themselves with the OAuth protocol (three-legged flow).
Now, I'm going to develop the front office based on an AngularJS app and I want to use my own REST API from AngularJS. What's the best way to log users in to my API from the front office and fetch a token?
I don't want users to have to authorize my own app.
Is the three-legged flow really suited to this case? Maybe it is better to support xauth authentication with a username/password login?
Ok, after some research, it seems that the easiest way to manage login/authentication between a JS client and a Symfony2 backend is to use the password grant type (thanks #ricoux), which allows a user to get a token with a username/password, like this:
http://host.com/oauth/v2/token?grant_type=password&username=Bat&password=test&client_id=clientidkey&client_secret=clientsecretkey
With FOSOAuthServerBundle, you need to set the allowed grant types when you create your client:
$clientManager = $this->container->get('fos_oauth_server.client_manager.default');
$client = $clientManager->createClient();
$client->setName('ApiTest');
$client->setRedirectUris(array('URL' => 'http://callbackurl.com'));
// 'password' must be in this list, otherwise the token endpoint refuses the password grant for this client
$client->setAllowedGrantTypes(array('token', 'authorization_code', 'password'));
// persist the new client so its client_id / client_secret can be used at the token endpoint
$clientManager->updateClient($client);
I am trying to do exactly the same thing: a REST API with Symfony2 and a JavaScript client with AngularJS...
As Nisam said, FOSOAuthServerBundle is the best bundle to integrate an OAuth2 authorization server in your Symfony2 app.
In your case, if you don't want users to have to authorise your own app, maybe a client with the password grant type is the solution. In theory the password grant type can be used to exchange a username and password for an access token directly, but I never experimented with it with FOSUserBundle, and I found no example in the docs.
When you're ready to use third-party bundles, FOSOAuthServerBundle is one of the best solutions.
I need to create "tokens" for users to send when they make calls to my API. My question is, what should I do to go about generating these tokens?
I should mention that I'm currently using modules such as everyauth and passport for authentication middleware, in case they include anything to help with this.
The typical way to issue tokens is using OAuth 2.0. OAuth2orize is a sibling project of Passport that provides a toolkit for implementing OAuth 2.0 authorization servers.
Although, based on your comment "They would be per session and they would not be given to third parties", I'm not sure what your use case is. How do you define a "session" outside of a browser context? And if this is in-browser, you're best off using the built-in session support provided by Express.