I am using PhoneGap to create a mobile app with HTML, CSS, and JS.
I need to implement some sort of authentication to connect to my API - and I am thinking that OAuth 1 or OAuth 2 should do the trick nicely.
However, with OAuth 1, I would need to store the consumer secret in my JS which would expose it to anybody with a brain.
With OAuth 2, I can get around exposing a secret by not using one altogether, and simply providing a redirect URL that was pre-registered with the API provider. This guarantees that the user is only ever sent back to the correct URL (they can't be hijacked).
However, with PhoneGap, I can't really provide a redirect url, because the PhoneGap url would be something like file://www/index.html...
How is it possible to use Oauth 1 or OAuth 2 with a mobile HTML5 app?
Libby has a good tutorial on how to do OAuth 1 with PhoneGap at:
http://www.mobiledevelopersolutions.com/home/start/twominutetutorials/tmt5p1
as for your consumer secret you could store it in the native code then use a Plugin to retrieve it from the native side from JavaScript. There is already one available for iOS called Keychain.
For people new to this topic, the Intel Developer Zone also has a tutorial on using OAuth2 with PhoneGap/Cordova. To avoid the use of the client secret within the application you would use the OAuth2 Implicit Flow. From the link above
Here are the steps involved in doing a Oauth2 Implicit Grant flow in a
Cordova* HTML5 app:
Open Oauth2 authorization page in Cordova InAppBrowser
Get the access_token from the redirected URL hash fragment using the loadstart event listener
Related
I am building a speech to text application for browser. Right now I am recording and sending the voice from frontend to backend, from backend calling the google api for converstion. Now the problem is processing time is high.
what I need is to call the google api from frontend itself. problem with this step is api key is getting exposed to user and leads to security issue.
So can I generate a session based auth token for speech to text api, which will be valid for client for some duration of time. any tutorial link will also do.
Just about everything Google creates supports OAuth 2.0. Text to Speech certainly does.
Authenticating is easy. Here is a link on how to use OAuth 2.0 with Google APIs.
Using OAuth 2.0 to Access Google APIs
Here is link on how to integrate Google Sign-In to your Web App:
Add Google Sign-In to Your Web App
And a link for adding OAuth 2 to your backend server in PHP:
Using OAuth 2.0 for Web Server Applications
I would use Google Accounts to start. Google Sign-In makes this easy to implement for the client. Either implement OAuth 2.0 on the backend (recommended) or on the client.
Once you complete the OAuth 2 flow, you will have a token that consists of an Access Token, Refresh Token and Client ID Token. You will use the Access Token to authorize API calls. You will use the Refresh Token to refresh the Access Token as it expires every 60 minutes. The Client ID Token will provide you with their identity information.
I am writing a project that lets users implement login integration for multiple web services (e.g. Google, Facebook etc.) to his/her website. I see Facebook allows us to manually build a login flow. Using this I can code everything myself and also let users use the script just by configuring it a bit (like setting app_secret and app_id). I am looking for a similar thing in Google. I don't wanna use the SDK because if I do that for multiple OAuth providers, then I think I'll mess things a lot. I also want to keep the client (JavaScript) side code at a minimum. So, can I build a manual login flow for Google, as I can for Facebook?
This information is given on the following page: https://developers.google.com/identity/protocols/OAuth2UserAgent (select the OAUTH 2.0 ENDPOINTS tabs)
Some excerpts:
The OAuth endpoint is https://accounts.google.com/o/oauth2/v2/auth
Token is returned like this: https://oauth2.example.com/callback#access_token=4/P7q7W91&token_type=Bearer&expires_in=3600
You can validate the token by using the tokeninfo endpoint: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=<access_token>
I'm adding a login page for my mobile app, so that it integrates with Bluemix Single Sign On. I'm at the step to configure the Node.js app following the Bluemix Doc at Configuring a Node.js app. The example here about callback is for a web app. In the mobile app context, I don't have a redirect URL. So this code for example:
app.get('/auth/sso/callback',function(req,res,next) {...}
On the mobile client side, do I do a GET to /login?
I already have a login implemented using Mobile Client Access service. Is it something I can build up upon? For example,
app.post('/apps/:tenantId/:realmName/handleChallengeAnswer', function(req, res {...}
Can I call the Single Sign On API in here?
Thanks a lot for your help!
Jen
Is your mobile application based on nodejs? If so and you use a webview on your mobile application you could leave to the webview component to manage your authentication flow like working with a browser.
You instead have to manage authentication if your application is integrating with Rest APIs, in this case you could use SSO but your application has to manage cookies like a browser.
Bluemix Single Sign On so far has only been tested on web applications. I have no knowledge on whether Single Sign On would work smoothly on mobile applications.
Also, the Bluemix Single Sign On follows the OIDC protocol. So the redirect URL is a mandatory parameter when using the service, unfortunately.
Regarding building upon your login implementation, to my knowledge, it is not possible to include your implemented login in place of what is provided with the Single Sign On service. But you can choose to add the login implementation in addition to the login needed when using Single Sign On.
Hope that addresses your questions.
I am working on SPA and HTML5 Mobile application that's consume my server application via rest api. Server app connects to Google Adwords Api and then sending data to client app. My question is: is it possible to use google oauth login as login for my server api. And how?
Do I need to use FOSOAuthServerBundle?
Best,
Antonio
This is the flow for this use case: https://developers.google.com/identity/sign-in/web/server-side-flow
And after this you can use google token as your api token, or build your own oauth and use your own token.
Also it is possible to use FOSOAuthServerBundle with custom grant
I'm writing an packaged app using javascript for google chrome web store and I need to identify the users e-mail. using Identity I've retrieved OAuth 2.0 token (by chrome.identity.getAuthToken() command). What next?
I've found this documentation but i'm afraid it can be used only for hosted chrome apps.
The above documentation can be used also in cases where the application only has a client-side presence. You can extract the email_address from the id_token (https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo); that would be most efficient. Or you can use the access_token to retrieve the same data from the user_info endpoint, which requires another AJAX request (https://developers.google.com/accounts/docs/OAuth2Login#obtaininguserprofileinformation).
If you manage to configure the G+ Sign-In widget for your extension you'll find out that it simplifies these tasks considerably. Note that G+ Sign-In has been recently updated and works for all Google account users (including Google Apps users) whether or not they have signed-up for the Google+ service. See https://developers.google.com/+/ for more information.