Is it possible to have Single Sign On feature for Facebook integration from other application?
As Facebook uses OAuth 2.0 it seems client and resource owners both needs to be authenticated as token have limited lifetime.
Reason I want to have this feature is for write operation resource owner (Facebook user) authentication seems good but to read or display summary of user/page stat it might be annoying for user to log on to social network.
I am using Java (Spring Social APIs).
the offline_access permission is probably you're best route. This creates a long lasting token for the user that you can use. Make sure you're not using it to do anything against the FB TOS or you'll probably get your app banned.
Related
I would like to authenticate against KeyCloak using "Direct Access Grant": https://www.keycloak.org/docs/latest/server_admin/index.html#resource-owner-password-credentials-grant-direct-access-grants
I works like a charm when keycloak manages users and passwords on its own.
But, my scenario is different:
I would like keycloak to act a Broker to some external IDP. KeyCloak has identity brokering feature - but in only works in "Authorization Code flow" - redirecting user to external IDP login form.
I have mobile app and would like ot use "direct access grant" - so that app comunicates with keycloak to authenticate user - and keycloak, as a broker, authenticates this user (using openid-connect) in external IDP
How to achieve such scenario ? I know that it is not possible out of the box - but maybe somebody could advice how write an extension to keycloak do make this scenario possible ?
Whatever it is you are trying to achieve this way, it goes directly against what OAuth and OpenID Connect were designed for. The whole idea of using access tokens is to allow some relying party (such as a mobile app) to interact with a service on behalf of the user without ever getting to see the user's credentials (like a password).
Think of it like this. Let's say you have some app on your mobile phone. It can make use of certain services by Google. In order to do so it offers you to log in with Google and grant the app access. Now, would you want to do so by putting your Google email and password directly into the app? Of course not. That could give it complete control over your Google account, other apps and sites using your Google identity, possibly services that allow you to pay through your Google wallet... It would be insane to simply hand some phone app your Google login.
So instead with OAuth2 or OpenID Connect you can use the authorization code flow or implicit flow to have the user redirected to the identity provider (Google in our example) where they will complete their login process, and then the identity provider redirects back to the app or a site with an authorization code that can be exchanged for tokens or, for the implicit flow, the tokens themselves.
Now, when it's your own app and your own identity provider (like Keycloak) which are under your control it doesn't really matter. You can use a direct grant to simply have the user input their username and password into the app because you know it's not trying to steal user credentials to maliciously use your service. They're both under your control. In that case OAuth or OIDC are a bit overkill, but you could have separate clients for direct grants (your own app) and authorization code flows (third-party apps using your service). When you want to use Keycloak identity brokering, however, an external identity provider like Google or Facebook is not going to offer a direct grant and invite apps to steal their user's credentials. So you won't be able to interact with them this way.
Depending on what you're trying to achieve you may find some use in the token exchange process. If however the idea is that you want your user to log in with their external identity provider credentials, in your app, without a redirect... Don't.
This is a real use case, unfortunately Keycloak doesn't have a direct way of solving this issue. AWS's "IAM Roles for Service Account" feature works based on token exchange with direct access grant using external IDP. I found this discussion on how to workaround this lack of support in Keycloak but not sure if it solves all the usecases - https://lists.jboss.org/pipermail/keycloak-user/2017-January/009272.html
Do you stick with Direct Access Grant as a method of user authentication in your mobile app? In my opinion, you need to use Authorization Code Flow when the IDP is a third party service as it won't provide an API to authenticate users, and even with your own (first party) IDP, it'd be better to use Authorization Code Flow as stated in OAuth 2.0 Security Best Current Practice section 2.4.
To implement Authorization Code Flow in mobile apps, you will need to use in-app browser tab to show login screen provided by the IDP. Please refer to RFC 8252: OAuth 2.0 for Mobile and Native Apps for details.
I'm a bit confused on how I can implement a user system into my application.
For a small overview, the mobile application needs to allow users to login or register, follow other users, and favorite/like items.
I've checkout out the documentation on Google Cloud Platform for implementing User Auth:
https://developers.google.com/identity/protocols/OpenIDConnect
https://cloud.google.com/appengine/docs/standard/java/users/
https://cloud.google.com/appengine/docs/standard/java/oauth/
I've used Parse in the past, and would expect the Firebase User Auth system to offer a similar experience, however due to Firebase conflicts with App Engine, that route is a no-go.
I understand there is also the User API, which can be used for things like restricting Cloud Endpoints calls to logged in users.
How can I roll a user auth system for my application? The best solution that comes to mind would be to just store user emails and passwords in Google Cloud Datastore, and check if the combination exists when a user logs in. However, I'm fairly unfamiliar with creating user systems and this seems like it would come with some sort of security issues.
you can use Firebase Authentication with Google App Engine. Your information that you have to use manual scaling instance is not correct. This was a bug and were fixed. Please see the following post for more informations
Verify Firebase Token at Google App Engine
Imagine you've to implement following user story:
"User should be able to publish message on social media(facebook/twitter/etc) using simple web form and one-click button[without need to login in fb/twitter/etc]."
In general, authentication in social networks is based on OAuth 2.0. Facebook distinguish three types of access tokens:
User access token
App access token
Page access token
I've tried first option with facebook4j, and it's working - however, we are supposed to supply token each time, we want to use it. I've found long-lived tokens, but their validity is also limited - 60 days.
Generating app access tokens is very simple, but I haven't succeed in publishing any post. From facebook docs:
App access tokens can also be used to publish content to Facebook on
behalf of a person who has granted an open graph publishing permission
to your application.
Page access tokens - I haven't tried. Is it possible to publish message on fb/twitter simultaneously, without login, of course, to predefined destination(fb wall)? If so, please provide me with any working example :)
Thanks in advance
Hey all, i want to integrate my Blackberry App with Twitter, and found that the way to do it is with OAuth. The problem I have is that i would like to do the verification of this from my server as to put less strain on the device, but I have no idea how to get the OAuth PIN from the server to be displayed on the device so the user can enter it, any ideas as to how i can do this? or an alternative ?
You can't. OAuth was designed such that only the service provider can provide authentication (so that the developers don't have to store their client passwords on their database servers and if the client changes their passwords, then it would have to be managed also on the developers side too). There is only one source of authentication and that's from the service provider (Twitter, in this case). Sharing of passwords is therefore eliminated.
OAuth doesn't work on PINs but rather using Request/Access Token. Follow the Beginners' Guide to OAuth and Twitter Developer's Auth Page to see how you can incorporate OAuth to Twitter. Just to give you an heads up, you will have to register your application to Twitter.
Update For Mobile and Desktop applications, rather go through Twitter's xAuth. Here's a documentation on how to register and use your application to use xAuth.
Twitter OAuth FAQ.
Hi I am developing an Android App where I require a user to authenticate his session before using the app. One way is to store a user name and password by asking him to register on the app and then use that to authenticate him. But i was looking to do something else, maybe use an OpenId account to authenticate or Opensoial or something like Facebook Connect. Any Suggestions and comments? thanks for you help.
First, please do not whine about not getting answers after only an hour, particularly when it's Sunday in much of the world. If you want responses in less than an hour on a weekend, hire an expensive consultant.
Hi I am developing an Android App
where I require a user to authenticate
his session before using the app.
Why?
Any Suggestions and comments?
Most Android applications do not require authentication for local use. They may require authentication for access to online content (e.g., Web service), in which case the authentication is handled by the Web service and uses technology dictated by the Web service.
Bear in mind that any online authentication process (e.g., OAuth, Facebook Connect) means your application cannot be used in offline mode.
If your goal is to use authentication as some means of helping to combat piracy, you might consider using the new LVL system that Google released this week.