We are developing a Java application that is supposed to show models from users store.
initially, I'm trying to allow users to login using their autodesk account, and check if they are entitled to access my app.
I couldn't find any good example to show how it is done, I just want to confirm that what I will be doing is the recommended thing or if there is better options.
First, on app start, I will show an embedded webbrowser that will open
"https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=XXX&redirect_uri=XXX&scope=XXX"
the app will get the url from our server (so not saved locally) and the call back is pointing to an api on our server. then as user login and consent, will get the code from the url, close the login dialog and continue to get the bearer token using plain rest apis to /authentication/v1/gettoken.
As I said, not 100% sure if this is approved way or not or even if it is doable or not. so thought to check before we implement it.
After that I will just use rest apis to browse and get the model.
any thoughts or complains ?
Thanks in advance
Rest assured that the workflow being proposed here is actually orthodoxical and well “approved” by our official tutorials:
https://forge.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/
http://learnforge.autodesk.io/#/oauth/3legged/
Unfortunaly the code sample for that bit is in node and we are still working on a Java equilvalent
Some of our endpoints require 3-legged oauth to access personal data - see here for an example and you can always refer to the authentication context section of each endpoint for the oauth flow required.
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
I know that CAS is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password.
So, How can i use Jasig CAS server for android mobile applications ? some guidelines would be very useful!
Actually there exist two ways of doing this, each of them has some drawbacks.
1) Expose the REST interface (here you'll find a simple JAVA client that consumes them and a iOS sample how to use it on a mobile)
The problem here is that if somebody downloads your application from the store and checks the network traffic in it (or simply decomposes it) he'll find the calls you make. With this he could create an APP that does the same as you do, and log the passwords entered by the users (like a man-in-the-middle attack)
2) Open the real website in a web view inside your APP
You'll need to create a modle login page, or a responsive one on your CAS server so that it looks nice. Obviously even here somebody could theoretically copy your APP and the Website on your CAS fake both to look like your APP grab the username and password and send it in background to your CAS to give to the user the impression that everything went right but it is much more complex.
However even here u'll need to tweak the CAS; CAS is designed to accept a login for a service to which it would redirect after successful login. Therefore in this case you'll need to add a fake service to the CAS configuration and check if the webview will redirect to it. when that happens u'll find the TGT in the CASTGC cookie.
In our first APPs we used the REST version, but then as we use our CAS for websites too we wanted to restrict the REST access only to other servers in the facility, so we came up with the second solution which seems to fit better, but overall CAS seems not to be prepared for mobile APPs
You can set up CAS in order to expose REST service, this allow to validate credentials.
Documentation: https://wiki.jasig.org/display/casum/restful+api
I'm trying to implement a Facebook login for my site and am having a world of trouble. I understand the difference between the client (JavaScript SDK) and server-side implementations, but am confused as to which is the correct approach. What I need is to store the user's info in my database (userID, email, name, etc.), so I know I'll need the data on the server side. I don't want to log in via the JS SDK and send the data to the back end because it can easily be spoofed, so here's what I tried:
I've tried using the SDK and, once the user is logged in, refreshing the page to check for the cookie that Facebook puts in the session, but it doesn't seem to be present; the only cookie that's there is the session id.
Additionally, I tried doing a server-side implementation, but this caused the Facebook log in screen to be in the main browser window instead of a popup. This is undesirable because it takes the user away from my site. To force the login workflow to be in a separate window, I've thought about popping up a child window that points to my login url that ultimately redirects to Facebook, but then I don't know when the user is done logging in (I'd need to refresh the main page to hide the facebook login button, etc.).
Any help or ideas would be greatly appreciated! I'd like to do this the right way... not the easy way!
Bottom line: use spring-social in java applications for connection to the social networks. It's cake!
There is no official Facebook API for standard Java that I am aware of. Specifically for Facebook, your java app can use the REST API here http://restfb.com/
I'm basically trying to use Java to read some data from my school's website (homework assignments, which lessons I have and when, etc.) for personal use. However, my school requires one to be logged in to access this information.
Could anyone point me in the right direction for logging in with code and accessing this information?
Thanks,
Mike.
The Apache has a API for http client simulating.
Link: http://hc.apache.org/httpcomponents-client-ga/
You need to find out how the server handles logins. What authenticationer it used: cookies, url session id, etc.
Then you can send the server a login http form submit (as you would have done manually) and save the authenticationer.
With the authenticationer you can then access the secured sites.
I would use HtmlUnit, which is a programmatic web browser.
You tell it to load the authentication page, to fill the form with your credentials and to click on the submit button. The you click on links, just as you would do it with a real browser, but programmatically, using Java instructions.
And it even supports JavaScript, if necessary.
I'm trying to write a facebook application using Java tomcat with RestFB.
the restfb documentation shows the following:
Create a Facebook Application
Request https://graph.facebook.com/oauth/authorize?client_id=MY_API_KEY& redirect_uri=http://www.facebook.com/connect/login_success.html& scope=publish_stream,offline_access,create_event
Facebook will redirect you to http://www.facebook.com/connect/login_success.html? code=MY_VERIFICATION_CODE
Request https://graph.facebook.com/oauth/access_token?client_id=MY_API_KEY& redirect_uri=http://www.facebook.com/connect/login_success.html& client_secret=MY_APP_SECRET&code=MY_VERIFICATION_CODE
Facebook will respond with access_token=MY_ACCESS_TOKEN
I think that i may be looking at the wrong instructions and this is for a facebook connect or anything else besides an actual facebook application inside apps.facebook.com/app_name.
I would really appreciate any relevant information regarding the issue. I'm simply trying to create a simple facebook application that prints the name of the user.
In general after I fetch the acces token of the user i can do the following:
FacebookClient facebookClient = new DefaultFacebookClient(MY_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());
My problem is how do i properly fetch the access token of the user? in the information i showed at the top of the post, it shows that i need to make 2 requests. the first for the code and the other for the acess token. and the request for the access token actually reveals my app secret key to the user because each time i forward him to a different page the user can easily view the get and set parameters.
so i guess i'm pretty lost here.
please help! :)
thanks
update after comments
with these instructions i need two times to redirect the user's page. first to get the code and then to get the access token. the user can see these two redirections and because of that he can easily see the facebook application key and secret key from the get parameters. how do i make sure that these steps are hidden from the user?
As stated in the comments, these are the steps you need to take to access Facebook's graph API. However, to answer your second question:
"How do I make sure that these steps
are hidden from the user?"
Only the first request should be performed by the user's browser. The purpose being that Facebook wants to make sure it is the sole authorization provide for the user's Facebook identity. Depending on the application you are writing, you would either use the redirect URL to point to the default redirect URL that you specified, or specify a custom url on your website that you will use to retrieve the token. The first approach is typically used by stand-alone applications such as mobile devices that can control how the browser handles redirects. The second approach would be used for a custom web-based application. Once you receive the access token, then you would perform the second operation within your code (using your favorite http apis) and not through the browser. The redirect on the access_token url is compared against the redirect url specified on the authentication-url. Facebook uses it for validation only and does not perform an actual redirect on the successful completion of the request.
Here are the high-level steps:
Redirect user's browser to the authentication-url specifying the appropriate redirect_uri
Retrieve verification token from redirected browser request
Perform access_token retrieval using your preferred HTTP framework (no user input required)
Parse results and retrieve access token
Initial restfb with token and use as needed
The REST API has been deprecated. You should look in to the JavaScript and Graph APIs instead - there is a good article on this here: http://ocpsoft.org/opensource/creating-a-facebook-app-setup-and-tool-installation/ (Three part series, very detailed :)