Is there any way to make an authentication system in laravel for both android and Web apps.
Since android apps doesn't have sessions it is hard for me to figure another way to make an authentication with laravel
Make login API for that .APIs use access tokens to authenticate users and they do not have session .
You can use laravel passport for that which help you to maintain Oauth2 server for your application. So it is basically like sending login request via api and get the access token as a callback which will be used through out your android and web app.
see below
https://laravel.com/docs/5.5/passport
https://itsolutionstuff.com/post/laravel-5-how-to-create-api-authentication-using-passport-example.html
Related
I have a application consist:
Web app.
Oauth2 server.
Resource server.
Normally, web app send request to Oauth2 server to get access_token then use it to call api from Resource server. This is grant_type: password flow.
As grant_type: authorization_code, web app send redirect to SSO server. If login successfuly, SSO server will redirect to web app with code. Web app will use this code to get access_token from SSO server. In here, i think SSO server and Oauth2 server is one and i config like that.
My issue is i want to custom UI of SSO formLogin(), using angular. So, i create second web app to do it. I think this web app can fetch authorization code from SSO server then check and redirect this code to primary web app then use code to fetch access_token like grant_type: password.
Is these possiable?
If SSO server additional social login like Google, Facebook.... My SSO server can do that?
Maybe my question is not exactly. So, give me your idea or please show to me what i wrong. Thanks all.
I google search many time about how to authenticate Restful API and Mobile App.
I found a lot answers but I feel not better, or perhaps because I am new in API.
My Willing:
Mobile App request or post data to Restful Server
Restful Server Authenticate Mobile App by Username And Password Login
I want to secure on Restful Server And avoid hacker steal password and request data.
After searching by google they told:
use Https with SSL
authenticate username or password then generate new token and signature
use token and signature to authenticate Mobile App.
Other way use Oauth 2.0. After reading Oauth 2.0 document,
I still think its structure still similar token and signature above.
I think if like that, mobile app can store or use token and signature,
or hacker can debug or see process log in by proxy request.
I feel still not secure
because we still use token and signature on requesting.
I just start my new knowledge in API. If I misunderstand,
I am sorry. I use PHP coding.
I would recommend jBoss's Keycloak (http://www.keycloak.org/). From the first page:
Add authentication to applications and secure services with minimum
fuss. No need to deal with storing users or authenticating users. It's
all available out of the box.
You'll even get advanced features such as User Federation, Identity
Brokering and Social Login.
For more details go to about and documentation, and don't forget to
try Keycloak. It's easy by design!
I've successfully implemented user login in my android app with Google Identity Toolkit. I've also created an App Engine Endpoint to communicate from the Android app. Now I want to secure the endpoints with auth.
I know I can create a custom Authenticator for endpoint and do any kind of verification of the data in request header in there and get the job done.
But I don't know how to do the Gitkit verification there.
Basically
What data should I pass to reach endpoint calls from Android app?(token ID?)
What should I do in the custom Authenticator of endpoint to ensure the requests are valid?
I saw people suggesting to use Session or cookies. Will these work if I'm using the endpoint from Android app? If yes please give me some reference on how it can be done.
Gitkit tokens are JWT format, so you validate them on server-side just as any other JWT token.
See example documentation on how to validate JWT here: https://developers.google.com/identity/sign-in/web/backend-auth It's the same format.
I have also my own project to integrate it with Jersey server:
https://github.com/dlazerka/gae-jersey-oauth2. It uses recommended com.google.api-client library to actually verify the token.
I'm building a backend for my Android app using GAE, and I'd like to authenticate users with their Google accounts, sent from the Android app.
Before OAuth2, you were able to use a Cookie retrieved from the _ah/login endpoint to authenticate users into your web app, but that method is deprecated and I'd like to be able to use the updated OAuth2 method.
In my Android app I've been able to generate a JSON Web Token using the following line:
String jwt = GoogleAuthUtil.getToken(FamiliarActivity.this, Plus.AccountApi.getAccountName(mGoogleApiClient), "audience:server:client_id:1234567.apps.googleusercontent.com");
or an OAuth token:
String oauth2 = GoogleAuthUtil.getToken(FamiliarActivity.this, Plus.AccountApi.getAccountName(mGoogleApiClient), "oauth2:server:client_id:1234567.apps.googleusercontent.com:api_scope:https://www.googleapis.com/auth/plus.login");
Either, manually, I can pass to my API and validate against Google. But I haven't been able to figure out a way to use a token like this to trigger authentication in GAE like the Cookie used to. The documentation seems to indicate passing it as a header: Authorization: Bearer <TOKEN> but that doesn't seem to work.
What is the correct way to retrieve and pass a token to my GAE endpoint so that it authenticates the user?
The correct and documented way to accomplish this is to:
1) Create an OAuth protected endpoint with the
https://www.googleapis.com/auth/plus.login
or
https://www.googleapis.com/auth/userinfo.email
scope and authorized Client ID for the Android client app.
2) Generate client library and integrate with your app.
I'd like to use the google universal analytics API on the server side. The idea is that there is a browser app showing some graphs which is open to the intranet and doesn't require a login at all. So server either does the login for client and provides the working token to the client or the server provides all the data to the client as well. Oauth login docs and libs from google rely on redirect urls etc which sounds painful for a server-side login . So is it possible and are there any tutorials?