I'm starting a new project with Spring boot as backend and React.js as frontent.
Right now I'm struggling with Login/Authentication issue. I would like to provide Account-Kit from facebook but have few queries.
One of them is from where should I create a request to FB sdk for access token? Should it be server (spring), or react which then posts that data to server? Is it possible to call Accout-Kit from java?
I'm quite new to the topic and would be grateful for any answer.
You should call AccountKit from your client side js. For additional security, you can use code flow (instead of token flow) and pass the code to your server side. From there you can make a REST call to the Graph API and exchange that code + app secret for a token from server side. There is an example on the documentation that shows this flow using node.js, you should be able to make some server side changes to make it run on your setup.
Also, have you tried using react-account-kit-web?
Related
I am trying to implement Google's reCAPTCHA on a Vue app that has a backend of Java. I started an implementation that validates reCAPTCHA on backend side as shown on the following link:
https://dzone.com/articles/using-google-recaptcha-with-spring-boot-applicatio
However, I am not sure if there is a need to make the validation on backend side or what the difference between using only frontend or frontend + backend for this reCAPTCHA validation. At first glance, I think making the validation on frontend side seems better and there is no need to pass the request to the backend if the reCAPTCHA is nor validated.
So, could you pls clarify me about this issues? And if you have an experience, could you give me an example implementation page or example for Vue and Java (Spring)?
You cannot validate on the frontend as this would expose your reCaptcha secret key. Validation has to be done by a backend service.
You should have a look to reCaptcha documentation, it's relatively straight forward to implement: https://developers.google.com/recaptcha/intro
First of all, you always need backend validation because frontend validation cannot be trusted. However, you should still have client side (frontend) validation so that your server can take a break sometimes.
Secondly, you will get 2 keys from google (reCAPTCHA V2): site-key & secrete-key.
NEVER expose secrete-key to frontend (html page), NEVER!
It takes only the site-key to do the job on client side validation.
Secret-key is for backend validation. It's always more safe there(at the server).
I'm using google cloud functions with no problem in my mobile app using specific sdk for iOS and swift. For integrations reason I would now need to call one of my functions from a java springboot server.
I cannot find any example for that, does a specific client and example exist ?
I can find examples for other platform but not for java. Am I missing something ? can someone move me in the right direction ?
Thanks
You could simply do HTTP requests, that will trigger the cloud functions. Here is the documentation
GCP has documentation regarding the authentication on Cloud Functions. Since you need to authenticate on a Cloud Function from a VM inside your GCP project, I recommend you to read this section.
As explained, you should get an Identity Token that can authenticate on Cloud Functions. You can fetch the token either from gcloud or the metadata server. After you have that in whatever format you can access it without compromising your credentials (e.g. environment variable, file outside the repository) just perform the HTTP request to the trigger of the function.
In the end you should have something like this:
cf_trigger = "https://<region>-<project_id>.cloudfunctions.net/<function_name>"
identity_token = "foo"
HttpRequest.newBuilder()
.uri(URI.create(cf_trigger))
.header("Authorization", "bearer " + identity_token)
.build();
Let's say I have a simple application.
How to set up OAuth2 to allow another application to access to some parts of my application.
For example, when devs want to use the Facebook API, they use the Facebook API User interface that generate Client id, client secret etc.
So, this is what i want my website do. provide client credentials when they request them.Not necessary by building an UI but programmatically (JAVA).
In other words, what is the stack behind the facebook API OAuth UI ? Is there a simple framework to set it up quickly and easily ?
thank you
There are lots of frameworks for setting up OAuth in a Java application. I would recommend having a look at Spring Boot, for example.
Working on a jhipster project and love it. Its fantastic.
I am wondering if its possible to have both session based and x-auth-token or oauth together ?
We want our users to be able to access the the web interface but also call the API from server code.
Thanks
If there any reason not to have web and API access via existing OAuth2 - see an example here: jhipster oauth : How can i get the access_token via CURL
I am new to appengine. I will write application which consist of two parts.
1) Core written in app engine with REST interface for clients.
2) Client application written in J2EE on my other (not appengine) server. But here, client may use any other technology (android, swing etc.)
I dont know, how to handle authentication of users in this schema. I think that I am in the middle between standard login and installed applications.
The simplest solution that occured to me, that the client will request username+password, pass it to appengine application via https and it will authenticate.
But dont know how to synchronized the login with client app, because it will need also data from google applications...
Is there any solution or pre-prepared facility in Java how to handle this?
Thanks
You probably want to use OAuth for this; client login or using username+password is not a good way to do this, and informed users will be -- or SHOULD be -- hesitant to give away their passwords. There is a page for using OAuth within AppEngine applications written in Java which may be of use. There is also some support for Oauth in the GData client library for Java. The OAuth in the Google Data Protocol Client Libraries document may help you to understand how to use those features.