Is it possible to simulate user behaviour on some twitter service that use oauth autorization(you have to enter your twiter credentials and allow to application access to it)?
For example, I have some routine actions with couple of twitter accounts on some twitter service and wanted to write a program(java\python etc.) to make it automatically.
Is there any way to login in such services?
It is possible ton automatize application authorization using username and password. You need to "simulate" user acceptation (on the auth web page) and parse the PIN code on the resulting page.
You need username and password (or manual acceptation) one time only if you retrieve and save user tokens (key and secret).
Some OAuth libs already provide such features
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
I am working on a design problem where I need to authenticate users if they are coming from an email that I sent them.
These are the details.
I have users with email ID already created in my system.
I will send emails to users with an encrypted link which has the
user ID also with some metadata.
If the user clicks on the email link, he should be directed to a website
where he can see details related to him.
The website is a client-side only website which is calling a BE server to get data and display it the user. Now I want to have OAuth authentication for the api communication between the FE website and the BE server.
Assuming that we already have an Oauth2.0(2-Legged) implemented in BE APIs, the approach I am thinking for the same is
When the user goes to website from the email, the FE application
gets the encrypted token from the redirecting URL and call a BE API with
the token in the payload.
This particular BE API is not secured by OAuth as FE does not have a token yet
and since it is a client-side application, I can not store the
client id and secret in the codebase.
The BE API parses the encrypted token, gets the User ID from it and
also generates an oauth access token with grant type as "Implicit".
This token is a short-lived token and scope is limited to the user ID.
The BE API returns the token and the user ID to FE.
FE uses the user ID and the token to acccess user data through other
APIs as all the other APIs are secured with OAuth.
This flow is designed for easier access for the user to this data with maintaining acceptable security. The assumption is that with token encryption we have ensured enough randomness that a user will not be able to access somebody else's data by randomly modifying his token from the email.
This is an open-ended question. I am looking for suggestions on the above-mentioned approach.
Are there any obvious Gotchas that I am missing?
Is there any big security risk with the approach?
Am I using the correct grant type?
Are there well-documented approaches for the similar requirement?
I read online and understand how to use the FB connect and how to create an app that uses the fb login. What I want to know is whether it is possible to manipulate the data between the authentication.
So here's what I am confuse about. So we have
FB server
my application
my server.
So when I open my application, my application will ask for fb login and pw, we send those info to FB server. The FB server then give my application a token, then my application will send the token to my server, then my server will verify with FB server? Is this how it works?
If that's the way it works why there's no hacking in FB login, can't people make fake tokens?
By your question , even a set of "fake" credentials for all purposes of you app will be a vaid login ( because the user exists on facebook) . Facebook is essentially authenticating that the person is a valid person. A person cannot make a fake facebook token because it is signed
Facebook uses OAuth 2.0, which is a current standard for open authorization. This is a short description from wikipedia:
OAuth provides client applications a 'secure delegated access' to
server resources on behalf of a resource owner. It specifies a process
for resource owners to authorize third-party access to their server
resources without sharing their credentials. Designed specifically to
work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows
access tokens to be issued to third-party clients by an authorization
server, with the approval of the resource owner, or end-user. The
client then uses the access token to access the protected resources
hosted by the resource server.[1] OAuth is commonly used as a way for
web surfers to log into third party web sites using their Google,
Facebook or Twitter passwords, without worrying about their access
credentials being compromised.
You can read the RFC specification for more details: https://www.rfc-editor.org/rfc/rfc6749
You can also read information about the different integrations: http://oauth.net/2/
You cannot create a fake token. The user receives a token after typing his username and passwords, which means stealing his token is equivalent to stealing his credentials, as the token is randomly generated.
I will explain the flow shortly:
I'm an user, using in general facebook and your application. I log in facebook and reach your application in facebook or via external link and click on it. Then facebook will ask me if I want to share my personal information with your application (this is because I am logged in. If I were not, then it would ask me for my username and password). If I agree, facebook will send an access token to your application and with it you will access of my personal information. Thus this access will be highly restricted and you won't be able to do anything harmful and as well it will expire after a couple of time, depending on the implementation, but should be around one hour.
I have a mobile application (HTML 5, JavaScript) and a Restful service (Java, Jersey) to cater the mobile application.
Mobile application sign in is handled via a Facebook (Sign in using Facebook account). And currently there is no any security mechanism integrated for the Restful service
So my question is, can I authorize users on the Restful service via the access token retrieved from Facebook, to the mobile application ? To further clarify, if someone has logged into the mobile he/she should be authorized to make requests to the Restful service.
Thanks in advance
Asanka
If the user has authenticated with Facebook and you have the access token with you, you can get the user's facebook profile's public information.
You've got to hit this link - https://graph.facebook.com/me with the access token.
Go ahead, click on the link and see what happens. When you pass a valid access token, profile info will be returned as a JSON object.
(if you FB profile page is = facebook.com/yourname, then just try https://graph.facebook.com/yourname -> you'll be able to see what the data returned looks like.
Now, with the user data returned you can keep an entry in your DB if the user is registered or not, for first time users you can register them.
PS - https://graph.facebook.com/yourname actually returns someone's profile info! I didn't know anyone could keep their profile handle as yourname!!!
PPS - I just checked facebook.com/yourname -> Guess who uses this handle! It's the brazilian defender Roberto Carlos!
I have developed many stateless RESTful webservices for a mobile application in Java and they are working very well.
For example:
http://.../api/coupon
http://.../api/coupon/{id}
...
Now, I have to extend these services because I have to send different data back to the mobile for every user. So I need to know on the server side which user try to get or set information. And I have to prevent the serve of unauthorized users.
There are two different way how user can login into the mobile application:
log in with facebook account
log in with an application account
I need to develop two login and a logout services because the users who use the mobile application have to login into the application.
I read lots of article about auth and RESTful and OAuth.
I think I have to develop two login services with two imput parameters: username and password.
For example:
localLogin(String username, String password) -> token
facebookLogin(String username, String password) -> token
These logon services have to generate a same token and send it back to the mobile application in the http header. And after the login process the mobile client has a token. And the client has to send this token to the server when it makes a RESTful server call.
What do you think? Is my idea good?
If it is, could you help me how can I start to develop this in Java?
If it is not, could you tell me the good way?
You do not need 2 log in procedures. Just use the Facebook SDK!!
i) In your app would be a login with facebook button.
ii) User clicks on it and is then redirected to the facebook login page, where the user enters his credentials and facebook returns a token to you. You do not have to worry about the user's facebook credentials or storing them anywhere! Facebook will handle that for you. Consider the FB login part as black box to your app - you simply make a FB SDK's login call and it will do some processes and give back a access token to your app.
iii) Now, you can exchange the access token for the user's profile information. Enter this profile info to your database - that will ensure authenticated call.
Once you have verified that the user is logged on you can do whatever you want.