This is related to OpenId authentication.
I have implemented the google and yahoo openId auth with java in struts2
but it is achieved through page redirection to openId provider auth page and then back to my own success web-page.
But what i wanted was same as facebook auth. were in json object is passed from fb and fb authentication is done in a pop-up. so that redirection can be avoided.
Plz help me out.
I have somewhat implemented which is mentioned in this post part1-part4: http://javadeveloperjournal.blogspot.in/2011/08/integrating-openid-into-my-struts-2-app.html
First, i will not suggest to use OpenID for Facebook and Facebook do not provides its own implementation for the OpenID but rely on certain third party implimentations.
Best way to go with OAuth which is quite similar to what OpenID is with only differences in the level of security and authentication.
While Constructing a URL to the OAuth Dialog, you can specify a parameter namely display indicating if you want a page redirect or pop-up, by default the value of this parameter is set to page
Please go through Facebook documentation for implementing OAuth
oauth using Facebook
That redirection is an mandatory part of the OpenID specification. Anyhow to authenticate users in that manner, whoever the OpenID Provider should support it. But facebook does't as far as I know. Use Oauth, facebook supports it and it is an open standard, so it is always better to go with open standards.
Well as the other answers have indicated, that passing you to the OpenID provider to login is part of the specification. Also in agreement with Umesh above, Facebook provides Facebook Connect, which isn't OpenId, but allows you to authenticate users using this method.
See: Is Facebook an OpenID provider?
What I do want to add however is clarification that you don't just run off and create an OAuth based authentication system because OpenID isn't what you want to use. OAuth provides you with more than just login authentication, there's more power in there - which strangely users are unaware of. OpenId passes along your credentials and OAuth passes along access to your data. So with OpenId the website can authenticate me, with OAuth the website can authenticate me and possibly have access to all my email or my documents in Google Drive. The good thing is that you the user has to explicitly allow this access.
But erring on the side of privacy you'd want to build a compelling case for an application that needs the power of OAuth. Like the picture in the article below, one's the different between asking for a notarized letter to prove your identity, and asking for a valet key to prove your identity.
A valet is OAuth, I need them to take my car and park it in the parking lot, so I give them a valet key. It can't open the glove compartment or the trunk, but they can open the driver's side door and start the ignition - which is all I need them to do, and no more. However I don't give the cashier at the grocery my valet key when I'm paying with a personal check, she just needs to see a photo ID, any gov't issued ID will work. Technically my valet key which will allow her to open my car and read my VIN and possibly authenticate it against a DMV database should also work, but that's probably overkill.
There are good uses for OpenId, OAuth and Federated logins, but as developers we need to understand when and where we should use each of them.
http://en.wikipedia.org/wiki/OAuth#OpenID_vs._pseudo-authentication_using_OAuth
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
I google search many time about how to authenticate Restful API and Mobile App.
I found a lot answers but I feel not better, or perhaps because I am new in API.
My Willing:
Mobile App request or post data to Restful Server
Restful Server Authenticate Mobile App by Username And Password Login
I want to secure on Restful Server And avoid hacker steal password and request data.
After searching by google they told:
use Https with SSL
authenticate username or password then generate new token and signature
use token and signature to authenticate Mobile App.
Other way use Oauth 2.0. After reading Oauth 2.0 document,
I still think its structure still similar token and signature above.
I think if like that, mobile app can store or use token and signature,
or hacker can debug or see process log in by proxy request.
I feel still not secure
because we still use token and signature on requesting.
I just start my new knowledge in API. If I misunderstand,
I am sorry. I use PHP coding.
I would recommend jBoss's Keycloak (http://www.keycloak.org/). From the first page:
Add authentication to applications and secure services with minimum
fuss. No need to deal with storing users or authenticating users. It's
all available out of the box.
You'll even get advanced features such as User Federation, Identity
Brokering and Social Login.
For more details go to about and documentation, and don't forget to
try Keycloak. It's easy by design!
I'm developping a backend REST API for a mobile app and I am now looking to implement token-based authentication for it to avoid having to prompt the user to login on every run of the app ..
the user will have a token for a certain time before being obligated to give the username and password again, it's like managing sessions that have limited among of time, anyway I've gone through the APIs that provides this kind of Authentication mechanism and notice that OAuth is highly rated but haven't found any exemple that suits my cas ..
I do't know if this is the good way to ensure authentication for app or there's other mechanisms ..
if you have any suggestions, ideas or any sort of help, feel free to comment ..
I'm finding a lot of problems trying to develop a google app to place in the market, with OpenID and accesing some google apis like G+ from the backserver on GAE
I have applications running using google apis to acces G+ data, with 3 legged oAuth (code flow) without problems and i understand the "magic" behind the scenes, but i'm getting lost with OpenID and google market. Do i need to do the 3legged oAuth after the user pass the OpenID google filter, and send the user to acept the G+ permission API to use that token to access google apis? If this is the case, what happen if the user access the application from his company gmail account, and when prompted to accept the g+ access, he change accounts? Is there any good reading that make things easier with google apps, openID and access google apis from GAE?
Why I can't specify the scope of G+ when sending my application to the market, in the app conf files?
In this scenario, what is the best way of getting the user g+ profile (picture, fullname, nickname? What i'm missing? google documentation is really good, when you find the correct one ,but a lot of links are dead and millions of examples with deprecated gdata apis are flooding the net...
Ok, after further reading and testing i came up with this points:
Google Marketplace just alow you to access this apis without extra "oAuth dances"
If you want to access more APIs than the listed above, you need the oAuth exchange to get specific token/s for the APIs you want to access.
In my case, i want to access G+ API before the openID from market, so after logging the user with openID, i need to redirect him to google api oAuth accept screen (just for the first time)
More things about the market that take me long time to catch:
- Billing API and license API are deprecated, this mean you are responsible for billing your users and keep them tracked to know if a given user has paid the application or when the license has expired
- You need to map /_ah/login_required becouse your application should be setted (when you create it) to only accept federated logins, wich will lead to a redirection to /_ah/login_required from where you need to do the openID stuff.
A lot of links in the documentation are broken and the examples are too old :(
It's actually a little simpler now with the new Google Apps Marketplace experience. If you follow the steps in the docs and make sure you ask for the same scopes in your App Engine code, the user should never be prompted.
have anyone tried this, create openid4j servlet and try authenticate with google openid? i tried it and fail and so want to get confirmation from you all. i able to authenticate with yahoo_email and myopenid.com
I don't have personal knowledge of openid4j, but I can't imagine they wouldn't support Google's OpenID. Google OpenID is just standard OpenID 2.0, although they have a few notable differences in normal behavior that you should be aware of:
You should kick off authentication by supplying the URL https://www.google.com/accounts/o8/id instead of just gmail.com or google.com since Google hasn't made those simple domain names OP Identifiers yet.
They don't support delegation, and you cannot start an authentication using a user's claimed_id. Only OP Identifiers work.
If the user clicks "Always remember me" for the site during login, Google won't supply any AX attribute values to the RP on subsequent logins (the RP must store the initially received values).
Well, right now I'm logged in as a Google openid account. The trouble is that they have supported a strange blend of OAuth and OpenID, so I don't know how one would implement it on one's own servers. At least for Stack Overflow, my OpenID URL is www.google.com/accounts/o8/id, without the comma, obviously.