I'm new to Vaadin Flow and I'm trying to port an android application, in which Firebase is used as the only authentication provider. My (dumb) problem is that I can't find any resource or binding to Firebase API. Have some of you succeeded in using Firebase auth in a flow project ?
I created this example application couple of weeks ago. It user Firebase Authentication and it's JavaScript library to do authentication. Then the JWT token is sent to the Vaadin Flow server, validated and stored so that it can be used to detect who the active user is.
https://github.com/mstahv/vaadin-firebase-auth-example
Are you using Spring for security, or your own solution?
If you're using a custom solution, maybe the reply in this thread is of use
Firebase user authentication for java application (Not Android)
The token can be saved in the session and used as you wish.
Here's a question that might be relevant if you're using Spring boot
How to use Firebase with Spring boot REST Application?
Related
I am building a SPA using React and Redux on top of dotnet core 2.0. Unfortunately, the vs2017 template for this does not include Authentication/Authorization.
In looking around, I saw many people talking about the use of JWT's and suggesting things like Identity Server or OpenIddict to handle this, but I have only ever used ASP.NET identity to handle security before.
My question is, is it possible to secure a react app by using ASP.NET identity alone, and if so, why do so many people jump straight to JWT's as the solution for securing SPA apps?
Is token based authentication the only method that works with a SPA app, or can I use Cookie based authentication?
I will try to answer by your questions.
Q.1. Is it possible to secure a react app by using aspnet identity alone, and if so, why do so many people jump straight to JWT's as the solution for securing SPA apps?
Q.2. Is token based authentication the only method that works with a SPA app, or can I use Cookie based authentication?
Answer To First Question(this question technically related to difference between cookie based and token based authentication approach.)
Cookie based authentication system
cookie based session is StateFull. as here server needs track of active session,while on front end/client end a cookie is created that holds a session identifier.
you can secure your web api using cookie based authentication system. but in a very limited scope, because ,cookie based system doesn't work well, on native clients or suppose if your web api is going to be consumed by some other web api,
Token based authentication system
it is StateLess as server doesn't keep here the track of which token are issued or which users are log in.
Here server needs to verify only the validity of the token. so token based approach is more decupled than cokie based.
Sources
https://auth0.com/blog/cookies-vs-tokens-definitive-guide/
Update Above(Auth0) link not working any more Updated Link
https://learn.microsoft.com/en-us/dotnet/standard/microservices-architecture/secure-net-microservices-web-applications/
Answer To Second Question
Yes you can implement cookie based authentication in spa by using OWIN Cookie Authentication middileware .
you can find more information regarding it on following link.
https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
Hope above will help.
If you are going to have React and API in one domain, and the SPA would be the only client of API it may be recommended to use cookie based authentication with SameSite Cookies.
https://www.scottbrady91.com/OAuth/Cheat-Sheet-OAuth-for-Browser-Based-Applications
https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/
(section same-domain apps)
longer post: https://blog.cdivilly.com/2020/06/10/oauth-browser-apps
I am using the ADAL3 for authenticating on the Azure AD app. Then I use the AuthenticatedClient Async for logging into the Azure backend.
What is the correct strategy for consuming Azure backend and working with token? Do you call AuthenticateClientAsync before each call to the backend to be sure that if the session expires on the backend the token will be used to start the session automatically? What append if the memory save token is expired, do you manually ask users to login again?
Someone has a sample of an app that popup a login page then call some service and popup a new login page if needed?
Thanks for your help.
According to your description, I assumed that Azure Mobile Apps would be the approach for you to work as your mobile backend. And you could authenticate your customers with AAD and leverage the client SDKs provided by Azure Mobile Apps to communicate with your azure mobile app backend.
I would recommend you follow this tutorial for creating your Azure Mobile App and download the sample project for getting started. Then, you could configure your mobile app to use AAD login, details you could follow here. Moreover, more details about how to use the client SDKs for Azure Mobile Apps in your xamarin project you could follow here.
Someone has a sample of an app that popup a login page then call some service and popup a new login page if needed?
After logged via MobileServiceClient.LoginAsync, you would retrieve a JWT token issued by your mobile app backend and you could get it by accessing MobileServiceClient.CurrentUser.MobileServiceAuthenticationToken. And you could cache the token for reusing it. You could wrap the operations against your mobile app backend and catch the exception when the token is expired and manually call LoginAsync to ask the user for logging again or validate the token in your client side and re-login if the token is invalid before you send requests to your mobile app backend. For caching the token and validate the token, you could follow adrian hall's book about Caching Tokens. For wrapping the table operations, you could follow here.
I want custom firebase authentication where a user manages the roles of subordinate users. I need guidance on understanding on how to implement my own backend authentication system. Everywhere the documentation keeps mentioning that 'send the username and password to your backend that will generate a custom token'. What is this backend? where do I pursue this? My knowledge domain is firebase, firebase functions, angular 2/4, ionic2 for this discussion... thanks
To use custom authentication, you need to create a JSON Web Token (JWT) on your existing backend server, after you have used your existing backend server to validate the username and password of the user (or however else your backend server validates your users).
To create that JWT, use the configuration described at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
There is PHP and Ruby code available at that page, for anyone using a language that does not have an SDK available from Google, but which does have a JWT library available.
The JWT is signed with your private key, which you can obtain as indicated at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
Although that page describes initializing the SDK, this section also has instructions for creating the private key for your service account using the Firebase console at https://console.firebase.google.com/u/0/project/_/settings/serviceaccounts/adminsdk
You will have to send the email password to the firebase sdk in using javascript in web then when the sdk success functions tell that the user has been authenticated the web page will send result to your backend server (can be nodejs or php etc) from there you have to manage your own database to handle all the role base access.
Firebase is basically authenticating the user for you and telling you that you can identify this user using the following userid and then build your own system.
Firebase has access rules but those you have to define first you cannot fully customize them for each user.
For password auth see this:
https://firebase.google.com/docs/auth/web/password-auth
An easy way to do custom auth with Firebase is using an external identity provider. Auth0 is an example of such a provider.
Guide:
https://shusson.info/post/using-firebase-and-auth0-together
code:
https://github.com/shusson/firebase-custom-auth
I'm trying to authenticate my app users with their credentials used at the website
I managed to authenticate users via Xamarin.Auth to login via Google, Twitter... etc but could not figure out how to authenticate them via ASP.Net Identity provider.
any ideas or examples ?
Your problem is not a new one, and is one that will be easily fixed in the near future (see note below).
When you're authenticating with a provider like Google or Facebook, you're receiving a token that you can then use to send to the API. Unfortunately Asp.Net Identity does not do this out of the box. You can either configure your API to use JwtBearer tokens, or check out the Identity4 project along with their samples. Note that if you're using Asp.Net Identity you'll probably want a cross between Quickstart 6 and Quickstart 8 so that all of the necessary persistent stores are in your database.
NOTE: You might also want to follow the Templating Team's PR #700 which is adding token based auth in the new templates which will soon allow you to rapidly create new Api's with Token Based Authentication for your mobile apps.
I write a webapp with mvc5 and Identity for authentication. It's work fine.
Now I need to authenticate same client (ios app, windows phone app, and android app) with users that are registered. Think to use a specific webapi where user can register, modify, autheticate ours user. So when they are autenticated the use can access other webapi for get data. Is this correct procedure? How I can use Identity into webapi?
Thanks
You want to look into oAuth and JWT tokens. There is already a library built for this which works really well called Thinktecure. When you are authenticating from a mobile app you really want to go the route of stateless authentication and just pass a token with the necessary claims to identify the user. There is plenty of documentation on the site as well as a sample repo (below).
https://github.com/IdentityServer/IdentityServer3.Samples/