I just started to use the facebook login app for my website. After login success, I received the response which contains some info like userID, access_token, signedRequest, etc. I need to pass this info to my server side to get user data (email, picture) and add that to my database. If I use ajax call to my server, my server API will be exposed. My question is how can I pass that info to server-side without worrying my server will be exposed?
Note: I'm using ASP.Net.
Thank you!
Pass the Access Token only, and use a server side API call (including appsecret_proof) to get the User ID. Only store the User ID.
More information: https://developers.facebook.com/docs/graph-api/securing-requests
Related
My current setup is the following:
Single Page Application with Vue
Rest Backend
The SPA has social login functionality. It uses the authorization code flow with PKCE to retrieve:
Access Token / Refresh Token
ID-Token
As it is an SPA, the information is stored in local storage and therefore not 100% secure.
But how do I use this information to actually authenticate against my rest backend? The rest backend actually contains the user data I need after all.
Originally, I thought I could just send my access token or id token to my backend and the backend uses this as proof that I'm the correct user.
Main problems I see:
Make sure the access token / id token is actually from my application (the SPA)
Be protected if the tokens are stolen / Minimize the impact of this
For the first problem, the client_id might help, which is embedded in the id-token. It is kind of public information (because it is an SPA) and there is no client_secret. But the redirect_uri is specific to my SPA. Is this enough protection?
If it is my backend could have a list of allowed client ids and providers and check if the client id of the token is one of them.
The second problem is the lifetime of the token. Access tokens are only valid for a short time period and refresh token should be rotated. So it's kind of okay to store these in local storage. But the id_token is valid for a longer time. What do to about this?
Is this in general the right track? Or is my approach completely wrong?
We are trying to access data from D365 API's,
We are flowing the flow like Getting the token by using the Client ID and client secret
We are getting the token, New trying to access other app url's but getting the response are unauthorised
here the thing we are missing is we need validate the user. I am not getting exact api, where we can validate the user and then access the data.
This is the first API, we are calling
https://login.microsoftonline.com/ tenant ID /oauth2/token
passing client_secret, Client_id and grant_type
For that we are getting the token.
with that token we are not able access out D365 API's
But here where we need to login the user ? Any references ?
Thanks to this page api_key_authentication I have an authentication system which works well.
So, basically every user has his own api_key field (stored into the fos_user table), when I perform a request with any api_key from fos_user I see in the response that the user is recognized.
The question is: What does an API user do to retrieve his api_key?
You can generate api key and send it to the user (somehow) or make auth api where user send you his login and password and then you generate and send him his api key (this is the most known way).
I want to implement oauth2 in my website.
I have the server configured.
In current scenario there is a login page, where user puts her credentials which in turn is submitted to my login controller. Now I want to authenticate user using oauth2. Since the server and client are part of same application I am wondering how to go ahead.
I want to authenticate the user via oauth and return the dashboard along with the bearer token so that next call can me made from here.
Please suggest how to go ahead. If there is a better way to do i am more than happy to adapt it.
Thanks
Configure authorization server with spring-security-oauth. All the necessary endpoints will be mapped automatically (including /oauth/token)
Make a simple webpage with login form
Make POST request to /oauth/token with the username and password. In addition you have to send field called grant_type which will be filled with 'password' value.
As a response you will receive the access token. This means that you are authenticated.
P.S. Please pay attention that Oauth is the authorization standard, not the authentication one!
I want to enable Facebook authentication and the FB-Graph in my website, which already has forms authentication. Using http://multitiered.wordpress.com/2010/08/05/getting-started-with-the-facebook-c-sharp-sdk/, I was able to figure out how to login server-side.
However, the problem with this approach is that a secure cookie will not be created, since the call returns the authentication code in the querystring via a callback. This means that the user will have to login every time.
I can see two ways around this:
Store the access token in a secure cookie manually
Instead of the above approach, use the FB JS API to login - this stores a secure cookie with the access token automatically
I would prefer not to use the second approach, as I would like the login code to be server-side.
Which would be the better approach? Am I missing something?
I use the JavaScript method to first authenticate the user, the JS SDK then writes an encrypted cookie (called "fbs_[YourAppID]") when a connected user hits your page; using one of the many Facebook c# SDKs, this cookie can be decoded using your application secret giving you the user ID, oAuth token, expiry date etc.
Then I hook into the AuthenticateRequest event of my .NET application, check the presence of the cookie, decode if it found, and then find a user who has been assigned this facebook ID (your user table must have a extra field for storing the ID of their facebook account).
If a match is found, I write a normal forms authentication cookie for this user, then .NET will recognise them for all future requests. If no user is found, then this is a brand new user who has just connected. Use the SDK again to query the graph API using their oAuth token, get things like their name/email etc and create a new account, then issue a authentication token as normal.
By writing a normal authetication cookie, the user will stay logged into to your site for all requests, just as if they were a normal user.
One side point, when using email address, check for duplicates, and check for the facebook cookie in all requests. For example, an existing registered logged in user may have just connected.