In a webapp I am currently using an OpenID Connect token to authenticate users. I am now looking into using a Service Worker and the Push API to do notifications. I understand that I need to register the service worker with the messaging provider (FCM), then send the client information to the app server so it can send messages through the provider. What I don't understand is how I prevent the client devices from receiving notifications if the user has logged out.
Extra info:
The existing webapp uses IdentityServer 4 for the authorization server and oidc-client in the client.
I read that FCM has its own token you can delete to stop notifications, but what if that code fails or the OpenID Connect token expires while the client isn't open (background notifications)? What would prevent the server from sending notifications to the browser with stateless authentication?
TL;DR
With two disjoint systems, OpenID Connect that authenticates users and FCM that authenticates devices, how do I make them work together?
Related
Currently a .NET Core app has APIs with OpenID Connect configured. It gets the user token and validates it.
Now I have a requirement to implement the client credentials flow for 2 APIs, leaving the rest with OpenID Connect. These two APIs are triggered by another backend system. By providing the client id, secret and grant type = client credentials, the backend system is able to invoke these two APIs. But the problem is that it can also invoke the other APIs, which I don't want.
Looking for a way to achieve this in .NET Core. Please advise.
If you implement client credential flow, the access token will include the Application permissions.
If you implement OpenID Connect flow, the access token will include the Delegated permissions.
In order to control which API the client app can access, you need to verify the permission.
You can learn more about the configuration from how to verify Application permissions and how to verify Delegated permissions.
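A worked version of the check the answer describes, added here as a JavaScript example and not code from the answer: the two backend-to-backend APIs accept only application permissions, every other API insists on a delegated permission, so a client-credential token is turned away from the APIs it should not reach. It assumes Azure AD-style claim names (`roles` for application permissions, `scp` for delegated scopes), that signature and expiry were already validated, and the route and permission names are made up.

```javascript
// Assumed claim layout (Azure AD style): an app-only token from the client
// credentials flow carries application permissions in `roles`; a delegated token
// obtained through OpenID Connect carries the user's consented scopes in `scp`.

// Per-route policy (constructed names): the two backend-to-backend APIs accept
// application permissions only; every other API requires a delegated scope.
const routePolicies = {
  'POST /api/sync':    { kind: 'application', value: 'Sync.Write' },
  'POST /api/reindex': { kind: 'application', value: 'Index.Rebuild' },
  'GET /api/orders':   { kind: 'delegated',   value: 'Orders.Read' },
  'GET /api/profile':  { kind: 'delegated',   value: 'Profile.Read' },
};

// `roles` arrives as an array, `scp` as a space-separated string.
function permissionsOf(claims, kind) {
  if (kind === 'application') return Array.isArray(claims.roles) ? claims.roles : [];
  return typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
}

// Decide a request from already-validated claims. A client-credential token has
// no `scp`, so it fails every delegated route whatever `roles` it holds.
function authorize(route, claims) {
  const policy = routePolicies[route];
  if (!policy) return { allowed: false, reason: 'no policy for route' };
  const granted = permissionsOf(claims, policy.kind);
  if (!granted.includes(policy.value)) {
    return { allowed: false, reason: `missing ${policy.kind} permission ${policy.value}` };
  }
  return { allowed: true, reason: 'ok' };
}
```

Deny by default on an unlisted route, so a new controller cannot go live without a policy.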
I'm currently thinking about using the Firebase Auth system with my custom REST API service.
For example:
My custom API would authorise requests coming from an Angular app, but the auth system begins in that Angular app, so there I would get authenticated.
Later on, I would pass the token received from Firebase to communicate with my service.
That service would check if the token is OK and then let me in to the resources.
Is it possible to do?
I am using ADAL3 for authenticating on the Azure AD app. Then I use AuthenticatedClientAsync for logging into the Azure backend.
What is the correct strategy for consuming the Azure backend and working with the token? Do you call AuthenticateClientAsync before each call to the backend to be sure that, if the session expires on the backend, the token will be used to start the session automatically? What happens if the token saved in memory is expired; do you manually ask users to log in again?
Does someone have a sample of an app that pops up a login page, then calls some service and pops up a new login page if needed?
Thanks for your help.
According to your description, I assume that Azure Mobile Apps would be the approach for you to work as your mobile backend. You could authenticate your customers with AAD and leverage the client SDKs provided by Azure Mobile Apps to communicate with your Azure Mobile App backend.
I would recommend you follow this tutorial for creating your Azure Mobile App and download the sample project to get started. Then you could configure your mobile app to use AAD login; details you could follow here. Moreover, for more details about how to use the client SDKs for Azure Mobile Apps in your Xamarin project, you could follow here.
Does someone have a sample of an app that pops up a login page, then calls some service and pops up a new login page if needed?
After logging in via MobileServiceClient.LoginAsync, you would retrieve a JWT token issued by your mobile app backend, and you could get it by accessing MobileServiceClient.CurrentUser.MobileServiceAuthenticationToken. You could cache the token for reuse. You could wrap the operations against your mobile app backend and catch the exception when the token is expired and manually call LoginAsync to ask the user to log in again, or validate the token on your client side and re-login if the token is invalid before you send requests to your mobile app backend. For caching and validating the token, you could follow Adrian Hall's book about Caching Tokens. For wrapping the table operations, you could follow here.
I'm building a web app that has a service worker, which displays a notification when a message is sent. I've been using the Web Push API example (https://web-push-codelab.glitch.me/) as its backend.
But I'm not clear on how notifications are sent to a service worker. Do I need to create a backend service that pushes out notifications, and as part of the registration of the service worker, do I have to subscribe to an endpoint that the backend server provides?
Also, do I need a 3rd-party service that sends out the notification, that my backend service talks to?
I know how to set up a service worker, but not how to create the service that the Push Manager subscribes to.
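The app-server half of the flow asked about here and in the first question (OpenID Connect with FCM), as an added JavaScript example rather than code from either post: the client posts its subscription after logging in, the server keys it to the OpenID Connect session it was created in, and a push only goes out to devices whose session is still alive, so a logged-out or expired device gets nothing even though the API itself is stateless. Assumed: `sendFn` stands in for the real delivery call to the push service (the web-push library, or the FCM SDK), and the endpoints, session ids and expiry times are constructed.

```javascript
class PushRegistry {
  constructor() {
    // endpoint (Web Push URL or FCM registration token) -> registration record
    this.entries = new Map();
  }

  // Client posts its subscription right after login. `sessionExpiresAt` is the
  // OIDC session / refresh-token expiry in ms since epoch (constructed values).
  register(userId, sessionId, sessionExpiresAt, subscription) {
    this.entries.set(subscription.endpoint, { userId, sessionId, sessionExpiresAt, subscription });
  }

  // Logout endpoint, or an OIDC back-channel logout naming the same session:
  // every device registered under that session is forgotten at once.
  revokeSession(sessionId) {
    let removed = 0;
    for (const [endpoint, e] of this.entries) {
      if (e.sessionId === sessionId) { this.entries.delete(endpoint); removed++; }
    }
    return removed;
  }

  // Devices a push to `userId` may still reach. Sessions that lapsed while the
  // app was closed are pruned here rather than delivered to, so the client's
  // own FCM token deletion is not the only safeguard.
  liveSubscriptions(userId, now) {
    const live = [];
    for (const [endpoint, e] of this.entries) {
      if (e.userId !== userId) continue;
      if (e.sessionExpiresAt <= now) { this.entries.delete(endpoint); continue; }
      live.push(e.subscription);
    }
    return live;
  }

  // The push service reports dead subscriptions (410 Gone for Web Push,
  // an unregistered-token error from FCM); drop them on sight.
  markDead(endpoint) { return this.entries.delete(endpoint); }
  // Deliver through the injected sender; sendFn resolves true on success.
  async sendToUser(userId, payload, now, sendFn) {
    const results = [];
    for (const sub of this.liveSubscriptions(userId, now)) {
      const ok = await sendFn(sub, payload);
      if (!ok) this.markDead(sub.endpoint);
      results.push({ endpoint: sub.endpoint, ok });
    }
    return results;
  }
}
```

The 3rd-party service in the question is the browser vendor's push service (or FCM); the backend never talks to the service worker directly, it posts to the endpoint stored in the subscription.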
I have a web SPA that currently connects to a Rails backend, authentication handled via auth0. We have a new server that has some endpoints that the SPA needs to connect to. What is an elegant way of authenticating against both servers considering I have auth0 implemented in the SPA and the legacy server already? Is there some way to pass the authenticated token back to the new server from the legacy server? Or do I just authenticate against both servers when logging in as a user on the SPA? The user db sits in a separate db, shared by both servers.
If the credentials are stored in your database, then use an Auth0 Custom DB Connection to authenticate against Auth0 from your SPA. Auth0 has quickstart samples for all the popular SPA frameworks / libraries (Angular 1.x, 2+, React.js, etc.). You authenticate against Auth0 (not the legacy or new server). As a result, you receive a (JWT) ID Token and a (JWT) Access Token. It is the Access Token you send from your SPA to each of your servers for the purpose of making authorized requests. Your servers (legacy and new) should be secured to verify the JWT Access Token as valid and optionally check that the scope attributes match the request endpoint. That's all that is required. The Auth0 documentation covers all this, and there are samples too that demonstrate how to set this up.