I am developing an Android application and using Firebase for the authentication. When a user signs up or logs in, I save the uid generated by Firebase on my DB through my API, which is built using the Laravel framework. How exactly do I go about protecting my API endpoints, as authentication is not carried out through the API but with Firebase? Thanks
Even though your authentication is completed by Firebase, you would just need to prevent unauthenticated requests to your API from being responded to, and this is done entirely on your API: once a user is authenticated through Firebase, you hand all control to your API; else, return to Firebase for authentication.
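One way to do that check on the Laravel side, as an added example (not the answerer's code): a middleware that verifies the Firebase ID token the Android client sends and then resolves the user by the stored uid. It assumes the kreait/laravel-firebase package is installed, a `firebase_uid` column on the users table, the Laravel 8+ `App\Models\User` namespace, and a hypothetical class name.

```php
<?php
// app/Http/Middleware/VerifyFirebaseToken.php (hypothetical class name)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Kreait\Firebase\Exception\Auth\FailedToVerifyToken;
use Kreait\Laravel\Firebase\Facades\Firebase;

class VerifyFirebaseToken
{
    public function handle(Request $request, Closure $next)
    {
        // The Android client sends the Firebase ID token as "Authorization: Bearer <token>".
        $idToken = $request->bearerToken();
        if ($idToken === null) {
            return response()->json(['error' => 'missing bearer token'], 401);
        }

        try {
            // kreait checks the signature against Google's published keys, plus
            // issuer, audience (your project id) and expiry. Pass true as the
            // second argument to also check revocation (costs an extra round trip).
            $verified = Firebase::auth()->verifyIdToken($idToken);
        } catch (FailedToVerifyToken $e) {
            return response()->json(['error' => 'invalid or expired token'], 401);
        }

        // 'sub' is the Firebase uid that the API stored at sign-up.
        $uid = $verified->claims()->get('sub');
        $user = \App\Models\User::where('firebase_uid', $uid)->first(); // assumed column
        if ($user === null) {
            return response()->json(['error' => 'unknown user'], 403);
        }

        // Expose the user to controllers via $request->user().
        $request->setUserResolver(fn () => $user);

        return $next($request);
    }
}
```

Register it as a route middleware alias (app/Http/Kernel.php on Laravel 10 and earlier) and apply it to the protected routes in routes/api.php, for example `Route::middleware('firebase.auth')->get('/profile', ...)`.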
What's the difference if I used a column in the users table, api_token, for token auth, versus if I used JWT or Laravel Passport?
My app is an e-commerce app that contains an API for mobile apps!
Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token. During the life of the token, users then access the website or app that the token has been issued for, rather than having to re-enter credentials each time they go back to the same webpage, app, or any resource protected with that same token.
JSON Web Token (JWT) is an open standard. The finished product allows for safe, secure communication between two parties. Data is verified with a digital signature, and if it's sent via HTTP, encryption keeps the data secure.
JWT has some limitations: JWTs rely on a single key. If that key is compromised, the entire system is at risk; also, you can't push messages to all clients, and you can't manage clients from the server side.
Laravel Passport is a native OAuth 2 server for Laravel apps. Like Cashier and Scout, you'll bring it into your app with Composer. It uses the League OAuth2 Server package as a dependency but provides a simple, easy-to-learn and easy-to-implement syntax. Passport exposes a JSON API for your frontend to consume to let you manage your clients and tokens.
Out of the box, Passport comes with Vue components that show how you might want to interact with this API in your app. You could use these components and call it done, or you could write your own tool to interact with the API.
You have to do a lot of work with Laravel Passport, and it is time consuming and confusing.
Token-based authentication is better than JWT and Laravel Passport.
Currently I am developing a web application client using Laravel 5.7. The web client is thin and mainly processes via a REST API from AWS gateway. User authentication is also handled by a Cognito user pool via AWS gateway (which returns access and refresh tokens upon username & password).
As described above, is this good practice? I am looking for a way to build the user controller methods (to validate and handle access/refresh tokens) and the best way to store the client id and client secret. My view in Laravel will pass the user data (in a plain request) in a form to the controller.
I studied Laravel Passport, which might be useful, but since my web client totally depends on the API gateway, I don't think I should implement the API again in my web client using Passport. (Correct me if I'm wrong.)
Any example/article/tutorial/suggestion?
I am creating a react-native-ios app that communicates with a PHP web app hosted on Azure.
How I understand it works:
The user signs up to the app; the server communicates with the Auth0 server, which then returns a JWT token to the PHP server, which saves the token to the database and then sends the token back to the client device, where it is then stored on the device.
The user must send the JWT token as a header whenever communicating with the server.
Whenever the user logs out the token is deleted and when signing in, a new JWT must be received.
The user can sign in using credentials that match what is on the database, or sign in with Google or Facebook.
Or is Auth0 just for signing-in with enterprises such as Google or can I use it to sign in to my app also that has login credentials on the database?
I have found the npm package react-native-lock-ios, but it doesn't work the way I described above.
In summary, how should I go about this, and is what I have explained above correct?
The main problem here is that you did not understand how to work with JWTs. I would advise you to take a deeper look at how this technology works and how Auth0 can help you. But, in summary, this is the workflow for authentication that you must aim for:
Your user will choose one of the many identity providers supported by Auth0 (e.g. Facebook, Twitter, LinkedIn, SAML, WS Federate and so on).
Your react native app will communicate directly to Auth0 API through the react native lock.
Auth0 will interface with the chosen provider and redirect the user to an authorization page in this provider (in case it is needed and it is the first time the user logs in).
Auth0 will generate a JWT and send it back to your react native app.
Your react native app will send this JWT to the server (usually on the Authorization HTTP header) when issuing requests to your endpoints.
Your PHP backend will check if this JWT is really valid. This can be done with the Auth0 PHP SDK.
In case the JWT sent has not been tampered with (changed irregularly), your backend will accept it as the user identifier and respond to the request as expected by your react native app.
As you can see the biggest issue in the approach that you thought you would follow is that the login process does not go through your backend server. It happens on your front-end app (react native) communicating with Auth0 and the identity provider chosen.
JWTs are tokens that hold information (claims) about a subject. These tokens can be validated by anyone that possesses a key (public or private). That is, having this key you can validate the token and can rest assured that it has not been changed improperly.
Furthermore, to answer the question regarding the usage of Auth0 with credentials on your database, you can bet that you can use it. Auth0 provides ways to integrate with your own database to check the existence of a user. This is called a custom user store.
Happy studying.
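To make the "has not been tampered with" check in the answer above concrete, here is an added, self-contained example (not the answerer's code and not the Auth0 PHP SDK) that issues and verifies a JWT and then shows a rewritten payload failing the signature check. It uses a constructed HS256 shared secret so it runs stand-alone; Auth0 tokens are RS256 and the SDK verifies them against the tenant's public key instead.

```php
<?php
// Constructed example: minimal HS256 JWT issue/verify to show what "not tampered
// with" means. Auth0 signs tokens with RS256 and the Auth0 PHP SDK validates them
// against the tenant's public key; a shared secret is used here so it runs alone.

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): ?string {
    $padded = str_pad($data, strlen($data) + (4 - strlen($data) % 4) % 4, '=');
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

// Returns the claims when signature and expiry check out, otherwise null.
function verify_hs256_jwt(string $jwt, string $secret, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // Pin the algorithm: never let the token's own "alg" field choose the check.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null;
    $sig = b64url_decode($s);
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    // hash_equals is constant-time, so the comparison leaks no timing information.
    if ($sig === null || !hash_equals($expected, $sig)) return null;
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= $now) return null;
    return $claims;
}

function issue_hs256_jwt(array $claims, string $secret): string {
    $h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p = b64url_encode(json_encode($claims));
    return "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
}

$secret = 'constructed-demo-secret';
$now = time();
$token = issue_hs256_jwt(['sub' => 'auth0|user123', 'exp' => $now + 3600], $secret);
var_dump(verify_hs256_jwt($token, $secret, $now));

// Same token with the subject rewritten but the original signature kept:
// the HMAC no longer matches the new payload, so the backend rejects it.
[$h, , $s] = explode('.', $token);
$forged = "$h." . b64url_encode(json_encode(['sub' => 'auth0|admin', 'exp' => $now + 3600])) . ".$s";
var_dump(verify_hs256_jwt($forged, $secret, $now));
```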
We have an app that uses the OAuth2 Google sign-in system and we want to store data from the users that sign in into our app on our back-end during the initial registration.
This is the way we got it set up:
User signs in with the app using Google sign-in
We get an ID Token and send this to the server
On the server we verify this token is valid using the Google library and save the info we get back from the verification
We also need the user to be able to update/insert data into the back-end when he's authenticated.
After the initial registration, how do we do this?
Do we send the ID Token from client to server each time they call the API on our back-end? In this case how to handle expired tokens?
If you want to make your API a first-class citizen in your system and have it require access tokens that are specifically issued to it, instead of accepting Google authentication related tokens that were issued to your client application, then you need to have an authorization server that specifically issues tokens for your API.
This authorization server can still delegate user authentication to Google, but then after verifying the user identity it will issue API specific access tokens that better satisfy your requirements, like for example, including specific scopes then used by your API to perform authorization decisions.
For a more complete description of this scenario you can check the Auth0 Mobile + API architecture scenario.
In this scenario you have a mobile application ("Client") which talks to an API ("Resource Server"). The application will use OpenID Connect with the Authorization Code Grant using Proof Key for Code Exchange (PKCE) to authenticate users.
The information is Auth0 specific and you can indeed use Auth0 as an authorization server for your own API while still maintaining Google authentication support, however, most of the theory would also apply to any OAuth 2.0 compliant provider.
Disclosure: I'm an Auth0 engineer.
I am building a backend REST API for an Android application. It authenticates the user and sends the token in the Authorization header. I am extracting the token from the header in a custom middleware. Now I tried to check with Socialite whether it provides a way for me to get the user by token. If the user does not exist we will create a user, else send a success response to the Android application.
Now in Socialite I cannot implement the specific method getUserByToken($token) since it's protected.
I am not proficient with Laravel. Can someone guide me?
Thanks, Pavan
Socialite is not an authentication library but a library that provides an interface to OAuth for many social networks.
In order to do what you want you should look at the auth library http://laravel.com/docs/5.0/authentication and I guess that the getUserByToken should go to your User model.