I'm working in an SPA (single page app), witch my idea is to deploy it in app.mydomain.com, and the thing is when a make a request to the API (CakePHP3 in mydomain.com) I cannot get data from authenticated user (if there is one).
I think I have two options, share session between domains, or use an user_token to make an authenticated call, but i'm not sure how it's works.
Any ideas / recomendations?
Regards!
I would recommend to use an "user_token". You could add an authentication endpoint to your API where the user sends the credentials and the endpoint returns an JWT. Then you should include this JWT in every subsequently request to your API (in the Authorization header). The API can then validate the request based on the JWT. In PHP there are already some good libraries to create and validate an JWT. If you have the time you should also take a look at OAuth2.
Related
I have a CodeIgniter App that is made of 3 parts:
The API, basically is a separate entity, with its own location
The CodeIgniter back-end that renders the pages
The FrontEnd of the app, mostly jQuery.
I have a login system based on session and cookies. Basically the authentification data is stored on the client (browser).
A user authentificates with email and password. The backend looks for a authentification cookie and knows if it is logged in or not. If I make an AJAX request to the API directly, the API also knows if the user is authentificated.
Problem: I want to render some data server-side (That means I need to make a call to the API from the backend. It's a server to server communication. They are located on the same machine. ).
The API tells the backend that it's not authentificated, because obviously no cookie is set on the backend.
How do you pass authentification data from backend to api?
I might pass the userID via a secure endpoint that can be accessed only via the server to server communication, but I don't like the idea.
Any solutions to this? I read about oAuth and JWT but don't understand how they might help me.
the API should be built on top of the back-end. meaning the request is handled by API, then activates a function in the back-end and sends a response back to the client who sent the request(according to the result of the function in the back end). JWT json web token, is a token provider which means once you log in you get back a token "string" that is stored in the data base, in the request for the API you add the token to the header named Authorization instead of sending user and password everytime and you can extract the user info out of the token itself.but still there is need to check the validity of user and pass somehow at the first time.
basically you should send from client to API, API to server and then for response server to API and API to client. by server i mean back-end.
I am developing an application from where I would like to create Campaign with list. The application flow is like this, User will click a Button then user will redirected to MailChimp login page, User will come back to my site after Logged in where URL is http://127.0.0.1:8000/home?code=f0f6949c8b5286c38a90aa4820776e14.This code is Authorization Code.
Now I would like to fetch Lists of that specific user who is logged in few moments ago. I can fetch my Lists using API key, but I need users Lists, I don't know users API key.
How can do that ?
I think I need OAuth 2 token of MailChimp API call to fetch User's Lists. How can I get OAuth 2 token of MailChimp API call ?
Thanks
From the MailChimp documentation (source: http://developer.mailchimp.com/documentation/mailchimp/guides/how-to-use-oauth2/)
How to Use OAuth2
For developers integrating platforms that require clients to access MailChimp’s servers, we recommend using OAuth2 for authorization. OAuth2 is a secure option that allows third-party applications to access a server without passing user credentials or API keys.
Before You Start
Here are some things to know before you begin the OAuth2 process.
Our server implements v10 of the OAuth2 specification, and supports Web Server Flow.
On the server side, OAuth2 is pure HTTPS, so we recommend using HTTPS for your redirect_uri.
We don’t expire tokens, so you won’t need to use refresh_token.
Register Your Application
When you’re ready to begin, register your application with MailChimp:
In your MailChimp account, navigate to the Account page.
In the account drop-down menu, click Extras, and choose API Keys.
Under the “Developing an App?” heading, click Register and Manage Your Apps.
Click Register an App.
In the fields provided, input your application’s information and click Create.
When creation is successful, you’ll see an Application created message appear, and more information at the end of your form, including the Client_ID and Client Secret. Do not share the Client_ID and Client Secret.
On this screen, you don’t need to save or change the information. Click Update or Cancel to go back to the Registered Apps page, or close the window.
Endpoints
OAuth2 exposes three specific endpoints, and one for metadata.
authorize_uri
https://login.mailchimp.com/oauth2/authorize
access_token_uri
https://login.mailchimp.com/oauth2/token
redirect_uri
Client-side, made available to the browser in use.
metadata
https://login.mailchimp.com/oauth2/metadata
Note
We support wildcards for the redirect_uri so you can provide
data-center-specific information for proper API calls. Wildcards work
as long as the redirect_uri appears to be a user-registerable domain
under a top level domain. For example, if you enter https://co.uk/ as
a redirect_uri, wildcard support won’t work. If you enter
https://mydomain.co.uk/, wildcard support will work. Domain detection
is based on these criteria.
A redirect_uri will also override the path portion of a URL, as well.
For example, a redirect_uri set to https://test.example.com/oauth.php
means that any URI starting with either test.example.com or
*.test.example.com will work (i.e.: https://test.example.com/somethingelse.php is valid).
Flow
To start your application’s connection to MailChimp, start by sending the user to the authorize_uri.
The user will input their username and password to approve your application. “Remember Me” cookies aren’t permitted here.
After the user authorizes your application, our server will redirect your user back to the redirect_uri, along with a code you can exchange for an access_token. The code is valid for 30 seconds.
Your application should then make an out-of-band request to the access_token_uri using the code our server provided.
Our server returns an access_token, which completes the official OAuth2 flow.
To complete the MailChimp flow, make another RESTful request using an OAuth2 client to the metadata_uri.
Our server will return a datacenter string, API endpoint, and login URL, as described in the following list.
dc:
The data center string, like us1, us2. If your API wrapper is data center aware, use access_token-dc as a standard API key.
api_endpoint:
Use https://{dc}.api.mailchimp.com. If you your API wrapper isn’t datacenter-aware, use this API endpoint and the access_token as your API key.
login_url:
https://login.mailchimp.com
Note
The access_token is used as an API key. Users don’t have access to these keys because they are tied directly to your
application. But, the user can de-authorize your application in
MailChimp, which removes and invalidates the token.
Configuration information
User-Specific configuration
client_id
635959587059
client_secret
0da3e7744949e1406b7b250051ee1a95
redirect_uri
http://192.168.1.8/oauth/complete.php
MailChimp standard OAuth2 configuration
authorize_uri
https://login.mailchimp.com/oauth2/authorize
access_token_uri
https://login.mailchimp.com/oauth2/token
base_uri
https://login.mailchimp.com/oauth2/
MailChimp custom configuration
metadata_uri
https://login.mailchimp.com/oauth2/metadata
I am developing a backend for mobile app. I have developed a user authentication module where, the app will be sending the username and password as basic auth and if the user is authenticated I will sent back a jwt token which can be used in the rest of the requests.
On the client side, once after a user is logged in, the app shows him a feeds screen which contains some data.
Now do I need to seperate these two APIs? Like once a user is logged in successfully, he will be sent back the jwt token and well some user details. Should I sent the data which is required for the dashboard screen as well as a response for login? In that the case the app will get datas in a single api request (login) and doest have to make another call to my API.
Is this a right approach?
Ideally it should be kept seperately but I think that depends. If making that single request is (and will ever be) the only thing the application does, I see no reason for making 2 requests. You can simplify things by making just 1 request.
But, if your application is going to be extended or if its already got other features i think it is best to keep them seperate. Since then you'll have more flexibility with your application.
Yes ,You should separate those two authentication and dashboard REST API as-
It could be possible that there should be more client app using your Rest API in future and they may not require dashboard data.However you can have mechanism to share user detail in authentication API itself as you are anyway authenticating user .However share access token in authentication api along with it's expiration timestamp .Some of Client app which are using your REST API might have use case of autologout from app based on accesstoken get expire.In such case expiration time would help.
I am working with PHP and Laravel at the moment, I have a restful api that the user needs to authenticate with to make sure they can only access things they own etc.
What I want to know is where should the token from the server be saved on the client? In a session a cookie? The servers database?
I suggest to go the following route:
the user logs into your site and requests a API usage token
when a new request to your API comes in, compare the token from the incomming request, with the token in the db. if it is found, it's a valid request. the REST client could use the Authorization header to send the token.
send the answer for the request
While the login system of your website, might be session-based with cookies on client-side, the REST API is token-based and doesn't need a cookie or session.
Please take a look at this for more details:
https://softwareengineering.stackexchange.com/a/141434/111803
I want to register users to my webinars after they submit a form in my site, this is common practice but I'm having problems authenticating my application.
The problem is that according to the documentation Citrix doesn't support username-password authentication flow (where you put your user and pass in a request and you get a token):
https://developer.citrixonline.com/content/username-password-flow
Instead users need to be directed to a login page to complete their Citrix account credentials, supposedly this can be done by me just once and then save the token, however I couldn't find a method to do it safely, I tried once to save the token and just the next day it was expired. So how can I make sure I get a fresh access token without
I'm using this PHP library which is supposed to simplify the login process (maybe there is some clue in it):
https://github.com/jakir-hayder/Citrix-GoToWebinar-PHP-Library
First, read this primer on OAuth workflow to ensure you have the terms and concepts down pat. (You can ignore the fact that the example is for SalesForce -- OAuth is all the same.)
Then, you should understand that you're looking for the Citrix Token Request Endpoint, which they happen to call "Direct Login".
That should let you pass the username/password to get the token to use in subsequent requests. That what you need?
I would use Fiddler or Wireshark to collect the API calls that are made to the Citrix API when you log in. Then add some code in your applicaiton to send the same requests, parse the response that has the access token, and dynamically use that token however you've already got it set up in your application.