PHP - OAuth2 force Github reauthorizations (relogging) - php

For security reasons I need GitHub to ask the user to log in again, to confirm that it's actually the owner of the GitHub account who is trying to use OAuth2 on my current single-sign-on project.
For LinkedIn and Google I am having the same issue; for Facebook there is an option in developers.facebook.com that forces reauth for OAuth2 every time, but for now I've used this code to force Facebook reauth:
public function getRequestParams() {
    // Facebook-specific authorization parameter: ask Facebook to prompt for credentials again
    return array(
        'auth_type' => 'reauthenticate'
    );
}
I was searching all afternoon yesterday and have also spent my whole morning on it again now. This is a MANDATORY thing for the customer's web application: the application MUST reauth for LinkedIn/Facebook/GitHub/Google. I can probably get it to work with LinkedIn/Google, but I don't see any solution for GitHub.
Simply asking for a new token doesn't do anything either, because then the GitHub account is still logged in and will just automatically authorize it. And obviously I can't tamper with the cookies from another URL.
Is there any way I can do this? I am pretty sure there is no way at all to do it via an OAuth2 parameter (or else I would be able to add it to my abstract class, allowing it to work with any single sign-on I add, which would be optimal but seemingly impossible).
I've asked a similar question here for OAuth2, but I believe it's just not possible: OAuth2 Single-sign-on component, force reauthentication
But specifically for GitHub: is there any possibility to force the user to log in every time an OAuth call is made?

So I've been working quite a lot more on our SSO adapter and I've had to conclude that it is impossible to do this. These are the two conclusions I came to.
OAuth2 is a framework that does not offer any functionality; you use it, for example, to make something abstract and use the same methods for GitHub/Facebook/LinkedIn/etc. without having to use 5 different SDKs.
If the social media site doesn't offer the functionality then you can't do it, unless you want to do some borderline hacking and destroy the user's sessions/cookies or whatever. Even if it were possible it possibly isn't legal, and it surely isn't user friendly.
We've ended up accepting that there's a small chance that someone can exploit logging in to another user's account like that, but considering you need physical access or have to be able to remote control someone's computer, we decided that this is something that the user is supposed to control and we really can't do more about it unless we do not offer the social media login at all.
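The abstract-adapter idea from the question, as an added example that is not the question's own code: each provider contributes its own reauthentication parameters (auth_type=reauthenticate is Facebook's, taken from the question; prompt=login and max_age are OpenID Connect Core parameters, available only from providers that implement OIDC, which plain GitHub OAuth does not), and the server then checks the ID token's auth_time claim instead of trusting that the hint was honoured. The class names, the issuer URL and the freshness helper are assumptions.

```php
<?php
// Added example: per-provider reauthentication parameters plus a server-side
// freshness check. Class and method names are assumptions, not the question's adapter.

abstract class SsoAdapter
{
    // Providers override getRequestParams() to append whatever reauthentication
    // hint they support; GitHub has none, which is the question's finding.
    abstract protected function getAuthorizeUrl(): string;
    abstract public function getRequestParams(): array;

    public function buildAuthorizeUrl(string $clientId, string $redirectUri, string $state): string
    {
        $params = array_merge([
            'client_id'     => $clientId,
            'redirect_uri'  => $redirectUri,
            'response_type' => 'code',
            'state'         => $state,  // CSRF binding, needed for every provider
        ], $this->getRequestParams());
        return $this->getAuthorizeUrl() . '?' . http_build_query($params);
    }
}

class FacebookAdapter extends SsoAdapter
{
    // Unversioned Facebook login dialog; auth_type=reauthenticate is the question's parameter.
    protected function getAuthorizeUrl(): string { return 'https://www.facebook.com/dialog/oauth'; }
    public function getRequestParams(): array { return ['auth_type' => 'reauthenticate']; }
}

class OidcAdapter extends SsoAdapter
{
    // Placeholder issuer. prompt=login and max_age are OpenID Connect Core parameters;
    // a compliant provider re-prompts and then includes auth_time in the ID token.
    protected function getAuthorizeUrl(): string { return 'https://issuer.example/authorize'; }
    public function getRequestParams(): array
    {
        return ['scope' => 'openid', 'prompt' => 'login', 'max_age' => 0];
    }
}

// Do not trust the request parameter alone: once the ID token signature has been
// verified, require that the user actually authenticated within $maxAgeSec.
// $claims is the verified ID token payload; a missing auth_time means the provider
// ignored the hint, so the login is treated as not re-authenticated.
function authenticationIsFresh(array $claims, int $maxAgeSec, int $now): bool
{
    if (!isset($claims['auth_time']) || !is_int($claims['auth_time'])) {
        return false;
    }
    return ($now - $claims['auth_time']) <= $maxAgeSec;
}
```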

Related

Is it a good idea, to use Google Oauth 2.0 for login and permission administration?

I'm currently working on a project where the developer before me implemented the login into an internal tool via Google OAuth 2.0.
He does that by just grabbing the user's domain after authenticating with Google and checking if it is "ourCompany.com".
If yes, he renders the page; if not, he redirects the user to the login.
(So basically he does one OAuth request per page view.)
I'm pretty new to OAuth 2.0, but as far as I understand it, this is not how it should be used?
He wants to use OAuth because his idea is to organize all our employees via Google groups/organizations and thus have a central place to give and take permissions. (Which I have to implement now.)
He said I should "just also get the groups on each request" and that's it.
(Which I tried, btw., as a "quick win", but I couldn't manage to get them from Google yet; not sure if it is even intended.)
My understanding of how this should work is the following:
The user is redirected to the Google OAuth 2.0 service with a scope to get his groups/organizations.
We get back an access token, which I would then use to ask the Google API for the user's groups/organizations.
Based on this information I would then set the user's rights in our application itself. (For example, if the user is in a Google group "author", I would give him the author role in our application.)
The user then gets logged in via a "normal" PHP session, which takes over for the rest of the application, instead of always asking the OAuth service.
Does this approach make sense, or is my colleague right with his implementation? The only benefit I see in his solution is that we get "real time" information on whether the user is still in a group or not.
But from what I've read about OAuth 2.0 so far, his implementation does not feel right to me; on the other hand, I don't feel confident enough on this topic to say it's wrong.
So any explanations/opinions would be very welcome.
Additional information about the project:
We use Laravel 5.4
I thought about using the "socialite" plugin (https://github.com/laravel/socialite) and for permissions (https://github.com/spatie/laravel-permission)
If the intended user groups in your application are the same as the Google groups configured for your domain, then I think it's OK to use the Google domain groups. If not, you could use new groups (possibly with some prefix like myApp-group1), but you could end up with many groups if multiple applications do it.
There is also the question of who can modify the Google domain groups. Is it the same person/role who would have the right to modify permissions in your application?
I would consider creating separate access management for the application if:
There is a chance of people outside of your company using the application.
You needed to modify existing Google groups (if there are some) just to make them fit your application.
It looks like you can read a user's groups via the Google Directory API with an access token containing the scope https://www.googleapis.com/auth/admin.directory.group.member.readonly. But I have no experience with it.
I think it's common to use LDAP (or MS Active Directory) as access management for in-company applications, so the idea of using Google groups is not strange.
The auth sequence you described looks correct.
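The server side of the sequence the question describes, as an added example that is not the project's code: a domain check on the verified ID token, a Directory API lookup of the user's groups, the group-to-role mapping, the hand-over to a normal PHP session, and a refresh interval that limits how stale the cached roles can get (the "real time" concern). Assumptions: the function names, the group-to-role table, and that the ID token and access token passed in have already been validated; the Directory API call shown is groups.list filtered by userKey.

```php
<?php
// Added example (not the project's code): the post-redirect part of the flow the
// question describes. Function names and the group-to-role table are assumptions.
const ALLOWED_DOMAIN = 'ourCompany.com';   // the domain the existing check compares against
const ROLE_TTL_SEC   = 300;                // re-read group membership after 5 minutes
const GROUP_ROLES    = [                   // constructed table: group email -> app role
    'author@ourcompany.com' => 'author',
    'admins@ourcompany.com' => 'admin',
];

// Domain check on the verified ID token claims. Google sets 'hd' for hosted-domain
// accounts; matching only the email suffix would also accept a consumer account
// whose address merely looks like it belongs to the company.
function userBelongsToDomain(array $claims): bool
{
    return isset($claims['hd']) && strcasecmp($claims['hd'], ALLOWED_DOMAIN) === 0
        && !empty($claims['email_verified']);
}

// Directory API groups.list filtered by member; the access token must carry a
// Directory scope that permits listing groups. Returns the groups' email addresses.
function fetchGroupEmails(string $accessToken, string $userEmail): array
{
    $url = 'https://admin.googleapis.com/admin/directory/v1/groups?userKey=' . rawurlencode($userEmail);
    $ctx = stream_context_create(['http' => ['header' => "Authorization: Bearer $accessToken\r\n"]]);
    $body = @file_get_contents($url, false, $ctx);
    $data = $body === false ? [] : (json_decode($body, true) ?: []);
    return array_map(fn($g) => $g['email'], $data['groups'] ?? []);
}

// Translate group membership into application roles; unknown groups are ignored.
function rolesFromGroups(array $groupEmails): array
{
    $roles = [];
    foreach ($groupEmails as $email) {
        $key = strtolower($email);
        if (isset(GROUP_ROLES[$key])) {
            $roles[] = GROUP_ROLES[$key];
        }
    }
    return array_values(array_unique($roles));
}

// Hand over to a normal PHP session: regenerate the id so a pre-login session
// cannot be fixated, and record when the roles were last refreshed.
function startLocalSession(array $claims, array $roles, int $now): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $claims['email'];
    $_SESSION['roles'] = $roles;
    $_SESSION['roles_checked_at'] = $now;
}

// Cached roles go stale; once the TTL has passed, call fetchGroupEmails again and update the session.
function rolesNeedRefresh(array $session, int $now): bool { return ($now - ($session['roles_checked_at'] ?? 0)) > ROLE_TTL_SEC; }
```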

Integrating SSO across different domains using a web service?

I have 3 different domains: domain-a.com, domain-b.com and domain-c.com,
and I want to use SSO: if you log in to one of these domains you have access to all the other domains.
1 - using cookies is impossible because we can't share the same cookie across different domains
2 - I'm thinking about using a web service, but I'm not good at that, so I'm wondering if it's a good solution
If you have any suggestion or recommendation or anything, please, I need you.
You can't share cookies, but you don't need to.
Let's say your SSO runs on sso.domain.com.
You want to log in on a.domain.com:
Make an XMLHttpRequest to sso.domain.com to check if you have a session.
If you have a session and are logged in, you get a login token back.
You pass the token to application A with an XMLHttpRequest. It sends a request to sso.domain.com to verify the token and get the user credentials.
You are now logged in on a.domain.com.
This setup requires Cross-Origin Resource Sharing to be enabled on the SSO domain. The CORS implementation allows you to do the login process in the background; no redirect is required.
For an in-depth look at CORS see: http://fritsvancampen.wordpress.com/2013/02/03/cross-site-origin-requests-aka-cross-origin-resource-sharing/
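The hand-off described in this answer, as an added example that is not the answer's code: sso.domain.com answers the cross-origin request with a CORS allowlist that permits credentials, mints a short-lived token bound to the application that asked for it, and the token is verified (signature, audience, expiry) before the user id is trusted. Host names follow the answer; the shared key, TTL, token format and function names are assumptions.

```php
<?php
// Added example (not the answer's code): the hand-off described above, with
// sso.domain.com minting a short-lived, audience-bound HMAC token that is
// verified before the user id is trusted. Key, TTL and function names are assumptions.

const SSO_KEY         = 'placeholder-replace-with-32-random-bytes';  // shared with the apps
const TOKEN_TTL       = 60;                                          // seconds; one-shot hand-off
const ALLOWED_ORIGINS = ['https://a.domain.com', 'https://b.domain.com'];

// SSO side: CORS headers for the XMLHttpRequest. Credentials (the SSO cookie)
// only travel when the origin is echoed back explicitly; '*' is not allowed with them.
function corsHeadersFor(string $origin): array
{
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];                      // unknown origin: the browser blocks the response
    }
    return [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin',
    ];
}

// SSO side: mint a token for a logged-in user, bound to the application that asked.
function issueLoginToken(string $userId, string $audience, int $now): string
{
    $payload = base64_encode(json_encode(['sub' => $userId, 'aud' => $audience, 'exp' => $now + TOKEN_TTL]));
    return $payload . '.' . hash_hmac('sha256', $payload, SSO_KEY);
}

// Verify signature, audience and expiry before trusting the user id. In the answer
// this check runs on sso.domain.com when application A presents the token.
function verifyLoginToken(string $token, string $expectedAudience, int $now): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, SSO_KEY), $mac)) {
        return null;                    // constant-time comparison of the MAC
    }
    $claims = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($claims) || ($claims['aud'] ?? null) !== $expectedAudience) {
        return null;                    // token was issued for a different application
    }
    if (($claims['exp'] ?? 0) <= $now) {
        return null;                    // expired
    }
    return $claims['sub'];
}
```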
I use SimpleSAMLphp (https://simplesamlphp.org/).
This allows me to have a single place where I can ask if users are logged in. The whole thing uses SAML2, which is a secure markup language (http://en.wikipedia.org/wiki/SAML_2.0).
It can be a steep learning curve to make it work, but it's very safe and everything is encrypted using certificates. The nice thing is that you can use all the IdPs (identity providers) you can think of. This means you can implement Facebook, Google, etc. logins as well as custom logins.
Another great thing is that it provides SLO (single logout) as well. This will trigger logouts in all the applications that are currently logged on.

Website/Facebook Interface Requirements for Minimal Information Retrieval

I am working on a website which will allow registered users to link with their Facebook account and periodically, the site will poll their information and post back to their Facebook page.
The site is Joomla based, so using the PHP API seemed most sensible, but I'm not sure.
I've looked at the Facebook documentation and it seems confusing. Do I need to write an app and get it approved, or is there a simpler way?
If I need to write an app, is there any way to develop and debug the app before getting approval, and only turn off sandbox mode after approval has been achieved?
What would be the simplest way to implement this so I can retrieve some Facebook info and make posts to Facebook pages at later dates?
In future, I may wish to allow users who are logged into Facebook to automatically login to my site, but for now, I do not want this.
You will need to register an application. Being that this is not an application hosted on Facebook, there really isn't much of an approval process.
The PHP SDK would be required for what you want to do.
In order to post to Facebook or get Facebook account information, the user would need to authorize your application and provide permission for what you want to do.
Keep in mind that although a user can grant your application a key via which you can do things on their behalf on Facebook, this key will eventually expire if the user does not return to your application.
I would take a look at the Facebook API that was done for Summer of Code. It is currently in the platform tracker and you also need the OAuth1 API that she did. If you use that you'll have a good start on what you need.

Google Contacts API - No Redirection

I am currently working on a contact importer web app (in PHP) so I will be able to grab email addresses from a user's account on Gmail, Yahoo, etc. and use them for my own evil purposes. Just kidding, my web app is very friendly.
I thought I would start with Google. I found they have a fantastic little API called the Google Contacts API which lets a programmer like myself access a user's contacts.
After a couple of hours of struggling and throwing shitty code together, I ran into a few road-blocks. My main question is this:
Is there any way that I can have a user provide their username and password for Gmail on my website and have my code retrieve the contacts without that nasty redirection to a Google login page? It kind of ruins the whole flow of my web app.
I've looked into AuthSub, and gotten that to work, but of course the catch is that you have to redirect the user to obtain the access token. It looks like OAuth will have this same catch.
The one ray of hope I have is the ClientLogin method of authentication. Again, there is a catch, sometimes Google throws you a CAPTCHA instead of the auth token. Again, the user flow is ruined.
I've noticed that our good ol' friends over at Twitter have it working just fine. Does anyone know how they do it?
Thanks!
I think you've identified a feature, not a bug. The whole point of OAuth is to prevent users from typing their passwords into third-party sites like yours: this way they can learn to only type their Google password when they're looking at a Google login page and not have to trust that you won't store their password and use it to read all of their email.
It does provide a small interruption in the flow of your web app, but OAuth generally provides a callback so that it shouldn't really be a large disruption. In exchange, your users can feel safer and you can avoid any issues of having to store (and then dispose of) user passwords.
In short, I don't think you'll be able to get around this. It's true that Twitter does currently allow it ("Basic Auth", where the username and password are sent directly), but that feature is planned to be deprecated by this summer.

OpenSocial authentication from external application

I'm working on a web project that isn't all that dissimilar in principle to power.com, where I am attempting to unify several different social networking sites under a single website, allowing users to register once with the system and then add as many of their individual social networking accounts (Facebook, MySpace, Orkut, etc.) as the system is built to handle, allowing them to browse their respective profile information in a single place.
Simply put, I can't seem to find a way to authenticate arbitrary users into their social network accounts.
I've been poring over the OpenSocial specifications, as well as the OpenSocial PHP client project, but I seem to be missing something, as everything is appearing to be circularly dependent.
My first problem is that, for testing purposes, I have a MySpace consumer key and consumer secret, but whenever I attempt to perform a 3-legged authentication with MySpace, there's no option for logging in as someone else. Plus, it performs an external redirect, which is somewhat undesirable (as a user of this eventual social networking "portal", I'd rather not have to go through that redirection process every time I add a new account).
How would I programmatically authenticate an arbitrary user and allow them access to their account information (preferably without the external redirection)?
Second, the 2-legged authentication requires a userId (usually an arbitrary integer) that identifies the arbitrary user to retrieve information for. However, when I enter my MySpace OpenSocial ID, along with the given consumer key and consumer secret, I am given a 401 Access Denied error. Furthermore, in order to use this ID in the future, it seems that I would need to authenticate the user first...but that authentication appears to require the ID.
I'm pretty convinced that I'm missing something trivial, but for the life of me can't figure out what it is. Help is greatly appreciated!
Technically this isn't my answer, but the developers at OpenSocial have provided me with the following information regarding my question (emphasis mine):
3-legged OAuth is built around the redirect back to the site you're authenticating with, and there's no way to avoid it. It's not the most convenient experience, but allows users to share their data with your website while keeping their passwords private. Any design which requires users to enter their MySpace password into a form on your website is considered an anti-pattern and should be avoided. You could potentially attempt the redirect in a popup window in order to make the experience a bit less jarring for the user (currently the PHP client doesn't make this that easy, but if you followed up at opensocial-client-libraries#googlegroups.com someone could help you work through that process).
With regard to not being able to change the user, what I believe MySpace is doing in your case is checking for a MySpace cookie and pre-populating your account information. If you were a user visiting the site and not logged into MySpace, you should get a full username/login box combination. There should also be a button or link somewhere to say "I'm not this user" and log in with other credentials.
As for 2-legged, you would need to have the application associated with the consumer key/secret installed on the profile of any user whose data you wish to access. 2-legged is mostly intended for developers who are currently running a social gadget on a container and wish to access social data for their application users out of band with a gadget render. In this case, the application server would already have the user's OpenSocial ID (from a signed makeRequest) and the user would already have the app installed on their MySpace profile.
Most of this is covered in http://wiki.opensocial.org/index.php?title=OAuth_Use_Cases if you want more information.
Essentially, this makes any use of 2-legged authentication on an external application impossible; 2-legged was explicitly designed not to be used in this sort of situation. Furthermore, it seems that power.com is indeed employing the anti-pattern of having users supply their actual Orkut/MySpace/etc credentials, so that explains that bit.
Clearing out my cookies worked to authenticate me through MySpace. However, I followed up with another question about how Orkut authentication would work, since it doesn't seem to support 3-legged auth. Here was the response I received:
Orkut is interested in supporting this, so you'll be able to allow users to share their information with your application "correctly" in the future. The corresponding two-legged app would need to forward the current viewer's OpenSocial ID back to your server, probably along with an authorization token you generate yourself so that you can link a user's session on orkut with a session on your own server. Honestly, it's probably not usable enough to support a standalone login system.
Essentially, no, Orkut really can't be hooked into an external app (at least, not yet) without resorting to the anti-pattern.
If anyone has any further information on this topic, please feel free to share!
The pattern is also mentioned here http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
Essentially a lot of the mashups would want this feature:
A 3rd party site which DOES NOT have a gadget wants to get the end-users' permission to access their data at the social network, for example to download their friend list, or to get permission to post to their activity stream
