I have an App Service with a Mobile App in Azure cloud platform. The backend API is made using the Easy APIs in Node.js. In the same Resource Group there is also a SQL Server and a SQL Database. The client applications(Android,iOS and a Web app in Angular, PHP or Python) have to authenticate in order to call the API apps.
I am very confused regarding the authentication mechanisms. I want to make a login page for my users in the iOS, Android and Web application but I don't know how to design the authentication mechanism. Potential users will be all the clients who download the mobile applications and a few premium clients.
Should I pick the Azure Active Directory solution or should I make my implementation using the database as storage?
Actually, Azure Mobile Apps in Node.js backend are express.js applications running on Azure App Services. And the Mobile-Apps-SDK in a middleware of express.js. So it depends your requirement. The default authentication mechanism in mobile-apps-sdk is implemented via Azure gateway auth. Also you can implement your own custom auth.
If you have control over your mobile app and you want to just use the regular Facebook, Twitter, Google and Microsoft sign-in controls, then use the Azure gateway available in Azure Mobile Apps to get a mobile apps token. There are controls available for iOS, Android, Apache Cordova and Xamarin. You can also do a redirect to use the web. You can refer to Add authentication to your Android app
Otherwise, you can custom authentication and can provide your own token generator. You can use a third party authentication provider like Auth0.
You can refer to https://shellmonger.com/2015/10/06/azure-mobile-apps-nodejs-and-authentication/ for more information.
Related
I use Google OAuth to sign in my Web Application which was created as a project in Google Cloud Platform i.e. Project1.
I have a user with custom role in this project. After I logged in with my Google account, I'm able to get userinfo using Google_Client (PHP library - google/apiclient). However, I'm having a hard time figuring out how to get the custom role for the logged in user. I tried using Google_Service_iam but get Uncaught Google_Service_Exception: 404 Not Found.
Is this a correct way of building a role based control web app utilizing Google IAM?
Although it would be somehow possible by building it yourself, I would not directly use IAM as an authentication provider. Instead, use the Identity Platform or something like Auth0 or Okta. Myself, I prefer Firebase Authentication, which integrates easily with all popular languages and frameworks.
IAM is meant to authorize users within GCP, and not in a custom web-app. In your setup, you would have to add every future user to Gsuite and IAM, which is very costly and not designed for this purpose.
I would recommend taking a look at the Authentication Strategies for application developers.
Since you need to grant to Google Cloud APIs on behalf of an end user, you may use the protocol OAuth 2.0 protocol. The application initiates an OAuth consent flow where you application will receive the user's credentials. With these credentials, it can call Google Cloud APIs on behalf of the user.
Another solutino as Nebulastic also suggested, is the Cloud Identity Platform, where you can configure custom claims to restrict a user's access to a resource depending on their role.
I'm dealing with a project where I have a frontend build with React, which connects to an API build with API Platform, and uses an external user provider which implements oauth2 and OpenID protocols (Keycloak).
I think that I can configure API platform as an oauth2 client (through oauth configuration section, but I'm not sure if it will be an oauth client or a server), but I also need to get user information from the OpenID server to store information about the user who has created an entity (the owner).
Is there any way to do that? Or is better to not use API Platform and implement my own API which connects to the OpenID server?
Thanks in advance!
Yes, It is advisable for API Platform to act as a Oauth 2.0 client for external oauth 2.0/OpenId provider in this case, Also It provides a benefit of storing the clientId, clientSecret and other configuration on API platform itself instead of storing on react frontend. Also you can store tokens, expiry, refresh tokens, Other scopes on API platform corresponding to the logged in userId and pass the same to react frontend when required.
For getting userinfo via openId connect, API call will be proxied via API platform to external OpenId provider i.e keycloak.
I've developed a website with the usual crud functionalities in Codeigniter and MySQL. I'm now tasked with creating a mobile app (with the same functionalities ) in Ionic 2.
To access my database with Ionic, I created a REST api -- which I was able to manipulate smoothly.
My questions are:
How, or can I, use my MySQL users' credentials to log in on my Ionic 2 app?
How can my web and mobile can share the same database?
I've been reading a lot about Fire base,etc. However, my tiny brain is unable to comprehend whatever I read. If anyone can point me to right direction, I would highly appreciate it. Thanks!
When developing an Ionic App you have to think of it as if you were developing a regular website. The only difference is that you have access to native device features with cordova plugins, but the whole flow is almost exactly like in a regular website (it is an angular application after all).
This means you can use your API just like you use it in your website. There is no need to use firebase. (Firebase is kind of like a database itself that you could use INSTEAD of your MySQL backend)
Totally agree with #Andreas. When you build a modern application that supports on the different platforms such as web or mobile, you need to design a standard API and then next step is to build a web application/mobile app to consume this API. And because of all the web/devices are all consuming from the same API, they are interacted with the same database. Unless they are using different API.
Can refer to the image below for easy understanding.
So talk about how authentication and authorization can be done from the mobile app or from the web app. You should take a look at OAuth2. It is a protocol for securing API services from untrusted devices, and it provides a nice way to authenticate mobile users via what is called token authentication.
The workflow will look like below, on both web and mobile app.
A user opens up your mobile app and is prompted for their username or email and password.
You send a POST request from your mobile app to your API service with the user’s username or email and password data included (OVER SSL for sure. If you don't know about it, google it).
You validate the user credentials, and create an access token for the user that expires after a certain amount of time.
You store this access token on the mobile device, treating it like an API key which lets you access your API service.
Once the access token expires and no longer works, you re-prompt the user for their username or email and password.
Reference
REST API from PHP
The ultimate guide for Mobile Security
I am having a PHP based application, that uses MySQL as the DB. I am currently trying to build a real-time messaging system for the users in the application. I have found Firebase to be a very good solution for building this. However, I am not sure if the architecture I am planning is compatible with the architecture am planning. Digging through the documentation didn't really get me the answers.
My Doubts are:
I don't want users to again login to use chat, so I want to
authenticated via the server (i.e from php).
I want, the further chat/messaging to happen from client to Firebase directly as I don't want to have unwanted overhead on my server, especially when a direct connection is not only supported but also efficient.
Can I authenticate via php and get some secret key or something and then use that to connect securely via Js?
I found this link which talks about custom authentication system. But am not sure, if this is what I have to use. And if the solution am planning is scalable and ok.
Firebase Auth persists the session on the client via localStorage/indexedDB and is a headless API that doesn't require a hosted server. So you are not required to authenticate the user via your server.
You can definitely build the messaging app entirely on the client with real-time database without routing traffic to your server. Here is an example of a chat app built with Firebase: https://github.com/firebase/friendlychat
If you already have an existing authentication system, you can use custom auth which requires that you mint a custom token after you authenticate a user with your system, you then send that custom token to the client and then signInWithCustomToken. Here is some code to create a custom token with PHP: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_the_firebase_admin_sdk
If you don't have an existing auth system, you can entirely run the authentication on the client side. Another good library for authentication that is built on top of Firebase is FirebaseUI: https://github.com/firebase/firebaseui-web
Seeking for guidance on the subject as I'm really stuck on this, I have a internal URL for an App made on PHP and I want to connect to Azure Active Directory.
So far I've reviewed an example from Microsoft using SimpleSAML but it's really outdated and I'm having troubles adapting it for the newer SimpleSAMl code.
Is there a better way to integrate a web application with Azure AD? I read somewhere that I may use Get started with Mobile Services but I would like to hear from previous experiences on what is the best/current method for using Azure AD for login on PHP?.
-- EDIT --
By integrate I mean to allow people authenticate and retrieve the email address or EmployeeID from the Azure AD to provide SSO support.
There are several scenarios Azure AD supports, depend on what you use Azure AD for. Basically, to access the resources via Azure AD from PHP web application, you can refer to Web Application to Web API section to understand this scenario and get started.
To integrate Azure AD in PHP web applications, we need to follow authorization code grant flow steps to build several custom HTTP requests. E.G. To get access token via OAuth 2.0 protocol, we should refer to the steps on Authorization Code Grant Flow, generally, we will build 2 HTTP requests to get access token:
1,Request an authorization code
The build-up URL will redirect to the sso page, after login we can get the code value which will be used in next step.
2,Use the Authorization Code to Request an Access Token:
Then we can use the access token to add the JWT string with a “Bearer” designation in the Authorization header of the request to the resource web API.
Here is a PHP test project provided by Azure for your reference.
we are migrating our AD to Azure AD and we would like to have SSO support for the internal web apps, so that when they log in into their PCs the use the azure app proxy and they're signed automatically on the PHP web apps. Is this possible?
#Vladimir, Base on my experience, it is possible. There are some scenarios you can refer to. You may need use Azure AD Connect to sync your local AD to Azure AD, and enable Azure AD SSO to integrate with you php application in your scenario.
Firstly, If you wants to integrate your On-premise AD on Azure AD, you should use the tool -- Azure AD Connect, which is used to sync up your AD into Azure AD. Please see this tutorials and video. For this action, you need have the IT administrator permission.
Secondly, you need use Federated Single Sign-On and other methods for your application on Azure Portal. You may need to configure your PHP application like this video:https://channel9.msdn.com/Blogs/Open/Using-SimpleSAML-to-authenticate-PHP-applications-with-Azure-AD.
And if you wants to get the users information, you may need use Azure Graph API as Gary's post.