I am building a backend rest api for a android application. It authenticates user and sends the token in Authorization HEADER. I am extracting the token from header in a custom middleware . Now I tried to check with Socialite whether it provides a way for me to get the user by token. If user does not exist we will create a user else send response as success to android application.
Now in Socialite I cannot implement specific method getUserByToken($token) since its protected.
I am not proficient with laravel. Can some one guide me?
Thanks, Pavan
Socialite is not an authentication library but a library that provides and interface to Oauth for many social networks.
In order to do what you want you should look at the auth library http://laravel.com/docs/5.0/authentication and I guess that the getUserByToken should go to your User model.
Related
I'm having difficulties combining Laravel passport with Laravel Socialite. I have an API with OAuth2 implementation using passport. The API is used by a SPA (Nuxt). The SPA uses the password grant flow for 'regular' login using an email and password. The SPA also provides the options to login through Google or Facebook. Socialite handles the login flow with google/facebook but I don't know how to get access/refresh tokens for my API after the socialite flow.
I can't use the password grant since this requires a password. Which grant could/should I use and for what reason? Also how do I get the access/refresh token from my API to my SPA in the google/facebook callback? SPA -> API communication is straight forward but two way communication would require event broadcasting (WebSockets) or some sort of solution.
For clarification:
Single sign on flow:
In the SPA login view open google/facebook login through button
Login on google/facebook
Redirects to API on success
Handle callback (get access/refresh tokens and send these to SPA).
The scenario
So I am building an app that should display data from my Xero account to the users. Users should not be able to login via OAuth2 to my web app so that's why I need persistent auth token that is independent from the users login. The current API authentication implementation from Xero does not allow that and the token expires in 30 minutes so I need a way to do this somehow in the background or with any kind of persistent token (which is not available as I can see in their docs for Auth)
Stack
I am using Laravel with the package Xero Laravel and this one's using the XeroPHP package in its core as dependency. Currently I am using Postman to do refresh token requests and I am adding the token manually (for testing purposes of course). This should not be the case when it goes on production, though. So I need a way to somehow "store" or refresh the token globally for the whole app and using only my account as an Authorization to Xero.
Problem summary
My web app need to fetch data (invoices data in particular) from my Xero account and no OAuth tokenization is required for the users (since I am using the native Laravel Auth for this purpos) that are going to read this data in a GUI.
How should I accomplish this without OAuth2 (if there is any way) or how I can do this if only my account is the "global" one for the app?
The other comments are correct that there is an initial required step to have the user that you are calling API endpoints on behalf of to authorize your API application.
Once you have their valid token_set ( access_token, refresh_token, expiry, etc.. ) you can store that securely and continue making offline_access api calls on their behalf. Note that you must programmatically refresh the token_set at least once every 60 days for it to remain valid.
I'd also recommend checking out the Xero supported libraries for help getting started quickly:
https://github.com/XeroAPI/xero-php-oauth2
https://github.com/XeroAPI/xero-php-oauth2-starter
Thanks to #droopsnoot for linking the video explaining how this works:
https://www.youtube.com/watch?v=Zcf_64yreVI
I am developing an android application and using firebase for the authentication. When a user signs up or logs in, I save the uid generated by firebase on my DB through my API which is built using laravel framework. How exactly do I go about protecting my API endpoints as authentication is not carried out through the API but with firebase? Thanks
Even though your authentication is completed by Firebase, you would just need to prevent unauthenticated requests to your API to be responded and this is done entirely on your API, once a user is authenticated through Firebase, you handle all control to your API, else return to Firebase for authentication.
I'm using UserFrosting to manage users with PHP, in my API and I want to use the login function in controller with POST method.
When i call the login function it return me as response
The CSRF code was invalid or not provided.
I still cannot get the csrf_token
Any idea?
There is a UserFrosting Sprinkle that implements JWT authentication: https://github.com/x00x70/tokeniser
Join us in chat if you have any questions about its use!
If you're developing an API (either for it to be consumed by an webplatform or mobile app) I belive it's better to have a different kind of authentication, namely, JWT authentication. In Laravel you have Passport to handle this Authentication with ease.
I'm not sure how userFroasting uses laravel but if laravel version is above 5.3 you can use it.
If it isn't there's always the option of making a costum JWT authentication.
Here is the latest documentation for Passport https://laravel.com/docs/5.5/passport.
We have an app that uses the OAuth2 Google sign-in system and we want to store data from the users that sign in into our app on our back-end during the initial registration.
This is the way we got it set up:
Users signs in with the app using Google sign-in
We get an ID Token and send this to the server
On the server we verify this token is valid using Google library and save the info we get back from the verification
We also need the user to be able to update/insert data into the back-end when he's authenticated.
After the initial registration, how do we do this?
Do we send the ID Token from client to server each time they call the API on our back-end? In this case how to handle expired tokens?
If you want to make your API a first-class citizen in your system and have it require access tokens that are specifically issued to it instead of accepting Google authentication related tokens that were issued to your client application then you need to have an authorization server that specifically issues tokens for your API.
This authorization server can still delegate user authentication to Google, but then after verifying the user identity it will issue API specific access tokens that better satisfy your requirements, like for example, including specific scopes then used by your API to perform authorization decisions.
For a more complete description of this scenario you can check Auth0 Mobile + API architecture scenario.
In this scenario you have a mobile application ("Client") which talks to an API ("Resource Server"). The application will use OpenID Connect with the Authorization Code Grant using Proof Key for Code Exchange (PKCE) to authenticate users.
The information is Auth0 specific and you can indeed use Auth0 as an authorization server for your own API while still maintaining Google authentication support, however, most of the theory would also apply to any OAuth 2.0 compliant provider.
Disclosure: I'm an Auth0 engineer.