I am here with some general discussion very famous and interesting topic "Token Based Authentication".
I need my registered users to login with API. Scenario is quite simple, We want to pass our login details to Server. Server will check the credentials with database. If credentials are proper then Server will create "Session Id" and return back to user (client end). In subsequent requests user just need to pass that "Session Id" to authenticate and access protected data.
Plenty of people suggest about OAuth 2.0 and also some people suggest about Custom Logic. In custom logic they asked to be very sure about security. I read documentation of OAuth and it's good and descriptive. I'm also liking it to use. But wherever I search for OAuth authentication, they are giving example of third party login.
I had installed Php OAuth extension at my side for supporting this feature. In examples they asked to create Request Token first using "getRequestToken" function. Using that Request token they asked to call "getAccessToken" function to get "Access Token". Using that Access Token just need to call "fetch" to get protected data.
Now my questions are,
In my scenario, Do i need Request Token? Is that possible to get Access Token directly
What is OAuth Consumer Key and OAuth Consumer Secret key? Do I need such keys in my application? I believe it's used to allow third party applications only. In my case I'm the resource owner and i'm the consumer.
Do you guys have any example for me to study?
Do you know any well known framework for OAuth for PHP?
Is that need any additional database support except "user" table? For storing OAuth details?
Any additional documents to study for this would be highly appreciated.
I read different Grant Types in OAuth but confused how to use to achieve my approach.
Thanks in advance.
From what I read, you do not need OAuth at all. OAuth is need if there is a third party involved that needs access to your user resources.
As you mentioned, you just need a Login API something like https://myserver.com/signin?user=john.doe#gmail.com&password=12345
After successful login, the server generates a GUID and stores it against the user. You can call it sessionId/cookieId anything you like. Response could be something like '{user:john.doe#gmail.com; sessionId=KJN93EJMQ3WEC9E8RCQJRE8F9E}'
For subsequent calls, the sessionId can be passed in the header.
Server validates the session and lets the user in.
Addtional considerations:
I am assuming your server is HTTPS and hence the user/pwd on the URL are encrypted.
For security you might want to invalidate the sessionId have the sessionId renewed periodically.
Have a logout on which you clear the sessionId against the User.
I think it standard stuff if not the logging in happening via REST.
The requirement that I posted before to login with OAuth2.0.
Usually people assume that OAuth2.0 is only for fetching data by Third Party application from resource center behalf of Resource Owner. That approach is called Authorization Code.
OAuth2.0 has various "Authorization Grant". There are four types,
Authrozation Code
Implicit
Resource Owner Credentials (User Credentials)
Client Credentials
After research, I realize that "Resource Owner Credentials" is best suitable for me. I found one perfect library that helps you to understand background process internally. Here's the GitHub link to download.
Found two major issues here,
When I use my Access Token created by my Mozila in Chrome. Surprisingly, It's allowing me to access my private data from other browser.
I'm unsure but will this approach work same with AJAX type of calls (jQuery tool)
If anyone has idea then please share.
Thanks,
Sanjay
I want to register users to my webinars after they submit a form in my site, this is common practice but I'm having problems authenticating my application.
The problem is that according to the documentation Citrix doesn't support username-password authentication flow (where you put your user and pass in a request and you get a token):
https://developer.citrixonline.com/content/username-password-flow
Instead users need to be directed to a login page to complete their Citrix account credentials, supposedly this can be done by me just once and then save the token, however I couldn't find a method to do it safely, I tried once to save the token and just the next day it was expired. So how can I make sure I get a fresh access token without
I'm using this PHP library which is supposed to simplify the login process (maybe there is some clue in it):
https://github.com/jakir-hayder/Citrix-GoToWebinar-PHP-Library
First, read this primer on OAuth workflow to ensure you have the terms and concepts down pat. (You can ignore the fact that the example is for SalesForce -- OAuth is all the same.)
Then, you should understand that you're looking for the Citrix Token Request Endpoint, which they happen to call "Direct Login".
That should let you pass the username/password to get the token to use in subsequent requests. That what you need?
I would use Fiddler or Wireshark to collect the API calls that are made to the Citrix API when you log in. Then add some code in your applicaiton to send the same requests, parse the response that has the access token, and dynamically use that token however you've already got it set up in your application.
I read all the articles on FB regarding PHP login, JS login, Canvas app login, but something remains unclear to me. How does one keep a user logged in after the initial login in JavaScript? You receive a signed_request (which you can use to authenticate the user ONCE (on initial load of a canvas app and on login, right?), let's say you use that information to verify the user server-side. Ok, so far.. But what about subsequent page loads?
Basically my question is this.. Can I use the PHP FB SDK to verify a user is authenticated on each page load without an API call? How? Is there a way to do it that is compatible with canvas?
The reason I don't want any API calls is because I hit the limit once and my app went down for an entire night. Don't want that again...
A workaround I'm thinking of is to store the user token (which I want to anyway) and use that in a session/cookie to authenticate the user on every page load in PHP, but I'm not sure if this is the best approach, because: Using my own session/cookie would allow a user to stay logged in even if they are not logged in FB. Also, I presume FB wouldn't allow this for a canvas app.
I found these relevant questions, but the information is from 2011: PHP: Using Facebook OAuth with less API calls
Facebook Login: How to combine JavaScript with PHP SDK?
The workaround you mentioned is the right way of doing it. Saving tokens, using and updating them as they become expired - the way most companies stick to.
Only in cases of new users or expired tokens the OAuth should be used. The API you use is not important. You can actually retreive authentication through JavaScript and pass it to PHP for further usage.
Cheers.
I'm trying to automate a data pull from MY company page on linked in via the API. This will be a server side job with no user intervention.
I have credentials to log into linkedin and a REST API Application with keys as per:
https://developer.linkedin.com/documents/quick-start-guide
I want to be able to pull the contents of my wall nightly to aggregate it to my social media site.
Is there a way to obtain and store the Oauth token server side and not require or fake the client session piece?
Thanks!
Yes you can, but a token can expire so you need renew it when needed.
Here is an example: https://github.com/EJTH/SLinkedIn/blob/master/examples/reusing-tokens.php
If you run a cron then dont authorize, but handle exceptions to reset the token and force the user to renew it on the next login.
I don't believe there is because LinkedIn doesn't allow it.
I've run into the same problem and it seems there may be a way to keep it open longer, but it looks like LinkedIn explicitly bans automated actions in their terms of service. Simply put, I don't believe any automated action can be initiated except by a member.
This gets into more detail on their stance on automated requests:
I'm working on a project which will use facebook authentication completely (no custom authentication implementation exists). Project uses PHP for server-side scripting. I looked around for implementing fast and secure authentication mechanism but i cannot find any detailed description about this subject. Facebook's documents are weak and does only provide basic information.
Which authentication method would be appropriate? There's a Javascript SDK and PHP SDK. As i understand, i have to use Javascript SDK for login, then using PHP SDK i will check my database for verifying credentials. But using Graph API with PHP SDK is slow. Is there a better way to validate session?
Will i need to check session server-side (PHP-SDK) on every request?
What I end up doing for my apps is pretty simple and relatively fast compared to any other method I've seen.
Check the signed_request if exists, parse it if it does. If it doesn't, set the $login flag to 1 in PHP
I check the user's session / cookie to see if the user was previously authenticated by the app (will come back to this later. If it is empty, set $login to 1.
If the login flag is set to 1, send the user to the installation url.
The user installs the app and is sent to a connector page. This page serves the purpose of getting an access_token and generating a session / cookie for the user. This means you won't likely need to check this access_token's validity for the life of the user's session. offline_access also creates new opportunities. You can store the access_token in your db as well.
Whenever you have a call that goes out to Facebook, check the exceptions, if you hit an authentication exception, clear the user's session and cookie. Next time it will force them to update their access_token, even if this process is invisible to the user.
I've done this on my apps, in most cases means I don't have to make queries to FB to see the validity of the access_token nor do I have to constantly get it on each page view. Our goal was to reduce latency on our apps, but Facebook was the biggest source of latency, doing this has cut it down considerably.
Answering my own question:
I used Javascript SDK for checking facebook authentication is available.
If fb authentication is OK and my application does not authenticated, i present user with a prefilled registration form of facebook.
If fb authentication isn't OK i present a facebook login button.
Registration Plugin authorizes my application and i call my fblogin.php to check this information using PHP SDK. When PHP SDK validates authorization, it stores this information on a session variable. So there's no need to check fb authentication on every request.
Login button does the same as Registration Plugin. These methods share same server-side functionality but their representation is different.
In order to catch facebook logout status, i used Javascript SDK to validate facebook authentication on every request. If user is logged out, my js code calls fblogout.php and current session is destroyed. There's a flaw on this method. If a user does not logout from my website explicitly, an attacker could do anything on behalf of user only disabling js on the same machine.
I cannot find a better solution with fast response time.
You can use one or the other or both.
You can use PHP SDK to generate the relevant URL's to send people to. And just wack that on a link.
Or you can use Javascript to make the Facebook Default login button.
After that you can use one or the other to maintain and verify the session.
I generally use PHP to do he grunt work with oAuth keys and use JavaScript SDK to make the nice Facebook buttons and some minor less important graph calls for session monitoring.
Anything that involves any heavy or multiple graph calls I push to PHP.
But there is flexibility there to do what you want. You don't have to use JavaScript SDK for login.
It's up to you if you want to verify every page load or not.
I tend to use the Javascript SDK to handle it and like Berk if the session is dead. Call a page redirect to a logout script.
As of the latest versions, PHP and JS SDK are now both able to access the same user session (login with JS or PHP [instead of having to do both]). Check out this blog post for a more detailed explanation and an example.
If you're worried about security, perhaps you could set the session cookie to expire sooner with session_set_cookie_params().
First, just remind you that you will need to save not only access_token, but ideally, you would like to save the user's facebook uid alongside with access token. This because typically, you will need to include the uid alongside with access token in your API call.
Second, from Facebook Documentation
Note: If the application has not requested offline_access permission,
the access token is time-bounded. Time-bounded access token also get
invalidated when the user logs out of Facebook. If the application has
obtained offline_access permission from the user, the access token
does not have an expiry. However it gets invalidated whenever the user
changes his/her password.
Third, the purpose of having access_token and uid, is to perform an API call, right? Start from there. Do the authentification, if only the access_token is (somehow) become invalid. How to check whether its valid or not then? Well, you can use cURL (Reference) or Proxy Library(but you may need to modify it lil bit, since it originally was written for CI) to make an API call as a validation proccess. Sample (*sigh, using my Proxy Library)...
// Suppose we are try to publish a status from our fb app
// $access_token hold the user access_token, which you saved into your database
// $uid hold the user facebook uid, which you saved into your database
$proxy = new Proxy;
// This is equal with perform regular HTTP POST request with cURL
$api_call = $proxy->http('post','https://graph.facebook.com/'.$uid.'/feed', array('access_token' => $access_token,'message' => 'foo'));
// Now we can validate...
// If the API success, it will be returned a post id, with json format
// if not, it will be outputing json like...
// "{"error":{"type":"OAuthException","message":"Invalid OAuth access token."}}"
// so...
$result = (array) json_decode($api_call);
if(array_key_exists('error', $result))
{
// Here you can perform an oAuth authentification, to get fresh access_token and update your database
// ...
// After it done, process the previous api call with valid access_token
$proxy->http('post','https://graph.facebook.com/'.$uid.'/feed', array('access_token' => $access_token,'message' => 'foo'));
}
The Facebook Connect documentation is rather limited. It doesn't really tell you what it is doing, only how to do it. I personally don't use either SDK. I have built my own framework for my development projects.
Both SDKs as well as the JavaScript in the tutorial are, IMO, fairly outdated.
If you want to stick to one of the FB SDKs here is my suggestion. Use the JS SDK only if your Graph API queries and the like are sent to a PHP backend via Ajax. Otherwise stick with the PHP SDK.
Introduction
Facebook uses oAuth v2. They describe two different methods of flow... Server side and client side. This would be implemented just the same as any other application authenticating against an oAuth v2 service. They both do the same thing. The only difference may be you can use 'code' as a request_type to get an authorization code for obtaining a token in the future.
Authentication
As far as FB Connect is concerned ll your script needs to to is make sure you have an auth token or auth code whenever you require authentication. If you don't have that then you need to get it. You can use the presence of an auth code or token as a condition for which FB button to show (login or logout).
Redirect the user to oAuth for authentication. Facebook has their oAuth implementation bundled in to their dialog API. More information on the oAuth Dialog here: http://developers.facebook.com/docs/reference/dialogs/oauth/
You can use the optional state parameter for something such as CSRF protection. It retains it's value after the process and is sent with the callback as a GET parameter.
Application Interaction
Basically you're going to write your application the same way you normally would. The differences would be:
Your user database no longer stores a password, just the FB UID. Also, according to the FB Dev ToS you really can't store any user information. If you want to store user information you need to get it from the user. You can populate this information for them with FB information, you just need them to submit it.
Your registration method won't have a form frontend posting to it any longer. It will be called when an authenticated user does not have an entry in the DB.
API Interaction
If you went with code instead of token you need to request a token by sending code. This is done with the Graph API oauth. This part is not documented at all other than in their authentication tutorial. http://developers.facebook.com/docs/authentication/
With your access token, whichever method you may have used to obtain it. You can now query the Graph API however you desire. This will return a JSON encoded object.
Conclusion
As far as a fast and secure implementation goes, the Facebook PHP SDK does the job. It handles everything I covered here, including the CSRF. How to go about learning it, I have yet to find decent documentation on it. Everything is either old or the writer doesn't really know and is going off of other tutorials.
Your best bet is to dig deep in those libraries and figure out how it works for yourself. Do some trial and error, experiment.
The way I learned was by writing my own framework for it. I suggest you do the same. You can extend the Facebook SDK classes if you like. It's really limited, but it gives you all you need. I took my most commonly used API calls and placed them in as well. I now have a very quick and simple end result that is driven from my library.
I think you don't need to implement SDKs.
1, You need to get permission from the user, to access his/her data. So you need to redirect them to Facebook. It is few (3-5) line of code in php.
https://graph.facebook.com/oauth/authorize?
client_id=YOUR_APP_ID&scope=email&redirect_uri=APP_URL
2, When the user arrive back to your site, come with $_GET['code']
http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER
3, You have to decode this code via Facebook get request, and get the access_token.
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
3, After you have the access_token just run a /me?access_token GET request as often you need, to check the user is still there.
4, You can store the Facebook ID.
I think this is the fastest way. As far as I know the javascript sdk uses pop-up, what is blocked in most browsers.
This flow is detailed enough here: http://developers.facebook.com/docs/authentication/