I am building a ember cli app and I would like to know what is the best approach for user authentication and authorization.
I fiddled around with https://github.com/simplabs/ember-simple-auth
https://github.com/simplabs/ember-simple-auth/tree/master/packages/ember-simple-auth-torii
along with it for social auth like facebook and gmail.
But what happens is client(emberjs) sends request to facebook/gmail app and gets back a token.
But this token is on the client side and my server does not know about the received token.
Question - How do I make the server aware of the token received on the client(ember js) ?
What should be the approach if on my ember app I want to include custom login that communicates with my node backend and gets a token and as well as I want to be able to login via facebook/gmial. ?
I am looking for a unified and seamless login solution that works well with ember cli
See this question: Workflow for Ember-simple-auth, Torii and Facebook Oauth2
You simply define a custom authenticator (you could also override the torii authenticator as opposed to the OAuth 2.0 authenticator as in the answer) that first gets the token from torii and then posts it to your own server in the authenticate method.
Related
I am setting up a login system in auth0 for a React Typescript application. Due to how the application works I am using the PKCE flow for authentication and authorization to get access tokens and refresh tokens. So far I have implemented the flow by adding a node js express server that fetches the access token and refresh token from auth0 once we have the authroization code after logging in through the /authroize endpoint on auth0. However the problem we have now is that we cant implement our custom UI onto the login page since when we hit the /authorize endpoint we are sent to the login page hosted at auth0. We would want to set up our own login form and send over the details to auth0 in order to fetch the authorization code. Is there a way to login through our own login page instead of using the one hosted by auth0, by for example hitting the right endpoint in their api to fetch an authorization code? The only other option I have seen is by changing the HTML under branding in the application dashboard but I have also read that auth0 does not recommend doing this.
I have also previously used the auth0 js SDK and there I was able to use our own custom page for login, however that SDK uses the implicit flow which does not issue refresh tokens and cannot therefore be used. In the other SPA sdk, you cant add your own UI for login since that redirects you to auth0 as well.
Assuming that you still use the Node.js server in addition to the SPA, you can ask the user for username and password, send it the Node.js server. Using the Resource Owner Password flow, the Node.js server can then request the access, refresh and ID tokens.
Please study the security implications carefully, in particular related to this authentication flow.
By implementing custom login UIs, you lose many things: hardened security of Auth0 servers, easy configuration of authentication methods without changing the application, use of ready-made Auth0 SDKs etc. I would carefully consider if it is worth it.
When a user logs in, I store the login variable in redux but when we hit the api request then firstly react.js checks the authentication using redux if loggedin then the node.js checks the authentication and returns the api.
Isn't it unnecessary using authentication on both sides? Why can't I just use authentication on server side only?
Your thoughts please on what should I follow.
I think you need not to authenticate both side. You have to just send token in headers (authentication) of every API and create middleware for authenticate user for API in nodejs.
there are multiple ways to implement authentication in you're front end projects though the most common way to do this is by using JWT (json web tokens) however for using this type of authentication you need to implement OAuth, OpenID connect or similar authentication service on you're backend .
ps: I recommend storing you're login credentials in cookies
My client application is a SPA built with REACT-REDUX and back-end API is nodejs with express framework.
Problem is in my client application people can access information without login
so how to authenticate my client application without actually login to my server API.
I tried to use Auth0 but for Single page web application authentication is done only through login, there is an option for machine to machine but that is not suitable to my case because my client app is static web app no server to save client id.
i have studied few articles to get over from this most of them suggest implicit grant is suitable for my case if its true how to implement implicit grant in my client and server.
I have achieved this using JWT
Provide the client a JWT token on successful login which he will have to use in header every time he needs to use API.
then every other request use a middle-ware to verify this token, if valid let him continue or else send auth failed in response
I'm facing a problem related to oauth authentication using NodeJS. The main concern is how to connect all to my current architecture. Lets me explain it a little bit.
I have a Cloud API which is a REST API to serve and manage the data. I also have the web client developed in ReactJS (an SPA). My main goal is to allow social authentication without redirect or without to leave the page. For this, I'm using HelloJS and the oauth proxy in the same Cloud API.
Taking for example my Facebook App, the workflow is like:
The user clicks signup with Facebook
The oauth proxy serve as "handshake".
Facebook sends back the token to the web app.
At this point, this approach is working perfectly for me. My main concern is how do I send the token to the Cloud API for registration?, obviously I could add a middleware in the Cloud API to automatically register the user in the database, however I still need to invoke the authentication from the web client in order to exchange that token for a JWT token.
Yes, I'm using JWT for communication with the REST API. I would like to allow local registration and social registration (Facebook, Twitter, and so forth).
It seems odd to me to trust in the token received from the web app without ensure that it is real and not expired. I thought to check it with passportjs.
Advices or recomendations?
Thanks.
I have the following code to make ember-simple-auth work with torii to authenticate my ember js app using facebook: https://github.com/wayne-o/sonatribe/blob/master/src/sonatribe-ui/app/routes/application.js
My NodeJs API (sails / waterlock) has an endpoint which accepts the access token to authenticate the user on the backend.
My flow ATM is to fire off torii through ember-simple-auth which provides me with a token - this can't be used with my backend as it would have already been consumed by torii / simple auth.
To overcome this I am having to use the FB JS library to re-login and grab the access_token which is then sent to my API and the login completes.
This is a complete faff and loging the user in twice in the ember app seems ridiculous and is almost certainly down to my lack of understanding of how this should work.
Can anyone shed some light on how I am supposed to be doing this?