I'm looking to build a CLI application (most likely in C#) for Linux, Windows and Mac. The App will all access some of my API's, arleady deployed in the cloud. These API's are protected using Firebase Auth. At the moment Auth is done via my website and I support Social Sign in such as GitHub, Google etc.
Now when it comes to adding auth into a CLI app I'm completely stumped. I've been Googling this and can't find anything that walks through what you need to use. Do I need to package the Admin SKD? How to do I protect my Firebase keys (do the need to be in the CLI app)?
Can anyone point me in the right direction here please?
Many thanks in advance
For email and password authentication, you can use Firebase Auth REST API to create/login a user with provided credentials. For OAuth providers such as Google and Github, you can follow OAuth 2.0 Device Authorization Flow described in RFC 8628 and then call Firebase's 'sign in with OAuth credential' to create the user in Firebase Authentication. Here's the general flow for Google Auth:
Request device and user code from the OAuth provider (e.g. Google)
Open the returned link in a browser and ask user to enter the code shown (user may have to open the browser in any other device if current one cannot open a browser e.g. in VMs)
Keep polling for access token till you get the token or any of the errors listed in RFC 8628 section 3.5.
Create/SignIn the user with Firebase using sign in with OAuth credentials REST API using the accessToken returned in previous step.
The last API will return Firebase Authentication's idToken and refreshToken that you can use to further authentication users in your backend.
Checkout OAuth 2.0 for limited input device apps for more information.
Do I need to package the Admin SDK?
No, the Admin SDK must be used only on server side as it has privileged access to your Firebase resources like bypassing security rules.
How to do I protect my Firebase keys (do the need to be in the CLI app)?
The keys are meant to be public (like an identifier for your project). See Is it safe to expose Firebase apiKey to the public? for more information.
Related
When using Azure CLI - and other tools like Azure Functions extension for VS Code - the user logs into Azure using the localhost callback technique and the whole Azure world opens up.
The Azure CLI flow is:
az --login
login in a browser (including 2 factor auth)
Do amazing things
with any Azure resource that your account has access too
across multiple subscriptions and resource groups.
Is there a package that allows to do this in a console app (C#)?
I think you're looking for Microsoft identity platform and the OAuth 2.0 device authorization grant flow.
The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. To enable this flow, the device has the user visit a webpage in their browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.
I am writing a web app in C# for .NET Core which also should have integrated two-factor authentication and external logins.
I succeeded at integrating multifactor authentication using TOTP (TimedBased One Time Password). This means that every time I log in, I should fill in a code from my smartphone. Because I'm developing, I log in 100 times a day. So, I am getting tired of unlocking my phone, opening the authenticator app and filling in the verification code.
In our company, we make use of Azure Active Directory with two-factor authentication, but in Azure AD, we use two-factor push auth. If we try to log in, you get a push notification at your phone and then you could deny or grant access. That doesn't need filling a code.
I found documentation for the app Authy from Twilio to use Authy for push notification, but in the company I work, we are Microsoft-minded and everyone in the office uses the Microsoft Authenticator app, so my software should use this app also.
I found documentation for Authy, however, I didn't find this for the Microsoft App, while we use this also in Azure.
To enable two-factor authentication, you should scan the qrcode from the PC. The code of my app is
otpauth://totp/[Appname]:admin#admin.nl?secret=[Secret key]&issuer=[AppName/Companyname]&digits=6
The QR code of Azure AD, to let login RDS with 2fa has the following URL:
phonefactor://activate_account?code=[code]&url=[url]
I found that PhoneFactor is an application to enable MFA, using push notifications, but I can't find how to implement this in my own web app.
Is this possible? And where should I look to?
I am trying to enable cross app SSO into our Xamarin apps so that if a user has installed and signed in to one of the apps, he is automatically logged in to other apps of my organization. The following document claims to achieve the requirement
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-sso-android. We are following the non broker assisted login flow.
I have carefully fulfilled the three conditions stated below-
The apps are using the same android:sharedUserId in the manifest file.
The native client used for them is the same. Only the redirect url is different for the apps.
All of them are signed using the same keystore.
But still the functionality is not yet achieved. When i installed and logged in to one app, the second app is still prompting for credentials when i try to acquire the access token using the below line
authResult = await authContext.AcquireTokenAsync(resource, clientId, new Uri(returnUri), new PlatformParameters((Activity)Forms.Context));
Kindly help me know if there is something that i can do to achieve that.
Due to restrictions in Xamarin.Forms, SSO without a broker (Microsoft Authenticator or Company portal) does not work with current version of ADAL.
We have a work item to update the documentation.
This is a Xamarin.Forms issue. In order for SSO to work across apps without broker, you need to enable the "Ignore Security" flag, which is not recommended. This requires the app name to be hardcoded and "ignore security".
For example: Application.Context.CreatePackageContext(“com.companyname.ReproApp1”, PackageContextFlags.IgnoreSecurity).GetSharedPreferences(..)…
For the time being, it's recommended to use broker for SSO. You can use Authenticator for both iOS and Android.
I am looking for single sign on for my application which is built on javascript (no server side language).
Requirement:
Agent log in to Windows (user integrated to Active directory)
Open my web page
Based on who logged in to windows, my application goes to AD and pull some user
specify data (eg email, phone)
How shall I go about it?
As per my understanding I will require ADFS for this.
So:
User goes to my web page
My web page calls some Web services or web application (which is build on c#)
That will authenticate against AD FS and get claim
Either get phone number and email in claim or get username and query AD for phone and email
Return the data to my web page (build on javascript)
It seems there something wrong in my understanding!!
Please suggest more appropriate solution based on my requirement
Frankly, I can't think of a way to make it work without a server side processing. This is because the ws-federation protocol ADFS uses is not just about returning claims.
It is about returing a SAML token. The token contains claims but what is most important about it is that it is signed using the XMLDsig. How are you going to validate the token is a first big question. But there are surely external libraries that allow that.
But then, such authentication can easily be bypassed by modifying scripts in the browser. This is because the ws-federation stops where you get the token and then it is up to you to exchange the token for the actual identity. And this won't work when processed only at the client side.
ADFS 3 does not support the OAuth2 implicit profile, which would be an option, but still you would need to verify the token on the server to avoid session fixation.
You can setup something like AuthorizationServer that supports Oauth2/OpenID Connect implicit profile
http://leastprivilege.com/2013/09/19/adding-oauth2-to-adfs-and-thus-bridging-the-gap-between-modern-applications-and-enterprise-back-ends/
Another option is to use something like Auth0 (Disclaimer: I work for Auth0) which also supports OAuth2/OpenID Connect implciit profile. In that case you wouldn't need ADFS, there is a connector/agent that you install on your network that does not require opening firewalls or anything and it supports implicit profile that is suited to JavaScript apps. This is an example of a single page app tutorial (if you create an account it will tailor the doc with your credentials):
https://docs.auth0.com/singlepageapp-tutorial
I am totally lost finding the right API to create a sign up process like Foursquare. I am attaching a document of what I am trying to do. I have already tried OAuth, JavascriptSDK, Facebook.NET API from Codeplex and FacebookToolkit.NET from Microsoft. Nothing looks what I actually need. I think some one experienced can lean me towards where I should go straight.
https://docs.google.com/fileview?id=0B6mlBkccI34zNDNmMGMyNTYtMDY2NS00NmEwLTlkMjQtZjA5NmVmZDMzYzlj&hl=en&authkey=CNPH9LEL
Note: I am trying to achieve this via ASP.NET with C#.
Facebook Graph Api is the best.The url is http://developers.facebook.com/docs/api
The Graph API uses OAuth 2.0 for authorization. Check out the authentication guide for the details of Facebook's OAuth 2.0 implementation.
OAuth 2.0 is a simpler version of OAuth that leverages SSL for API communication instead of relying on complex URL signature schemes and token exchanges. At a high level, using OAuth 2.0 entails getting an access token for a Facebook user via a redirect to Facebook. After you obtain the access token for a user, you can perform authorized requests on behalf of that user by including the access token in your Graph API requests:
https://graph.facebook.com/220439?access_token=...
Check out the PHP example code or the Python example code on GitHub to see a complete example of obtaining an access token for the current user. The steps to obtain an access token are:
Register your application to get an app ID and secret. Your Facebook app ID is your client_id and your Facebook application secret is your client_secret.
Redirect the user to https://graph.facebook.com/oauth/authorize with your client_id and the redirect_uri. The redirect_uri parameter needs to begin with your app's URL. For instance, if your URL is http://www.example.com then your redirect URI could be http://www.example.com/oauth_redirect.
https://graph.facebook.com/oauth/authorize?
client_id=...&
redirect_uri=http://www.example.com/oauth_redirect
After the user authorizes your application, we redirect the user back to the redirect URI you specified with a verification string in the argument code, which can be exchanged for an oauth access token. Exchange it for an access token by fetching https://graph.facebook.com/oauth/access_token. Pass the exact same redirect_uri as in the previous step:
https://graph.facebook.com/oauth/access_token?
client_id=...&
redirect_uri=http://www.example.com/oauth_redirect&
client_secret=...&
code=...
Use the access token returned by the request above to make requests on behalf of the user:
https://graph.facebook.com/me?access_token=...
You are looking for the Facebook Connect API.
More info for the single login process can be found here
You could also leverage OpenID
Your document notes the Yelp signup process, which is very low friction and allows the user's information to be available to the website without having to go through Facebook's authentication process.
Yelp, Microsoft Docs, and Pandora are using a feature of Facebook called Instant Personalization. Instant Personalization is not available to developers as of yet and is only available to those three partners.
That being said, you likely would need to use the Facebook Login Button to allow the user to grant you access to their information (including their friends list).
As far as the process of getting a list of friends, use the graph call "me/friends"
I manage FaceSharp, a .NET open source project to help people get started with Facebook Development and will be adding functionality similar to what you are looking to do in the future, perhaps some of that code will help you in your efforts. It's under the MIT license, so take whatever you want.