I have a social network that written in Microsoft tech stack and when users register on that I create an ejabberd user using rest API until now everything works perfectly.
But for chat clients authentication with ejabberd, I don't want to send Ejabberd username and password to clients. I want to send a token to clients to authenticate.
Questions:
Did I chose right approach to integration?
If yes, how can I clients authentication token from ejabberd?
If no, in scenarios like this what is the right approach?
I would use ejabberd HTTP auth contribution module, so that you can decide how you want to check your password or token directly on the back-end.
You can get that contribution on Github: https://github.com/processone/ejabberd-contrib/tree/master/ejabberd_auth_http
Related
does anybody know if it is possible to create an email client app which retrieves mails from a O365 account via MS Graph without registering the app in Azure AD?
I think there must be, because how could email apps like the in-built email on the iphone connect to O365 accounts without this? There, I enter my email adress, password and one time (each 90 days) my token which I received via phone (and what I think is cached somewhere?)
Any hints or tips are highly appreciated.
Thanks in advance.
The client can send some request header showing they are authorized, but if the app (for eg: email app) sends the same request header, it will be rejected unless it's registered.
Thank you Md Farid for the comment, In most cases, Microsoft Graph API also need required permission along with token.
The below document involves manually registering an app with the Azure AD, using OAuth 2.0 On-Behalf-Of flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
I am currently trying to develop an application in C# using the SlackConnector library. SlackConnector
The application would receive and send messages to slack channels and DM. (I am successfully able to send and receive messages from my slack using the test token generator.) TEST TOKEN GENERATOR
The thing I dont understand is how is it possible for the user who will use the app to give full authorization to access their Slack account and so from there on they can send and receive messages likewise.
Is OAuth 2.0 something that I need to use ? I created a slack app and followed steps to get access token from users but the access tokens for some reason do not establish a connection, like the test tokens do ? I suppose with that token you can post messages on behalf of user only not receive messages have only limited access, not sure !!
Is there a way to programmatically get a signed-in users generated test-token? or a way that the user can give my desktop application full access to the slack account without having to generate a test token manually?
Even if I were to go to production with only me as a user what access token would I use the same Test Token ? Isn't it only for testing where is the actual token ?
To answer a few of your questions here:
Yes, you'll need to use OAuth 2.0 and a Slack app to offer your integration for installation on other Slack teams.
Yes, test tokens are just meant for developing against one team. They represent the full capabilities of whichever account created it, within the context of the team it was created on.
To connect to the RTM API and to read and write DMs, you'll need to make a few decisions about which OAuth scopes you'll want to request, and whether you're wanting to operate from the perspective of your application as a kind of "bot user" within a channel, or from the perspective of the user using your app. Generally, apps operate from their own perspective.
The most common way an app like this is built is by asking for the bot OAuth scope, which grants a package of permissions. The tricky part is that the bot permissions aren't granted to the top-level token at the end of the OAuth flow -- they're granted to the bot_user_token you'll find under the bot part of the response hash. Using that token will let you connect to the RTM API and interact via direct messages with team members. (See the bot user docs for info about "Tokens and scopes".
If your intent is to operate directly on behalf of a user (posting and responding to messages as if you were the user authorizing your app), then you need to ask for very distinct OAuth scopes that will be applied to the top-level user token in the final OAuth response.
I am looking for single sign on for my application which is built on javascript (no server side language).
Requirement:
Agent log in to Windows (user integrated to Active directory)
Open my web page
Based on who logged in to windows, my application goes to AD and pull some user
specify data (eg email, phone)
How shall I go about it?
As per my understanding I will require ADFS for this.
So:
User goes to my web page
My web page calls some Web services or web application (which is build on c#)
That will authenticate against AD FS and get claim
Either get phone number and email in claim or get username and query AD for phone and email
Return the data to my web page (build on javascript)
It seems there something wrong in my understanding!!
Please suggest more appropriate solution based on my requirement
Frankly, I can't think of a way to make it work without a server side processing. This is because the ws-federation protocol ADFS uses is not just about returning claims.
It is about returing a SAML token. The token contains claims but what is most important about it is that it is signed using the XMLDsig. How are you going to validate the token is a first big question. But there are surely external libraries that allow that.
But then, such authentication can easily be bypassed by modifying scripts in the browser. This is because the ws-federation stops where you get the token and then it is up to you to exchange the token for the actual identity. And this won't work when processed only at the client side.
ADFS 3 does not support the OAuth2 implicit profile, which would be an option, but still you would need to verify the token on the server to avoid session fixation.
You can setup something like AuthorizationServer that supports Oauth2/OpenID Connect implicit profile
http://leastprivilege.com/2013/09/19/adding-oauth2-to-adfs-and-thus-bridging-the-gap-between-modern-applications-and-enterprise-back-ends/
Another option is to use something like Auth0 (Disclaimer: I work for Auth0) which also supports OAuth2/OpenID Connect implciit profile. In that case you wouldn't need ADFS, there is a connector/agent that you install on your network that does not require opening firewalls or anything and it supports implicit profile that is suited to JavaScript apps. This is an example of a single page app tutorial (if you create an account it will tailor the doc with your credentials):
https://docs.auth0.com/singlepageapp-tutorial
I am developing web services using the servicestack.net library.
In my scenario, the web services will be called from a WPF application. I need the ability to authenticate that only an approved client app is calling my service.
Is this as simple as hardcoding a "username" and "password" in the client application? This certainly does not seem like the proper approach. Is there a better way?
EDIT
In addition, on the client end, Users themselves will be able to login with a username/password and initiate requests to the service(not sure if this effects anything, so I thought I would mention it),
For more background information about Authentication in ServiceStack see this question.
Normally you would authenticate users not clients which you seem to be doing in addition. But if you're trying to lock down services so their only accessible via a specific set of clients you should look into employing some PKI into your client and server.
Basically something along the lines of: the client sends an additional token at login with an encrypted version of the user:password together with a private key embedded in the app. The server has the client public key and so would do un extra validation step on Login to unencrypt the user:pass token and compare it with the validated user credentials.
If a PKI solution is too heavy, an alternate strategy without using encryption could be for clients to ship with a secret Guid which when they login which will send an MD5 hash version of the Guid and the current time, as well as the unhashed version of the time. If the time is within a specified threshold and the MD5 hash is valid then their using an authenticated client.
I am developing a project where I need to send tweets from my web applications. These tweets must be send via my account instead of user's account. The OAuth library forces us to show log-in screen which is not required in this case. I am looking for a way to log-in to twitter via my username and password (we are not asking user to submit username and password) and tweet a user activity or something...
the OOB/Pincode method is not feasible as well as it requires human interaction by entering pin code...
It could achieve if twitter have support for old authentication method (I believe Twitter no more support old auth method) .... Does anyone have idea how can I achieve this by OAuth or anything else?
I believe you need to use Twitter XAuth for this. It will allow you to generate a non-expiring access token for your application using a username/password. Once you have this you can dispose the username/password and use the token to authenticate further requests to the API.
If you want to send the tweets from the same account as the one your application is registered with, I believe you can also just use the access token provided in your app settings page. The documentation is here. You can skip down to the part where you have the OAuth token and need to sign the request.
I've provided an example of how to authenticate against Twitter using oAuth and the application access token here.