I'm rather new to Web development so bear with me.
I've developed a backend server in C# (non-web app) that exposes some features via a REST API implemented in Web API (OWIN and Katana).
I've developed a Xamarin android app the consumes that API.
Now I want to enable the consumption of the API only for users who have authentication using Google.
I know OAuth is the way to do it and I've been reading a lot about it but I'm still kind of confused about the roles here and who should do what.
What should my server do or implement? what should my client do or implement?
An important feature of OAuth2 to be aware of is the two different authentication flow types:
implicit auth flow
explicit auth flow
I've personally found the Instagram API documentation to explain this pretty well:
https://instagram.com/developer/authentication/
Explicit auth flow is a little more tricky because it involves extra coordination on the part of your custom API. Implicit auth flow is a little easier, because your app will simply look for a URL fragment that comes back from the OAuth provider. That URL fragment contains a token that you can use for subsequent calls to the API that you want to talk to, Google in your case.
But in your case, it sounds like you want to use Google as the identity provider for your custom API, correct? In that case, I think you'll need to use explicit auth flow. Again, check out the Instagram docs. I find them to be particularly good at explaining OAuth2.
EDIT:
And be aware of the Xamarin.Auth component, which is designed for easing OAuth scenarios. You can find it in the Xamarin Component Store or on Github.
Related
Basically, I have a homework assignment which involves me creating a MVC app in Asp.Net (the standard version, not Core). I need to provide authentication using jwt, but i have to use a separate authentication server, so the token creation and validation are delegated to that server, and if a server like that already exists (perhaps a facebook or twitter authentication server using jwt), i should use it rather than create my own. I am not sure if there is a jwt authentication server which I could use, and I don't know what is the best way to handle jwt tokens, for example if i have a form that submits stuff to a controller action, how to place a jwt token in the request. Any help on this would be much appreciated!
As this is a homework assignment I'm going to try and provide a jumping off point rather than provide code samples or anything.
A JWT can be issued from another authority and used within your own application provided your application is set up to use that authority. For example, in house we use AWS Cognito to store our users, and in each of our web applications we specify that our JWT tokens are being issued by that Cognito user pool.
I've had a quick look around online for any issuers that may provide this service for free, and found the following blog post for Auth0 which boasts being able to support up to 7000 users for free (there may be hidden costs, I haven't looked into it fully)
The tutorial in the blog post seems to follow a .Net standard rather than a core implementation. Hopefully you find this useful and good luck with your assignment!
I want to guard OData service with custom authentication associated to a user table in database. I have been obssessed with this problem and searched solutions for a long time in vain. I mean, yes, there are quite a lot articles on the web but they are just quite trivial, for example implementing IPrincipal or IHttpContext with basic authentication on. Notably, many of them can data back to 2010 where OData is not as mature as today. So I'm wondering if there is any rapid solution to database-based custom authentication.
Any guidance would be greatly appreciated!
OData and authentication (and even authorization for that matter) are unrelated for the most part by design. That doesn't mean that OData stacks can't provide good support for authentication and authorization, just that the OData protocol itself doesn't comment on it. Protocol aside, both Web API and WCF Data Services are working on getting better support here. Speaking as a member of the .NET community (and not as a Microsoft employee), I think it's reasonable to expect that as those stacks implement authorization APIs they will probably be looking to claims-based authorization. Again, I want to state explicitly that I'm not trying to hide or divulge any plans here - I'm merely speculating about where authentication and authorization are going.
In a nutshell, if I were in your shoes I'd find the easiest intersection I could between OAuth2 and claims-based authentication and make that work for now. Working out your claims and authentication now means that you only would need to consider integrating the actual authorization code later.
I have an application running on a server that periodically extracts data from Google Analytics. It doesn't issue many queries so I don't think any limit would be a problem.
I have a prototype running, however I had to provide a login a password for the authentication (in code).
I see that I can generate API keys and other kind of authentication bits and pieces in the Google APIs Console, however I am not sure how to use them and whether they can be used in place of the login/password.
It just doesn't seem right to use a user login/password to authenticate a server application.
Is there another way?
(I am using the C# client library)
You should be using OAuth 2.0. See:
http://code.google.com/p/google-gdata/source/browse/trunk/clients/cs/samples/oauth2_sample/oauth2demo.cs
for a sample OAuth workflow.
The best way to do this is with Google Service Accounts
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
However, I don't know off the top of my head the best library for c#, but there does appear to be support for it in the Google library. http://code.google.com/p/google-api-dotnet-client/wiki/OAuth2#Service_Accounts
Here's a answer specifically about the PHP client.
Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?
I would like to use oAuth as a system to allow developers access to my API but not require them to pass through the login information.
There does not seem to be any good how-to's or blogs on this topic. Everything I have found is based on consuming an oAuth system such as Facebook or twitter. Wondering if anyone has any links to good instructions or libraries that could get me started. If there are no examples out there perhaps someone could consider writing one, the community really needs it.
Using OAuth to login is actually a side-effect, not the main goal of the protocol. The best place to start with providing an OAuth-protected API is the protocol specification and since this is a new service, you should take a look at OAuth 2.0 1. It is pretty much done and ready for deployment.
To implement OAuth 2.0 you will need to make a few important decisions about which features you are going to support and your scaling needs. There are also a lot of security considerations to go through. I would suggest you start with supporting the authorization code and implicit grant types.
I would look into DotNetOpenAuth. It should work for your needs, but I've only used it for the OpenID stuff.
I have been doing a bit of searching around on oauth2 and think it may be a good fit for some WCF rest services I am building out that will be consumed by some WPF apps and MVC web apps. The idea would be that the user is initially asked to login with their username / password and receives an access token which gives them access to the aforementioned resource(s).
Searching around here on SO I have not found much information on oauth2 except for a few consumer related questions to facebook etc.
I'm wondering if anybody can provide some tips on implementing oauth2 (or knows of any good resources). I am interested in both the provider (authenticating and issuing access tokens) as well as the client/consumer end.
.NET OAuth2 Libraries
The only OAuth2 library I found is from dotnetopenauth which also seems to be heavily into openid. At this stage I'd rather a library that is a little lighter and just emcompasses oauth2
Are there any other oauth2 libraries available yet?
There's OAuth .NET