I have a .NET Web Api. I want to consume from webs and Mobile Apps, but I don't want the user to sing in or create an acount. Can I make an authentication from IP or domain name or something similar?
I tried to implement a Basic and Oauth Authentication, but don't want to place the plain text with the user and password in javascript webs cause everyone can see it and I can't find a secure way that don't need to ask the user to loggin.
Do you have any ideas?
Edit:
I know that I can use google or facebook account or my own users database... the problem is that i don't want the user to insert their loggin parameters and i am searching a secure alternative to restrict the use of the app.
I have a simple web service and I want to add social login with Facebook and Google using Loopbackjs.
I've already done parts of this editing the example found at this link: https://github.com/strongloop/loopback-example-passport and following the instructions at this one: https://docs.strongloop.com/display/public/LB/Third-party+login+using+Passport.
My problem now is that I need to retrieve user information after login, so that every following editing request on the User model can be direct to the owning User entity.
e.g. The User X want to access to my application:
X request for "example_site_address/auth/facebook";
X will redirect to "www.facebook.com/dialog/oauth?response_type=code&redirect_uri=example_site_address/auth/facebook/callback&scope=email&client_id=XXXXXXX";
After his acceptation, he will redirect to "example_site_address/auth/facebook/callback&scope=email&client_id=XXXXXXX";
Then he will again redirect to "example_site_address/success_fb", this link should give to the client the User entity with which he is logged in.
Using Google this problem is solved because I could retrieve AccessToken information from the cookies, find the User who's owning that, and then send back it to the client, so he can store the UserId and every a following request could be like on this User.
Using Facebook I'm not able to do this, because cookies concern login are encrypted.
I'm a really beginner on this kind of application, so it is possible that my strategy is wrong. Could you help me to do this?
LoopBack Example is using a cookie-parser package (see server/server.js). Cookies are signed but you have an access to them via req.signedCookies property.
Is it possible to create a custom login page to use with facebook's PHP/JavaScript SDK? I'm developing a web app and it doesn't seem very user-friendly to redirect the user to the facebook page to login. For example, once you hit login it doesn't even let the user know its loading, just sits there until it logs in.
I was wondering if it's possible to use ajax or cURL to log the user into facebook through a form within my app.
No this is not possible, you have to use Facebook's OAuth protocol.
Have you tried their javascript solution? This does not take the user away from the page, but instead opens a popup which is less of an intrusion on the page.
The facebook api is just for you to obtain access credentials from their system. I do not know and until then I never saw no way to get credentials and log into facebook without the facebook api.
So I'm developing my own API for my website - I'm mimicking the Facebook JS SDK in regards to how my system works. API client displays a button, popup comes up and the user can log in. Login popup issues an event to the opener window and the parent window now knows the user is logged in. That all works.
What I'm having trouble understanding is how they can verify that the refresh requests are valid. If the API client needs to send a request to the server to ask if the user is logged in and it's all in JS, then everything is transparent. The API client says, "Hi, I'm application 4jhkk2l3bnm389, is the user that's logged in on Facebook also authenticated with me? If so, can you send me a new token so I can make API calls?" and Facebook says, "Oh, you're application 4jhkk2l3bnm389? Yeah, the user is logged in and has allowed you to access their information, here's an access token."
But how does Facebook prevent an outside application that isn't the authentic application from saying, "Hey, I'M actually application 4jhkk2l3bnm389, I promise I'm not lying. Can I have an access token?"
I have no idea how they determine the difference. Obviously if it was all done through AJAX calls in modern browsers then you could just provide an Access-Control-Allow-Origin header. But if a malicious client were to use cURL then I don't think I could ever tell the difference. How does Facebook do it? A good explanation is much appreciated! Thanks!
All access tokens belongs to an app/user pair, and in order for Facebook to return such an access token to the app, these has to be verified.
The app, or client_id, is verified against the domain specified in the redirect_uri - if the page tries to use a client_id/redirect_uri pair it does not own, then it will not receive the access token as this will be passed to the valid redirect_uri (the mechanism the JS SDK uses follows the same rule).
The user, or uid, is verified using the cookie Facebook sets when you sign in.
While you can easily spoof the client_id/redirect_uri pair using curl, the same does not apply to the uid, as you would have to be in the possession of the users cookie. And if this is the case, well, then you could simply grant your own application access.
Facebook uses OAuth 2.0 for authentication. You can find details of how Facebook deals with OAuth right here: https://developers.facebook.com/docs/authentication/. There are many different ways OAuth can be used, depending on whether you're on a mobile device, a page on facebook.com itself, or, in your case, just a web page outside of facebook.com. The details of that final flow can be found here: https://developers.facebook.com/docs/authentication/client-side/.
Basically, Facebook knows what applications you have given permission to view your information. When you run one of those applications, they first make sure you are logged in to Facebook, then they request a user access token from Facebook, essentially saying, "Hey Facebook, I don't know this person, nor should I. Can I get access to their information?". And then Facebook looks internally and if it decides this particular application should have access to this user's information, it sends a user token.
That's the simple way of describing it. There are many different ways the authentication flow can happen, depending as I said earlier on what kind of device the request is happening from, whether this is a page on facebook.com, etc., essentially based on your security constraints. Best to read the Facebook authentication docs referred to earlier for the details since it can get quite tricky.
Javascript SDK provides FB.login function to easily login other users. I just wonder whether there exists a way through PHP SDK that realize the same function --- that is click the login button and then allow the user to login and also allow the app to use the user's info?
The reason I ask the question is that someone told me that it's possible to be hacked if implemented by javascript and it's somewhat securer by the use of server-side PHP. Can anybody tell me the exact idea of this?
You can defiantly use the PHP SDK to log users into your application.
There exists within the SDK a method called getLoginUrl() which receives parameters such as what permissions you want to request from your users. Once you have received the url, you can use the php header function to redirect the user to the login screen or use an anchor tag and let the user login by clicking on it.
Using an instance of the Facebook Object in PHP SDK and getUser method is what you need to be sure of the authenticity of your users.
I suggest you to implement JSDK and PHP SDK to get the best login & register experience possible and also take full advantage of the features of both SDKs.
I usually use Javascript SDK to detect session status and login users, and PHP SDK to integrate the Facebook experience with my CMS (Drupal).
In the signed request travels information as your Facebook user ID and other stuff. Remember that the signed request is encrypted in base64 with you secret key, so it's not an easy thing to manipulate.
Tip: You can use the Facebook register plugin to provide an alternative & fast registration using Facebook data. See https://developers.facebook.com/docs/plugins/registration/