I am designing a web site to use OpenId and Google is one of the main providers I have selected. What I would like to do is use Google's Calendar & Contacts (possibly docs) as a backing store for each individual user. In other words, if the user on my site wants to have access to a Contacts List, Calendar, etc they must register their Google account. Then they can add/edit/delete to their heart's content as it is their info. (And yes, I have a specific idea in mind for where I am going, just need to figure out how to tie OpenID to GData.)
Has anyone written a tie in between OpenID/OAuth and using the Google APIs?
After a lot of digging in to this problem I have 2 ways of solving this.
Use OpenID and on the user's profile, have them enter their google credentials (works but not a great solution)
Use OAuth. This requires registering your domain with google and getting a key to use with OAuth. Once you set that up it is easy to access a end user's data stores on google.
Look at google's OAuth 1.0 for Web Applications.
Also look at OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing for a good overview of OpenID vs OAuth.
Have you looked at DotNetOpenAuth? It will allow you to connect to any open authentication provider that supports OpenID and Google is one of the providers listed on the OpenID page.
Has anyone written a tie in between
OpenID/OAuth and using the Google
APIs?
I'm not sure what you mean by that... if you're asking if there is a library that allows you to user your google account as an OpenID, then yes: DotNetOpenAuth. There are some catches tho, see Andrew Arnott's answer to this question.
Related
This is my first question on the Stackoverflow. I have already read the https://stackoverflow.com/help/how-to-ask section and I have read and read and read over the internet to find the connection between OAuth2 and MFA. Which made me more confused. When I take them separately I understand the basic concept.
Background. I am developing a windows application and using mailkit to implement the email there. When I research how to implement MFA on that, most of the answers are talking about OAuth2. That's why I really need to find an answer for this questions.
I have read
https://learn.microsoft.com/en-us/answers/questions/513048/microsoft-office-365-outlook-sending-emails-using.html and https://github.com/jstedfast/MailKit/blob/master/ExchangeOAuth2.md and many more articles to achieve my goal. They all are talking about OAuth2 not MFA.
I am sorry if my questions doesn't make much sense. Please help me to understand this.
Thank you.
OAuth 2.0 and MFA are not related to one another directly.
OAuth 2.0 is an authorization protocol which provides a client application with the delegated access. Way of delegation is defined by grant type and based on the use case you can choose one or another. It does not tell you directly how to authenticate the end user.
For example, using classic authorization code flow you can point the user to login page and optionally consent screen (allow / deny access to the app). An example of URL would be:
https://authorization-server.com/auth?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos&state=1234zyx
Then it's up to authorization server how to authenticate the end user. It can be a login / password screen followed by any type of MFA.
MFA, on the other hand, stands for multi-factor authentication, meaning that there can be 2 of more factors of authentication (such as login and password pair followed by one time code, SMS or anything else).
Based on my understanding of the OAuth2 with Exchange that you've shared, you just need to register an application on Microsoft platform in order to access Microsoft APIs for email sending. That's indeed an OAuth 2.0, but I don't see anything related to MFA there.
I have a question,
Is it possible to use Google user accounts for authentication in WinFormsAPP?
I need to write an application in C# Winforms that reads user-specific data from a database.
Is there an easy way to authenticate using Google?
I might be able to store a list of valid Google users in my database, or maybe I can even define a list of valid application users in Google?
Is there perhaps already a sample project for this case somewhere? I actually can't believe that I am the first developer with such a requirement...
I am grateful for any help or suggestion!
Have a look at:
Integrating "Sign In With Google" Functionality To An Application
Login using Google OAuth 2.0 with C#
I have two ASP.NET websites, call them Older.com (using ancient ASP.NET WebPages) and Newer.com (which is a combination of WebPages and MVC), with separate login systems. I would like to allow the user of Older.com to be able to link their accounts to an existing Newer.com account, or create an account with Newer.com, and I think I want to do it using OAuth.
As I understand it, OAuth is generally used to allow users to login to a site using an existing account with the likes of Facebook, Google, Microsoft, etc.. However, I might not want to use Google/FB/MSoft accounts to create an OAuth token, but instead use an Older.com password to generate token that also grants them Newer.com access.
Basically, would it make sense to do this using OAuth? Do I have to use a link to an established provider Goog/FB/MSoft to use OAuth? And, are there security issues I should be concerned about when using OAuth?
Any advice, help, experience, or references are appreciated!
edit:
The reason for this is that resources that used to be hosted on Older.com are being moved to Newer.com, because Older.com needs to be rebuilt and the Newer.com is designed around storing and linking related resources. You could think of Newer.com as a place where you can keep an article, but you can also keep all the things related to that article (images, primary sources, derived works), whereas Older.com would just store a copy of the articles with no associated information.
wtyneb,
So there are a couple of ways to approach the problem you've encountered. There are many popular solutions to this problem, but two of them are: OAuth and OpenID. OAuth essentially allows access tokens to be issued to third-party clients by an authorization server. On the other hand, OpenID eliminates the need for webmasters to provide their own ad hoc systems and allowing users to consolidate their digital identities. In other words, users can log into multiple unrelated websites without having to register with their information over and over again.
The main difference between OAuth and OpenID is that OpenID is about authentication (ie. proving who you are), OAuth is about authorisation (ie. to grant access to functionality/data/etc.. without having to deal with the original authentication).
OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.
In your case, if your users to Newer.com aren't using any information from Older.com, then it makes more of a sense to use an OpenID approach. Implementing OAuth would be over-engineering the solution in this case.
You can provide the credentials by either integrating OpenID into both your Older.com and Newer.com websites, or simply build out the same type of infrastructure into your back end. You can do that by simply exposing a REST API (which you might already be having to authenticate) in your Older.com website. What this does is simply verify the login credentials you have in Older.com when people log into your Newer.com, Newest.com, or any other website you might create in the future.
Please let me know if you have any questions!
I have an Azure account and currently a Mobile Service setup with a SQL Database so that my Windows Store app can communicate with the database.
I have developed sites using ASP.NET WebPages authentication. And I need something similar for my Windows Store app.
I have successfully gone through the documentation and tutorials on the Windows Azure website and implemented ACS (Windows Live ID, Google, Yahoo!, and Facebook) - but the thing is - I don't want Google, Yahoo!, Facebook or even Windows Live ID or Microsoft Account) logins - I want my OWN login but it seems that they don't give you this option (correct me if I am wrong).
I need to allow users to signup from within my application (that means, providing their name, DOB, email, phone, address, etc) and shove it all in my database.
Now, after implementing Microsoft Account login with my Azure service, I found out that you can't even get the most basic information about any user who has logged in to your application - not even an email address.
I have spent hours searching online for something that could possibly help but I am running out of keywords - and have not hit a single related result yet.
Does anyone know if this is possible? How would we go about integrating login and signup with a Windows Store app that set/gets this data into/from a Windows Azure service?
Any code, samples, links, tutorials, documentation, etc would be highly appreciated.
You have gone down the road of hooking up external identity authentication, which in my opinion for an external facing web application is a better approach. Benefits are:
Your application is only responsible for Authorization not Authentication. There is a whole lot of work involved in Authentication and a large number of best practices. Best let those who know best take the burden of this. This doesn't mean you shouldn't try and understand it though.
If your site gets hacked you don't have to tell them that their username / email and password combo has been compromised and they will probably have to change there passwords on other sits.
You are also making sure that your users don't have to remember / manage yet another username / email address password combo
If you really want to do the Authentication then that is fine but you will need to do it yourself. Have a look at examples on Asp.Net Membership. This is not the only way and nor is it the best way but there are lots of examples.
Now if you decide you want to use external authentication I can give you some pointers to help with your current implementation.
First thing to note that the Id you get back from Live, Google, Facebook can only be assumed to be unique for that provider. Therefore if you want to keep a profile in your system for that identity and you want to use more than one provider you will need to implement it in such a way that you can keep the id unique in your system and help you associate it with a provider.
Website Authentication with Social Identity Providers and ACS Part 2 – Integrating ACS with the Universal Profile Provider
As you have found out not all of the Authentication providers return the same "claims". A claim is something that user claims to have, such as an email address, name, date of birth, etc. All the ones you can use by default via the ACS return Uid and some return a name and email address. What you have to do is fill in the gaps. When someone registers you will need to pull the relevant claims and then ask them to fill in the missing ones. You may also want to map the different claims in the ACS to a common name that you can use in your app as one provider might use slightly different names.
Federated Identity with Windows Azure Access Control Service
Just because you do not handle Authentication you still need to be responsible for keeping your application secure. Half of the work has been done for you so your code should be a lot lighter but you will still need to make use of roles.
Windows Azure Role Based authentication (ACS)
The really nice thing about this approach is you can implement your application the same why SO have done with there identity model. You can allow users to associate multiple identities against their profile meaning they can login how they want to.
If you choose not to use the built in providers for ACS you will need to implement your own Identity Provider using SAML, OpenId, etc...
You can look into the Windows Identity Foundation (WIF) for implementing WS-Trust or WS-Federation.
There is also ADFS which has the same set of support but uses Active Directory with WIF and Azure has its own version of AD that can be used.
There is also thinktecture identityserver which can jumpstart your venture into IdP land, but I have not used it myself yet.
If you want to go the OpenId route there is DotNetOpenAuth.
If you're looking to add custom identity to your Mobile Services app, check out Josh's post on custom auth: http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx
As an organisation, we use Google Apps. We have the paid version (mapped to our domain) etc...
We are developing a web based application to manage orders, and other business functionality.
I want to be able to use federated login with our google apps accounts-
For example, if a user is logged in to their email (gMail) - they should automatically be logged in to our ASP.net application
If they're not logged in - the log in form should auth. against our google apps account.
How can this be done?
Is it possible to be able to "get" the user who is currently logged in using this method etc...?
Sure, use dotNetOpenAuth. It's recommended by OpenId library and it should be easy in use. As far as google provides OpenId interface there should be no problem with using it in your application.
Stackoverflow is successfully using it and I'm logged here always when I'm logged on my google account.
Just doing a quick search through Google's API documentation, it sounds like you need to use Google's implementation of OAuth protocol.
If you have not yet started developing, you could even considering developing for Appengine - using python or Java (though I would prefer Python myself).
Advantage is that it has a much closer integration with Google Apps services and it will be much easier to build further functionality that works with Google apps (docs/mail etc). Besides this, there arent too many hassles for hosting the app.