How do apps like instagram, twitter etc. Know a user is logged on and when next the user starts the app, the user doesn't have to input their credentials all over. Is it by writing and reading from a file, if yes, doesn't it mean a user can find the file that the app reads from, alter it's content and change who's logged on to someone else without authentication
Save their token in LocalStorage for web front-end, for other platform
you can save in somewhere that can storage.
Token-Based api. (access with token with any resource)
Related
In an AppEngine app, if the user tries to login with a wrong Google account (we check if he's in the database), we'd like to provide a URL so he can log in with another Google account. Without being loged out with the first one (if he has gMail open for example).
At the moment, the app requires the authentication, and if you pick the wrong account, you can never go back to the "login" page.
We use the Appengine Users API in python.
Thanks for helping
I want to redirect a user from my Django application to another web application. Only permitted users can be allowed access to visit the other web application, this permission is set in the Django User model. I want that other web application to verify whether the visited user has permission by querying the Django application using API endpoint.
But the other web application no longer has the request.user parameter or other way to authenticate the user based on Django User model (don't wan't him to login again). Is there any way like setting a cross-domain session cookie or something, i can achieve it?
I did that recently.
You don't even need the second app to retrieve the users, you can create those users on the fly!
On the first app, have them click a url that will do a very special GET request to the other app.
The GET request will encode a few variables with hmac. Name, emails, or any other values you need using a particular SECRET_KEY that both server will share.
In the second app, you can decode that request with the same SECRET_KEY and log in your user.
See : https://docs.python.org/3/library/hmac.html
I'm working on a Django application with users through Django's auth, on the other side there is an Oauth2.0 server that already has all users and their permissions registered. My goal now is to integrate the Django app with the Oauth2.0 server so we won't have to administrate the users ourselves. This would make it so the when the users want to log into our app they are redirected to the Oauth2.0 login site and then redirected to the home of our app once they login successfully.
I think I understand how Oauth2.0 works but I have a couple of questions I couldn't find anywhere else.
Is the scenario I'm describing possible? As in the users would no longer have to be registered in our app and a 3rd party Auth server would provide access to our app or not.
Once I get the access token after the user login where is it safe to keep the access token? I was thinking I could save to AT as a session variable so as to keep the end user's session linked to his account which is external to our Django app.
Every time the user makes a request I would check the AT I'm keeping, if the verification is OK our app responds with the view, otherwise the user is redirected to the login. Is this flow correct or am I not understanding how this integration would work?
What would happen in the case the user is given more permissions but I hold an old token? How do I handle these cases?
I would suggest using a third-party application, like django-allauth. You can simply disable creating local accounts, and enable a single custom social provider that interacts with your OAuth2.0 authorization server.
As noted here, the process of creating your own custom OAuth provider isn't documented, but shouldn't be too difficult.
Once I get the access token after the user login where is it safe to keep the access token?
Allauth will store the access token in the database. If you want to put it in the session too, you can, but there's no point unless you want the client to make requests to the resource server directly.
Every time the user makes a request I would check the AT I'm keeping, if the verification is OK our app responds with the view, otherwise the user is redirected to the login. Is this flow correct or am I not understanding how this integration would work?
That's fine. If your authorization server has no way to invalidate issued access tokens, though, you can just assume that the access token is good up until the expiration date.
What would happen in the case the user is given more permissions but I hold an old token? How do I handle these cases?
Just use the access token normally. If the resource server indicates that it's invalid, prompt the user to log in again. You will get a new access token for that user that reflects their current permissions.
I'm using GAE with python. I'm working on an application that opens specific files from drive.
When you try to open a file from drive with your application, you are redirected to a url like this one :
http://my-app.appspot.com/state=%7B%22ids%22:%5B%220B1AXKdjZqM9FZDNIZEhMZEh0YzA%22%5D,%22action%22:%22open%22,%22userId%22:%22102709420614967238115%22%7D
In my program, I need to check if the application is authorized by the user; and to do so, I need it to be redirected to the oauth2 util it's authorized and then come back to the previous url.. or at least I need to efficiently save the information:
state=%7B%22ids%22:%5B%220B1AXKdjZqM9FZDNIZEhMZEh0YzA%22%5D,%22action%22:%22open%22,%22userId%22:%22102709420614967238115%22%7D
How can I redirect the user without loosing the information from the initial request ?
You can use state parameter
state
Any string Provides any state that might be useful to your application
upon receipt of the response. The Google Authorization Server
roundtrips this parameter, so your application receives the same value
it sent. Possible uses include redirecting the user to the correct
resource in your site, nonces, and cross-site-request-forgery
mitigations.
I am building a single page web application (angularjs + python) where a user first needs to login with a username and password. After the user gets authenticated, a new custom header with a token is created and sent everytime this application makes calls to the python api.
One thing I noticed though, is that if I refresh the page (with F5 or Ctrl+F5) then the browser loses this custom header, so it is not sent anymore to the api.
Is there a way to keep the custom headers even after a refresh of the page?
Store the token in sessionStorage or localStorage. In your application startup (config or run) look for this information and set your header.
Perhaps if your user selects "remember me" when they log-in; save the token in local storage otherwise keep it in session storage.