I have been building a mobile-web-app in HTML5/JQuery and as part of this app I need to require users to log in to Moodle on the app.
Unfortunately I have no idea how to do this.
I'm not sure if I can create a log in form on my App that will check User details with moodle, or if I need to redirect to moodle and get a response from there.
There are a lot of vague, confusing questions about this, so I'm going to be as clear as I can about what the app should do.
user opens App A
App A asks the user to use their moodle details to log in
Moodle tells App if log in was successful
App A either displays an error, or allows user access to the app.
If somebody could help me out here I would really appreciate it.
You can use moodle auth plugins for enabling SSO.
If you are hosting moodle on the same domain, cookies can be shared between App A and moodle and you can use the shared cookies while validating in moodle auth plugin.
And if domains are different, you would need to pass cookie (e.g. sess_uuid) in query parameter and grep it in your auth plugin and use it to validate against App A database (may be using REST call) and if cookies is valid, you can lookup for the user (identified by details provided in cookie validation call) in moodle. If user exists in moodle, you just need to set the global variable $user in the plugin and if user is not present in moodle, depending on you requirement, you can either create new user or do not set user in the plugin which would eventually cause login error.
Related
I've a requirement to integrate Auth0 in our project (Reactjs/Hapijs/MySQL). I checked the documentation and they have many examples and that is great, however, I can't find any related to how exactly do I use my existing user database.
In my application I have users and those users can have one or more projects. With the authorization that we currently use, a user logs in, I check what projects does he own and send it to the React application.
I am missing a document that explains me how to use Auth0 and still be able to check in my database what projects user owns.
My idea on how that should work (I might be wrong):
User sends username and password to our server
Our server makes request to Auth0 (with provided credentials)
Auth0 replies back to our server with some token
We look in users table in our database and try to verify the existence of that user
If it is a match then we simply look (as we already do) for user projects.
Is this how it is supposed to work?
There are a few options available for scenarios where you want to integrate Auth0 with applications that already have existing user databases. You can either:
continue to use your existing store
progressively migrate your users from your custom store to the Auth0 store
You don't mention it explicitly, but judging from your expected flow it seems you would be wanting to implement the first option. There is specific documentation that you can follow that explain how you can setup your custom database connection, see Authenticate Users with Username and Password using a Custom Database. It mentions MySQL, but others database servers are supported and there are many templates that will allow you to quickly setup things.
When you complete this the final flow will be the following:
Using either Auth0 authentication libraries (Lock) or your custom UI you'll ask the user for their credentials
Either Lock or your custom UI submits the credentials to Auth0 authentication API
Auth0 authentication API validates the credentials by calling scripts that execute against your custom database (these scripts were provided by you when you configured the database connection)
If the credentials are valid the Authentication API will return a token to the calling application that will have user information and proves the users is who he say he is.
The scripts you need to provide are the following, but only one is mandatory:
Login script (executed each time a user attempts to login) (mandatory)
Create user script
Verify email script
Change password script
Delete user script
The optional scripts are only required when you want to provide the associated functionality through Auth0 libraries, if only need the login to work then you can skip them. The login script, in the case of a valid user, is also where you return the profile information of the user, for example, you could in theory include their owned projects in the user profile.
I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)
I am building a webapp with Nodejs and installing phpBB on an Apache server that will be on a the same domain (ie: node = myapp.com, forum = forum.myapp.com).
I want the node app to authenticate with phpbb. I am not the most familiar with sessions, can anyone point me in the right direction on how I would use the session that is returned from phpbb to verify authentication for the node app?
So the workflow would be like node/myapp.com -> login form on myapp.com -> authenticate phpbb/forum.myapp.com = both myapp.com and forum.myapp.com are logged into phpbb.
You can log a user in effectively by creating a session record for them in the phpbb_session table and then adding the appropriate cookies under the domain phpBB3 will go looking for them in.
Those two steps is all it takes to actually "log-in" a user to phpBB3. Note: this circumvents all password protection.
If you want to actually authenticate the user/password against the data in the phpBB3 database then you'll have to go look at the authentication module, if I recall correctly they use a uniquely-salted SHA2-based algorithm of their own.
I'm building a widget that can be placed on a various sites, and will have users be able to log in via facebook connect to accounts on the widget's parent site. I was going to use the Facebook JS SDK to do this, but the widget will likely be placed on sites that already have the FB JS SDK initialized on them with a different app ID, and if I were to run code this way it could lead to a namespace problem.
The only current solution I have come up with is to do the server-side type authorization, and have a redirect-url that leads back to the current page in which the widget is hosted and use the state paremeter to alert backbone router that the user has logged in.
The first problem I thought of is that on the facebook docs site it says
For security, the redirect_uri must have the same base domain as that specified in the App Domain property of your app's settings, or be a URL of the form https://apps.facebook.com/YOUR_APP_NAMESPACE.
How do I bring people back to the original page that the widget it hosted on after login? Is there a better approach to this problem?
you can use Server side authentication and redirect_uri to your site that will redirect to the various site
redirect_uri = https://www.mydomain.com/?r=https%3A%2F%2Fwww.somesite.me
On you server you will look of the query param r and redirect the request to r value.
You can also do your own authentication for users (when they first sign in) and store there facebook access_token on you DB, once your widget is running (under https) and you identified the user on your authentication you can send the widget client the user's access_token and work with it.
You can even create your own Simple FB-like ajax library, for most things it will be a simple get/post/put calls with access_token as a url parameter
Hopes it helps
I am working on creating an iphone application which logins to we website and retrieves a table, and displays the content within the app. To view the table a Login is required. It seems the site is using Form-Baseds Authentication. WebSite's Login Screen
So How do I pass the login ID and pass from xcode to the to the site and retain the information so the user only needs to login once.
to remember the login credentials, the easiest way is to put them into a NSDictionary and write that to the application bundle, then read it later, when needed. Remember to give the users a chance to change their login credentials later on and at least think about encrypting the data.
As to the form-based login, the way to go would be to create a NSURLRequest to the login forms URL, if it is GET-based, simply do it like url.somewhere/form?user=foo&pass=bar, if it is POST-based, alter the created request and include the information needed in the POST-field.