Questions tagged [oauth-2.0]

531 votes · 8 answers · 223.3k views

On a high level, how does OAuth 2 work?

As I understand it, the following chain of events occurs in OAuth 2 in order for Site-A to access User's information from Site-B. Site-A registers on Site-B, and obtains a Secret and an ID. When User tells Site-A to access Site-B, User is sent to Site-B where he tells Site-B that he would indeed lik...
William Jones
524 votes · 10 answers · 168.2k views

How is OAuth 2 different from OAuth 1?

In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1? Is OAuth 1 obsolete now? Should I be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2 is ready to use. Is it?
sullivan
308 votes · 29 answers · 389.6k views

Google OAuth 2 authorization - Error: redirect_uri_mismatch

On the website https://code.google.com/apis/console I have registered my application, set up generated Client ID: and Client Secret to my app and tried to log in with Google. Unfortunately, I got the error message: Error: redirect_uri_mismatch The redirect URI in the request: http://127.0.0.1:3000/a...
user984621
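The two questions above (the high-level flow and the redirect_uri_mismatch error) are really the same mechanism seen from two sides. Below is an added, in-memory simulation of the authorization code flow that is not code from either question or from Google: Site-A is the client, Site-B the authorization server, and the registered callback URL, client names and the `redirect_uri_mismatch` error string (Google's wording, not RFC 6749's) are assumptions for the example. It shows the exact-string comparison that rejects `http://127.0.0.1:3000/...` when `http://localhost:3000/...` was registered, the `state` check that stops login CSRF, and the single-use code exchange on the back channel.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Site-B: holds client registrations and the codes it has issued."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": str, "redirect_uris": [str]}
        self.codes = {}    # code -> {"client_id": str, "redirect_uri": str}

    def register(self, redirect_uris):
        client_id = secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret,
                                   "redirect_uris": list(redirect_uris)}
        return client_id, client_secret

    def authorize(self, query):
        """Front channel: `query` is the authorization request the user's
        browser carried to Site-B."""
        client = self.clients.get(query.get("client_id"))
        if client is None:
            return {"error": "unauthorized_client"}
        # Exact string match against the registered value: scheme, host, port,
        # path and query all count, so http://127.0.0.1:3000/... does not match
        # a registration of http://localhost:3000/... (the question's error).
        redirect_uri = query.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:
            return {"error": "redirect_uri_mismatch"}
        # (user login and consent happen here in a real server)
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": redirect_uri}
        params = urlencode({"code": code, "state": query.get("state", "")})
        return {"redirect": f"{redirect_uri}?{params}"}

    def token(self, form):
        """Back channel: Site-A redeems the code with its client secret."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"],
                                                        form.get("client_secret", "")):
            return {"error": "invalid_client"}
        issued = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        if issued is None or issued["client_id"] != form["client_id"]:
            return {"error": "invalid_grant"}
        # RFC 6749 4.1.3: the redirect_uri presented here must equal the one in
        # the authorization request, so a code leaked via one redirect cannot
        # be redeemed by a client that received it through another.
        if issued["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}


def run_flow(server, client_id, client_secret, redirect_uri):
    """Site-A. Returns the token response, or the error that stopped the flow."""
    state = secrets.token_urlsafe(16)  # kept in the user's session at Site-A
    # 1. Site-A sends the browser to Site-B's authorization endpoint.
    resp = server.authorize({"response_type": "code", "client_id": client_id,
                             "redirect_uri": redirect_uri, "state": state})
    if "error" in resp:
        return resp
    # 2. The browser comes back to Site-A's callback with code + state.
    callback = parse_qs(urlparse(resp["redirect"]).query)
    if callback.get("state", [None])[0] != state:
        return {"error": "state_mismatch"}  # someone else's code (login CSRF)
    # 3. Site-A exchanges the code server-to-server; the secret never reaches the browser.
    return server.token({"grant_type": "authorization_code", "code": callback["code"][0],
                         "redirect_uri": redirect_uri, "client_id": client_id,
                         "client_secret": client_secret})


def demo():
    srv = AuthorizationServer()
    registered = "http://localhost:3000/auth/callback"  # hypothetical registration
    cid, csec = srv.register([registered])
    ok = run_flow(srv, cid, csec, registered)
    bad = run_flow(srv, cid, csec, "http://127.0.0.1:3000/auth/callback")
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The fix for the error in the question is therefore on the registration side: register every callback URL the app will actually send, byte for byte, rather than relaxing the comparison. Carrying per-request context in `state` (bound to the session) keeps the redirect URI static.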
233 votes · 3 answers · 72.1k views

OAuth 2.0: Benefits and use cases — why?

Could anyone explain what's good about OAuth2 and why we should implement it? I ask because I'm a bit confused about it — here are my current thoughts: OAuth1 (more precisely HMAC) requests seem logical, easy to understand, easy to develop and really, really secure. OAuth2, instead, brings authoriza...
tonyhb
223 votes · 11 answers · 66.6k views

What is the purpose of the implicit grant authorization type in OAuth 2?

I don't know if I just have some kind of blind spot or what, but I've read the OAuth 2 spec many times over and perused the mailing list archives, and I have yet to find a good explanation of why the Implicit Grant flow for obtaining access tokens has been developed. Compared to the Authorization Co...
Dan Taflin
194 votes · 4 answers · 91.2k views

Why do access tokens expire?

I am just getting started working with Google API and OAuth2. When the client authorizes my app I am given a 'refresh token' and a short lived 'access token'. Now every time the access token expires, I can POST my refresh token to Google and they will give me a new access token. My question is what...
levi
188 votes · 3 answers · 40.5k views

Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?

With the 'Implicit' flow the client (likely a browser) will get an access token, after the Resource Owner (i.e. the user) gave access. With the 'Authorization Code' flow however, the client (usually a web server) only gets an authorization code after the Resource Owner (i.e. the user) gave acces...
Aron Woost
156 votes · 4 answers · 148.7k views

What's a redirect URI? how does it apply to iOS app for OAuth2.0?

Beginner programmer here, please pardon ignorance & explanations will be really nice :) I've tried to read the tutorials for a certain OAuth 2.0 service, but I don't understand this redirect URI... in my particular context, let's say I'm trying to build an iPhone app that uses OAuth 2.0 for some ser...
David T.
142 votes · 25 answers · 259.1k views

How to obtain Signing certificate fingerprint (SHA1) for OAuth 2.0 on Android?

I'm trying to register my android app following the steps in https://developers.google.com/console/help/#installed_applications which leads me to follow http://developer.android.com/tools/publishing/app-signing.html. However, I'm not sure how to get the signing certificate fingerprint (SHA1). I f...
Alex
138 votes · 8 answers · 41.6k views

What is the difference between the 2 workflows? When to use Authorization Code flow?

OAuth 2.0 has multiple workflows. I have a few questions regarding the two. Authorization code flow - User logs in from client app, authorization server returns an authorization code to the app. The app then exchanges the authorization code for access token. Implicit grant flow - User logs in from c...
divyanshm
126 votes · 4 answers · 73.7k views

Google access token expiration time

When I obtain an access_token from the Google API, it comes with an expires_in value. According to the documentation, this value indicates 'The remaining lifetime of the access token'. What are the units of this value?
Frank LaRosa
124 votes · 3 answers · 170.7k views

What are Bearer Tokens and token_type in OAuth 2?

I'm trying to implement the Resource Owner & Password Credentials flow from the OAuth 2 spec. I'm having trouble understanding the token_type value that gets sent back with a valid response. In the spec all the examples show 'token_type':'example' but it says token_type is REQUIRED. The type...
Micah
121 votes · 8 answers · 43.9k views

Refreshing OAuth token using Retrofit without modifying all calls

We are using Retrofit in our Android app, to communicate with an OAuth2 secured server. Everything works great, we use the RequestInterceptor to include the access token with each call. However there will be times, when the access token will expire, and the token needs to be refreshed. When the toke...
Daniel Zolnai
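The Retrofit question above, and the earlier ones on why access tokens expire and what units `expires_in` uses, all come down to one piece of client logic: own the token pair in one place, refresh before the deadline, and retry once on a 401. The following is an added example that is not code from the question or from Retrofit; it is transport-agnostic Python with a constructed `FakeServer` standing in for the token endpoint and the API, and the token strings, the 60-second lifetime and the `rt-1` refresh token are assumptions for the demo. `expires_in` is a lifetime in seconds (RFC 6749 section 5.1), which is why the manager converts it to an absolute deadline on receipt.

```python
import time


class FakeServer:
    """Constructed stand-in for the token endpoint and the resource server."""

    def __init__(self, now):
        self.now = now
        self.valid_until = {}   # access_token -> expiry (epoch seconds)
        self.revoked = set()
        self.refresh_calls = 0

    def refresh(self, refresh_token):
        # a real token endpoint would also authenticate the client here
        if refresh_token != "rt-1":
            return {"error": "invalid_grant"}
        self.refresh_calls += 1
        token = f"at-{self.refresh_calls}"
        self.valid_until[token] = self.now() + 60
        # expires_in is a lifetime in seconds (RFC 6749 5.1), not a timestamp
        return {"access_token": token, "token_type": "Bearer", "expires_in": 60}

    def resource(self, headers):
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token in self.revoked or self.valid_until.get(token, 0) <= self.now():
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
        return 200, {"data": "ok"}


class TokenManager:
    """Owns both tokens; callers only ever get a ready-to-use Authorization header.
    Refreshes SKEW seconds early, and once more if the server still answers 401."""

    SKEW = 10  # absorbs clock drift and request latency

    def __init__(self, server, refresh_token, now=time.time):
        self.server, self.refresh_token, self.now = server, refresh_token, now
        self.access_token, self.expires_at = None, 0.0

    def _refresh(self):
        resp = self.server.refresh(self.refresh_token)
        if "error" in resp:
            # refresh token revoked or expired: only a new user authorization helps
            raise RuntimeError(f"re-authorization required: {resp['error']}")
        self.access_token = resp["access_token"]
        self.expires_at = self.now() + resp["expires_in"]

    def _header(self):
        if self.access_token is None or self.now() >= self.expires_at - self.SKEW:
            self._refresh()
        return {"Authorization": f"Bearer {self.access_token}"}

    def get(self):
        status, body = self.server.resource(self._header())
        if status == 401:
            # revoked server-side or clocks disagree: refresh once, retry once, then give up
            self._refresh()
            status, body = self.server.resource(self._header())
        return status, body


def demo():
    clock = [1_000_000.0]                   # controllable clock for the example
    srv = FakeServer(now=lambda: clock[0])
    tm = TokenManager(srv, "rt-1", now=lambda: clock[0])
    statuses = [tm.get()[0]]                # no token yet -> refresh #1
    clock[0] += 30
    statuses.append(tm.get()[0])            # 30 s left: no refresh
    clock[0] += 25
    statuses.append(tm.get()[0])            # 5 s left, inside SKEW -> refresh #2
    srv.revoked.add(tm.access_token)        # server revokes at-2
    statuses.append(tm.get()[0])            # 401 -> refresh #3 -> retry succeeds
    return statuses, srv.refresh_calls


if __name__ == "__main__":
    print(demo())
```

Two details matter for security rather than convenience: the refresh token never leaves the manager (it is only ever sent to the token endpoint, never to the API), and the retry is bounded to one so a revoked refresh token turns into a clean "re-authorize" error instead of a refresh loop.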
118 votes · 5 answers · 116.5k views

How to validate an OAuth 2.0 access token for a resource server?

When a client asks a resource server to get a protected resource with an OAuth 2.0 access token, how does this server validate the token? The OAuth 2.0 refresh token protocol?
Ack
112 votes · 4 answers · 128.9k views

How to implement oauth2 server in ASP.NET MVC 5 and WEB API 2

First I'll sketch my project: For my internship I need to add functionality to an existing system. A 3rd party client must be able to access data from AX web services once he is authorised by the user via oauth2. I understand that I need to make a 'proxy web service' whereto the client can make his...
Robin
107 votes · 8 answers · 72.8k views

Where can I find a list of scopes for Google's OAuth 2.0 API? [closed]

The example I'm working with specifies the scope in the OAuth request as: scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile which decodes into two URIs: https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/a...
Dylan Beattie
96 votes · 4 answers · 180.5k views

Error :Request header field Content-Type is not allowed by Access-Control-Allow-Headers

I created an mvc4 web api project using VS2012. I used the following tutorial to solve the Cross-Origin Resource Sharing, 'http://blogs.msdn.com/b/carlosfigueira/archive/2012/07/02/cors-support-in-asp-net-web-api-rc-version.aspx'. It is working successfully, and I post data from client side to server s...
Kishore
95 votes · 6 answers · 100.4k views

Is there any JSON Web Token (JWT) example in C#?

I feel like I'm taking crazy pills here. Usually there's always a million libraries and samples floating around the web for any given task. I'm trying to implement authentication with a Google 'Service Account' by use of JSON Web Tokens (JWT) as described here. However there are only client libraries i...
Levitikon
82 votes · 4 answers · 116.2k views

Using an authorization header with Fetch in React Native

I'm trying to use fetch in React Native to grab information from the Product Hunt API. I've obtained the proper Access Token and have saved it to State, but don't seem to be able to pass it along within the Authorization header for a GET request. Here's what I have so far: var Products = React.creat...
Richard Kho
82 votes · 3 answers · 20.9k views

client secret in OAuth 2.0

To use the google drive api, I have to play with the authentication using OAuth2.0. And I got a few questions about this. Client id and client secret are used to identify what my app is. But they must be hardcoded if it is a client application. So, everyone can decompile my app and extract them from sou...
Bear
77 votes · 2 answers · 12.7k views

OAuth v2 communication between authentication and resource server

I'm having some troubles understanding how OAUTH-v2 works. The OAuth version 2 spec reads: Accessing Protected Resources The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure it has not expired an...
nisc
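Both the question above and the earlier "How to validate an OAuth 2.0 access token for a resource server?" ask what "the resource server MUST validate the access token" looks like in practice. The spec leaves the token format to the authorization server; when the token is a signed JWT the resource server can validate it locally, which is what the added example below does. It is not code from either question: it uses only the standard library, signs with HS256 so the demo runs without a crypto dependency (production deployments normally use an asymmetric algorithm and a `kid` so the resource server never holds a signing key), and the issuer, audience, key and claim values are constructed for the example. The order of checks is deliberate: pin the algorithm before trusting anything in the header, verify the signature before reading claims, then issuer, audience, time window and scope.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes) -> str:
    """Authorization-server side: sign header.payload with HS256 (demo key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


class InvalidToken(Exception):
    pass


def validate(token, key, issuer, audience, required_scope, now=None):
    """Resource-server side. Raises InvalidToken, else returns the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("malformed header")
    # Pin the algorithm. Honouring "alg" from the token is how "alg":"none"
    # and HMAC/RSA key-confusion attacks get in.
    if header.get("alg") != "HS256":
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(p64))   # only now is the payload trustworthy
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")   # a token minted for another API is not ours
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise InvalidToken("expired")
    if claims.get("nbf", 0) > now:
        raise InvalidToken("not yet valid")
    if required_scope not in str(claims.get("scope", "")).split():
        raise InvalidToken("insufficient_scope")
    return claims


def outcome(token, key, issuer, audience, required_scope, now):
    """Same check, as a string: "ok" or the reason it failed."""
    try:
        validate(token, key, issuer, audience, required_scope, now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


def demo():
    key = b"demo-shared-secret"   # constructed for the example
    now = 1_700_000_000
    iss, aud = "https://as.example", "https://api.example"   # hypothetical
    claims = {"iss": iss, "aud": aud, "sub": "user-42", "scope": "read write",
              "iat": now, "exp": now + 300}
    good = mint(claims, key)
    _, payload, _ = good.split(".")
    forged = mint({**claims, "sub": "admin"}, b"attacker-key")   # attacker lacks the key
    none_alg = _b64url(b'{"alg":"none"}') + "." + payload + "."  # classic bypass attempt
    return [outcome(good, key, iss, aud, "read", now),
            outcome(good, key, iss, aud, "read", now + 301),
            outcome(forged, key, iss, aud, "read", now),
            outcome(none_alg, key, iss, aud, "read", now),
            outcome(good, key, iss, "https://other.example", "read", now),
            outcome(good, key, iss, aud, "admin", now)]


if __name__ == "__main__":
    print(demo())
```

For opaque (non-JWT) tokens the same checks happen on the authorization server instead: the resource server calls its token introspection endpoint (RFC 7662) and reads `active`, `exp`, `aud` and `scope` from the response rather than from the token itself.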
77 votes · 4 answers · 41.7k views

Restrict Login Email with Google OAuth2.0 to Specific Domain Name

I can't seem to find any documentation on how to restrict the login to my web application (which uses OAuth2.0 and Google APIs) to only accept authentication requests from users with an email on a specific domain name or set of domain names. I would like to whitelist as opposed to blacklist. Does an...
paradox870
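The domain restriction asked about above is a policy check on an already verified ID token, and it is easy to get subtly wrong. The added example below is not code from the question or from Google's libraries; the allow-list domains and the claim values are constructed. It puts the check most people write first (a bare suffix test on the email string) beside a hardened version that requires `email_verified`, splits the address properly, and for Google accounts requires the hosted-domain claim `hd` to match the address domain, since a consumer Google account can carry an address under an arbitrary domain while only Workspace accounts carry `hd`.

```python
ALLOWED_DOMAINS = {"example.com", "example.org"}   # hypothetical allow-list


def naive_is_allowed(email: str) -> bool:
    """The check most people write first. Two bugs: a bare suffix test also
    matches 'bob@evilexample.com', and nothing says the address was verified."""
    return any(email.endswith(d) for d in ALLOWED_DOMAINS)


def is_allowed(claims: dict, allowed=ALLOWED_DOMAINS) -> bool:
    """`claims` is the payload of an ID token whose signature, iss, aud and exp
    have already been verified; this function only decides the domain policy."""
    if claims.get("email_verified") is not True:
        return False
    local, at, domain = claims.get("email", "").rpartition("@")
    if not at or not local or not domain:
        return False
    domain = domain.lower()
    if domain not in allowed:
        return False
    # Google puts the hosted (Workspace) domain in `hd`. Requiring it, and
    # requiring it to agree with the address, excludes consumer accounts whose
    # address merely happens to sit under an allowed domain.
    hd = claims.get("hd")
    return isinstance(hd, str) and hd.lower() == domain


def demo():
    return {
        "naive_lookalike": naive_is_allowed("bob@evilexample.com"),
        "hardened_lookalike": is_allowed({"email": "bob@evilexample.com",
                                          "email_verified": True, "hd": "evilexample.com"}),
        "hardened_workspace_user": is_allowed({"email": "alice@example.com",
                                               "email_verified": True, "hd": "example.com"}),
        "hardened_no_hd": is_allowed({"email": "alice@example.com", "email_verified": True}),
    }


if __name__ == "__main__":
    print(demo())
```

Requesting the authorization with `hd=example.com` only pre-selects the account in Google's login UI; it is a hint, not a restriction, so the server-side check above is still needed.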
77 votes · 15 answers · 109.4k views

How to refresh token with Google API client?

I've been playing around with the Google Analytics API (V3) and have run into some errors. Firstly, everything is set up correctly and worked with my testing account. But when I want to grab data from another profile ID (Same Google Account/GA Account) I get a 403 Error. The strange thing is that data...
seorch.me
74 votes · 9 answers · 83.3k views

Is there an OAuth 2.0 Provider implementation in Java? (not oauth client) [closed]

So basically I want to protect my APIs with OAuth 2.0 and implement an OAuth Provider to enable acquisition of accessTokens etc. Can it be done with JOAuth out of the box? Has anybody already implemented something like this with an Open Source library (Java)?
JustGoscha
74 votes · 2 answers · 128.3k views

OAuth 2.0 Authorization Header

I want to develop an SDK that encapsulates the OAuth 2.0 functions. I have checked the differences between OAuth 1.0 & 2.0, and I have some confusion on the Authorization Header (1.0 and 2.0). OAuth 1.0 protocol parameters can be transmitted using the HTTP 'Authorization' header, but I can't find this de...
JKhuang
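The header the question above is looking for is defined in RFC 6750, not RFC 6749: with `token_type` of `Bearer` the client sends `Authorization: Bearer <token>` and nothing is signed, which is also the answer to the earlier questions on what `token_type` means and how to pass the token from `fetch`. The added example below is not code from any of those questions; it implements both ends in Python with a hypothetical realm name and constructed tokens, and it maps each failure to the status code and `WWW-Authenticate` challenge RFC 6750 section 3 prescribes (no credentials: 401 with a bare challenge; malformed request: 400 `invalid_request`; unknown or expired token: 401 `invalid_token`; wrong scope: 403 `insufficient_scope`). The token `mF_9.B5f-4.1JqM` is the RFC's own sample value.

```python
import re

# RFC 6750 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
REALM = "api"  # hypothetical


def build_auth_header(token_response: dict) -> dict:
    """Client side. token_type is compared case-insensitively; anything other
    than Bearer would need a scheme this client does not implement."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unsupported token_type: {token_response.get('token_type')!r}")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


def extract_bearer(headers: dict):
    """Resource-server side. Returns (token, None) on success, or
    (None, (status, www_authenticate_value)) per RFC 6750 section 3."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return None, (401, f'Bearer realm="{REALM}"')   # no credentials: challenge only
    parts = auth.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":  # scheme name is case-insensitive
        return None, (401, f'Bearer realm="{REALM}", error="invalid_request", '
                           'error_description="Bearer scheme required"')
    token = parts[1].strip()
    if not _B64TOKEN.match(token):
        return None, (400, f'Bearer realm="{REALM}", error="invalid_request", '
                           'error_description="malformed token"')
    return token, None


def handle(headers: dict, known_tokens: dict):
    """Full resource-server decision. known_tokens maps token -> granted scopes
    (constructed stand-in for whatever validation the server really does)."""
    token, err = extract_bearer(headers)
    if err:
        return err[0], {"WWW-Authenticate": err[1]}
    scopes = known_tokens.get(token)
    if scopes is None:
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'}
    if "read" not in scopes:
        return 403, {"WWW-Authenticate": f'Bearer realm="{REALM}", '
                                         'error="insufficient_scope", scope="read"'}
    return 200, {"body": "ok"}


def demo():
    tokens = {"mF_9.B5f-4.1JqM": {"read"}, "w-only": {"write"}}   # constructed
    client_headers = build_auth_header({"access_token": "mF_9.B5f-4.1JqM",
                                        "token_type": "bearer"})
    return [handle(client_headers, tokens)[0],
            handle({}, tokens)[0],
            handle({"Authorization": "Basic abc"}, tokens)[0],
            handle({"Authorization": "Bearer not a token"}, tokens)[0],
            handle({"Authorization": "Bearer unknown"}, tokens)[0],
            handle({"Authorization": "Bearer w-only"}, tokens)[0]]


if __name__ == "__main__":
    print(demo())
```

Because a bearer token is all an attacker needs, the scheme is only safe over TLS; the RFC also forbids putting the token in a URL query parameter except as a last resort, since it then lands in server logs and Referer headers.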
73 votes · 8 answers · 70.5k views

How to Logout of an Application Where I Used OAuth2 To Login With Google?

In my application, I implemented Google signout using jsapi. I used the url https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxxxxx to connect to Google and then https://www.googleapis.com/plus/v1/people/xxxxxx to get user data from google profile. Now I need to signout the user from Goog...
Vinesh Eg
72 votes · 1 answer · 18.1k views

How to keep the client credentials confidential, while using OAuth2's Resource Owner Password Credentials grant type

We are building a rest service and we want to use OAuth 2 for authorization. The current draft (v2-16 from May 19th) describes four grant types. They are mechanisms or flows for obtaining authorization (an access token). Authorization Code Implicit Grant Resource Owner Credentials Client Credenti...
71 votes · 4 answers · 92.5k views

OWIN Security - How to Implement OAuth2 Refresh Tokens

I am using the Web Api 2 template that comes with Visual Studio 2013, which has some OWIN middleware to do User Authentication and the like. In the OAuthAuthorizationServerOptions I noticed that the OAuth2 Server is set up to hand out tokens that expire in 14 days: OAuthOptions = new OAuthAuthorizationSe...
SimonGates
71 votes · 20 answers · 65.2k views

PG undefinedtable error relation users does not exist

I have seen this question before, but only for rspec. I have not created tests yet because it's too advanced for me, but one day soon I will! :P I am getting this error when I try to sign up/log in with my app. I'm not sure where to look to fix it. I use devise to create my user and also omniauth2 to sign i...
Naomi K
71 votes · 1 answer · 22.4k views

Registering Web API 2 external logins from multiple API clients with OWIN Identity

I would like the following architecture (I've made up the product name for this example): Web API 2 application running on one server http://api.prettypictures.com MVC 5 client app running on another server http://www.webpics.com I would like www.webpics.com client app to use the Pretty Pictures API...
joshcomley
71 votes · 3 answers · 11.1k views

HTTPError 403 (Forbidden) with Django and python-social-auth connecting to Google with OAuth2

Using python-social-auth, I get a 403: Forbidden error message after accepting access from google. EDIT: I've recently (2017) had the same error but under a new message: 401 Client Error: Unauthorized for url: https://accounts.google.com/o/oauth2/token
damio
63 votes · 7 answers · 23.9k views

What is intent of ID Token expiry time in OpenID Connect?

In OpenID Connect an access token has an expiry time. For authorization code flow, this is typically short (eg 20 minutes) after which you use the refresh token to request a new access token. The ID token also has an expiry time. My question is what is the intent of this? Any ID token expiry time...
Appetere
62 votes · 4 answers · 41.7k views

Facebook OAuth: custom callback_uri parameters

I'd like to have a dynamic redirect URL for my Facebook OAuth2 integration. For example, if my redirect URL is this in my Facebook app: http://www.mysite.com/oauth_callback?foo=bar I'd like the redirect URL for a specific request be something like this, so that on the server, I have some context ab...
Jacob
62 votes · 4 answers · 5.6k views

Authorization Credentials Stripped — django, elastic beanstalk, oauth

I implemented a REST api in django with django-rest-framework and used oauth2 for authentication. I tested with: curl -X POST -d 'client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD' http://localhost:8000/oauth2/access_token/ an...
sahutchi
61 votes · 3 answers · 39.2k views

where is devise implementation of “authenticate_user!” method?

Where is devise implementation of authenticate_user! method? I have been looking for it and have not found it so far.
Greg
61 votes · 2 answers · 27.7k views

Using bearer tokens and cookie authentication together

I have a single page app - more or less based on the MVC5 SPA template - using bearer tokens for authentication. The site also has a couple of conventional MVC pages which need to be secured, but using cookie authentication. In Startup.Auth I can enable both types of authorisation: app.UseCookieAuth...
Appetere
60 votes · 4 answers · 35.6k views

Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?

I'm trying to make a server application to routinely pull Google Analytics data from my own GA account. Note, it is a personal, server-side application accessing my own data, i.e. there is no end-user accessing this application. As such, I registered my application in the Google API Console as a Se...
moon prism power
59 votes · 7 answers · 50.6k views

How to extend access token validity since offline_access deprecation

Since the offline_access Permission is deprecated in Facebook's Authentication flow, we have a problem getting the so-called long lived access tokens without that permission. In Facebook's document about the deprecation it says that server side OAuth generated access tokens will be long lived, but the...
Rok Dominko
59 votes · 5 answers · 39.3k views

What's the right OAuth 2.0 flow for a mobile app

I am trying to implement delegated authorization in a Web API for mobile apps using OAuth 2.0. According to specification, the implicit grant flow does not support refresh tokens, which means once an access token is granted for a specific period of time, the user must grant permissions to the app a...
Pablo Cibraro
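The mobile question above and the earlier "client secret in OAuth 2.0" question share one premise: an app that ships to users cannot keep a secret, so neither the implicit grant (no refresh token, token exposed in the redirect) nor the authorization code grant with an embedded client secret fits. The standard answer is the authorization code grant with PKCE (RFC 7636): the app invents a `code_verifier`, sends only its SHA-256 `code_challenge` in the authorization request, and proves possession of the verifier at the token endpoint, so an intercepted code is worthless. The block below is an added example, not code from either question; the app identifier, custom-scheme redirect URI and the in-memory server are assumptions for the demo. `challenge_s256` is checked against the test vector in RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def make_verifier() -> str:
    """RFC 7636 4.1: 43..128 unreserved characters; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Issues codes bound to a challenge and redeems them only against the
    matching verifier. No client secret anywhere: the client is public."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method):
        if method != "S256":  # refuse "plain": the challenge would equal the verifier
            return {"error": "invalid_request"}
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return {"code": code}

    def token(self, client_id, redirect_uri, code, code_verifier):
        rec = self.codes.pop(code, None)  # single use, even when the attempt fails
        if rec is None or rec[0] != client_id or rec[1] != redirect_uri:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(challenge_s256(code_verifier), rec[2]):
            return {"error": "invalid_grant"}
        # a refresh token is fine for a public client once the exchange is proven
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}


def demo():
    srv = AuthorizationServer()
    app_id = "com.example.mobile"                      # hypothetical public client
    redirect = "com.example.mobile:/oauth2redirect"    # hypothetical custom-scheme URI
    verifier = make_verifier()
    # 1. The app opens the system browser with only the challenge; the verifier stays in-app.
    code = srv.authorize(app_id, redirect, challenge_s256(verifier), "S256")["code"]
    # 2a. A second app registered for the same custom scheme intercepts the redirect
    #     and tries to redeem the code: it has no way to know the verifier.
    stolen = srv.token(app_id, redirect, code, make_verifier())
    # 2b. A fresh authorization, redeemed by the real app with the verifier it kept.
    verifier2 = make_verifier()
    code2 = srv.authorize(app_id, redirect, challenge_s256(verifier2), "S256")["code"]
    legit = srv.token(app_id, redirect, code2, verifier2)
    return stolen.get("error"), "access_token" in legit, "refresh_token" in legit


if __name__ == "__main__":
    print(demo())
```

The app still needs to store the resulting refresh token in platform-protected storage (Keychain, Android Keystore-backed storage) and to use the system browser rather than an embedded web view, so that neither the user's password nor the tokens are ever visible to the app's own process or to other apps.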
59 votes · 6 answers · 16k views

Authenticating with OAuth2 for an app *and* a website

I'm developing a website that is primarily accessed via an app, and I want to use OAuth2 for user registration and authentication. Since it is an Android app I will start using Google's OAuth2 stuff, since it provides a decent UI on Android. Google states that 'You can choose to use Google's authent...
Timmmm