Questions tagged [oauth-2.0]

11 votes, 3 answers, 298 views

Which is more secure: External browser or ChromeTab for authorization?

I am developing Cordova-based hybrid mobile apps targeted for Android and iOS smartphones. Update: Embedded webview approach is no longer supported by Google. Use case: The application authenticates the user and then would be accessing Google Calendar APIs, and finally display user events on the app. Note...
RDX
11 votes, 1 answer, 8.2k views

Single sign off using OAuth 2

We just have been discussing the login and logout behaviour when using OAuth 2. Let's say we have two webapps A and B using one OAuth provider O (built using the spring-security-oauth2 stack). When you want to login to A you get redirected to O, enter your credentials, get a session there on O, redi...
James
11 votes, 3 answers, 20.6k views

Google API : How to authenticate without redirection?

We want to use Google Doc API to generate Document (in our own business account) when our end users do some actions on our site. The problem is that we've tried to implement the OAuth 2.0 protocol, as suggested in the v3.0 protocol documentation. The apiClient::authentication method does a redirection...
FMaz008
11 votes, 1 answer, 6.6k views

golang Facebook authentication using golang.org/x/oauth2

I am trying to write a simple program using the golang.org/x/oauth2 package. But I can't seem to exchange code for an access token. The following error is a bit misleading as it says the authorisation code has been used but I see a new code every time I invoke the login dialog. I am new to golang an...
padlar
11 votes, 3 answers, 2.5k views

Is it possible to get an Id token with Chrome App Identity Api?

I can't get a user's id_token (https://developers.google.com/accounts/docs/CrossClientAuth) from the Chrome identity api (https://developer.chrome.com/apps/identity). I can get an access_token using the chrome identity sample when the oauth section in the manifest is: 'oauth2': { 'client_id': '.app...
chris
11 votes, 4 answers, 13.5k views

OAuth 2.0 Server for PHP

I have been struggling to find an active open-source PHP project that supports OAuth 2.0 as a server. There are tons of client examples that connect to Facebook, Twitter, etc. but as more and more people want to expose their own services through an API I'm a bit surprised the open source community h...
ken
11 votes, 2 answers, 6.7k views

What does resourceId mean in OAuth 2.0 with Spring Security

OAuth2ProtectedResourceFilter in org.springframework.security.oauth2.provider.filter: Collection resourceIds = auth.getClientAuthentication().getResourceIds(); if (resourceIds!=null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) { throw new InvalidTokenException('Invalid token does...
user1110977
11 votes, 1 answer, 1.7k views

How to setup OAuth 2.0 server using loopback

I want to set up an OAuth 2.0 Server using Loopback using a package called loopback-component-oauth2. The documentation is here: https://docs.strongloop.com/display/public/LB/OAuth+2.0#OAuth2.0-UsingtheOAuth2component But it is very unclear, what models should I create and what rest endpoint should b...
user3655266
11 votes, 1 answer, 9.1k views

Google Spreadsheets API with OAuth2.0 using Javascript

I'm trying to access a private Google Spreadsheet using Javascript. I have successfully authorized with OAuth2.0 and can see a listing of all my Google Drive docs. What I can't seem to do is get into a specific spreadsheet. Code is as follows with the relevant spreadsheet code in the function 'retr...
Josh
11 votes, 5 answers, 31.8k views

Getting Error: redirect_uri_mismatch The redirect URI in the request: http://localhost:8080/oauth2callback did not match a registered redirect URI

I'm getting this error while trying to run my application... The redirect URI in the request: http://localhost:8080/oauth2callback did not match a registered redirect URI. In Google API console I have registered my redirect URLs. Redirect URIs: http://localhost:8080/ And in the client_secrets.json a...
iJade
11 votes, 1 answer, 5.7k views

Use OAuth Refresh Token to Obtain New Access Token - Google API

My app is simple, it connects to the Google+ API to authenticate the user, and if successful, it retrieves the user's email and then performs a series of operations on a given database based on the email retrieved. My main issue is that every hour, my access token expires, and I seem not to know ho...
daniel_c05
11 votes, 2 answers, 15.6k views

Spring Security OAuth2 check_token endpoint

I'm trying to setup a resource server to work with separate authorization server using spring security oauth. I'm using RemoteTokenServices which requires /check_token endpoint. I could see that /oauth/check_token endpoint is enabled by default when @EnableAuthorizationServer is used. However the...
sowdri
11 votes, 2 answers, 5.5k views

Is there a working OAuth library for Python 3?

What's the most current form of Oauth for Python 3? I'm trying to create a stock screener using my broker's API, which uses Oauth. Most of the info I find is out of date or conflicting. I've seen the following modules referenced: Oauth - Seems to be the original, now outdated. I get an error of ''mo...
Turtles Are Cute
11 votes, 1 answer, 4.8k views

Mocking Oauth providers while testing

I have an app that I'm writing which authenticates against an Oauth 2.0 authorisation server. I'd like to test the parts that are accessible only after you've logged in but the Oauth server is an external dependency that complicates and makes brittle my tests. Any suggestions on how I should go abou...
Noufal Ibrahim
11 votes, 3 answers, 5.8k views

Adding OAuth 2.0 authentication to a RESTful API

I have an API that requires authentication via OAuth 2.0. I originally anticipated using HWIOAuthBundle, however from investigation this is more to do with hooking up 3rd parties into Symfony's security/auth mechanism and does not provide the required mechanism for validating OAuth 2.0 Authorization...
Malachi
11 votes, 1 answer, 11.8k views

Are Oauth2 client apps required to have SSL connection?

Which parties of Oauth 2.0 are required to have an SSL connection? Auth server: SSL required Resource server: SSL required Client apps: Is it really necessary, as long as it uses SSL for the resource server communication?
beku8
11 votes, 3 answers, 12k views

Is it possible to use OAuth 2.0 without a redirect server?

I'm trying to create a local Java-based client that interacts with the SurveyMonkey API. SurveyMonkey requires a long-lived access token using OAuth 2.0, which I'm not very familiar with. I've been googling this for hours, and I think the answer is no, but I just want to be sure: Is it possible for...
Tovi7
11 votes, 7 answers, 16.4k views

Instagram API: do scopes work with OAuth2 implicit authentication flow?

I'm making requests against the Instagram API from a mobile app. Currently, I'm just directing the user to the Instagram auth url and specifying the response type to be 'access_token'. Specifying this response_type is known as implicit auth. Explicit auth: response_type=code Implicit auth: response_...
NovaJoe
10 votes, 2 answers, 13.1k views

Apache strips down “Authorization” header

I'm having a little issue with my Apache 2.2.15 Server. I'm running a Django app on top of it with mod_wsgi. I activated WSGIPassAuthorization On, which made the Basic auth working well. But I recently implemented OAuth2.0 to secure my API (Implicit Grant), and I think Apache won't let it pass since...
Martin Latrille
10 votes, 2 answers, 3k views

Rest, Spring own OAuth2 server + OAuth2 providers like Facebook, Google, Yahoo

In Spring Boot application I have secured my Spring MVC REST endpoints with Spring Security and Spring OAuth2. I have own Authorization\Resource servers so in order to communicate with our API, client (AngularJS) needs to obtain accessToken from my API Authorization Server. Everything works fine but f...
alexanoid
10 votes, 3 answers, 16.6k views

Real Time examples for Oauth2 Grant Types and Good document, example for Oauth2 with Spring MVC

I've read about Oauth2 few days before, it has entities like Client, Resource Owner, Resource Server, Authorization Server and I understood the explanations too. But I don't understand the grant types completely, still I got confusion on following types. Oauth2 has 4 different grant types like, Auth...
Pravinkumar
10 votes, 3 answers, 1.8k views

Why caching access token is considered bad in oauth2?

I am following this article for revoking user access : http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ Now consider after validating user I have issued an accesstoken with 30 minutes life span as shown in above article and with refresh token as...
10 votes, 3 answers, 14.2k views

Is there any Node.js client library to make OAuth and OAuth2 API calls to Twitter, Facebook, Google, LinkedIn, etc.?

I did a lot of googling and the best I could find was: https://github.com/ciaranj/node-oauth Are there any libraries on top of this, which provide wrappers to make API calls to Twitter, Facebook, Google, LinkedIn, etc. to say post a tweet or DM somebody or get friends list or post a link to Facebook...
pavanlimo
10 votes, 2 answers, 3.6k views

Difference between Client and User-Agent

What is the difference between a Client, User-Agent and Resource Owner in OAuth 2.0 definitions? What are some examples for each term? (browser, user, ...)
A-Sharabiani
10 votes, 1 answer, 11k views

How to store bearer tokens when MVC and Web API are in different projects

Situation: I have a Web API 2 project which acts as an Authorization server (/token endpoint) and a resource server. I am using the template that comes out of box with ASP.Net Web API minus any MVC reference. The Start.Auth is configured as below: public void ConfigureAuth(IAppBuilder app) { // Con...
Amanvir Mundra
10 votes, 1 answer, 6.7k views

Can ASP.Net MVC 4's OAuthWebSecurity open a pop-up

I'm trying to figure out how to use ASP.Net MVC 4's new OAuthWebSecurity functionality. Is it possible when clicking on the facebook or twitter external login button to have the form post to a pop-up instead of refreshing the current page? I've used oauth with Twitter and Facebook before using Jav...
Tom Schreck
9 votes, 2 answers, 6.3k views

Retrieving date of birth with Google OAuth API

Does anyone know how to retrieve D.O.B through Google OAuth api? I am able to get other information like name, email, gender by setting the scope as https://www.googleapis.com/auth/userinfo.profile. But I am not able to get D.O.B with this scope.
Javal Nanda
9 votes, 2 answers, 17.2k views

How do I implement an OAuth2 Authorization_Code Flow in Web Api using OWIN Middleware?

I'm trying to create a simple proof of concept OAuth enabled application but am stuck on the authorization code implementation. Everywhere I read seems like it goes in one way or another, never actually using the authorization code flow. I've been using the following resources for information: https...
Joshua Belden
9 votes, 4 answers, 1.6k views

How can private data be secured with OAuth2 authentication?

I am setting up a website to use Google's OAuth2 interface for user authentication. The website will store private data associated with each user - which I'm planning to encrypt. If I implemented my own authentication method for the website, I could easily derive a key from the user's credentials (w...
adelphus
9 votes, 2 answers, 572 views

Google Cloud Endpoints Security (OAuth2) and custom User schema

I'm reading the Google Cloud Endpoints docs related to OAuth2 Security. I assume this kind of security is against Google accounts. Is there any support to have a custom User schema to authenticate against? What I would like is to have client JS application which uses Google Cloud Endpoints but authe...
Marcel Overdijk
9 votes, 2 answers, 2.6k views

What's the right way to separate the Resource Server and the Authorization Server?

Using spring-security-oauth2 to secure my resources against a SSO endpoint that can act as an authorization server. I'm a bit confused when the documentation states: The provider role in OAuth 2.0 is actually split between Authorization Service and Resource Service, and while these sometimes reside...
Joe
9 votes, 0 answers, 850 views

LinkedIn ios SDK - user authentication, if user chooses not to download the mobile app from app store

I am trying to integrate linked-ios-sdk for user authentication in my app by following steps provided in this link: Authenticating with the Mobile SDK. In the provided sample app they are using this code: [LISDKSessionManager createSessionWithAuth:[NSArray arrayWithObjects:LISDK_BASIC_PROFILE_PERMIS...
Devarshi
9 votes, 1 answer, 10.4k views

How to authenticate an Access token by Owin OAuthBearerAuthentication?

What I want: A token generator use OAuthAuthorizationServer and token consumer use OAuthBearerAuthentication (authenticate the access token). Use OWIN pipeline to manage all stuff, token stuff and web api stuff. What about the code: public void Configuration(IAppBuilder app) { app.UseOAuthAuthorizat...
Albert Gao
9 votes, 0 answers, 1.8k views

Cookies AND Bearer Token in the same application

So, here is my situation. I have a web application where Users register and manage/view the data that is automatically generated every time they have a doctor appointment. At the same time, this User data is exposed to any approved Client (third party app) via an API. Also, these Clients may feed da...
Pepito Fernandez
9 votes, 1 answer, 1.6k views

Authentication with Akka-Http

We're developing an iOS app, where the user needs to authenticate using email+password (or mobile number). Our backend is made of a couple of microservices using Akka-Http. It needs to be fast, scalable, concurrent, and the authentication+authorization should work across our multiple services. I'm t...
Yossi Chen
9 votes, 1 answer, 635 views

MVC 5 OAuth with CORS

I read several posts talking about some similar problems, but I don't get yet to do this to work. I'm doing ajax to 'Account/ExternalLogin' which generates the ChallengeResult and starts the flow for the authentication with OWIN. This is my Startup class : public partial class Startup { // For more i...
sabotero
9 votes, 1 answer, 196 views

Server-side authentication using Google accounts in a Chrome extension

I have a Web application that currently uses OAuth2 to authenticate users using their Google accounts. The flow is quite standard: the user logs in to Google, the web app gets a callback, retrieves the user identity and stores it in the session. Now I need to create an accompanying Chrome extension....
Bartosz Leper
9 votes, 0 answers, 1.4k views

ASP.NET Web API with Google OpenID Connect

Goal: I would like to protect my web service (ASP.NET Web API using OWIN) with OpenID Connect. The Identity Provider is Google. Important: I'm only responsible for the web service. I DO NOT have any Web Application (no UI; this is up to 3rd parties using my web service). Considerations: As my web se...
Dunken
8 votes, 1 answer, 270 views

chrome.identity.launchWebAuthFlow logout/switch user

I make users login to my chrome extension through my own OAuth2 API which uses google signin, through chrome.identity.launchWebAuthFlow with interactive set to true, and it works fine, user is prompted to sign in with google account, I get redirect url in my extension's background script, parse acce...
kecman
8 votes, 1 answer, 3k views

OAuth Facebook Authentication with ASP.NET Web API

So I guess this question is sort of two folds What should I store when granted Facebook OAuth rights into my User Domain Entity (facebook userid? or token? or both or something else) Can I just generally secure the ASP.NET Web API with a DelegatingHandler to read for the access token? Currently my c...
Max Alexander