Questions tagged [oauth-2.0]

1 vote, 2 answers, 46 views

IdentityServer4 and ASP.NETCore 1.x

I am currently looking at IdentityServer4 as an option for our web services. However, due to corporate compiler level policy, I am only able to use VisualStudio 15.0 which does not support .Net Core 2 (and ASP.NET core 2 therefore). So I am stuck with ASP.Net Core 1.x for the moment. Changing the co...
elmadj
1 vote, 1 answer, 282 views

Security concerns for using FBSDKLoginManager for iOS

According to Facebook docs, Facebook login for iOS provides 'FBSDKLoginManager' - which directly calls into the API to perform login or additional authorizations with your own UI. https://developers.facebook.com/docs/facebook-login/ios#login-apicalls If an application uses its own login UI, it can pot...
LYC
1 vote, 1 answer, 286 views

Authentication for Google Directory using API key

I'm attempting to write a script that will add G Suite accounts, but I want to do it without redirecting to Google to authorize each time the form is submitted. Is there a way to authorize within a script? I attempted authorizing using an API key but was getting a 401 Error - Login Required Using oA...
Andrew
1 vote, 2 answers, 0 views

Java: Oauth 2.0 How can I use Google API RefreshTokens to avoid requesting access every time my app launches?

There is a lot of sample code for the Google API showing how to get an authorization token and use it, but I cannot find any sample code that shows you how to use the Oauth 2.0 GoogleAccessProtectedResource.refreshToken() method in the java client to get a new authorization token in Java. Google...
nwaltham
1 vote, 1 answer, 359 views

Springboot Angular security - 403 forbidden on REST calls

We have a Springboot 2.0.x and Angular 6 multi module application, using OpenID Connect 1.0 implementation of OAuth2 standard as security. Initial security works, authenticates and authorizes, and lands on the Home page. But for some reason, our POST and DELETE REST calls are getting 403 Forbidden s...
NyxRL
1 vote, 1 answer, 708 views

Python client to access CalDAV via OAuth2 on Nextcloud

The canonical examples for using CalDAV always use username/password authentication. However Nextcloud supports OAuth2, therefore I would like to use CalDAV via oauth. I already have done the same with the Google calendar API, but just adapting the oauth2client sample provided by Google: client_secr...
Adrian W
1 vote, 1 answer, 862 views

Are there any open source OAuth 2 providers/servers for internal use

I really want to host my own private OAuth 2 server/provider for internal use. I would prefer an open source solution. I can't seem to find any. Either I am trying to do something dumb or I am not looking in the right place...
Karl Strings
1 vote, 1 answer, 0 views

How to implement OAuth single Sign In/Sign Out with Chrome Custom Tabs

I am attempting to implement OAuth single sign in/ sign out in my current Android application. I am using Chrome Custom Tabs implementation 'com.android.support:customtabs:28.0.0' Sign in works fine, Chrome Custom tabs store the users cookies and all sign in flow work is as expected. New Sign In: Cl...
Hector
1 vote, 1 answer, 1.2k views

Google Plus can't post a moment

After Google authorization I try to post a moment without any confirmations: GTMOAuth2Authentication *auth; auth = [GTMOAuth2ViewControllerTouch authForGoogleFromKeychainForName:TMH_SOCIAL_GOOGLE_KEYCHAIN clientID:TMH_SOCIAL_GOOGLE_CLIENTID clientSecret:TMH_SOCIAL_GOOGLE_SECRET]; if ([auth canAuthor...
RuslTG
1 vote, 1 answer, 498 views

Refreshing Keycloak offline token

I am currently trying to get an offline token working with Keycloak. My problem here is that I cannot refresh a token I once received. When I initially call the token endpoint, I get a proper response with a working access token: { 'access_token': '', 'expires_in': 900, 'refresh_expires_in': 0, 'r...
Jojo
1 vote, 1 answer, 97 views

Using the IBM SBT database credential store with Oauth2

Has anyone used the database credential store com.ibm.sbt.security.credential.store.DBCredentialStore to store tokens for an OAuth2 endpoint. I am running a simple app on WebSphere 7 with a db2 database for the token storage. I have the managed bean for the store correctly configured in managed-bean...
user3470471
1 vote, 1 answer, 0 views

Token Authentication In Django Restframework Using Django-rest-auth

I'm using vue.js for the front end of my application which is made on Django-restframework. I am using django-rest-auth for social authentication via Google. On the front end, I am using the vue-google-oauth2 library. The two work fine. I send an auth code from the front end and the backend responds...
Hamza
1 vote, 1 answer, 0 views

ROPC - Getting “invalid_grant” error with description as “AADSTS50126: Invalid username or password”

POST /{{AAD}}/oauth2/v2.0/token HTTP/1.1 Host: login.microsoftonline.com Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Postman-Token: 611fa720-e1f4-5bbc-e0f7-b7620bab24af client_id={{client_id}} [email protected] &password={{password}} &grant_type=password &scop...
Ray
1 vote, 1 answer, 0 views

Azure AD: id_token as bearer token

I have an application registered in Azure AD. If I am using the same Application ID at the level of Web API and at the level of client (SPA application), why do both Azure AD auth libraries (ADAL JS for Azure AD v1 and MSAL.js for Azure AD v2) use ID token as bearer token when calling Web API, ins...
erdinger
1 vote, 1 answer, 117 views

google-python-api-client refresh token is null

I am trying to use refresh tokens with the google-python-api-client to avoid having to have the user authenticate the app every time. I have the following code that builds the fitness service by having the user authenticate every time from apiclient.discovery import build from oauth2client import to...
1 vote, 1 answer, 1.7k views

OAuth2, Using POST and Yet… Method Not Allowed?

Basically I'm trying to create a website that requires interfacing with the Discord API to retrieve user information to work. To do this, I am using a library called Simple OAuth (https://github.com/lelylan/simple-oauth2) and cannot get my authorization code to return a token using it. I've looked t...
Jndachenhaus
1 vote, 1 answer, 207 views

With Oauth2 Google Extension for Geoserver, GeoServer home page does not redirect to Google Login page

I have installed the OAuth2 Extensions for Geoserver successfully and I was able to create the Authentication Filter and added Google_Oauth2 to the filter chains web rest gwc default I have also created the truststore and added it to the JAVA_OPTS Path as ../cacerts.cks All the steps I have foll...
Steve Omondi
1 vote, 1 answer, 168 views

OAuth approach in nativescript to jhipster spring social

Short: How to configure jhipster/spring social to land on custom page containing status / jwt token instead of app homepage after OAuth handshake? Long: I am building an app that has a web and mobile version that talk to a jhipster back end. I need to implement OAuth authentication in my mobile a...
Bill Pfeiffer
1 vote, 1 answer, 69 views

OAuth 2.0 Services variations

I am trying to implement an authentication module which I can reuse for different services. I have gone through some popular OAuth 2.0 implemented services. I did find some differences in some of the authentication calls, Like, Microsoft Dynamics adds an extra query parameter, resource=ABC, to the au...
Anish Somani
1 vote, 1 answer, 1.2k views

Zuul proxy and Spring OAuth redirection issue

I'm trying to get a JWT token from third-party SSO server. It requires an additional parameter in the first authorization request, for example https://[third-party-sso-server]/oauth2/authorize?client_id=[my-client-id]&redirect_uri=http://localhost:8080/login&response_type=code&additional_param=[v...
Pavel
1 vote, 2 answers, 81 views

DocuSign OAuth in demo mode

I am implementing DocuSign's OAuth flow by following their OAuth2 doc. With demo developer account is it normal that only users specified in the Admin Dashboard are able to complete the OAuth flow? I'm assuming so but no reference is made on the docs.
user3933324
1 vote, 1 answer, 77 views

Getting refresh_token as null on re-authenticating Gmail API for sending email using Oauth

I am using Scribe for oauth to get access_token and refresh_token for the auth_code. It worked well for the first authentication. When I disabled the credentials in my application, the tokens are still existing with the Gmail connected apps for my application. When I re-enable the oauth, I am getti...
ravi.t
1 vote, 2 answers, 580 views

Swift Vapor unsupported_grant_type invalid signature / OAuth access token

I am running Xcode 8.1 with Vapor and SWIFT 3. I am posting a request to the Google server to get an auth token, so I can call FireBaseDB API, but I get error: unsupported_grant_type/Invalid grant_type. On developers.google.com it says that I have to encode in a URL the following: https://www.goog...
bibscy
1 vote, 2 answers, 377 views

OAuth2 Access token deletion from database

I am trying to implement OAuth2 for a REST API which will support mobile, desktop and web apps. I have read Chapter 6. Refreshing an Access Token of Hardt, D., Ed., 'The OAuth 2.0 Authorization Framework', RFC 6749, DOI 10.17487/RFC6749, October 2012 According to RFC, access tokens and refresh toke...
mahbub.kuet
1 vote, 1 answer, 952 views

Angular2 to IdentityServer4 to Azure B2C

I have a Single Page Application that will use the implicit grant type. I want to use Azure B2C. However, Azure B2C doesn't support the implicit grant type. (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations) Is it possible to facilitate this communication...
KPHutt
1 vote, 1 answer, 81 views

Should I send the Secret with the Refresh Token in OAuth 2.0

I'm working to implement an OAuth 2.0 server, and while reading the RFC6749 specification I realized that section 6 on page 47, regarding 'Refreshing an Access Token', explains that we need to just use the Refresh Token that we have to get a new Token. But for example, in addition to the Refresh Toke...
David Gatti
1 vote, 1 answer, 248 views

When using Implicit Flow with a SPA, where do we actually create the account in our Database?

I'm trying to understand how OAuth2.0 Implicit Flow (with OIDC) works with a pretty simple SPA/Mobile client (aka Client) and my REST Api (aka. Resource Server) & creating new accounts. I more or less understand how the Client can request a token from an Auth Service (Auth0/Stormpath/IdentityServer/...
Pure.Krome
1 vote, 1 answer, 680 views

Expire-date in refresh-token (oauth2, exact)

So I'm using the exact-online XML-api to retrieve some user-related data. This works fine so far, but since it is using oauth 2.0, I am being redirected after 600 sec and the login-prompt appears again. This function refreshes the access-token: /** * @param string $refreshToken * @return array {acc...
DasSaffe
1 vote, 1 answer, 420 views

Bitbucket API with two factor authentication

I want to use Bitbucket's Rest API with Bitbucket's two-factor authentication enabled, so I can administer my account using curl via the terminal. Previously, I made REST API calls without 2FA and now I want to make this transition. With 2FA enabled, you need to use the OAuth 2.0 protocol to make AP...
Mussé Redi
1 vote, 1 answer, 315 views

Laravel Oauth2 multiple grants

I'm fairly new to Oauth2 and it seems I'm stuck. To protect our API, we use OAuth2. We have a lot of calls that contain information based on an account, so we use the password grant in OAuth. But, I also have to protect my registration call, so only registered applications with valid client_id and c...
Jan Boden
1 vote, 1 answer, 489 views

Where do I set the project name used on screen for multiple accounts login?

I've got a GAE app which uses users.create_login_url() to redirect users toward oauth2 login. Using it puts up a screen like this. Question is: How to change 'My Project' to something else?
John Mee
1 vote, 1 answer, 1.4k views

Can an OAuth 2.0 access token be used to authenticate a user in another context?

I want to know if it is permissible to pass a user's OAuth 2.0 access token between applications and use it as a method of logging them in. I have an iPhone application that uses the password grant to authenticate a user, and then uses their access token for future requests. The iPhone application i...
Dwight
1 vote, 1 answer, 98 views

oAuth 2 authorization header syntax

The oAuth 2 specification requires that authorization headers be structured as follows authorization: Bearer token_code What's the point of adding Bearer ? and I think that would mean that when I access it on the server side, I need to extract token_code from the string ? Can I choose to implement t...
T. Rex
1 vote, 1 answer, 969 views

Twitter OAuth throws 'Desktop applications only support the oauth_callback value oob' on iOS app

So I'm currently trying to get authorization for twitter working by making use of the OAuthSwift plugin I've tried to get it working with both OAuth1 and OAuth2 both unsuccessfully and with different errors/problems. So for OAuth2 I get this response Whoa there! There is no request token for this pa...
NoSixties
1 vote, 1 answer, 1.2k views

Slack Oauth/Authorize API Call

I'm new to OAuth (and the Slack API) and have a question regarding Step 1 of Slack's OAuth Flow. It says 'Your web or mobile app should redirect users to the following url: https://slack.com/oauth/authorize'. At first I thought I should do an XHR request but then came to understand that that is not...
dannyk
1 vote, 1 answer, 249 views

How to include all subdomains into SDK Domains?

I have had a small program using the js api working on 'http://test.de' So my SDK Domains appears as so: Now I want to move the api across a handful of subdomains of test.de So I altered the SDK Domains as so: Which does not work. Throwing this error: It will work if I specifically set up the subdom...
hogarth45
1 vote, 1 answer, 235 views

Microsoft Authentication: How to refresh access token using ajax post?

I've been going through the app authorization steps here https://developer.microsoft.com/en-us/graph/docs/authorization/app_authorization, but can't seem to get the request to work. I consistently get errors saying Response to preflight request doesn't pass access control check: No 'Access-Control-...
user3707850
1 vote, 1 answer, 2.5k views

A single sign on authentication in golang

I am trying to build a multi-tenant architecture in golang where there will be different services like Service-A and Service-B each service will run on a different server and I want the user to have a single sign-in solution and get authenticated in all the services offered. Just like what Amazon...
Robins Gupta
1 vote, 3 answers, 1.4k views

Issues using OAuth2 to authorize in gspread using python

I am very new with python so please excuse my ignorance. I am trying to send data to Google spreadsheets and have decided to use gspread. However gspread requires me to use OAuth-2.0 to authorize access to the spreadsheets. I have used the tutorial on their documentation page to do so. However when...
user3120921
1 vote, 1 answer, 20 views

OIDC: UserInfo for non-users

...and yes I understand the title itself is flawed! Currently I have a system which uses info from the /userinfo endpoint to decide whether to allow them access to particular resources. E.g. Only allow members with an attribute of company=X are allowed to access company X's resources This works fin...
Andy N