Questions tagged [oauth-2.0]

1

votes
1

answer
301

Views

Why does Authorization Request not require client secret in OAuth2 Authorization Code Grant Flow?

In OAuth2.0 Authorization Code Grant as stated in RFC 6749, the token request requires client secret according to sec4.1.3; however, the authorization request is not according to sec4.1.1. Does anyone know why? It seems using client secret for both authorization and token request makes the process m...
ken5scal
1

votes
2

answer
2.2k

Views

getting #error=unsupported_response_type&error_description=AADSTS70005: with token request

I am trying to implement an OAuth2 implicit grant flow in an iOS app. In this case it requires a token request instead of a code request because you can't share the client secret in a native app safely. So a request like this yields a login form: https://login.windows.net//oauth2/authorize?api-vers...
Philip Nelson
1

votes
1

answer
151

Views

Why does Postman require user login for Google oauth?

I'll try to connect to the content api for shopping via API. I'd tried some different oAuth ways (e.g. 'three-step-method' with access key and bearer-token) but for a specific integration I need the 'credentials-oAuth'. Currently I tried as following: https://accounts.google.com/o/oauth2/v2/auth? c...
D. Boden-Pollack
1

votes
1

answer
0

Views

Spring security - implement oauth2 sso

I want to implement a central authentication system with spring security and oauth2 sso. In other words, I have a spring boot application that is responsible for authorization and one simple client. My client has rest API. First I get token from the authorization server, then send a request to client...
hamed
1

votes
1

answer
0

Views

Oauth - What Kind of Permissions should be given in default login token?

I'm working on an authentication system for a web application I am making. I want to allow other apps to connect to the data stored in mine (using an OAuth system). I've been reading about how OAuth works here: https://www.oauth.com/oauth2-servers/background/ Most of it makes sense, however I do hav...
Caleb H.
1

votes
1

answer
97

Views

Using the IBM SBT database credential store with Oauth2

Has anyone used the database credential store com.ibm.sbt.security.credential.store.DBCredentialStore to store tokens for an OAuth2 endpoint. I am running a simple app on WebSphere 7 with a db2 database for the token storage. I have the managed bean for the store correctly configured in managed-bean...
user3470471
1

votes
1

answer
708

Views

Python client to access CalDAV via OAuth2 on Nextcloud

The canonical examples for using CalDAV always use username/password authentication. However Nextcloud supports OAuth2, therefore I would like to use CalDAV via oauth. I already have done the same with the Google calendar API, but just adapting the oauth2client sample provided by Google: client_secr...
Adrian W
1

votes
1

answer
0

Views

ROPC - Getting “invalid_grant” error with description as “AADSTS50126: Invalid username or password”

POST /{{AAD}}/oauth2/v2.0/token HTTP/1.1 Host: login.microsoftonline.com Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Postman-Token: 611fa720-e1f4-5bbc-e0f7-b7620bab24af client_id={{client_id}} [email protected] &password={{password}} &grant_type=password &scop...
Ray
1

votes
1

answer
0

Views

Azure AD: id_token as bearer token

I have an application registered in Azure AD. If I am using the same Application ID at the level of Web API and at the level of client (SPA application), why do both Azure AD auth libraries (ADAL JS for Azure AD v1 and MSAL.js for Azure AD v2) use ID token as bearer token when calling Web API, ins...
erdinger
1

votes
1

answer
0

Views

Token Authentication In Django Restframework Using Django-rest-auth

I'm using vue.js for the front end of my application which is made on Django-restframework. I am using django-rest-auth for social authentication via Google. On the front end, I am using the vue-google-oauth2 library. The two work fine. I send an auth code from the front end and the backend responds...
Hamza
1

votes
1

answer
862

Views

Are there any open source OAuth 2 providers/servers for internal use

I really want to host my own private OAuth 2 server/provider for internal use. I would prefer an open source solution. I can't seem to find any. Either I am trying to do something dumb or I am not looking in the right place...
Karl Strings
1

votes
1

answer
498

Views

Refreshing Keycloak offline token

I am currently trying to get an offline token working with Keycloak. My problem here is, that I cannot refresh a token I once received. When I initially call the token endpoint, I get a proper response with a working access token: { 'access_token': '', 'expires_in': 900, 'refresh_expires_in': 0, 'r...
Jojo
1

votes
1

answer
0

Views

How to implement OAuth single Sign In/Sign Out with Chrome Custom Tabs

I am attempting to implement OAuth single sign in/ sign out in my current Android application. I am using Chrome Custom Tabs implementation 'com.android.support:customtabs:28.0.0' Sign in works fine, Chrome Custom tabs store the users cookies and all sign in flow work is as expected. New Sign In: Cl...
Hector
1

votes
1

answer
1.2k

Views

Google Plus can't post a moment

After Google authorization I try to post a moment without any confirmations: GTMOAuth2Authentication *auth; auth = [GTMOAuth2ViewControllerTouch authForGoogleFromKeychainForName:TMH_SOCIAL_GOOGLE_KEYCHAIN clientID:TMH_SOCIAL_GOOGLE_CLIENTID clientSecret:TMH_SOCIAL_GOOGLE_SECRET]; if ([auth canAuthor...
RuslTG
1

votes
2

answer
81

Views

DocuSign OAuth in demo mode

I am implementing DocuSign's OAuth flow by following their OAuth2 doc. With demo developer account is it normal that only users specified in the Admin Dashboard are able to complete the OAuth flow? I'm assuming so but no reference is made on the docs.
user3933324
1

votes
1

answer
680

Views

Expire-date in refresh-token (oauth2, exact)

So I'm using the exact-online XML-api to retrieve some user-related data. This works fine so far, but since it is using oauth 2.0, I am being redirected after 600 sec and the login-prompt appears again. This function refreshes the access-token: /** * @param string $refreshToken * @return array {acc...
DasSaffe
1

votes
2

answer
377

Views

OAuth2 Access token deletion from database

I am trying to implement OAuth2 for a REST API which will support mobile, desktop and web apps. I have read Chapter 6. Refreshing an Access Token of Hardt, D., Ed., 'The OAuth 2.0 Authorization Framework', RFC 6749, DOI 10.17487/RFC6749, October 2012 According to RFC, access tokens and refresh toke...
mahbub.kuet
1

votes
1

answer
248

Views

When using Implicit Flow with a SPA, where do we actually create the account in our Database?

I'm trying to understand how OAuth2.0 Implicit Flow (with OIDC) works with a pretty simple SPA/Mobile client (aka Client) and my REST Api (aka. Resource Server) & creating new accounts. I more or less understand how the Client can request a token from an Auth Service (Auth0/Stormpath/IdentityServer/...
Pure.Krome
1

votes
1

answer
77

Views

Getting refresh_token as null on re-authenticating Gmail API for sending email using Oauth

I am using Scribe for oauth to get access_token and refresh_token for the auth_code. It worked well for the first authentication. When I disabled the credentials in my application, the tokens are still existing with the Gmail connected apps for my application. When I re-enable the oauth, I am getti...
ravi.t
1

votes
1

answer
69

Views

OAuth 2.0 Services variations

I am trying to implement an authentication module which I can reuse for different services. I have gone through some popular OAuth 2.0 implemented services. I did find some differences in some of the authentication calls, Like, Microsoft Dynamics adds an extra query parameter, resource=ABC, to the au...
Anish Somani
1

votes
1

answer
1.2k

Views

Zuul proxy and Spring OAuth redirection issue

I'm trying to get a JWT token from third-party SSO server. It requires an additional parameter in the first authorization request, for example https://[third-party-sso-server]/oauth2/authorize?client_id=[my-client-id]&redirect_uri=http://localhost:8080/login&response_type=code&additional_param=[v...
Pavel
1

votes
2

answer
580

Views

Swift Vapor unsupported_grant_type invalid signature / OAuth access token

I am running Xcode 8.1 with Vapor and SWIFT 3. I am posting a request to google server to get an auth token, so I can call FireBaseDB API, but I get error: unsupported_grant_type/Invalid grant_type. On developers.google.com it says that I have to encode in a URL the following: https://www.goog...
bibscy
1

votes
1

answer
336

Views

google drive api access code life

How long is the access code valid for when a google drive api based app has been approved? Can I save this code in my app and re-use it to avoid needing a human to authorize it repeatedly?
ツ ツ ツ
1

votes
1

answer
3.6k

Views

Handling JSON response with Javascript

There are tons of questions related to mine, but after spending several hours poring over different answers and experimenting on my own, I still can't solve my problem! I'm using the OAuth 2.0 protocol to gain access to Box's API. So far I've been able to retrieve an authorization code, and right n...
user2066880
1

votes
1

answer
395

Views

How to implement Implicit Grant in Go using oauth2

go version go1.7.4 linux/amd64 I am trying get amazon alexa login using oauth2 package main import ( 'context' 'encoding/json' 'fmt' 'html/template' 'io/ioutil' 'log' 'net/http' 'net/url' 'golang.org/x/oauth2' 'gopkg.in/oauth2.v3/errors' 'gopkg.in/oauth2.v3/manage' 'gopkg.in/oauth2.v3/models' 'gopkg...
Vijay Kumar
1

votes
2

answer
315

Views

Graph SDK OAUTH ADAL client credentials for reuse? later

So we have an application that allows you to create an XML file that runs the app again at a later stage (which may or may not have a user in attendance). Files are stored on the user cloud drive platform of choice. So the process is Workflow 1 Authenticate to cloud with User 1 details/input Select f...
Barry
1

votes
2

answer
58

Views

Persistent Authentication even when logged off?

I'm trying to write a web application that works like this: The user sends an email to the email address of my application My application posts the body of the email as a public gist of the user. Now, I wonder how I should authenticate with Github. I don't want the user to have to give me his Githu...
Derek Chiang
1

votes
1

answer
20

Views

OAuth 2: authorization_code Grant - Is client_secret param necessary?

With regards to OAuth 2.0, my previous understanding is that client_secret should be used for authorization_code grant, which is supposed to be 'more secure' (client_secret was required for some tutorial out here 1 2) However I saw a library when using authorization_code, didn't bother to check cl...
Ng Sek Long
1

votes
2

answer
46

Views

IdentityServer4 and ASP.NETCore 1.x

I am currently looking at IdentityServer4 as an option for our web services. However, due to corporate compiler level policy, I am only able to use VisualStudio 15.0 which does not support .Net Core 2 (and ASP.NET core 2 therefore). So I am stuck with ASP.Net Core 1.x for the moment. Changing the co...
elmadj
1

votes
1

answer
282

Views

Security concerns for using FBSDKLoginManager for iOS

According to Facebook docs, Facebook login for iOS provides 'FBSDKLoginManager' - which directly call into the API to perform login or additional authorizations with your own UI. https://developers.facebook.com/docs/facebook-login/ios#login-apicalls If an application uses its own login UI, it can pot...
LYC
1

votes
2

answer
0

Views

Java: Oauth 2.0 How can I use Google API RefreshTokens to avoid requesting access every time my app launches?

There is a lot of sample code for the google API showing how to Get an authorization token and use it, but I cannot find any sample code that shows you how to use the Oauth 2.0 GoogleAccessProtectedResource.refreshToken() method in the java client to get a new authorization token in Java. Google...
nwaltham
1

votes
1

answer
286

Views

Authentication for Google Directory using API key

I'm attempting to write a script that will add G Suite accounts, but I want to do it without redirecting to Google to authorize each time the form is submitted. Is there a way to authorize within a script? I attempted authorizing using an API key but was getting a 401 Error - Login Required Using oA...
Andrew
1

votes
1

answer
359

Views

Springboot Angular security - 403 forbidden on REST calls

We have a Springboot 2.0.x and Angular 6 multi module application, using OpenID Connect 1.0 implementation of OAuth2 standard as security. Initial security works, authenticates and authorizes, and lands on the Home page. But for some reason, our POST and DELETE REST calls are getting 403 Forbidden s...
NyxRL
1

votes
1

answer
304

Views

When to randomize auth code/state in oauth2?

According to the docs at https://www.godoc.org/golang.org/x/oauth2#Config.AuthCodeURL ...State is a token to protect the user from CSRF attacks. You must always provide a non-zero string... and at http://tools.ietf.org/html/rfc6749#section-10.12 ...any request sent to the redirection URI endpoint t...
davidkomer
1

votes
1

answer
89

Views

Can't link Twitter with Satellizer.js

The Facebook, Google and Yahoo login for satellizer.js was pretty straightforward. All I had to do was create apps with their respective APIs, configure them with my homepage's URL. Then I added the app-ids to the app.js file: $authProvider.facebook({ clientId: 'xxxxxxxxxxxxxxxxx' }); and lastly I...
martin
1

votes
1

answer
409

Views

How to get access token using oauth2 for Github api using python

I am building an app to access Github api in python using django. I am new to this building this kind of app for the first time. I specified a link to get the access of a user's account like this Now I can access the user's account. Now the problem is, I want to use oauth2 so that it doesn't ask f...
Tasneem Haider
1

votes
1

answer
969

Views

Twitter OAuth throws 'Desktop applications only support the oauth_callback value oob' on iOS app

So I'm currently trying to get authorization for twitter working by making use of the OAuthSwift plugin I've tried to get it working with both OAuth1 and OAuth2 both unsuccessfully and with different errors/problems. So for OAuth2 I get this response Whoa there! There is no request token for this pa...
NoSixties
1

votes
1

answer
1.2k

Views

Slack Oauth/Authorize API Call

I'm new to OAuth (and the Slack API) and have a question regarding Step 1 of Slack's OAuth Flow. It says 'Your web or mobile app should redirect users to the following url: https://slack.com/oauth/authorize'. At first I thought I should do an XHR request but then came to understand that that is not...
dannyk
1

votes
1

answer
489

Views

Where do I set the project name used on screen for multiple accounts login?

I've got a GAE app which uses users.create_login_url() to redirect users toward oauth2 login. Using it puts up a screen like this. Question is: How to change 'My Project' to something else?
John Mee
1

votes
1

answer
1.4k

Views

Can an OAuth 2.0 access token be used to authenticate a user in another context?

I want to know if it is permissible to pass a user's OAuth 2.0 access token between applications and use it as a method of logging them in. I have an iPhone application that uses the password grant to authenticate a user, and then uses their access token for future requests. The iPhone application i...
Dwight