Questions tagged [oauth-2.0]

1 vote · 1 answer · 414 views

OAuth 2 Endpoint: Additional Fields?

Is it acceptable to include additional fields in an OAuth token endpoint response? For example, I am returning UserId, Username and CompanyId below: { 'access_token': 'pHd4Wz1EF...', 'token_type': 'bearer', 'expires_in': 86399, 'UserId': '7e7fbc39-8abd-41e1-b165-9d18b635b7a7', 'Username': '[email protected]
Dave New
1 vote · 1 answer · 1k views

Google OAuth2 with Server to Server authentication returns “invalid_grant”

I am trying to follow the steps outlined here https://developers.google.com/accounts/docs/OAuth2ServiceAccount#overview in order to acquire the access token for use with the Google Calendar API with OAuth2. After attempting to put together and sign the jwt, I always end up with a 400 'Bad request' r...
Flavio K
1 vote · 1 answer · 860 views

HelloJS + Cordova: Trouble with redirect_uri

I'm having some trouble using HelloJS with the Google+ API. It has been running nicely using a local development server, but when I try using it wrapped in a Cordova application, I'm getting an error. Within the Google Development Console I've created a client id for web applications. The settings...
Poyan
1 vote · 1 answer · 6k views

Cannot authorize with LinkedIn

I'm trying to get the first name, surname and email from a user on my website with LinkedIn. This is what I've done: In my LinkedIn App I've set the Default Scope (OAuth User Agreement) to: r_basicprofile r_contactinfo w_share r_emailaddress I've correctly added my domain to Javascript API Domains....
nielsv
1 vote · 2 answers · 144 views

REST - HTTPS is secure - why go for OAuth?

My app uses REST calls to fetch data from the server. To make the server calls secure, I googled and found out that OAuth is the best way to secure REST web services. But it also says that OAuth should be used with HTTPS. If we are using HTTPS (which is a secure way to transmit data), why do we requ...
SRCM
1 vote · 1 answer · 88 views

Trouble forming post to get Azure token using Guzzle6 (Error: AADSTS90014)

We're moving from Guzzle3 to Guzzle6. I wrote a process to authenticate and access the Azure Management API that worked fine in Guzzle3. However, I'm unable to figure out how to get it to work in Guzzle6. The purpose is to get the access token which is then used in subsequent requests to the Azure Ma...
Adam
1 vote · 1 answer · 509 views

How to link an Alexa user with 3rd party app using basic authentication instead of OAuth 2.0

I am creating a custom Alexa Skill that gets information from an application using their APIs. In order to use the application, you must have an account. The application authenticates users using basic authentication, i.e., the user logs in using their username and password, and the authorization se...
Drew
1 vote · 1 answer · 63 views

Is it correct to request access token upon EVERY API call in my web app controllers?

I have a web API on the backend, and a web app and phone app on the front end. I am using Auth0 for OAuth/OpenId authentication on all three. Both web API and web app are written in ASP .Net Core 1.1 MVC. Every time I call the web API from the web app, I request an access token from Auth0. So, in ev...
1 vote · 1 answer · 319 views

IdentityServer3 : client_id, secret, username, password passed in URL vs body parameters

I am looking at how Identity Server 3 works. In a pluralsight example, I see this for oAuth2 Does this imply I can add the parameters in the URL? Whilst I can get the parameters in body to work, I cannot get the parameters in the URL to work: Is there a setting to switch between body parameters and...
Peter PitLock
1 vote · 1 answer · 135 views

oauth2.0 in external browser

I've recently come across twitter4j, which uses an external browser to authenticate the user with Twitter. I'd like to achieve consistency - is it possible for oauth2 (facebook) to apply a similar approach, an external web browser instead of a webview, and how? Thanks.
midnight
1 vote · 3 answers · 1.7k views

How to access Google Drive docs from a server with no browser

I've worked through the examples for performing OOB OAuth2 connections and it works fine from my laptop. The challenge I'm having is that it fires up a browser, asking me to verify if I want to grant access for my app to the documents in question. From then on it stores my credential set in a local...
Andre
1 vote · 1 answer · 83 views

Google OAuth, get only email and no plus related data

When my application authenticates users using their google account, I use scope as 'email', but for some reason, google still tells them that my app can see 'who you are on google'. Is there a way to avoid that?
0fnt
1 vote · 1 answer · 607 views

UserService, OAuth, and AJAX in App Engine

I'm running a webapp that checks if a user is logged in with UserService, then shows them their homepage if they are, or redirects them to a login screen if not. Once on the page, I would like to be able to update specific portions using AJAX when they click certain elements. Now, I have already wri...
willlma
1 vote · 1 answer · 130 views

How to restrict a client to install a web application for only one domain

I have a product (Web Application); 5-10 clients are asking for the same application to be installed in their own domain. I don't have any problem installing it, but some clients (who have technical knowledge) are installing it in 2 or 3 domains without paying me. How can I restrict them to only one domain? I me...
user123456789
1 vote · 1 answer · 479 views

Is it allowed per the oAuth2 specs to have multiple valid tokens per Resource Owner at the same time?

According to the oAuth2 specs, is it allowed to have multiple valid tokens per Resource Owner at the same time? For security considerations it seems appropriate (less exposed area for replay attacks) that only 1 active token per Resource Owner (i.e. User) is available. This would mean that when a ne...
Geert-Jan
1 vote · 1 answer · 260 views

“A refresh_token is not available (RuntimeError)” when authenticating with Facebook or Google+

Using omniauth-oauth2 alongside omniauth-facebook and omniauth-google-oauth2 for social authentication with Devise, we saw this obscure error cropping up in our Cucumber suite. We couldn't figure out what was going wrong. Google led us on some goose hunts. Any ideas? @selenium Scenario: I can login...
Chris Cashwell
1 vote · 1 answer · 634 views

Google Auth doesn't show popup if logged in

In scenario 1 the user is not logged into our app and is not logged into google in their browser. This shows them a pop up and tells them to log in to google and then tells them to authorize our app. However, in my scenario, the user is already logged in and already has authorized my app. I log them...
joncodo
1 vote · 1 answer · 0 views

Spring OAuth2 server cannot refresh token with Resource owner credentials (password) grant flow

I have configured an OAuth2 authorisation server with spring security oauth, using jwt tokens: @Configuration @EnableAuthorizationServer public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { ... @Override public void configure(final ClientDetailsServiceConfigure...
Archie
1 vote · 1 answer · 127 views

Authorization server behind kubernetes ingress?

I want to deploy a few Spring Boot microservices on a Kubernetes cluster. One of them is an authorization server serving OAuth 2.0 tokens. With the current deployment (no k8s) only two services are visible to the outer world: api-gateway (Zuul) and authorization-server (Spring OAuth). The rest is hidden behi...
k13i
1 vote · 1 answer · 287 views

securesocial.core.Identity missing from SecureSocial library?

I am looking to use OAuth2 in my Play application, and I've been having trouble looking for an entry point in coding for it. SecureSocial seems like a good library to use, but there seems to be a disconnect between SecureSocial's Getting Started guide and the classes that are actually available in t...
Tuy
1 vote · 1 answer · 1.7k views

GMail OAuth authentication. Am I retrieving the OAuth token correctly?

I'm trying to create a mockup for an application that accesses the Mail of users after OAuth authentication. I intend to retrieve the mail using the following code snippet based off the example here: http://code.google.com/p/google-mail-oauth2-tools/source/browse/trunk/java/com/google/code/samples/o...
seeker
1 vote · 1 answer · 2k views

Google OAuth2 Service Accounts authorization

I'm trying to perform Google Drive API calls using 'Service Accounts' authorization. I'm calling the API, but files.list returns me an empty set, meanwhile the drive is not empty. I guess I should specify the prn field as well in order to perform the call on behalf of the concrete user (I don't really get who...
axe
1 vote · 1 answer · 306 views

What's the length of the access_token string?

I store the access token received from Soundcloud in a database and would therefore like to know what the maximum length of the string is. There's a similar question here concerning Facebook. Does the same (1) apply to Soundcloud? And is the length guaranteed to stay the same in the future or coul...
Deve
1 vote · 1 answer · 0 views

implement phone authentication

I am trying to implement phone authentication in my asp.net core backend APIs, something like WhatsApp. The flow is: the user opens the mobile app; if he isn't a current user he can write his phone number; the backend should send a verification code to his mobile and store the verificationObject to inMemoryCache...
M.Nour Berro
1 vote · 1 answer · 69 views

OAuth2: Prevent abuse of access tokens by legitimate resource server

Considering a multi-service setup, where a single authorization server (AS) manages the access to multiple resource servers (RS), in this example RS1 and RS2. If we have one access token for both RS and we send an access token to RS1, then RS1 would be able to make calls with this access token to RS...
Timo
1 vote · 1 answer · 23 views

Does the retrieved OAuth2.0 authorization code for Azure AD web applications expire?

In order to access resources in Azure AD web applications we retrieve an authorization code using the following workflow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code Now my question is, does this retrieved code also have a specific lifetime (like tokens h...
Ruben Aster
1 vote · 1 answer · 321 views

How to make OAuth2 work for Azure Active Directory with multi-factor authentication on .net?

We are using OAuth 2.0 auth code grant on Azure Active Directory to authenticate the users in our web application. This has worked without problems, but now the AD maintenance wants to deploy a multi-factor authentication. Our current OAuth implementation is not in line with that. Here is our code:...
masa
1 vote · 1 answer · 22 views

OAuth: Client revoking access of several access tokens

Suppose I am a client application and I request resource owners to share their resources using Authorization servers (and resource servers) like Facebook and Google. Let's assume that some of my access tokens were compromised. In that case, can I request Facebook or Google to revoke all those tokens?...
Ihsan Izwer
1 vote · 1 answer · 0 views

Getting started with Spring Boot and OAuth2 maven dependencies

I am trying to develop a simple application with Spring Boot 2 and OAuth2. I am following the tutorial at http://websystique.com/spring-security/secure-spring-rest-api-using-oauth2/ but I am facing a problem with what maven dependencies to include in my project. My pom.xml is as under 4.0.0 org.spring...
Anirban
1 vote · 1 answer · 0 views

Tight coupling in application and server due to Auth

I have to design a native mobile app which uses an access token with an expiry time of 2 min. The application maintains a timer and asks for a new access token every 2 min in the background. I feel this design introduces a tight coupling between the server and the app of maintaining the 2 min time. In an ide...
SHN
1 vote · 2 answers · 140 views

Implement Oauth between own server and iPhone app

I want to secure my http calls between the mobile app and my own server. What is the best approach to do this? I was looking at oAuth2.0 but am not able to understand it completely. How can we use tokenised authentication in our app? Could someone help me out with this by explaining with an example for both s...
Rahul Vyas
1 vote · 2 answers · 1.7k views

Can I use oauth 2.0 with flex?

I want my flex mobile app to connect to the Google services, specifically the new Google Drive, to upload and download files. Is this possible using AS3 and Flash Builder? I believe oauth 2.0 is required for authentication. Can this be done with ActionScript? I've looked around and only found oauth...
user1073892
1 vote · 1 answer · 32 views

Create an OAuth compatible SSO: troubles with client_id mixups

I want to create a Google-like single sign-on application to allow members of one of our applications to reach all other apps without the need of signing in again. But I can't find the right way to do it; I think I'm missing something with the grant_type=authorization_code method, and especially this part...
Alain Tiemblo
1 vote · 1 answer · 44 views

Native app OAuth2 authorization

We want to create a native mobile app using OAuth2. How do we protect against stealing the clientID (this information can be obtained by anybody)? Can someone create his own app and act as our app by using our clientID?
Jakub Saleniuk
1 vote · 1 answer · 79 views

redirect_url mismatch error when exchanging code for token

I'm trying to implement exchanging a code for a token in my WebApi application with Fitbit. I keep getting the exception, Message = 'Redirect_uri mismatch: http://localhost:49294/api/... Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process.' Reque...
Antarr Byrd
1 vote · 3 answers · 2.3k views

Authorize Filter in Web Api 2.0 With OauthBearerTokens Not Working

I have a Single Page Application (Angular Js + AspNet Web API) using OAuthBearerToken style authentication. My code is as follows: [assembly: OwinStartupAttribute(typeof(App.Web.Startup))] namespace App.Web { public partial class Startup { public void Configuration(IAppBuilder app) { var config = new...
Seth IK
1 vote · 2 answers · 1.3k views

LinkedIn, 401, Unable to verify access token

I used this guide to build a showcase - sign in with LinkedIn into a specific site. Everything worked perfectly until I demonstrated it in front of a wide audience and it broke down :-( It was a great FAIL and I want to know why. Here is what I do: 1. On the sign in page the user may click a Sign in...
Lachezar Balev
1 vote · 1 answer · 1.5k views

Spring Security OAuth2 JWT anonymous token

What I did: First, I accept that I am lacking in spring security knowledge. I am trying to secure REST services for one of our products. I am using spring security OAuth2 JWT. I want to allow anonymous as well as registered users to access my resources. Suppose I have one service 'http://localhost:8282...
Ani
1 vote · 1 answer · 582 views

Custom icon & name in yii2 oAuth client widget

I am trying to create a yii2 oAuth server. I need a custom icon & name for my client in the view. This is the code where we set the view:
Yasar Arafath
1 vote · 1 answer · 428 views

How to enable my own custom OAuth external authorization with asp.net

I have a project in which I need to implement authorization using OAuth. I am developing different apps with their different data. Web app 1: This is a SPA web app that will connect with a webAPI built for it that will expose related business data to this web app. Web app 2: This is an MVC as...
T M