Questions tagged [oauth-2.0]

Why there are primary and secondary certificates for JWT verification in light-4j
1 vote, 1 answer, 13 views
When enabling light-4j security, there are two files that need to be in the config folder for JWT verification: primary.crt and secondary.crt. I am wondering why there are two certificates for JWT verification.
Steve Hu

Spring Security - UserDetailsService for oAuth2 implementation?
1 vote, 1 answer, 460 views
So, using a basic authentication, I can see the value in simply using an implementation of the UserDetailsService which basically just loads a user and confirms they are authenticated. However, I would now like to use oAuth2 and am not sure if my thinking is completely wrong on this subject. Wouldn'...
TyRyDurden

Do you have to use IdentityServer 3's login views
1 vote, 1 answer, 278 views
I'm architecting a SSO service to support multiple internal and client facing applications. I'm reviewing ThinkTecture's IdentityServer 3 approach using OpenId Connect and oAUTH2. I think this is the direction we need to go. However, I'm hung up on the examples I'm seeing where the user is presen...
Tom Schreck

WebAPI OWIN authentication with LinkedIn Ionic
1 vote, 1 answer, 115 views
I currently have authentication working (WebAPI OWIN) with grant_type=password&username=&password for my simple username/password combo and it returns me a Bearer token which is good. Now I'm trying to implement it with social login but can't get my head around it. I'm using ionic cloud to authe...
DrZeuso

ASP.NET Core: Being an external authentication source for other applications
1 vote, 1 answer, 202 views
In ASP.NET Core, it's easy enough to use external authentication services for allowing users to sign into a web application (MS, Facebook, and Google accounts are supported out of the box). However, how can I go about setting my application up to actually be an external authentication provider for o...
Ryan

Can't we use SAML for securing microservices?
1 vote, 1 answer, 135 views
Currently, Oauth2 is becoming the de facto for the security module for the microservices ecosystem. Why can't we replace Oauth with SAML (or any other SSOs for that matter) and JWT with SAML Assertions (or equivalent data of the SSOs)? Is it the simplicity of Oauth2 that makes us choose it or is ther...
Kannan Ramamoorthy

MailChimp API call with OAuth 2 token
1 vote, 1 answer, 455 views
I am unable to call Mailchimp's API 3.0 endpoints such as /lists using OAuth 2 tokens. I already have the token and have the endpoint from the /metadata call; however, when I attempt to access /lists using the below //Get lists $client = new \GuzzleHttp\Client(['base_uri' => $datacenter]); $headers =...
Alex Merz

Firebase | Retrieve hd parameter from Google oAuth
1 vote, 1 answer, 65 views
I've seen this post on how to set the hd parameter. I simply want to check that parameter on a Firebase's user().onCreate() function. However, the hd parameter does not seem to be a part of the user object or token parameters. From what I understand Google oAuth should include the hd parameter if th...
Sean Russell

Using the authorization code grant without using cookies?
1 vote, 1 answer, 999 views
I've been reading up on this for months and it seems like the whole thing could converge on what I'm summarizing below. I'm trying to arrive at the most ideal: OAuth2 OpenID Connect SPA / Mobile Client JWT Solution that has banking level security quality as the above component are concerned. So t...
Ole

Security concerns about using Facebook implicit token for server side resource server OAuth2 authentication
1 vote, 1 answer, 163 views
I have poured over the OAuth2 docs and seen how the Facebook Javascript SDK uses Implicit Grant. I am building a ReactJs application, which communicates with a PHP-Symfony API. What I want to do is offer the 'Login with Facebook' option on the frontend. What I need on my PHP server is the Facebook u...
Jayd

Authentication on Post DRF
1 vote, 1 answer, 83 views
I got an error on my DRF when I try to authenticate using a POST method. The token is correct for the admin user. When I use a safe method it is successful, but with the POST method it doesn't authenticate my view class SpecialistListView(ListCreateAPIView): authentication_classes = (OA...
Darwin

OWIN Security - OAuth2 Refresh Token - How to include Refresh Token's expiration
1 vote, 1 answer, 392 views
After following this guide, I have a functional authorization server. My app receives the following response: { 'access_token': 'wNl5VT4UuMwMpFOkoMTUscO7XgS96ktzeE_FoAcKpugLD4VrZGZ0HgGvgfgbY1axOPsdxQ5bzB2hA5jKtWNZdq21OvKU4LLnRXXhSHbOWLnbVSAVfkrX1n_Vv_TgWncOheK3WJ7OkELoLUkwYYQCzX712BVmblLkSjsjpvX94Vy...
Paul - Soura Tech LLC

Oauth2 assertion grant: Why no refresh token?
1 vote, 1 answer, 148 views
I'm looking into Oauth2 to allow developers to authorize users of their app to use my service. I've found a few sources that say that my Authorization Server should return an access token when a user sends an assertion (JWT in my case) but that it should not return a refresh token. I'm wondering wha...
Mustack

How do I secure an account that is created via OAuth Spotify
1 vote, 1 answer, 66 views
I would like users to register an account on my site via OAuth Spotify. I have the following scheme: User authenticates via Spotify; Spotify ID and Mail are returned; An account will be created on the website (saved to the database); The user can log in with his Spotify to access that account. The probl...
Jason

What is the purpose of Resource Owner Password Credential Grant Type in OAuth 2.0?
1 vote, 2 answers, 200 views
Based on the answer to my previous question: Ok, OAuth 2.0 is an authorization protocol, but when you use the ROPC (Resource Owner Password Credential) Grant Type, the way I understand it, you mean to authenticate and authorize, isn't it? Is OpenID still applicable in ROPC? Still a little bit confused with...

Post/share automatically to LinkedIn company page from server
1 vote, 1 answer, 314 views
I'm trying to post to my company page directly from my server, but I have a hard time understanding how the authentication works. All examples + the documentation seem to require you to have a callback where the 'visitor' is prompted with a form to confirm the access. But in my case, my app is suppos...
Victor

Grails OAuth2 signin Password Credentials Grant returns invalid_client
1 vote, 1 answer, 539 views
I am working on a basic grails app protected by OAuth2 authentication -- code here. It is nothing more than what spring-security and spring-security-oauth plugins have for a getting started app. In my bootstrap I have (as per getting started): Role roleUser = new Role(authority: 'ROLE_USER').save(...
adeady

How to get GitHub pull requests for an organization repo via the v3 API?
1 vote, 1 answer, 1.6k views
I can't seem to get the pull requests for my organization's private repository using the API. I've gotten myself an OAuth2 access token which works fine. For example, this call works and returns valid JSON (apaidnerd would be my username and blog would be a public repo): https://api.github.com/repos...
a paid nerd

Can someone help me with working code for Restassured post request with Authorization Header
1 vote, 1 answer, 284 views
I'm new to Restassured Webservice automation. I'm able to get an OAuth2 token and save it to a string. But when I pass this string in the Authorization header, I'm getting a 403 error. Working code to store the token in a string: `String response = given() .params('grant_type', 'XXX', 'scope', 'XXX') .auth() ....
Renu

What is the difference between Dwolla API Key, Client_id & Client_Secret?
1 vote, 1 answer, 458 views
How to work with the Dwolla API which requires Client_id & Client_Secret: https://www.dwolla.com/oauth/rest/users/{account_identifier}?client_id={client_id}&client_secret={client_secret} I already registered the application and got a Key and Secret. But when I call the above described API endpoint via Fiddler, I got...

Vimeo API invalid token when making request
1 vote, 1 answer, 776 views
I am trying to make a request to the Vimeo api v3 using this request URL: https://api.vimeo.com/videos?query=elvis&client_id=XXXXXXXXXXXXXXXXX&token=XXXXXXXXXXXXXXXXXXXX The token I am sending is copy and pasted from the web interface. I generated it there. I'm trying it from the browser and receivi...
wuliwong

Is the scope of an oauth2 access token bound to the token or the user?
1 vote, 1 answer, 503 views
I'm having a hard time asking the question so let me explain to you our half baked OAuth 2.0 solution: Currently, we only use a trusted grant, rather we ask for a username and password. If those creds are authenticated successfully, we issue an access token and a refresh token. However, there is no...
Sinaesthetic

Storing API key on mobile device
1 vote, 1 answer, 265 views
I've read many, if not all, answers to previously asked questions about the same topic, but questions themselves are not exactly about my case. I have an OAuth 2.0 server running. It has an endpoint that provides access tokens to users. Programs and websites requesting the access token may or may no...
Xeos

How to validate Google identity server side
1 vote, 1 answer, 573 views
I have an app that is using pure client side Google API for authentication and possibly listing contacts in circles. However I am associating certain data submitted to the server with identities. What exactly should I be doing to validate that the identity submitted to my server (I have a REST api)...
BlueMonkMN

ASP MVC 5 OAuth External Login and SSL
1 vote, 1 answer, 591 views
Is it a must to use SSL in order to use OAuth login on ASP MVC5, as suggested in this post? http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
JeeShen Lee

How to expose API to developers securely?
1 vote, 1 answer, 701 views
Hi, I want to expose the API of my web application to developers so that they can build applications on top of my API. I want to develop it the same as Twitter does, which means I want to build Consumer key, Consumer secret, Request token URL, Authorize URL, Access token URL, Callback URL, Access token, Access tok...
mandar.gokhale

ADFS 4.0: Received invalid Client credentials
1 vote, 2 answers, 698 views
Any ideas why this can happen? Our IT had ADFS updated from version 3 to version 4. After the update our ASP.NET Core application gets following error: Error Code: 'Unhandled remote failure. (OAuth token endpoint failure: Status: BadRequest; Body: {\'error\':\'invalid_client\',\'error_description...
Im4Ever

How does user authentication work in the Google Sheets API with Python?
1 vote, 1 answer, 87 views
I am a fairly new developer. I have no OAuth2 experience and every time I try to read explanations of it I can't seem to figure out what it means in a practical sense. Here's what I'm trying to accomplish. I'm writing an app in Python which I want to be able to read an arbitrary Google sheet and man...
Aaron Beaudoin

MSAL for Android without using Chrome
1 vote, 3 answers, 312 views
I want to integrate OneDrive (personal and business) and for this I am using MSAL. I found that it requires Chrome. I want it in my application without using Chrome (like a popup or in-app UI). I am using this library for authentication (msal): https://github.com/AzureAD/microsoft-authentication-library-for...
Manmohan

How can one use other oauth2 providers like FB, Google in an existing jwt authentication system
1 vote, 1 answer, 372 views
I am new to spring boot and trying to implement an oauth2 client with facebook as the oauth2 provider. I already have a traditional JWT token authentication in place which is configured within @EnableWebSecurity with the default authentication manager and a custom JWT token generator. Is it really required to...
Ashish Awasthi

Laravel Passport Authenticate User To Access API Data
1 vote, 1 answer, 249 views
I am trying to implement Resource Owner Password Credentials Grant in my laravel 5.6 / passport application. I have set all the basic configurations. I want the user to be able to pass only their username and password and have the authentication server pass in the grant type, client_secret, and clie...

Microsoft Graph API keeps returning 401 Unauthorized
1 vote, 0 answers, 0 views
Please do not report as duplicate because all other topics have not solved my issue, thanks. I'm using Microsoft Graph api to list and create calendar events, however I can't seem to make the findMeetingTimes endpoint work. This is my authorization URL: https://login.microsoftonline.com/consumers/oa...
Tim Hef

jHipster: How does the new user module work with Keycloak for a simple user in production?
1 vote, 1 answer, 375 views
I installed the new version of jHipster with OAuth and Keycloak. I did not know Keycloak and it seemed very cool. I have a standalone installation (not jHipster Docker) with MySQL and it works fine (I imported data from jhipster-users-0.json and jhipster-realm.json) and I see all the data in the database tables. My que...

Why does WSO2 require a tenant username / password when introspecting tokens using OAuth2?
1 vote, 1 answer, 83 views
I have been working with OAuth2 for the past few days and I believe I have it mostly figured out and have my code working fairly well. I find it odd that WSO2 doesn't allow you to authorize OAuth2 token introspection using client_id / client_secret. Is there a reason why this isn't allowed? My und...
jcfbvfjfn

Unable to reach to the redirecting URL while using passport-google-oauth20
1 vote, 1 answer, 64 views
I just started to learn OAuth. I am using passport-google-oauth20 with node.js. Below is the code from the passport-setup.js file of my project. const passport = require('passport'); const GoogleStrategy = require('passport-google-oauth20'); const keys = require('./keys') passport.use( new GoogleStr...
Phantom Coder

oauth2 - how was user identified before OIDC?
1 vote, 2 answers, 70 views
I'm a bit confused about oauth2 and OIDC. So supposedly with OIDC we now get the id_token which uniquely identifies the user in the same oauth2 flow. But my understanding is - oauth 2 came out earlier than OIDC and OIDC support is not universal even at this point. So how do current APIs that use o...
Dannyboy

Laravel : Client_Credentials don't work
1 vote, 1 answer, 169 views
In my Laravel website, I have to make a cron job that will retrieve some data, then update my database. From the Laravel docs I thought of the machine-to-machine authentication from Laravel Passport. So I jumped into this, installation and so on. https://laravel.com/docs/5.6/passport#client-cr...
Neewd

SonarQube BitBucket Auth plugin allows any BitBucket user to login
1 vote, 1 answer, 103 views
Was able to get the BitBucket Authentication Plugin, sonar-auth-bitbucket, working with my SonarQube Version 6.7 (build 33306) server and was so very happy until I noticed that apparently it will allow any BitBucket user to log in as long as they have a BitBucket account. Which sort of defe...
isaac weathers

Spring for Android : request authorization headers (not basic)
1 vote, 1 answer, 59 views
I have an app that uses Spring for Android on the Client side and Spring Boot on the Server side. We would like to add client authorization to some requests. We already use Firebase and OAuth2 and after reading on the subject, I feel like the best way to go would be to use the Authentication heade...
Olivier L. Applin

How to enforce multi factor authentication in external azure active directories
1 vote, 1 answer, 156 views
I have AAD with a custom enterprise sign on page and multi factor authentication enabled. When logging in to any of the applications registered in this AAD, MFA is enforced. Now, I want to enforce MFA even when somebody adds accounts from this AAD as guests to some external AAD. However, when I create new...
Liero