Questions tagged [oauth-2.0]

5 votes | 1 answer | 816 views

Using OAuth2 Implicit Flow(IdentityServer4), do users have to re-input password every expiration of access token?

I need to implement Authorization/Authentication for an Angular2 Client Side WebApp to talk to a Resource Server(WebApi). I am investigating IdentityServer4 and choosing a Grant Type / Flow. HERE Resource Owner Password Credentials Grant(What we use now.) 'This is so called “non-interactive” auth...
ttugates
5 votes | 1 answer | 2.8k views

REST API oauth2 type authentication using AWS Cognito

I have a rest api in nodejs. My mobile app will consume my rest api. Can I implement oauth2 type authentication using aws cognito for my mobile app? I need resource owner password grant if I implement oauth2.
Lutfor
5 votes | 1 answer | 3.1k views

Keycloak endpoints for user registration, password reset, forgot password etc

I'm creating a mobile application that uses a server to store data into. I am also creating a web application that will function as a restful database service for my mobile application. I plan to use Keycloak for my user management and authentication (Oauth2) of my mobile. I understand that Keycloak h...
ank
5 votes | 1 answer | 516 views

OAuth2 Error during facebook authentication in Rails

In development mode, during the authentication callback phase from localhost/auth/facebook, I am faced with the following error OAuth2::Error : {'access_token':'XXX','token_type':'bearer','expires_in':123} This is the location of the error This is the stack trace oauth2 (0.9.4) lib/oauth2/client.rb:...
chickensmitten
5 votes | 1 answer | 464 views

SampleSyncAdapter storing password plain text?

I am trying to get my head around Android AccountManager and OAuth. What I would like to do is not let the phone have access to the password. (That is what Google suggests: 'Be Smart About Security!') So I checkout the Google sample application SampleSyncAdapter and start reading through the code. t...
LordSauron
5 votes | 2 answers | 2.7k views

How to get new access token in OpenID Connect/OAuth2 Implicit Flow

I am currently using OpenID Connect/Oauth2 Implicit Flow in a mobile app. I am bringing up a Web View for the user to login and obtaining the access token and expiry. However, when the access token expires, do I need to ask the user to log in again? Or is there a way to get a new access token silent...
tura08
5 votes | 1 answer | 494 views

App authentication and authorization with JWT

I was going through Oauth2 docs and thought it was kind of permissive security wise, so I tried to implement JWT tokens with a special scheme like in the picture for a mobile app communicating with a web API. Notes: I didn't like Oauth2 refresh tokens idea as they might get stolen and allow paralle...
Asma Hakim
5 votes | 0 answers | 166 views

Using OAuth with Web API overkill if not using external identity provider?

I've been looking at OAuth as an authentication mechanism using some RESTful web services created using Web API. It appears to be using OAuth 2.0. I understand that one of OAuth's primary goals was to allow for authentication against another identity provider (Facebook, Google, etc.) without having...
ChrisC
5 votes | 1 answer | 1.6k views

Enter website by logging in Google Account using Python [closed]

I am making a website that makes graphs of the number of people present in groups (from www.codecamy.com). To achieve this I came up with a plan. I will have a server which will poll the CodeCademy groups page (http://www.codecademy.com/groups) every 30 seconds and retrieve the needed information fro...
Flame_Phoenix
5 votes | 2 answers | 4.7k views

Where is doc of available scopes of Google OAuth 2.0 API?

I am looking for a list of all possible scope values for use with the Google OAuth 2.0 enabled API's, such as: https://www.googleapis.com/auth/urlshortener https://www.googleapis.com/auth/tasks I got lost in the Google API docs and can't find a page containing such information. Where can I find it?...
gilzero
5 votes | 2 answers | 615 views

Does GoogleAccountCredential provide refresh token?

I am planning to write an Android App to fetch files from Google Drive. If the storage is huge, definitely it will take hours to download the files. In such case, I would need refresh token to complete the process. As far as I know, GoogleAccountCredential doesn't provide any methods to get the refr...
Manoj
5 votes | 2 answers | 3.2k views

how to secure apache cxf webservice(jax-ws) using oAuth 2.0

I have deployed webservice in Tomcat using Apache CXF. How would I proceed in securing that web service using OAuth 2.0? I have gone through the below URL but without finding any suitable solution. A working example or tutorials on how to implement oAuth 2.0 for simple web service? Original tuto...
user739115
5 votes | 1 answer | 3.4k views

ASP.NET MVC Microsoft Live Account Authentication on Localhost

I have created a blank, new ASP.NET MVC site. I have set up an application endpoint at https://account.live.com/developers/ as follows: API Settings: http://i.imgur.com/bIoV3x9.png App Settings and Code-Behind: http://i.imgur.com/P3KFyhV.png I have tried launching my site, connecting to https://loc...
Alexandru
5 votes | 1 answer | 5.9k views

Use Bearer Token Authentication for API and OpenId authentication for MVC on the same application project

I am trying to use both OpenId and Bearer token authentication on my application through Identity Server. The problem currently is that once I have authenticated the user, I still need to get a bearer token to be able to call any action methods for my Asp.Net MVC application. Here is my startup file...
Locust5304
5 votes | 3 answers | 913 views

Devise Google Oauth works perfectly but doesn't sign-in on user creation, requires additional log on

I have Devise running on my Rails 3.2 application. Google Oauth is used to sign in. New Users attempt to sign in with Google and are redirected to the sign-in page without being signed in. I check the DB and the User's accounts are created with the correct credentials (everything is correct except I...
godzilla3000
5 votes | 1 answer | 6.1k views

Using Google API with spring-security-oauth2.0

I've searched here a bit but could not find an answer to my issue. I implement oAuth client with spring-sec-oAuth 2.0 (1.0.0.RC2a). After properly setting the beans.xml, I happily get a valid token and all looks good. Then, I want to use Calendar APIs - I'm not sure how do I make the call to get the...
OhadR
5 votes | 1 answer | 798 views

Google OAuth 2.0 incremental authorization not working

I have a server-side application that needs access to a combination of Google APIs, for some users of our app we only need access to one API/set of scopes (say Google Drive), for other users to another API/scope (say G+), and for some we need access to both (users can link to the other part of the a...
David
5 votes | 2 answers | 893 views

How / where to store refresh token on Android?

I'm writing an app that uses OAuth. I know I can store the auth token using accountManager.setAuthToken, but where do I store the refresh token? I suppose I could use accountManager.setUserData or shared preferences, but they both seem hackish. Suggestions?
DiePartei
5 votes | 1 answer | 1.2k views

Spring Oauth2 client credentials flow example

I am trying to implement service to service security into spring boot services using spring oauth2. I want a service to access a secured resource of another service without any user action involved. There are a lot of examples for authorization code grant type, but not very much about the client cre...
Tom Saenger
5 votes | 2 answers | 583 views

Reddit oAuth 2 for Android “userless” app with Retrofit

I'm trying to implement the Reddit oAuth2 (every app that utilizes Reddit content has to have this implemented) in Android based 'userless' application and I'm following the guidelines. I registered an app and get the respective client_id. I'm following this for API guidelines and this for Retrofit...
ViksaaSkool
5 votes | 3 answers | 4.7k views

Accessing Google Contacts Api via OAuth 2.0 and private key aka Service Account

I am currently implementing access to Google Contacts via OAuth 2.0 and a so called Service Account. The service account is generated for an ordinary user like '[email protected]'. The code to generate the OAuth 2.0 credentials is: public static GoogleCredential getCredentials() throws GeneralSecuri...
Ra_
5 votes | 2 answers | 735 views

Google Oauth flow in Meteor

Within a Meteor app, can anyone guide me to how to allow users to simply Oauth Google? There's the accounts-google package, but I don't want users to be able to login with it, just oauth and store credentials. The docs mention 'If you just want to authenticate to an Oauth service like Twitter, Faceb...
99miles
5 votes | 2 answers | 523 views

How to avoid showing consent screen in our own native apps when external authentication?

Background We have developed a web application featuring a rest-api using oauth2/oidc and support for third party apps We have developed our own native apps for android and ios. Currently they retrieve a long lived token from user credential flow (no consent screen needed). We are currently extendin...
David Ernstsson
5 votes | 2 answers | 3k views

GAE doesn't import gflags

I'm trying to get oauth to work on Google App Engine (GAE), but I'm unable to import the OAuth2Decorator, because it tries to import gflags and fails. In command line I've run help('modules') and gflags is listed, and I've run import os + import gflags + print os.path.dirname(gflags.__file__) and re...
Graham Walters
5 votes | 1 answer | 1.6k views

Google OAuth - Keeping the Client ID Secret

When using OAuth in the Google Cloud Endpoints JavaScript client, how do you preserve the secrecy of the client ID? How to implement OAuth in the Google Cloud Endpoints JavaScript client is detailed here. In the code snippet below the client ID is passed as a parameter to the OAuth method. gapi.auth...
Marc M.
5 votes | 1 answer | 2k views

Oauth2; How to solve the issue with expired AccessToken during multiple async api calls , made concurrently?

I'm using Spring Security Oauth2 as a security layer in my application. Everything worked well until concurrent async calls appeared. Can someone tell me how to handle the next case: 1. The client has an accessToken which already has expired. 2. The client makes two concurrent async api ca...
Devin Konny
5 votes | 0 answers | 1.2k views

Creating Custom OpenId Provider for Oauth2 Spring Boot

I have used Oauth2 framework for authorization and access control for protecting my spring boot microservice api's. Oauth2 framework is working fine but now my Client wants a dedicated OpenId Provider for authentication purpose on top of Oauth2 framework. I have done some round of searching across G...
Alex Man
5 votes | 1 answer | 1.7k views

Not getting refresh token in youtube OAuth

I am doing server side oauth following this guide. I successfully completed the oauth but I am not getting refresh_token in Exchange authorization code for refresh and access tokens step: Request: POST /o/oauth2/token HTTP/1.1 HOST: accounts.google.com content-type: application/x-www-form-urlencoded...
Abhishek Gupta
5 votes | 1 answer | 4.7k views

JwtSecurityTokenHandler says signature of JWT valid after changing 1 char

We are trying to validate the ID Token (IDT) presented to a .NET client application by an OpenID Connect Provider (OP). The IDT is what you would expect. Nothing unusual going on there. To verify the signature of the IDT, we can get the exponent and modulus from the OP by calling a public endpoint....
Travis Spencer
5 votes | 1 answer | 1.2k views

Single Sign On With thinktecture IdentityServer v2

I'm running thinktecture IdentityServer v2 with two Relying Parties in my qa environment on Windows Server 2008 R2 Standard. IdentityServer is configured for two RPs, one using Federation the other with oAuth My first relying party (www.sitenumberone.com) is an ASP.Net Framework 4 web site using WIF...
TrevorBrooks
5 votes | 0 answers | 1k views

OAuth2 and Drive API, can't list/retrieve files

I have a web application that needs to list all files from my Google Drive and then fetch them when clicked. I use OAuth for authenticating and it seems to work (the same code works well with Calendar API). I tried different scopes in serviceAccountScopes to no avail. Basically authentication is:...
TKirahvi
5 votes | 0 answers | 708 views

MVC 5, OWIN Google and Microsoft refresh_token

I am building a MVC 5 web application that uses cookie authentication as primary authentication method. Our application flow goes like this: First time user signs up with username/password to create an IdentityUser. User signs in with his username/password User associates one or more Google and/or...
jjarv
5 votes | 1 answer | 2.3k views

GoogleAccountCredential reuse auth - Google Drive

I'm using this method to auth to Google Drive: https://developers.google.com/drive/quickstart-android Choosing account is working great. Now I want to store user credentials in prefs. I can save account name and then restore it. I want to reuse credentials for future use. Is it possible to reauth us...
adek
5 votes | 1 answer | 1k views

Yahoo - OAuth2 - SocialAPI : Not returning “Access-Control-Allow-Origin” in initial response [duplicate]

This question already has an answer here: Ways to circumvent the same-origin policy 11 answers I am using Yahoo Social API for Contacts using OAuth2 via Javascript (as given here https://developer.yahoo.com/oauth2/guide/#implicit-grant-flow-for-client-side-apps) However, after successful authentica...
Raheel Hasan
5 votes | 2 answers | 5.2k views

Google API Authentication for server

I've been trying to get Google's Calendar API working in a PHP web application, but I'm having a hard time getting authenticated. What I want to do is to allow users to interact with calendars of a single account known by the server. Each type of scenario covered in the OAuth 2.0 docs talks about '...
andy
5 votes | 2 answers | 941 views

Google Developers Console - Oauth consent screen configuration doesn't save the input

I'm trying to connect my application with Google calendar to receive data. I registered a new application in Google Developers Console, activated Google Calendar API and tried to configure the Oauth consent screen. There I selected my email address, entered a product name and tried to save it. What...
fooloomanzii
5 votes | 1 answer | 6.7k views

OAuth v2.0 in combination with ASP.NET MVC 4 Web API

I’m trying to build a Web API that uses the oauth 2 standard to authenticate users with my existing application where the Web API communicates with. Therefore I want to set up an oauth 2 server/service that checks the users with my existing applications that has users and roles. Unfortunately I can...
jfamvg
5 votes | 1 answer | 4.1k views

OAuth token validation from HAProxy or Apache mod_proxy

I have a microservice deployed on 3 nodes sitting behind a HAProxy load balancer all inside internal network. The services are protected using OAuth2 APIS authorization server. Now, I want to move the HAProxy to DMZ. And I want to reject requests that do not have auth token in the header and also va...
Ambal
5 votes | 2 answers | 953 views

PrepareResponse().AsActionResult() throws unsupported exception DotNetOpenAuth CTP

Currently I'm developing an OAuth2 authorization server using DotNetOpenAuth CTP version. My authorization server is in asp.net MVC3, and it's based on the sample provided by the library. Everything works fine until the app reaches the point where the user authorizes the consumer client. There's an...
Daniel
5 votes | 2 answers | 2.2k views

How to use implicit grant type in OAuth 2.0 for mobile apps?

I have read a tutorial regarding OAuth 2.0 and implicit grant type. I still don't understand how implicit grant type will work for mobile (iOS or Android). For example if we create an SSO App (like Facebook) and make an SDK to give this service. Does the SSO app contact the Authorization server pra...
Chan