Questions tagged [oauth-2.0]

14 votes, 5 answers, 10k views

How can I pre-authorize a client app for my user on my oauth provider that uses doorkeeper?

I've written an oauth provider that is meant to work with several of my company's web applications. I am using the doorkeeper gem, which has worked well so far. Typical behavior is for a user to go to the client application, get redirected to the provider to sign in, confirm that the client applicat...
phaedryx

14 votes, 4 answers, 4.7k views

Is OAuth a good choice for RESTful API in this SaaS scenario?

Is OAuth sensible to use when the user account info (user id's, passwords, roles, etc) is going to be maintained in our own back-end and when there will not be any sharing of resources with other sites? Or is sharing the whole point of using OAuth? Background: I'm working on developing an enterpris...
Justin

14 votes, 1 answer, 13.8k views

How can I validate my custom Oauth2 access token in server-side

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider { public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { bool isvalidUser = AuthenticateUser(context.UserName, context.Password);// validate my user&password if (!...
b_in_U

14 votes, 2 answers, 9.6k views

How to test an API endpoint with Django-rest-framework using Django-oauth-toolkit for authentication

I have a Django-rest-framework viewset/router to define an API endpoint. The viewset is defined as such: class DocumentViewSet(viewsets.ModelViewSet): permission_classes = [permissions.IsAuthenticated, TokenHasReadWriteScope] model = Document And the router is defined as router = DefaultRouter() ro...
Jim

14 votes, 2 answers, 7.2k views

How do I use the Google API Explorer to test my own App Engine Endpoints using OAuth?

I have an Endpoints API deployed on App Engine. I have no problem using the Google API Explorer to make requests to API methods that do NOT require being logged in. The URL I'm using for that is: https://developers.google.com/apis-explorer/?base=https://[MY_APP_ID].appspot.com/_ah/api Where I am stu...
Eliot

14 votes, 3 answers, 17k views

passport google oauth on localhost

I am quite new at using passport for authentication over node, hence the lot of code snippets my server is configured as : var router = require('./app/config/routes'); var googleStrategy = require('./app/config/passport'); var session = require('express-session'); var passport = require('passport');...
14 votes, 1 answer, 10.6k views

OWIN Bearer Token Authentication

I have some questions related to Bearer Token. In Owin you can protect a ticket Protect(ticket) like this: ClaimsIdentity identity = new ClaimsIdentity(Startup.OAuthServerOptions.AuthenticationType); identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName)); Dictionary properties = new Dictionary...
David Dury

14 votes, 1 answer, 3.9k views

Adding more than one client to the Spring OAuth2 Auth Server

I have Spring OAuth Authorization server and I want to add support for more than one client(id). I configured clients like this: clients .inMemory().withClient(client).secret(clientSecret) .resourceIds(resourceId) .authorizedGrantTypes('client_credentials', 'password', 'refresh_token', 'implicit', '...
dplesa

14 votes, 1 answer, 7.4k views

OAuth 2.0 integrated with REST WCF Service application

I need help with integrating an Authentication layer OAuth2.0 with a REST Service using VS 2012 WCF Service application template in C#. This WCF needs to issue tokens for the authorization and authentication of the service before allowing the Client(Consumer) to access any of its resources. Three le...
Reha

14 votes, 1 answer, 408 views

Regarding OAuth 2.0: Are 3rd Party Cookies Enabled a dependency?

When blocking 3rd Party cookies using Google Chrome (latest), build 27 Win7/PC, I've seen that almost all OAuth logins from other sites don't work, with the exception of signing in with G+. I've already signed in with Google though, so that cookie exists. Is this behavior that is actually a depend...
brianjhong

14 votes, 1 answer, 20k views

Why do refresh tokens expire after 14 days

Each refresh token is valid for 14 days. Why do the refresh tokens expire?
suman

14 votes, 3 answers, 18.6k views

How to get offline token and refresh token and auto-refresh access to Google API

I'm developing an app that accesses Google APIs (starting with Calendar API) using OAuth2 and the google client libraries for that (is on Appengine and GWT BTW). I have implemented my OAuth2Call back servlet, extending the Google AbstractAppEngineAuthorizationCodeCallbackServlet. I have it working,...
Andrew Mackenzie

14 votes, 3 answers, 2.1k views

Consuming own API for web app - Authentication process with OAuth2

Overview I am currently in the process of creating an API for an image sharing app that will run on the web and sometime in the future, on mobile. I understood the logical parts of API building, but I'm still struggling to meet my own requirements for the authentication part. So, my API must be acce...
Dugi

14 votes, 3 answers, 13.6k views

gapi.auth.signOut(); not working I'm lost

Below is the code I am using to login with google. I have an element on login.php with id authorize-button. When clicked it logs in just fine. I have a logout link in my header file. When I click the logout it calls gapi.auth.signOut(); then it destroys session and redirects back to login.php T...
jcopeland

14 votes, 3 answers, 2k views

Can't get the network credentials to work

So I've been working with DotNetOpenAuth for a while, Today I needed to add support for provider that forces me to send the secret key with Basic authentication (I've been using an old version and only Post parameters) I've tried using ClientCredentialApplicator.NetworkCredential, it didn't work. Th...
Madd0g

14 votes, 10 answers, 46.7k views

Oauth2 Instagram API “redirect URI does not match registered redirect URI”

I am working on a Rails application which is in development mode and it can register with omniauth. The host is http://localhost:3000/ I'm using the gems: gem 'omniauth' gem 'omniauth-foursquare' gem 'omniauth-instagram' When I register through omniauth with Foursquare there's no problem at all. A...
Biketire

14 votes, 3 answers, 17.5k views

Spring OAuth (OAuth2): How can I get the client credentials in a Spring MVC controller?

In this snippet: @RequestMapping(method = GET) public List read(Principal principal) { principal.getName(); } principal.getName() gives me the user identification but I need a way to receive the client credentials (client => the app who is using my API). How can I do this?
wandi.darko

14 votes, 1 answer, 4.7k views

Difference between Google “OpenID Connect” and “sign-in with Google”?

I want users to my website to use Google Accounts to authenticate / sign in to my website. The primary use case being users will edit and generate content and we want to log ownership in a secure way. We are not interested in obtaining users Google data, we just want a means to authenticate users....
samthebest

14 votes, 2 answers, 190 views

AppEngine Java Google+ Signin missing gplus_id

I'm trying to sign-in to G+ with java on Google AppEngine as explained here In Step 8, the code gets gPlusId as follow String gPlusId = request.queryParams('gplus_id'); and this request should be coming from the ajax call in Step 6, which only sends authResult['code'] in the request, even the authRe...
Ahmed Waheed

14 votes, 5 answers, 7.7k views

How to implement rate limiting based on a client token in Spring?

I am developing a simple REST API using Spring 3 + Spring MVC. Authentication will be done through OAuth 2.0 or basic auth with a client token using Spring Security. This is still under debate. All connections will be forced through an SSL connection. I have been looking for information on how to i...
aj.esler

14 votes, 1 answer, 8.5k views

Identity Server not returning refresh token

I'm trying to set up Thinktecture's Identity Server 3, but I can't seem to get it to return a refresh token when exchanging an authorization code (or when using the ResourceOwner flow, but I'm going to focus on the authorization code as it's more important to me right now). I get back access tokens...
AJ Karnitis

14 votes, 4 answers, 724 views

Should an oAuth server give the same accessToken to a same client request?

I am developing an oAuth2 server and I've stumbled upon this question. Let's suppose a scenario where my tokens are set to expire within one hour. On this timeframe, some client goes through the implicit auth fifty times using the same client_id and same redirect_uri. Basically same everything. Shoul...
Vinicius Tavares

14 votes, 4 answers, 6.1k views

Upload videos to my Youtube channel without user authentication using YoutubeApi v3 and oauth2

The goal of my task is to create a console script, which will insert recently uploaded videos on my own site to my own Youtube channel. I want to use server-to-server authentication but YoutubeApi does not support this way of authentication now. So my question is: How could I upload video to youtu...
14 votes, 2 answers, 12.4k views

MVC 5 application - implement OAuth Authorization code flow

Based on this tutorial http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server, I have created an Authorization Server, a Resource Server and a MVC Client. The MVC Client has a Controller which gets some data from the Resource Server. The Resource Server requires authen...
MatthiasRamp

14 votes, 2 answers, 16.4k views

Oauth 2 token for Active Directory accounts

I have used Owin in the past to create a token endpoint in my Mvc Web Api projects to provide oauth 2.0 tokens with 'Resource Owner Password Credentials' grant type where access token provider would check a database user table to verify the validity of the credentials supplied by the mobile client (...
systempuntoout

14 votes, 3 answers, 11k views

How to handle OAuth URL callbacks with Intent filters if authentication is done with webview?

I am developing an app which uses OAuth for authentication but I have a little problem handling OAuth callbacks. THE AUTHENTICATION My app has a webview as the login screen and I am given a url to load the auth form in my webview. Let's say that the url is : https://myoauthhost.com/oauth/auth?respon...
kaffein

13 votes, 1 answer, 13.5k views

validate OAuth 2.0 access token from a Spring RESTful resource server

I want to secure my Spring RESTful backend. One way (the right?) is to use OAuth 2.0 like shown here: http://www.youtube.com/watch?v=8uBcpsIEz2I Within my architecture the resource server and authorization server ARE NOT the same entity. I really just provide some JSON REST services. No UI. If I rea...
domi

13 votes, 2 answers, 4.5k views

Clarification on id_token vs access_token

I'm building a system with OIDC and OAuth 2.0 (using Auth0), and I'm unsure how to properly use the id_token and access_token. Or rather, I'm confused about which roles to assign to the various services in my setup. I have a fully static frontend-application (single-page app, HTML + JS, no backend)...
Christian Johansen

13 votes, 3 answers, 3k views

Google Endpoints API + Chrome Extension returns None for endpoints.get_current_user().user_id()

I am developing Google App Engine application written in Python and using Endpoints API. In conjunction, I am writing a Chrome Extension to interact with the Endpoints API. I've been running into lots of issues with the Endpoints API and authorization. Currently, here is my setup: Endpoints API (Pyt...
benbeadle

13 votes, 2 answers, 5.5k views

Step by step Google SSO (java)?

I am lost in all my open browser tabs for Google single sign on :) I already have an application which I would like to put on Google market place. And mandatory integration is Google SSO. I have built application on Struts2 with Spring. So now I need some instructions how to make this integration....
Trick

13 votes, 1 answer, 1.4k views

Welcome back, you've already connected with this app via Google+ Sign-In as *

I'm working with Google App Engine using python and OAuth2.0 (Google Accounts, not Google+) as log in medium into my application, and it has been fine for the last half year and working good, now there a message that gets displayed every time I run my application that looks like this: Why does this...
Kivylius

13 votes, 3 answers, 13.8k views

How to persist an OAuth2 token (or use a refresh token) in Postman collections?

The goal Be able to run a collection without going through the authorization process of every call individually prior to running the collection. What I've attempted/noticed When using the OAuth2 authorization helper in Postman, I haven't discovered a method to save a returned refresh token, and thus...
Nate Ritter

13 votes, 2 answers, 5.9k views

Restrict login to specific domain using Node Passport with Google Auth

I am implementing Google Auth on an internal service at work. It is a JS client heavy application with a Node backend. I am choosing to use the Node module Passport.js with the passport-google-oauth strategy. I have successfully got it working but one thing is still confusing me. I want to ensure my...
James Morris

13 votes, 1 answer, 7.3k views

Spring OAuth 2: public access to a resource

How do I allow public access in a specific URL in a Spring Security OAuth-2 Rest application. I have all URLs started with /rest/** secured, but would like to make /rest/about public, so I would not require the user to authenticate to access it. I tried using permitAll() but it still requires the t...
Fabricio Lemos

13 votes, 4 answers, 21.8k views

How should I implement OAuth for an application? [closed]

I am creating an application for a client that needs to do the following: Allow users to authenticate using Google, Facebook, Twitter, and LinkedIn. Allow users to add additional providers after signing up. (i.e. if the user authenticated with Google then they should be able to add any or all of the...
Chev

13 votes, 6 answers, 14.7k views

UNREGISTERED_ON_API_CONSOLE while getting OAuth2 token on Android

We're under Android (Jellybean and higher), and we've got an app which need to use OAuth2 with Google for authentication. I simplified the login activity, but it's looking like that: AccountManager mAccountManager; // [...] Account account = new Account('[email protected]', 'com.google'); // same wi...
Xavier Portebois

13 votes, 2 answers, 11.4k views

Does it make sense to store JWT in a database?

I've implemented a basic authentication system with Spring Boot, Spring Security, OAUTH2 and JWT as auth tokens. It works alright but I was thinking if it makes sense to store JWT in a database and check if a token exists every time someone makes an authenticated request using it? I was thinking spe...
laurentius

13 votes, 2 answers, 3k views

All-in-one solution for using OAuth2 with Compojure

I am trying to integrate a compojure application with those OAuth2 providers: LinkedIn, Facebook, Google, and Twitter, using an all in one solution. I am aware of some existing java libraries such as scribe-java or spring-social that can help. But they suck when used from clojure. Is there a more cl...
user258030

13 votes, 1 answer, 2.2k views

OAuth token expiration in MVC6 app

So I have an MVC6 app that includes an identity server (using ThinkTecture's IdentityServer3) and an MVC6 web services application. In the web services application I am using this code in Startup: app.UseOAuthBearerAuthentication(options => { options.Authority = 'http://localhost:6418/identity'; opt...
Gerald

13 votes, 3 answers, 10.4k views

OAuth2.0 Server stack how to use state to prevent CSRF? for draft2.0 v20

I am using PHP library for OAuth2.0 v20 In draft20, there is a mention of the use of state to prevent CSRF So far, my own web app that implements this PHP library allows the following: 3 legged authentication using Authorization Code Request 2 legged authentication using Resource Owner Credentials G...
Kim Stacks