I am looking for an API in bitbucket/Jira which can list all the issues which are assigned to logged in user (based on auth token)
Related
I'm working on a REST API and a web application that will work off said REST API. The REST API implements a stateful token-based authentication pattern. Ultimately, allowing users to exchange their user credentials for a time-limited authentication token that identifies who they are.
So for example, a request such as:
POST: http://localhost:4000/api/v1/tokens/authentication
REQUEST BODY: {"email": "my_email_address", password": "my_password"}
would yield a response like:
"authentication_token": {
"token": "GAHZQS3IEIE6ELF7IHC6GK7M5Y",
"expiry": "2022-07-19T02:49:09.4194657+01:00"
}
If the user credentials that the user entered were incorrect, the user would not receive the authentication token.
The user needs to include the token in any further requests so that the REST API can identify the user. Some API endpoints are restricted to just logged-in users/users with certain permissions. And the token allows the REST API to know what sort of user it's dealing with. The token corresponds to a user id.
There will be a separate server from the REST API server serving the web application pages. But the pages will be populated with data from the REST API via the javascript fetch API.
I am happy with the REST API authentication. But I also need to restrict access to the web application pages based on if the user has logged in or not.
I want to leverage the existing REST API authentication but have never done something like this before so would very much appreciate any input you have.
Currently, I'm thinking of doing something like what's listed below. Do ye see any problems with it?
User accesses login page, enters credentials, and clicks 'login' button.
On clicking the 'login' button a request to the REST API is made:
POST: http://localhost:4000/api/v1/tokens/authentication
REQUEST BODY: {"email": "my_email_address", password": "my_password"}
If the credentials are correct, a token is returned, such as:
"authentication_token": {
"token": "GAHZQS3IEIE6ELF7IHC6GK7M5Y",
"expiry": "2022-07-19T02:49:09.4194657+01:00"
}
This token is added to a cookie for later use. i.e for when making another request to the REST API via the fetch API.
I'm thinking of adding another REST API endpoint that will simply validate a token i.e state whether or not the passed token is still valid and that the user is still logged in.
The webpage server can then call this endpoint to ensure the token is valid before showing a user a page that is restricted to just logged-in users.
Or maybe, instead of a validate token API endpoint, I should have a 'get user by token' endpoint. That will return user data if the token is valid. That way the webpage server could also get to know the type of user account that is associated with that user and could then also restrict pages based on the user type. It might also come in use for populating pages since nearly all pages will contain some user info e.g a profile image.
I'm trying to set up Google OAuth2.0 from this guide and I have everything set up and running. I can get the authorization code, the access_token, and the refresh_token to show up in my console.log's. My question is which one of these tokens can I use to properly identify and log in a user to my backend?
In a normal scenario, a user would enter a username & password and that would uniquely identify them. However in the Google OAuth2.0 case, it seems the authorization code, the access_token, and the refresh_token all cannot be used to properly identify and log someone in. Is this understanding correct?
I read a similar post but it doesn't seem to provide a very recent answer that also securely identifies the logged in user.
If I cannot use any of the above mentioned tokens to securely identify and log in a user, is it even possible? How come I see other websites and apps use "sign in with Google" and "sign in with Facebook"?
Another solution I read in a different StackOverflow post said to just get the account ID and use that as an identifier. Isn't that insecure? Can't someone guess the account ID? Also this would be assuming these account IDs are private.
My question is which one of these tokens can I use to properly identify and log in a user to my backend?
the id token from open id connect.
explanation
You are confusing authorization and authentication.
Oauth2 a user to grant and authorize your application access to their data the access token gives you access to their data for a limited time (1 hour). If the user is off line you can use the refresh token to request a new access token. None of theses will tell you that a user is behind the calls.
open id connect allows you to authenticate a user logging in will return an id token
Id token verification
After you receive the ID token by HTTPS POST, you must verify the integrity of the token. Verify the integrity of the ID token
We have an Instagram client id and client secret, and already have gone through the documentation of generating access tokens which requires redirect url.
Note that we also have disabled the implicit OAuth flow.
Now we already have generated the access token using URL below (for authenticated user, it returns the access token appended in the response URL)
https://api.instagram.com/oauth/authorize/?client_id={client_Id}&redirect_uri={redirect_url}&response_type=token&scope=public_content
Can this token be stored in the database / configuration files and re-used for any new Instagram API requests? e.g.
https://api.instagram.com/v1/users/{user_id}/media/recent/?access_token={reusable_access_token}
Based on the official documentation, we understand that the access token can become invalid at any point of time, we would like to know if there are any specific scenarios which leads to invalidation of the access token?
What would be the best way to generate token once and use it for each API request? We definitely do not want users to enter credentials manually to generate tokens.
Unfortunately at that point it's not possible:/ Instagram doesn't provide refreshing access token in the background.
User needs to login with their credentials, so you can obtain new access token. Some kind of workaround (not nice, but it's working) is to watch for error type OAuthAccessTokenException and notify the user via e-mail about such fact. He will have to login once more, so you can get fresh and working access token.
Also, please keep in mind that access tokens has a pretty long life span. It doesn't expire after a day or two, unless Instagram API has some issues (like just now OAuth - unable to exchange code to access token for some users).
Otherwise it works really well.
However it would be super nice if Instagram could add to their API renewal option in the background for access tokens for users that autorised your app, but their token expired:)
I am trying to figure out how to link a skill with a custom user account. Here is what the documentation says:
Account linking flow for implicit grant (for use with custom skills):
In the Alexa app, the user enables the skill.
The app displays your
login page right within the app, using the Authorization URL you
provide when registering your skill on the developer portal. When
the companion app calls this URL, it includes state, client_id,
response_type, and scope as query string parameters.
The state is used by the Alexa service during the account linking process. Your page needs to keep track of this value, as you must pass it back later.
The state is used by the Alexa service during the account
The client_id is a value defined by you when you set up account linking for the skill in the developer portal.
The response_type is always token for the implicit grant flow.
The scope is an optional list of access scopes indicating the level of access requested. You define the set of scopes to support when enabling account linking for your skill.
The redirect_uri is the URL to which your service redirects the user once the user is authenticated.
The user logs in using their normal credentials for your site.
Your service authenticates the user and then generates an access token that uniquely identifies the user in your system.
Your service redirects the user to the specified redirect_uri and passes along the state, access_token, and token_type in the URL fragment.
The Alexa service validates the returned information and then saves the access_token for the Alexa user.
The user’s Alexa account is now linked to the account in your service, and the skill is ready to be used.
Here is what I get form Amazon:
{
"client_id":"my-client-id",
"response_type":"token",
"state":"some_long_string",
"redirect_uri":"https:\/\/subdomain.amazon.com\/spa\/skill\/account-linking-status.html?vendorId=W5TGH673R
}
Based on what I read above I am redirecting back to:
https://subdomain.amazon.com/spa/skill/account-linking-status.html?vendorId=W5TGH673R&state=same_long_string&access_token=something-I-made-up&token_type=Bearer
Unfortunately this doesn't seem to work. Basically I get: Unable to link your skill
Any ideas?
I ran into a similar issue, and I had to use a hash instead of an ampersand before the token. My redirect url is:
https://subdomain.amazon.com/spa/skill/account-linking-status.html?vendorId=W5TGH673R#access_token=something-I-made-up&state=same_long_string&token_type=Bearer
I am trying to build something which uses the Google Calendar API. I have been able to authenticate the user using Google's OAuth 2.0 for Login (OpenID Connect). After completing all the steps, I get a "access_token" and a id_token.
Using the access_token, I am able to fetch a user's list of calendar events. However, the access_token expires after 3600 seconds (1 hour).
How do I get a new access_token for the user after the end of the 3600 seconds interval?
P.S. I have been reading up on this and most articles I find advise me to get a "refresh_token" which can be used to issue another access_token once it expires. But my app does not need to fetch the user's calendar events when the user is not logged in, hence offline access is not required. I only need to access the user's data when he actually logs in to my app.
If the access token has expired, you'll need to redirect them through the OpenID Connect flow again. Since they have already approved access they won't be prompted again, and your app will get a fresh set of credentials.