I cannot get OAuth 2.0 working on an Android app made with Unity - api

I tried to authorize Todoist with OAuth.
I created an app and got the client ID and client secret, but I am missing some things.
First, what is the redirect URL in my case?
Second, what should I do then?

Related

React Native OAuth2 and REST API authentication flow

I'm having a bit of trouble understanding this predicament: a REST API supporting React Native (mobile app) with OAuth2 authentication.
I've managed to set up the OAuth2 flow and can log in via the OAuth2 provider. This communication is still just between the mobile app and the 3rd-party OAuth2 provider. How can I use those tokens I've obtained (and actually trust the request) to create an account in my REST API so that the server can actually generate a JWT token that will be used for future requests?
Can't seem to find an answer to this question. Would love some help with this one.
Ok, I've managed to figure this one out.
To achieve what I want, the client (in this case the mobile app) does the authentication flow and will receive an access_token and a refresh_token along with an id_token. The last one (id_token) contains the info about the user, which the app should send to my REST API. Once the server receives it, it will make an HTTP request to Google (my OAuth2 provider) to verify that this token is in fact a valid one and issued by them.
After that I just create an account and issue my own token in response to the mobile app's request.
It's explained here in Google's docs.
Most likely all the major identity providers would follow along this path. Or, at least I'm hoping they do.

Bluemix Single Sign on for a mobile app

I'm adding a login page for my mobile app, so that it integrates with Bluemix Single Sign On. I'm at the step to configure the Node.js app following the Bluemix Doc at Configuring a Node.js app. The example here about callback is for a web app. In the mobile app context, I don't have a redirect URL. So this code for example:
app.get('/auth/sso/callback',function(req,res,next) {...}
On the mobile client side, do I do a GET to /login?
I already have a login implemented using Mobile Client Access service. Is it something I can build up upon? For example,
app.post('/apps/:tenantId/:realmName/handleChallengeAnswer', function(req, res) {...}
Can I call the Single Sign On API in here?
Thanks a lot for your help!
Jen
Is your mobile application based on Node.js? If so, and you use a webview in your mobile application, you could leave it to the webview component to manage your authentication flow, like working with a browser.
You instead have to manage authentication if your application is integrating with REST APIs; in this case you could use SSO, but your application has to manage cookies like a browser.
Bluemix Single Sign On so far has only been tested on web applications. I have no knowledge on whether Single Sign On would work smoothly on mobile applications.
Also, the Bluemix Single Sign On follows the OIDC protocol. So the redirect URL is a mandatory parameter when using the service, unfortunately.
Regarding building upon your login implementation, to my knowledge, it is not possible to include your implemented login in place of what is provided with the Single Sign On service. But you can choose to add the login implementation in addition to the login needed when using Single Sign On.
Hope that addresses your questions.

Google OAuth2 and iOS cross site

I have attempted to use the SDK to do cross-site authentication: get a code and then on the server side obtain a token for that code, but I am not sure that is implemented/working yet using Google+ Sign-In. Can anyone confirm that this is the case?
Since I could not get that to work, I attempted to do the same using the Web server applications method. But I still have some problems/questions that need clarification.
I have 2 entries for client ids:
Client ID for web application
Client ID for iOS application
I assumed that I would request a code on iOS, using the Client ID for iOS, and then pass it to the server, which in turn will request a token. But I think that would not work because the code is issued for a different client.
Do I request code and then token for web application on iOS and then pass that token to my server?
What is the correct way of doing this?
The only way I was able to get this to work as of today is through the use of a webview, using the web application ID and redirect mechanism to authenticate to my server, and handling authentication on the server, sending the response back to the client app on iOS again through the web view response mechanism. Will have to live with this for now; more work, but not sure there is any way around it at this time.
This is now supported by Google Plus Button functionality. Instructions are at Google+ Platform for iOS

How do mobile HTML5 apps use the OAuth 2 protocol?

I am using PhoneGap to create a mobile app with HTML, CSS, and JS.
I need to implement some sort of authentication to connect to my API - and I am thinking that OAuth 1 or OAuth 2 should do the trick nicely.
However, with OAuth 1, I would need to store the consumer secret in my JS which would expose it to anybody with a brain.
With OAuth 2, I can get around exposing a secret by not using one altogether, and simply providing a redirect URL that was pre-registered with the API provider. This guarantees that the user is only ever sent back to the correct URL (they can't be hijacked).
However, with PhoneGap, I can't really provide a redirect URL, because the PhoneGap URL would be something like file://www/index.html...
How is it possible to use OAuth 1 or OAuth 2 with a mobile HTML5 app?
Libby has a good tutorial on how to do OAuth 1 with PhoneGap at:
http://www.mobiledevelopersolutions.com/home/start/twominutetutorials/tmt5p1
As for your consumer secret, you could store it in the native code, then use a plugin to retrieve it from the native side from JavaScript. There is already one available for iOS called Keychain.
For people new to this topic, the Intel Developer Zone also has a tutorial on using OAuth2 with PhoneGap/Cordova. To avoid the use of the client secret within the application you would use the OAuth2 Implicit Flow. From the link above:
Here are the steps involved in doing an OAuth2 Implicit Grant flow in a Cordova* HTML5 app:
Open Oauth2 authorization page in Cordova InAppBrowser
Get the access_token from the redirected URL hash fragment using the loadstart event listener
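Added example (not from the Intel tutorial or the answer above): the in-app half of those two steps. The authorize endpoint, client id and redirect URI are placeholders; cordova.InAppBrowser.open and its loadstart event are the real plugin API (cordova-plugin-inappbrowser). The URL handling is kept in a pure function so the state check can be exercised without a device.

```javascript
const AUTHORIZE_URL = 'https://provider.example/oauth2/authorize';  // placeholder
const CLIENT_ID = 'your-client-id';                                  // placeholder
const REDIRECT_URI = 'https://app.example/oauth2/callback';          // placeholder, registered with the provider

// Authorization request for the implicit grant: response_type=token, no client secret.
function buildAuthorizeUrl(state, scope = 'profile') {
  const q = new URLSearchParams({ response_type: 'token', client_id: CLIENT_ID,
                                  redirect_uri: REDIRECT_URI, scope, state });
  return `${AUTHORIZE_URL}?${q.toString()}`;
}

// Inspect a URL reported by loadstart. Returns null until the browser reaches the
// registered redirect URI with a token in its fragment, and throws on an error response
// or on a state value that differs from the one this app generated for the request.
function parseRedirect(url, expectedState) {
  if (!url.startsWith(REDIRECT_URI)) return null;          // still on the provider's pages
  const fragment = url.split('#')[1] || '';
  const params = new URLSearchParams(fragment);
  if (params.get('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  if (!params.has('access_token')) return null;
  if (params.get('state') !== expectedState) throw new Error('state mismatch; response discarded');
  return { accessToken: params.get('access_token'),
           tokenType: params.get('token_type') || 'bearer',
           expiresIn: Number(params.get('expires_in') || 0) };
}

// Wire the pure functions to the Cordova InAppBrowser. `state` should be a fresh random
// value per login, generated by the app before the request is opened.
function startLogin(state, onToken, onError) {
  const ref = cordova.InAppBrowser.open(buildAuthorizeUrl(state), '_blank', 'location=no');
  ref.addEventListener('loadstart', (event) => {
    let result;
    try { result = parseRedirect(event.url, state); } catch (err) { ref.close(); onError(err); return; }
    if (result) { ref.close(); onToken(result); }   // token stays in memory, never in the page URL
  });
}
```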

Google's Oauth for Installed apps vs. Oauth for Web Apps

So I'm having trouble understanding something...
If you do OAuth for Web Apps, you register your site with a callback URL and get a unique consumer secret key. But once you've obtained an OAuth for Web Apps token, you don't have to generate OAuth calls to the Google server from your registered domain. I regularly use my key and token from scripts running via an Apache server at localhost on my laptop, and Google never says "you're not sending this request from the registered domain." It just sends me the data.
Now, as I understand it, if you do OAuth for Installed Apps, you use "anonymous" instead of a secret key you got from Google.
I've been thinking of just using the OAuth for Web Apps auth method, then passing that token to an installed app that has my secret code embedded in its innards. The worry is that the code could be discovered by bad people. But what's more secure... making them work for the secret code or letting them default to anonymous?
What really goes bad if the "secret" is discovered when the alternative is using "anonymous" as the secret?
The main difference between OAuth for Web Apps and OAuth for Installed Apps (e.g. "anonymous"/"anonymous" as your consumer key/secret), is the approval page.
For installed apps, there is no way for Google to verify the identity of the application, so a yellow warning box is shown to the user saying so.
For web apps, there's an actual URL (of the app) that can be verified. Hence, no ugly warning box is presented to the user.
The only thing you need to identify yourself when doing an OAuth call is the signature, which is an HMAC-SHA1 string signed with your consumer secret. There's no relation with any domain whatsoever.
The only thing you need to keep reasonably safe is the consumer secret. I don't quite get what you mean by "anonymous" though...