Can't find DocuSign login_information rest API under v2.1 - authentication

We have been using DocuSign's "/restapi/v2/login_information" api for authentication but now we have to replace it with another authentication API which is currently available in v2.1.
Please suggest the new API that can replace login_information.

You will need to change from legacy authentication to the modern OAuth.
You can follow https://developers.docusign.com/esign-rest-api/guides/authentication and start thinking about using either Auth Code Grant or JWT.
You can find code examples with the code here:
https://github.com/docusign/code-examples-csharp
This repo has code for both types of Authentication methods.

Related

OpenID Connect - Authorization Code Flow with new Google Identity JS API

I'm trying to understand how to implement OpenID Connect Authorization Code Flow (which is the most secure) when using the newest Google Identity JS Library.
I was able to succeed with legacy Google Sign-In JS library (as per Google Sign-In for server side apps), by using auth2.grantOfflineAccess() which was ultimately providing the required authorization code as per OIDC specs.
Now with latest Google Identity library, I cannot find how to support the equivalent OIDC Authorization Code Flow. According to Migrating from Google Sign-In the grantOfflineAccess() JS method has been removed, but I don't see how ID Token can replace the original authorization code for corresponding OIDC Authorization Code Flow. I hope I might be missing something.
You were not missing anything, but rightly noticed the authorization code flow was as of yet unavailable. After this question was asked, Google Identity Services (GIS) JavaScript SDK support to request an authorization code from Google was released.
To implement the OIDC auth code flow, follow the GIS auth code guide to fulfill steps 1, 2, and 3 of the OIDC guide; this performs the authorization code request from the user-agent and server response. Start at step 4 in the OIDC guide to exchange the verified code for tokens.
Using popup mode during the auth code request is recommended, in part to help minimize risk of future issues due to user-agent security changes, such as link-decoration.

How to add OAuth github authentication to VueJS App

I have a VueJS app created using vue-cli 3.0 and I want to add OAuth based github authentication to it. Many of the tutorials I found online uses ExpressJs and/or passportjs to do OAuth flow.
If my app doesn't need Server-Side Rendering, do I still need ExpressJs to do OAuth? If so, how can I add Express to a VueJs app created using vue-cli?
If Express is not needed, can anyone point me to documentation on how to add OAuth to a simple VueJs app?
Greatly appreciate your help.
Thanks,
Raja.
From the GitHub API page:
Note: GitHub's OAuth implementation supports the standard authorization code grant type. You should implement the web application flow described below to obtain an authorization code and then exchange it for a token. (The implicit grant type is not supported.)
To do what you want to do you need an OAuth implementation that supports implicit grant type. But GitHub doesn't support this so you need a "backend" like for example Express.
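The server-side part of the web application flow quoted above, as an added example that is not part of the original answer: it creates a one-time `state`, checks it on the callback, and builds the token request that carries the client secret, which is why the exchange cannot live in the browser bundle. The session object, redirect URI, scope and credential placeholders are assumptions; framework wiring (Express or otherwise) is left out.

```javascript
const crypto = require('node:crypto');

// Placeholders (assumptions): real values come from your registered OAuth app.
const CLIENT_ID = process.env.GITHUB_CLIENT_ID || 'example-client-id';
const CLIENT_SECRET = process.env.GITHUB_CLIENT_SECRET || 'example-client-secret';
const REDIRECT_URI = 'https://app.example.test/auth/callback';

// Step 1: bind a random state to the user's session and build the URL
// the single-page app sends the browser to.
function startLogin(session) {
  session.oauthState = crypto.randomBytes(32).toString('hex');
  const url = new URL('https://github.com/login/oauth/authorize');
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('scope', 'read:user');
  url.searchParams.set('state', session.oauthState);
  return url.toString();
}

// Step 2: on the callback, consume the stored state (single use), reject a
// missing or mismatched one (login CSRF), then build the code-for-token request.
function buildTokenRequest(session, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const expected = session.oauthState;
  delete session.oauthState;
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expected || '');
  if (!expected || got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) throw new Error('missing code');
  return {
    url: 'https://github.com/login/oauth/access_token',
    options: {
      method: 'POST',
      headers: { Accept: 'application/json', 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
        client_id: CLIENT_ID, client_secret: CLIENT_SECRET, code, redirect_uri: REDIRECT_URI,
      }).toString(),
    },
  };
}

// Step 3 (needs network): const res = await fetch(req.url, req.options);
// Keep the returned access token on the server and give the browser a session cookie.
```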

OAuth 2.0 + Lambda + API Gateway

OK, I did some research and I will try once more to explain what I am looking for.
So my question is: can I make an OAuth provider server using Lambda and API Gateway? I didn't find any solution like this, and I don't even know how to start, so any ideas are valuable. And then I want to use API custom authentication to validate my bearer token.
I will try to be as specific as I can:
I have my application where I store my log users. I want to use the OAuth 2.0 authorization code grant flow using only Lambda and API Gateway (something like Google OAuth, but my app wants to be an authentication provider). I found a couple of solutions like this: https://www.authlete.com/documents/article/custom_authorizer/index but I want to use my own authorization server implementation, and I don't want to specify api_key and secret_key in the Lambda auth implementation. So here are my questions:
1. Can I make my own authorization server using only Lambda and API Gateway? (I know there is an implementation in Spring, but for now I want a serverless solution.)
2. If I can, I will be pleased with any tips because I'm really stuck.
There is a possibility that there are mistakes in my reasoning.
In API Gateway you can create custom authorizers to be invoked before the API method is executed. Normally you can create a Lambda function to receive the authentication details and return a Policy Document authorizing or denying the API method execution.
You can create a Lambda to make the OAuth provider authentication and generate the Policy Document, based on authentication flow. You can get more information here.
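A TOKEN-type Lambda authorizer of the kind described above, as an added example that is not part of the original answer: it checks a bearer token and returns the policy document that allows or denies the method. It assumes your own authorization server issues HS256-signed JWTs with `sub` and `exp` claims; the secret, the `signToken` helper and the sample claims are constructed for the example.

```javascript
const crypto = require('node:crypto');

// Assumption: tokens are HS256 JWTs signed by your own authorization server.
const SECRET = process.env.TOKEN_SECRET || 'constructed-demo-secret';
const b64u = (x) => Buffer.from(x).toString('base64url');

// Builds a constructed sample token; the real issuer is your token endpoint.
function signToken(claims, secret = SECRET) {
  const input = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  return input + '.' + crypto.createHmac('sha256', secret).update(input).digest('base64url');
}

// Returns the claims when algorithm, signature, expiry and subject check out, else null.
function verifyToken(token, nowSec, secret = SECRET) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    if (header.alg !== 'HS256') return null; // pin the algorithm, never trust the header
    const want = crypto.createHmac('sha256', secret).update(parts[0] + '.' + parts[1]).digest();
    const got = Buffer.from(parts[2], 'base64url');
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
    if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
    return typeof claims.sub === 'string' ? claims : null;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Shape of the authorizer response API Gateway expects.
function policy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// API Gateway passes the Authorization header value and the invoked method's ARN.
function authorize(event, nowSec) {
  const m = /^Bearer (.+)$/.exec(event.authorizationToken || '');
  const claims = m && verifyToken(m[1], nowSec);
  return claims ? policy(claims.sub, 'Allow', event.methodArn) : policy('anonymous', 'Deny', event.methodArn);
}

exports.handler = async (event) => authorize(event, Math.floor(Date.now() / 1000));
```

If authorizer result caching is enabled, the cached policy is reused for the same token, so a `Resource` limited to one `methodArn` can deny that caller's other methods until the cache entry expires.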

How to use OAuth2 within django-rest-framework?

I've been trying to integrate OAuth2 authentication in my drf application. Given I don't yet need a front-end for my app, I was using the browsable API. DRF and the OAuth2 provider package are supposed to work together without much configuration, as explained in the tutorial.
I should mention that all the steps from the tutorial are working (so I can access the app from the command line) but when I try to do it from the browsable API, I don't see any request for an access token or anything like that.
I think that DRF does not actually provide the flow for the front-end part of authentication by OAuth2, but I was just wondering if someone managed to make it work (because for now I am using SessionAuthentication).
Thanks.
OAuth2, unlike basic authentication and cookie-based authentication, does not easily work within the browser. When authenticating requests, it relies on the Authorization header being present (with the OAuth type) and there is no way using a browser to easily fill that in.
Session authentication relies on cookies, which most browsers easily support, and is recommended for interacting with APIs that are on the same domain as the front end.
Basic authentication also relies on the Authorization header, but uses the Basic type which is supported by most browsers.

Generating user "token" in Express app (using everyauth/passport middleware)

I need to create "tokens" for users to send when they make calls to my API. My question is, what should I do to go about generating these tokens?
I should mention that I'm currently using modules such as everyauth and passport for authentication middleware, in case they include anything to help with this.
The typical way to issue tokens is using OAuth 2.0. OAuth2orize is a sibling project of Passport that provides a toolkit for implementing OAuth 2.0 authorization servers.
Although, based on your comment "They would be per session and they would not be given to third parties", I'm not sure what your use case is. How do you define a "session" outside of a browser context? And if this is in-browser, you're best off using the built-in session support provided by Express.