Can I override callback url with sub-domain for Xero OAuth2 authentication - xero-api

I have a Rails App that accesses Xero using the new OAuth2 authentication, where we use a sub-domain to isolate different organisations, e.g. https://domain.example.com
To date we have had to create a new Xero App for each domain, as we have to specify the callback URL for the app, which in the case above would be https://domain.example.com/auth/xero_oauth/callback
Is it possible to register a single App with Xero with a callback URL of https://example.com/auth/xero_oauth/callback and to then override the URL, adding the sub-domain, for the Connection phase?
I'm fairly certain I could do this with the previous OAuth1 version.

I also have this requirement, but it's not the first time I've bumped up against this issue with OAuth applications.
I work around it by adding the subdomain to the state parameter that's passed in to the initial authorization step, and passed back to the redirect URI:
$state = json_encode(['uuid' => $uuid, 'subdomain' => $subdomain]);
Then in my redirect URI I extract the subdomain from the state, and perform another redirect to that subdomain along with the UUID (to perform CSRF check).
The downside with this approach is the state is only passed back on success; if the OAuth flow encounters an error, your redirect URI won't be able to determine the correct subdomain.
EDIT: Turns out Xero does return the state regardless of success or failure :)

That's an interesting use case. Pretty sure we don't allow wildcard subdomains in the callback URLs, and the limit is 3 per app. But I will check next week! Have you created a ticket with api@xero.com? Also, if you open an issue on the Ruby SDK I can try and sort this for you soon.
Thinking through this out loud... it might be possible to step in front of the callback URL, though it probably would cause an issue with the Xero client generation, as it needs to match the OAuth2.0 settings in /myapps. Could you redirect back to your root domain just for auth, then kick them to their subdomain post success?

Related

Add extra params on Cognito Hosted UI callback url

I am trying to implement the login process in my app using Cognito Hosted UI.
I want, if the user is not logged in and tries to access a page
www.example.com/a
to be redirected to the hosted UI page, and after login I want to redirect the user to his initial request www.example.com
How can I achieve this?
Maybe I misunderstood your question, but this is not something you should be able to do directly from Cognito; the initial "catch-all" redirection should happen in your site's code.
Once you redirect it to your Cognito hosted UI, which should be a URL similar to this one:
https://{your cognito domain}/oauth2/authorize?client_id={your client id}&response_type=code&scope=aws.cognito.signin.user.admin+email+openid+profile&redirect_uri={your site's url}
Once the auth process is finished it will redirect the user back to your site. I need to point out that first you need to add your site's URL to the list of allowed Callback URLs in your app client.
I wish I could be of more help, but how to handle auth in your app is very dependent on the technology you're using. If it helps, this thread discusses how to do this with Nuxt and @nuxtjs/auth-next, which will probably give you some more insight into how to approach your problem.

Vue + Flask Gmail API

I am attempting to build a webapp using Vue for the frontend and Flask for the backend that reads in the user's Gmail emails.
Desired functionality:
User clicks a button to "Link Gmail Account" on the frontend
User is authenticated with Gmail OAuth2 and confirms. Once confirmed, they are redirected back to the page they were on
Once the user confirms, the backend queries Gmail to get all of the user's emails and returns the data to the frontend
I have been trying to use https://developers.google.com/gmail/api/quickstart/python as a starting point, but I cannot authenticate the user -- I keep getting a redirect URI mismatch error with a random port (I am doing this locally so have set the redirect URI to be the localhost port where I access my project).
I think I am doing something fundamentally wrong or not using the Gmail API in the correct way, but have searched all over google and youtube to no avail.
Specific things that I think could be causing an issue:
What is the best overall strategy to implement this? Should I use the Gmail API in Python or JavaScript? Right now, the user clicks the "Link Account" button, which calls an API in my backend, which then runs the code in the Python Quickstart guide.
What kind of google project should I set up? I currently have my credentials configured for a "web application"
What should I put as the redirect uri? I am using localhost but am unsure exactly what to put here (I have tried http://localhost, http://localhost:5000, http://localhost:5000/, http://localhost:5000/emails [this is the url I want them to return to]). No matter what I put, I keep getting a redirect uri mismatch and it says the uri it is looking for is http://localhost:[random port]/
I would appreciate any help on how to approach achieving this. Thank you!
Depending on what you are going to use Gmail API for, you must select the device or category. In your case, as it is a website it should be set to "Web Application".
Also, you should be using the following redirect URI: http://localhost/emails/. You should not include the port number and you should be using trailing slashes (adding the last / at the end). Note that the redirect URI you set up in your backend must be an exact match of the one you have set up in your Credentials Page. Also please note that it might take some minutes to update this URI.
Moreover, this is a guide on how to create a Sign In button that will authorise your users that I believe will be useful for you.

Pinterest redirect_uri query parameter

In my Pinterest app I have set the Redirect URI to https://my.site.com/pinterest/callback. When doing the redirection after authentication back to my site I append a sessionid so the query becomes https://my.site.com/pinterest/callback?sessionid=<string>. This doesn't seem to work as I get
"The provided redirect_uri https://my.site.com/pinterest/callback?sessionId=YA6udv2FrdjjV8juij3U5oIBBP6RoEQWWUFNzSHKaHGGf3jRq10uJ2A0-R-eYB8LLwiBTbESEdGzMY0fhYI8d7gOe3kOoPuPS6c-mowaaJBDv0J8D2I does not match any of the registered redirect URIs."
In other APIs, like the Instagram one, this is possible. Can anyone help with this? Thanks a bunch!
I have been stuck with this for two days. Basically, Pinterest doesn't support custom parameters like other websites do; for Pinterest you need to provide the EXACT callback URL, it has to use https not http, and if you need to pass custom parameters they should be in the state parameter.
From Pinterest docs
state: A value you define. This can be used to make sure that the redirect back to your site or app wasn’t spoofed.
See Authentication section at https://developers.pinterest.com/docs/api/overview/
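The subdomain-in-state technique from the Xero answer above (nonce plus subdomain packed into state, then a second hop to the tenant) and from this Pinterest answer, worked through as an added Ruby example; this is not code from either post, from Xero or from Pinterest. The secret, base domain and tenant list are constructed placeholders, and the HMAC signature and tenant allowlist are my additions so the single registered callback only hops to hosts you actually own.

```ruby
require "json"
require "base64"
require "openssl"
require "securerandom"
require "uri"

# Constructed values for this example; generate the secret and keep it server-side.
STATE_SECRET = "constructed-example-secret-do-not-reuse"
BASE_DOMAIN = "example.com"
KNOWN_SUBDOMAINS = %w[acme globex initech].freeze # the tenants you actually host

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", STATE_SECRET, payload)
end
def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Step 1, on the tenant subdomain: mint a nonce, keep it in the tenant session
# for the later CSRF check, and pack nonce + subdomain into a signed state.
def build_state(session, subdomain)
  nonce = SecureRandom.hex(16)
  session[:oauth_nonce] = nonce
  payload = Base64.urlsafe_encode64(JSON.generate({ uuid: nonce, subdomain: subdomain }), padding: false)
  "#{payload}.#{sign(payload)}"
end

# Decode the state only if its HMAC is intact; nil for anything malformed or forged.
def decode_state(state)
  payload, sig = state.to_s.split(".", 2)
  return nil if payload.nil? || sig.nil? || !constant_time_equal?(sign(payload), sig)
  JSON.parse(Base64.urlsafe_decode64(payload))
rescue JSON::ParserError, ArgumentError
  nil
end

# Step 2, on the single registered callback at the root domain: read the tenant from
# the state and hop there, but only to a subdomain you host (no open redirect).
def hop_url(state, code)
  data = decode_state(state)
  return nil unless data && KNOWN_SUBDOMAINS.include?(data["subdomain"])
  "https://#{data['subdomain']}.#{BASE_DOMAIN}/auth/xero_oauth/callback" \
    "?code=#{URI.encode_www_form_component(code)}&state=#{state}"
end

# Step 3, back on the tenant subdomain: nonce must match this session's and is consumed.
def nonce_valid?(session, state)
  data = decode_state(state)
  expected = session.delete(:oauth_nonce)
  !!(data && expected && constant_time_equal?(data["uuid"].to_s, expected))
end
```

Because the provider echoes state back on error responses too (as the Xero edit above notes), the root-domain callback can route an error to the right tenant with the same hop_url logic.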

Changing request and response with an Apache Proxy Server

I want to use an Apache proxy server (mod_proxy) to intercept all requests and responses to a web server. However I want to change requests and responses before redirecting them. Simply rewriting URLs is easy and documented, but the changes I want to make are more sophisticated, namely they need to inspect the request for user credentials as well as conditionally make redirects.
Is this possible in Apache's mod_rewrite, possibly in combination with other modules?
While the main goal is to implement this in Apache, I would also be happy with an alternative solution which doesn't necessarily use Apache.
Here is a more precise explanation of what I want to achieve, to give a little more context:
Check each incoming request for user credentials. If credentials are present, they are replaced by the user information which the web server can use to identify the user (Ideally in the Authorization header)
For example, let's assume a request contains a cookie which authenticates the request as being sent from the user "John"; this cookie is removed, and the Authorization header is changed to Authorization Authenticated_by_proxy {"id":12345,"name":"John"}
Check each answer to see if it's an Error 403. If this is the case and the user is not logged in, redirect the user to a login page instead of forwarding the error

How to understand the Google Redirect URI correctly?

From the Google Developer Console page, it explains the meaning of "Google Redirect URI" as:
Determines where the response is sent. The value of this parameter
must exactly match one of the values registered in the APIs Console
(including the http or https schemes, case, and trailing '/').
Not sure whether this explanation is the same as what I think or not:
On my app (web application), it allows the user to sign in via Google (assume I registered a Google project with ClientID/secret configured on my web app, and on the Google Console page the redirect URI is "http://bbc.co.uk").
After I log in to Google successfully with my Google account, my web app login page will be redirected to "http://bbc.co.uk" as on the Google Redirect URI?
That last sentence is a bit ambiguous. A better description is:
After I login to my Google Account successfully with my Google
credentials, Google will redirect my browser back to
Redirect URI http://bbc.co.uk that is registered for the web app in the Google > API Console.
Just to be sure: this means that the Redirect URI should be part of your web app. It is not actually Google's Redirect URI but it is the Redirect URI that you've configured in the Google API Console for your web app.
Let me see if I can't explain this in a different way.
What would happen if you didn't have a redirect URI?
If you go to the Developer console and create a Client ID for a native application, by default the redirect URI
This will redirect the authentication back to wherever it was requested from. In the case of natively installed applications this is needed because there is no way to know where the user who has installed the application is.
Let's look at this in action.
Request authentication:
https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code
If you place the above line in a web browser the user will see something like this
Assuming they select ok then they get this displayed back at them.
That is the Authentication code, not to be confused with the access token. This is just the first step. Once your application has the Authentication code it can then exchange that for a refresh token and an access token. Most client libraries handle this step internally. You and your users never see this Authentication code.
Back Redirect URI:
In the case of a web application, your web application needs to be able to get hold of that authentication code. Now I probably shouldn't be telling you this, but you could just use a native application client in your web application and it will work. Why? Because the authentication server will just return the Authentication code back to wherever it was that requested it. For security reasons this is probably a bad practice.
So what do you need to place in the redirect URI? It is the file that you have ready to handle this authentication code. Normally it's just the same as the login page, but you can have several. Just put each of them on separate lines.
http://localhost/login.php
http://www.daimto.com/login.php
I like to do this because then it works when I am testing locally vs when it's up on the server.
I think the wording "Determines where the response is sent" confuses a lot of beginners as it implies that Google will somehow call that URL directly. Then the word "redirect" leads people to confuse the URL with the page of the app that the user will get to once he's authenticated.
http://bbc.co.uk is definitely NOT the redirect URL. A redirect URL would normally look like https://myapp.com/servlet_or_php_that_i_wrote_to_process_tokens.php
Google will "call" servlet_or_php_that_i_wrote_to_process_tokens.php by redirecting the browser to it. Once servlet_or_php_that_i_wrote_to_process_tokens.php has done whatever is needed with the token, it will then issue its own redirect to (say) bbc.co.uk