I am having an issue with Auth0 and the callback. If I enable 'Customize Login Page' for Auth0's hosted page I get a callback url that looks something like this:
http://localhost:3000/callback?code=xxxxx&state=xxxx.xxxx
But if I disable the 'Customize Login Page,' I get a callback url that looks something like this:
http://localhost:3000/callback#access_token=xxxxx&expires_in=xxxx&token_type=Bearer&state=xxxxxx&id_token=xxxxxxx.xxxxxxxxxxxxxxx
I couldn't find anything in documentation for this behavior. I would prefer it to behave as the latter. Can anyone point me in the right direction?
I found the solution. When the Login Page is customized, the responseType is set to 'code' by default. It needs to be set to
responseType: 'token id_token'
I was testing with a Google account. I'm not sure whether it behaves differently with other account types.
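As an added example (not from the original post), a small Node.js function that accepts either shape of callback URL described above, tells the caller which responseType produced it, and rejects a callback whose state does not match the value issued before the redirect. The function name parseCallback and the sample URLs are my own.

```javascript
// Parses an Auth0-style callback URL and reports which response type produced it.
// The 'code' flow returns its parameters in the query string, the
// 'token id_token' flow returns them in the URL fragment.
function parseCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  const query = new URLSearchParams(url.search);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));

  let flow, params;
  if (query.has('code')) {
    flow = 'code';            // responseType: 'code' (authorization code flow)
    params = query;
  } else if (fragment.has('access_token') || fragment.has('id_token')) {
    flow = 'token id_token';  // responseType: 'token id_token' (implicit flow)
    params = fragment;
  } else if (query.has('error') || fragment.has('error')) {
    const p = query.has('error') ? query : fragment;
    throw new Error(`authorization failed: ${p.get('error')} ${p.get('error_description') || ''}`.trim());
  } else {
    throw new Error('callback carries neither a code nor tokens');
  }

  // The state value must echo the one this client generated before redirecting;
  // a mismatch means the callback was not started by this session (CSRF or replay).
  if (expectedState !== undefined && params.get('state') !== expectedState) {
    throw new Error('state mismatch: callback not initiated by this session');
  }

  // URLSearchParams.get returns null for absent fields.
  return {
    flow,
    code: params.get('code'),
    accessToken: params.get('access_token'),
    idToken: params.get('id_token'),
    tokenType: params.get('token_type'),
    expiresIn: params.get('expires_in') ? Number(params.get('expires_in')) : null,
    state: params.get('state'),
  };
}
```

In the implicit case the fragment never reaches the server, so this check has to run in the browser-side code that handles /callback.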
I am trying to use the Invidious API with an authenticated route. For this, I've generated a new token with this URL: https://invidio.us/authorize_token?scopes=GET:preferences.
The response is like this: {"session":"v1:XXXXX","scopes":["GET:preferences"],"signature":"XXXX"}
But the generated token (session) doesn't work. I tried a simple GET on the preferences route, and I get the error Request must be authenticated :(
Has anyone already used their API and worked with an auth route?
Thank you !
I've actually been struggling with this the past week, and I even deployed a self hosted instance because I thought that would fix it... I was wrong of course.
Here's what the Authentication header should look like:
Authentication: {"session":"v1:XXXXX","scopes":["GET:preferences/*"],"signature":"XXXX"}
The full token is the json that is provided.
The scope needs to include a * or a specific identifier, for example in the case of playlists as mentioned in the examples here. So your authorize_token request should look like:
https://invidio.us/authorize_token?scopes=GET:preferences*
or
https://invidio.us/authorize_token?scopes=GET:preferences/*.
If you want all scopes that would be :*. Make sure not to forget the colon.
I installed the Google Opauth Strategy and it's working brilliantly. The LinkedIn one acts a little differently; in the directions for this strategy it specifies that no OAuth Redirect URL is needed (on the LinkedIn Developer website). I tried leaving this out, and kept getting this error:
'Invalid redirect_uri. This value must match a URL registered with the API Key.'
This error is also on the demo for the plugin here: http://opauth.org/#demo
So I changed it up a bit and placed my redirect URL there just in case, like my Google one has, and it seemed to have worked! It took me to the LinkedIn login screen, I put in my credentials, and it redirected me back to my application. The trouble is, no data was returned this time.
My defaults in LinkedInStrategy.php look like this:
public $defaults = array(
'redirect_uri' => 'http://example.com/users/login',
'response_type' => 'code',
'scope' => 'r_fullprofile r_emailaddress r_contactinfo'
);
In my controller I have this:
$_SESSION['log'] = $this->data;
And in my view I have this:
debug($_SESSION['log']);
This is just to see if the data is setting. When I log in with GoogleStrategy.php settings, this line displays all of the data and I use it to log me in. Perfect. But with the LinkedIn strategy, I just get an empty array. Anybody have any ideas?
Edit:
According to the LinkedIn API documentation here, the code returned is the correct code returned upon successful authentication (redirect uri, code, and state in the response URL). So I know everything's correct thus far to connect; just obtaining the data must be different from the $this->data return method stated in the regular Opauth documentation.
I solved it! I changed the redirect_uri back to default:
'redirect_uri' => '{complete_url_to_strategy}oauth2callback',
In the LinkedIn Developer API area, I placed this URL in the OAuth 2.0 Redirect URLs:
http://example.com/auth/linkedin/oauth2callback
So the OAuth Redirect URL DOES need to be set, unlike their instructions here.
2. Create LinkedIn application at https://www.linkedin.com/secure/developer
Enter your domain at JavaScript API Domain
There is no need to enter OAuth Redirect URL
Furthermore, it specifically has to be http://www.example.com/auth/linkedin/oauth2callback. If it is not that URL exactly, it will not work, unless you change some of the config files yourself and the names of functions. My error was that I set a custom page for it to go to, rather than going through its oauth2callback function THEN heading to the redirect page.
So I've been following the tutorial at https://github.com/heartsentwined/ember-auth-rails-demo to hook up an ember frontend with a rails backend for authentication purposes. I'm to the point where I can authenticate by submitting a form, and that's great! However now I'm finding I want to do a few things with the current user's information.
Right now, I can successfully sign in and when signed in present a button to sign out. However I'd like to do something like "You are signed in as {{currentUser.username}}. Sign Out"
I saw on ember-auth issue #11 they apparently at one point implemented something like this:
https://github.com/heartsentwined/ember-auth/issues/11
However, after sign in, my authview shows "You are signed in as. Sign Out"
I suspect the user may not be loaded into the application right now. I understand that I could simply query the database for the current user in the controller, however I view this functionality as something application wide that should be available. Is there a best practice here or should I just implement something myself?
Auth Setup
App.Auth = Em.Auth.create
  signInEndPoint: '/users/sign_in'
  signOutEndPoint: '/users/sign_out'
  tokenKey: 'auth_token'
  tokenIdKey: 'user_id'
  userModel: 'App.User'
Do you have a user model and does ember-auth know about it?
App.Auth = Ember.Auth.create
  # stuff...
  userModel: 'App.User'
After reading the docs you mentioned above, the correct way to get access to the currentUser object in your templates should be:
"You are signed in as {{App.Auth.currentUser.email}}. Sign Out"
and not only {{currentUser.username}}. I used App.Auth.currentUser.email since I haven't seen any username property on the Auth.currentUser object, but bear with me if there is indeed one then you can use it of course.
Hope it helps.
Introduction:
Hi everyone, I am currently writing a lib to make generic OAuth requests in C#.
The first part, of getting a Token and a Token secret, is working for Twitter and LinkedIn already (RequestTokens), but as soon as I jump to the Authorization part it does not work for LinkedIn, but it does for Twitter.
Useful Information
I am currently using a method to generate AUTHORIZATION_URL for the request. For example:
https://api.linkedin.com/uas/oauth/authorize?MyToken
Same for Twitter, using its own URL. Both services are getting a correctly generated URL, and the window that pops up when I copy it into the browser is correct.
After the user hits the button, different things happen depending on the service.
1 - Twitter: The browser redirects me to the Callback Page, and in the URL there is a Verifier that I am currently parsing and storing. Perfect.
2 - LinkedIn: In the sample I have, everything works just as Twitter does, but when I use my own lib, there is no redirect to the callback URL; instead, I am getting redirected to a URL with an oob? tag, and a verifier number is shown on the screen, instead of appearing in the query string.
Doubt:
What should I do to make sure that the OAuth method I will be using is the normal one, instead of the Out Of Band method? I am making sure that the CALLBACK URL that I set in the lib is being used for the Signature on the first request (REQUEST_TOKEN STEP). Also, Twitter works when I do this.
Any idea what's happening? Let me know if there is any useful information I can add to make sure that my question will be as complete as possible.
Thanks in advance
I solved it.
I forgot to add the Callback parameter to the Signature in the BaseGenerator; instead, it was commented out.
Thanks anyways for everyone
I'm trying to add a "share via twitter" link to our website. I'm aware of the standard http://twitter.com/home?status=TWEET method, and it works well enough for my purposes when the user is logged in to twitter already.
If, however, the user is not logged in, twitter displays the login form first (which is only reasonable). After the login, the home screen is displayed without the tweet content.
Am I missing something obvious, or is this a known flaw in this method? If so, what is the easiest way (apart from using services like TweetMeme, which I noticed asks for login in advance) to make the share button work as expected?
If the user is not signed in when accessing http://twitter.com/home?status=TWEET it seems that the status is indeed forgotten. This would be a Twitter website issue and not something you're doing wrong.
Update: Use this URL instead: http://twitter.com/intent/tweet?text=TWEET
TweetMeme, on the other hand, uses its own Twitter "application" via the OAuth authentication, requiring users to log in before retweeting using TweetMeme, and is smart enough to include the tweet message in the OAuth callback URL so that it's not forgotten.
So really, you can:
Use TweetMeme, where the user would have to log in, but at least have the tweet be remembered once that's done;
Create your own Twitter application that uses the same tweeting functionality as TweetMeme; or
Use Twitter.com's less-than-desirable status updater and hope the user is logged in, or hope that they're smart enough to click the back button a couple times and click on your link again if needed.
Just use the following URL and parameters:
http://twitter.com/share?text=YOUR-TEXT&url=YOUR-URL
Then it works.