Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
My main problem is getting the token. I can’t go further than this step.
In the Linkedin API's docs there are two ways described to obtain the token.
Witch is the correct one?
1) https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow
2) https://developer.linkedin.com/docs/oauth2#configure
I understand that in order to use the new Linkedin API (the partners one) I should use the first one (https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow)
Here is my petition:
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id={MYCLIENTID}&client_secret={MYCLIENTSECRET}
The response:
Error "access_denied"
error_description "This application is not allowed to create application tokens"
And I get stuck here.
With the second one (https://developer.linkedin.com/docs/oauth2#configure) I actually get a token:
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id={MYCLIENTID}&redirect_uri={MYURIREDIRECT}&state={STATERETURNED}
This returns the code (and the State) which I use to make the token request:
https://www.linkedin.com/oauth/v2/accessToken?grant_type=authorization_code&client_id={MYCLIENTID}&client_secret={MYCLIENTSECRET}&redirect_uri={MYURIREDIRECT}&code={CODERETURNED}
And I get the token. But this isn’t the correct way to do it, is it?
By default you will need to use the authorization_code flow to obtain an access token. Per the documentation the client_credentials flow is not enabled by default and needs to be specially enabled by LinkedIn.
https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I'm trying to build an app based on a couple with Laravel and Vuejs.
I've implemented a method in Vue that sends POST login and gets an accessToken from back's Laravel. My next challenge is to get an authorized user's data to show in NavBar and so on. What is the right way to do it?
Way 1: The login method on the app's back returns not only the accessToken. He also puts a user's data into the response. So, after the login request, Vue gets the accessToken and user's data that I put into localStorage inside of Vuex.
Way 2: The login method returns only the accessToken. After getting accessToken, Vue makes one more request to get a profile of the authorized user by the accessToken.
What's the correct way to get an authorized user's profile?
Both approaches are correct, but I think there is no need to get the profile with the login response .
I will only return the accessToken and store it somewhere safe, and when you need the user profile you make another request.
and for showing different types of NavBars,you can use an event emitter to trigger different actions (login, logout)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I would like the instructions of getting JWT from postman. What are the fields should i add under header and body? It will be nice if there is an example of end to end execution of JWT in postman. Thanks much!
Tipically JWT works with basic authentication, and in the response body you will obtain the JWT token (and refresh token if it is implemented). In postman you can extract these values into variables in the Tests tab of the request, with something like this:
var data = JSON.parse(responseBody);
postman.setGlobalVariable("jwt_token", data.token);
After that you can use the variable jwt_token in any place (urls, headers, body ...) with the syntax {{jwt_token}}
If you need more information about how JWT works in Node.js, you can take a look to this post: https://solidgeargroup.com/refresh-token-with-jwt-authentication-node-js
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I´m currently designing a mobile application, and I´m having some concerns about securing the backend which runs the services for it to run.
My current planning is, using SSL and a basic workflow like this:
The generated token expires, because it assures that if someone physically access the phone/device, he cant be in control of the user account for too long, but, at the same time, I don't know what duration is appropriated for it, as I don't want to keep asking for credentials every day.
My questions are:
Is this a good aproach? Would you add something else to it?
Whats the ideal duration of tokens when working on mobile apps?
First thing first, you should encrypt session key when you store it on device. For example, use shared preferences with encrypt option. Further info : Android SharedPreference security
Second, you may want to implement "SSL pinning" mechanism. Which means that verify SSL certificates at client side. You must be sure about that received certificate is belongs to your backend or not. So you can protect your backend URLs and parameters with that way. Further info : https://www.infinum.co/the-capsized-eight/articles/securing-mobile-banking-on-android-with-ssl-certificate-pinning or http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
Third, your design is good. But be sure about your session key generation mechanism is not vulnerability against "Session Prediction" attacks. https://www.owasp.org/index.php/Session_Prediction
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I am writing code to login into router and grab some settings. My code,that I wrote for HTML login does not work with the router login.
I have included the image. What is it ? Can I have code in c#, python or C to login into it ?
It's Basic access authentication. And yes, you can use whatever language you are comfortable with as long as you can specify custom HTTP headers for the request.
As Jifri said, it's Basic access authentication. You can log into it by sending the username and password as part of the URL you request:
http://username:password#url.com
See discussion here too: Username and password in https url
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
Does Google Go support decoding of basic access authentication calls? How do I get the username and password from the http.Request?
Go does not seem to intercept basic authentication when it is typed as an URL in a browser, but it does allow one to get it from some other applications calling it.
For example, using a simple Python code for HTTP JSON RPC:
from jsonrpc import ServiceProxy
access = ServiceProxy("http://user:pass#127.0.0.1:8080/")
print access.getinfo()
And in Go calling:
// r *http.Request
r.Header["Authorization"]
One gets this string:
[Basic dXNlcjpwYXNz]
And
dXNlcjpwYXNz
Base-64 decoded gives
user:pass
So some basic authentication in Go is possible, although it might not be something one can rely on.
There seems to be no way to get the user-provided authentication info, but you can provide the valid username and password for HTTP Basic Authentication by calling SetBasicAuth.