I was trying to find the token on a login page. I've already searched on page source but it'isnt here. I'd like to know the practices for passing an access token and then the way to find it
The best way for token authentication is to pass it along with the request headers.
Normally u can find the tokens in the cookies with the respective key name
Related
I'm in the process of implementing auth0 login in my project, and to be as fast as possible I'm using a hosted login page. Following the auth0 vue docs I've got up and running quickly and I can login and logout users.
Now, I'm trying to create a user profile page with a route of user/:id. For the :id part I want to use the user_id of the user profile, but I'm having issues understanding the optimal way to get it. I realize I can use the auth0 api users endpoint but I'm not sure that's the correct way. Do I actually need to make an API call to the users endpoint each time an user clicks their profile? Is there no better way to get the user_id, maybe from the id_token which is set in localStorage upon login?
Even better, is there a way to get actual user ids? I know that if I would setup my own login with my own db, I'd have an auto incrementing id which I'd use for user id. This does not seem possible with Auth0, or am I wrong about that?
Disclosure: I work for Auth0.
The idToken returned at the end of the authentication / authorization is a JSON Web Token. This token contains the Auth0 user_id as the sub (subject) claim (property).
If you are using Auth0.js or our AuthService tutorial, Auth0.js will decode this token and give it to you as idTokenPayload object in the authResult. This can be used to identify the user as idTokenPayload.sub.
You can store this object as a whole in localStorage or simply decode the token that you accquired from localStorage. However, please note that you should validate the token after accquiring it from localStorage aswell.
To avoid all the above, you can simply use the checkSession method each time your application bootstraps to get a new copy of the accessToken / idToken and rely on that directly :)
I am working on Instagram api. I am getting problem with getting likes and comments of a public post in Instagram as it requires access token .
As we can see from the Documentation is:
https://api.instagram.com/v1/media/{media-id}/likes?access_token=ACCESS-TOKEN
I could use a third party app to generate Instagram access token and save it to my database but the problem is access token can expire any time or once we change the password so I needed a life long token like as Facebook and twitter provides APP access token or Bearer Token to post of get on behalf of app which could be generated using APP Secret and Client Token.
Or Please let me know if there's any ways to get Instagram public post likes and comments using Id.
Thanks in Advance.
There are no life long tokens by design. You'll have to implement logic to refresh a token when it expires. There is no way around this, you have to use an access token and you have to deal with the fact that tokens expire. It's on you, as the developer, to implement logic. From the documentation:
Access tokens may expire at any time in the future.
The solution you're looking for does not exist. It's so easy to implement a refresh, just look for an error or type OAuthAccessTokenException then rerun your auth flow.
sorry if this is question is too broad, but I have to ask this since I'm learning web development and I feel if don't ask I won't know.
So, I'm doing authentication using oauth2, and right now I'm already at point where I successfully authenticate user, and now I'm receiving what they call tokens. The question is, how do you use token to authenticate user to your own server?
I'm thinking something like creating a cookie that maps to a token, so when user acts, each time I'll get a cookie and I know that this is user A. Is method like this safe or not? If not, in what way people usually use the token? Although this is only a hobby project, I'd like to be "as real as possible". Any thoughts?
As per my knowledge Oauth2.0 provides InMemoryTokenStore and JdbcTokenStore for persisting tokens. When a request comes from an authenticated user Oauth2.0 will check if it has a valid token already. In case it doesn't it will create one.
Basically usage of tokens depends on the grant-type you are using . Following are the two commonly used grant types -
1) Implicit - The token is send back in the url as a parameter and is included in the subsequent request* in the parameter.
2) Authorization Code - In this case the token is generated and set in the header of the request*.
*the request here is the one which is finally sent to resource server for accessing protected resources.
I think you dont need to create a cookie for storing tokens. In case you are using Authoziation Code grant type which is the default, Oauth2.0 will use session for storing state and code which will be used for retrieving token.
I tried to Get Token secret by using dotnetopenoauth.
I searched in it and find
SimpleConsumerTokenManager
class which has
GetTokenSecret()
which seems fine to me but could not making an object of it as it depend on "AuthenticationOnlyCookieOAuthTokenManager"
could you please guide me if you know how can I initialize this class , or even is this the right way of getting secret token to make my twitter signature string
thank you
DotNetOpenAuth does not store token secrets. The SimpleConsumerTokenManager that you found is meant only for temporary storage of a single token and secret during authentication. The IConsumerTokenManager interface is how DNOA interacts with your app so that your app can store and retrieve tokens and secrets.
So in other words, I don't know why you're looking for a way to use DNOA for retrieving token secrets.
The logic looks circular to me(although I know I'm missing something)
I want to use this:
https://dev.twitter.com/docs/auth/pin-based-authorization
But in order to make the url to send the user to get the pin you need an "oauth_token" :
https://dev.twitter.com/docs/api/1/get/oauth/authorize
But to get the "oauth_token" you need a:
https://dev.twitter.com/docs/api/1/post/oauth/request_token
But that at the bottom shows it needs an "oauth_signature"
Well, an "oauth_signature" requires an "oauth_token"
( https://dev.twitter.com/docs/auth/creating-signature ) which you don't have, making impossible to get an "oauth_token" because you need one to get one.
What am I missing here? I mainly just want to find out how to get that initial url for the PIN-based authorization, so I need that first "oauth_token" somehow.
There are two different types of oauth tokens - let's call them request tokens and normal tokens. Request tokens are used for the authentication, then once the authentication is done you get normal oauth tokens.
Calling oauth/request_token will generate a request token for you, which is a temporary token used for the actual authentication. Once that's done you have the normal tokens.
set the callback URL both https://apps.twitter.com/ and in your code
. It is working for Me.
oauthCallback:#"myapp://twitter_access_tokens/"