My Rails app is an oauth provider with Doorkeeper. Client registered apps could make API calls to retrieve informations from my service on behalf of user.
What i want to achieve is client app being able to :
register new user on my app via API dedicated endpoint
authorize this user and return an authorization code
In one or two calls, it doesn't matter.
Users are managed by Devise. I see how I can create user via Devise Invitable but I don't know how I can authorize this user with Doorkeeper because User must be authenticated before being authorized even with skip_authorization config.
I would like some help or just ideas to achieve that. Thanks
Finally I found a solution in Doorkeeper issues :
app = Doorkeeper::Application.where(uid: params[:client_id]).first
access_token = Doorkeeper::AccessToken.create!({
:application_id => app.id,
:resource_owner_id => #user.id,
:scopes => 'all',
:expires_in => Doorkeeper.configuration.access_token_expires_in,
:use_refresh_token => Doorkeeper.configuration.refresh_token_enabled?
})
#token_response = Doorkeeper::OAuth::TokenResponse.new(access_token)
puts #token_response.body
I can use this code in my user signup endpoint to create user and then return access_token.
Related
I have the following scenario:
Rails app with User and Admin devise models, so I have two scopes.
Created on ember app on router:
Router.map(function() {
this.route('panel', function() {
this.route('login');
this.route('logout');
});
this.route('admin', function() {
this.route('login');
this.route('logout');
});
});
I'm using jj-abrams branch once my app is Ember 2.0
Both authenticating on /users/sign_in and /admins/sign_in
I followed steps on https://github.com/simplabs/ember-simple-auth/tree/master/packages/ember-simple-auth-devise#server-side-setup and authentication is working.
Ember is hitting the right urls after creating authenticators and adapters, but the problem is that ESA just have one session service. Once user or admin is logged in session.isAuthenticated is true and I don't know which scopes are logged in.
Which is the best way to proceed:
Add a role on user reply and set on session
Create a new session for admin user
I solved this problema creating 3 authenticators for each scope, and I handle each one.
It is a particular solution once I don't use other authenticators (OAuth2), but now I can check if authenticator:user, authenticator:admin, authenticator:manager was used on to login.
I have created checks on routes, so user can only access his panel, admin can access user and admin panel, and manager can access the whole system.
I've posted the ember and the API on github:
https://github.com/fernandes/ember-auth-web for the ember
https://github.com/fernandes/ember-auth-api for the devise api
ps: I think would be better to create sessions for each scope, but I don't know how to do it (and if its better or not), in this solution you can login one scope at once (not like devise on rails you can log with many scopes at once).
I would like to let my users sign up for my laravelbased application using facebook or similar through socialite.
My users use a mobile app on their smartphones, which accesses the API of my app. Those API-routes are currently secured through the auth.basic middelware
Route::group(['prefix' => 'api/v1', 'middleware' => 'auth.basic'], function()
{
// ...
});
The app interacts with the api restfully through basic protected urls..
https://user:pass#myapp.com/api/v1/item/1
Now, how can i enable my users to access my protected api-routes, when they have registered through socialite? Is there a Package or a predefined middelware? Also, how would the URLs look like? Is it even possible to allow API calls with both, normally registered users and those being registered through socialite at the same time?
I see 2 best options in here.
Easiest is to use simple auth middleware in combination of logging in to the API at first before any other API calls
Secondly you can create custom middleware and include a token in your API call that authenticates the user. Example of such call after logging and getting token is below. Middleware gets the url param and checks if this is correct.
https://myapp.com/api/v1/item/1?token=123456
Hi all could you just tell what is the difference between Twitter Authenticate and Authorize
$twitterConnect = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET);
$twitterToken = $twitterConnect->getRequestToken();
$redirect_url = $twitterConnect->getAuthorizeURL($twitterToken, true); // authenticate
$redirect_url = $twitterConnect->getAuthorizeURL($twitterToken, false); //authorize
With oauth/authenticate if the user is signed into twitter.com and has previously authorized the application to access their account they will be silently redirected back to the app.
With oauth/authorize the user will see the allow screen regardless if they have previously authorized the app.
This method differs from GET oauth / authorize in that if the user has already granted the application permission, the redirect will occur without the user having to re-approve the application.
https://dev.twitter.com/oauth/reference/get/oauth/authenticate
Note:
You must enable "Sign in with Twitter" in the application settings to achieve this.
Desktop applications must use this authorize and not authenticate.
I've developed a REST api for my Symfony2 application. This api will be used by a mobile app. Much of the functionality is done in the context of the currently authenticated user, ie:
$this->container->get('security.context')->getToken()->getUser()
I'm hoping that the mobile app will be able to post to the login action just like a traditional web form. If the credentials check out then Symfony2 does it's thing and sets a cookie (does this even work in the context of a mobile app accessing an api?). Then later api requests from that mobile phone will (hopefully) work with the native symfony2 security.context service container.
Would this work? I need to figure out this authorization process before I take the API to the mobile developers. If possible I'd obviously like to be able to use the native security.context service instead of building out a new auth system for the api that uses xAuth or something similar.
Thanks
I think you should do it stateless (without cookie).
I had the same problem, what i did:
in your app/config/security.yml, add:
security:
...
firewalls:
rest_webservice:
pattern: /webservice/rest/.*
stateless: true
http_basic:
provider: provider_name
...
Now you can make a request to your webservice:
class AuthTest extends WebTestCase
{
public function testAuthenticatedWithWebservice()
{
$client = $this->createClient();
// not authenticated
$client->request('GET', '/webservice/rest/url');
$this->assertEquals(401, $client->getResponse()->getStatusCode());
// authenticated
$client->request('GET', '/webservice/rest/url', array(), array(), array(
'PHP_AUTH_USER' => 'username',
'PHP_AUTH_PW' => 'password'
));
$this->assertEquals(200, $client->getResponse()->getStatusCode());
}
}
Here you are, How to create a custom Authentication Provider awesome article.
To Authentication to a Symfony2 application through api, you need use:
WS-Security
Yes Marc, jules is pointing to an example just to show you how to test authentication with http_basic.
To be RESTful you should avoid using cookies, otherwise just call it an API. About how secure is your authentication system you can go with http_digest over https or more secure signed request with api_key/api_secret approach.
Have a look here http://wiki.zanox.com/en/RESTful_API_authentication
I am new to using APIs of Websites. But since a long time I wanted to learn this and today started with the simple example of how to access information from soundcloud. Here is the code of the simple example from their website
require 'rubygems'
gem 'soundcloud-ruby-api-wrapper'
require 'soundcloud'
gem 'oauth'
require 'oauth'
# Create a Soundcloud OAuth consumer token object
sc_consumer = Soundcloud.consumer('YOUR_APPLICATION_CONSUMER_TOKEN','YOUR_APPLICATION_CONSUMER_SECRET')
# Create an OAuth access token object
access_token = OAuth::AccessToken.new(sc_consumer, 'YOUR_OAUTH_ACCESS_TOKEN', 'YOUR_OAUTH_ACCESS_SECRET')
# Create an authenticated Soundcloud client, based on the access token
sc_client = Soundcloud.register({:access_token => access_token})
# Get the logged in user
my_user = sc_client.User.find_me
# Display his full name
p "Hello, my name is #{my_user.full_name}"
I know what to set as:
'YOUR_APPLICATION_CONSUMER_TOKEN'
'YOUR_APPLICATION_CONSUMER_SECRET'
as this was given when registering a application on soundcloud.
I set the 'YOUR_OAUTH_ACCESS_TOKEN' to http://api.soundcloud.com/oauth/access_token
which was also written on the soundcloud site, but I have no idea where to get the
_YOUR_OAUTH_ACCESS_SECRET_ from.
Is this access secret also a random string that I get from somewhere, do I have to generate it by myself.
EDIT As suggested in the answer of the Elite Gentlemen I also tried the Soundcloud example on authentication. I post here the piece of code which already leads to the error:
require 'rubygems'
gem 'soundcloud-ruby-api-wrapper'
require 'soundcloud'
# oAuth setup code:
# Enter your consumer key and consumer secret values here:
#consumer_application = {:key => 'QrhxUWqgIswl8a9ESYw', :secret => 'tqsUGUD3PscK17G2KCQ4lRzilA2K5L5q2BFjArJzmjc'}
# Enter the path to your audio file here.
path_to_audio_file = "your/absolute/path/to/audio_file.ext"
# Set up an oAuth consumer.
#consumer = OAuth::Consumer.new #consumer_application[:key], #consumer_application[:secret],
{
:site => 'http://api.sandbox-soundcloud.com',
:request_token_path => '/oauth/request_token',
:access_token_path => '/oauth/access_token',
:authorize_path => '/oauth/authorize'
}
# Obtain an oAuth request token
puts "Get request token"
request_token = #consumer.get_request_token
The error message I receive then is:
OAuth::Unauthorized: 401 Unauthorized
method token_request in consumer.rb at
line 217 method get_request_token in
consumer.rb at line 139 at top
level in test1.rb at line 25
How can this simple example fail?
The answer to the question is very simple. My problem was that I had
registered my application on the soundcloud production system
soundcloud.com but directed my requests against sandbox-soundcloud.com.
I had to go to sandbox-soundcloud.com, register a new user account and make a
new client application and everything worked perfectly.
More information on the Sandbox is available here:
http://github.com/soundcloud/api/wiki/Appendix-B-Sandbox
As with OAuth, you will have to register your application with Soundcloud if you want the end-user to access Soundcloud's protected resources through your application.
When you request an access_token from Soundcloud using OAuth, it will return you and access_token and a oauth_token_secret. That oauth_token_secret is what you mentioned as YOUR_OAUTH_ACCESS_SECRET
I don't know how familiar you are with OAuth. The documentation can be found here.
Edit OAuth authorization scheme changed a while back, (e.g. getting an access token requires you to specify a oauth_verifier).
See the SoundCloud example on Authentication using the latest OAuth specification.