Google API Oauth2 - Server-side app, create Oauth token without user interaction or prompt - google-oauth

I've been having some problems trying to understand the OAuth requirements for server-side applications which don't require user interaction when querying Google APIs.
Apologies if this seems obvious to most, but the issue I have is that all the examples and Oauth flows are based on prompting a user to either authorize which features the application has access to or authenticate the user with a google account before being granted a token and refresh token.
Does anyone have experience querying the Sheets API from a server-side app without user interaction that could give me some pointers on how to create the auth token?
I'll be using JavaScript, AJAX and JSON to call the REST API.
Many thanks,
Billy

Thanks pinoyyid, having searched this site for an hour and played around with the OAuth Playground for the better part of an hour, it's frustrating to know the answer was right under my nose in the settings!
Thanks again, really appreciate you pointing me to How do I authorise an app (web or installed) without user intervention? (canonical ?).
For those reading this in the future, the link in the comment above will solve your problem. To summarise: you can use your own app settings by going to the Google OAuth Playground, selecting the settings at the top right (the cog/gear icon), ticking the box to use your own app details, and entering the client ID and client secret. Job done.
Cheers,
Billy
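Once the Playground has handed you a refresh token for your own client ID and secret, the part the server then has to do on its own is exchange that refresh token for short-lived access tokens and cache them. The following Node.js code is an added example, not code from the original post; it assumes a Node 18+ runtime with a global `fetch`, a `refresh_token` already obtained as described above, and the public Google token endpoint and Sheets `values` endpoint. The `TokenCache` class, `buildRefreshRequest`, `parseTokenResponse` and `readSheetRange` are names chosen for this example.

```javascript
// Added example: unattended server-side access to a Google API using a stored
// refresh token. Assumes Node.js 18+ (global fetch) and a refresh_token that
// was obtained once through the OAuth Playground with your own client ID/secret.

const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';

// Build the refresh_token grant (RFC 6749, section 6). Client ID and secret are
// sent in the form body, which is what Google's token endpoint accepts.
function buildRefreshRequest({ clientId, clientSecret, refreshToken }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
    grant_type: 'refresh_token',
  });
  return {
    url: TOKEN_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Turn the JSON token response into an access token plus an absolute expiry.
// A safety margin keeps us from handing out a token that expires mid-request.
function parseTokenResponse(json, nowMs, marginSeconds = 60) {
  if (json.error) {
    // e.g. invalid_grant: the refresh token was revoked or the consent expired
    throw new Error(`token endpoint error: ${json.error} ${json.error_description || ''}`.trim());
  }
  if (typeof json.access_token !== 'string' || typeof json.expires_in !== 'number') {
    throw new Error('malformed token response');
  }
  return {
    accessToken: json.access_token,
    tokenType: json.token_type || 'Bearer',
    expiresAtMs: nowMs + Math.max(0, json.expires_in - marginSeconds) * 1000,
  };
}

// Cache that only hits the token endpoint when no unexpired access token is held.
// fetchImpl and now are injectable so the logic can be exercised offline.
class TokenCache {
  constructor(credentials, { fetchImpl = globalThis.fetch, now = () => Date.now() } = {}) {
    this.credentials = credentials;
    this.fetchImpl = fetchImpl;
    this.now = now;
    this.cached = null;
    this.refreshCount = 0; // number of round trips to the token endpoint
  }

  async getAccessToken() {
    if (this.cached && this.cached.expiresAtMs > this.now()) {
      return this.cached.accessToken;
    }
    const req = buildRefreshRequest(this.credentials);
    const res = await this.fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
    const json = await res.json();
    this.cached = parseTokenResponse(json, this.now());
    this.refreshCount += 1;
    return this.cached.accessToken;
  }
}

// Read a range from a spreadsheet with the cached bearer token
// (GET https://sheets.googleapis.com/v4/spreadsheets/{id}/values/{range}).
async function readSheetRange(cache, spreadsheetId, range, fetchImpl = globalThis.fetch) {
  const token = await cache.getAccessToken();
  const url = `https://sheets.googleapis.com/v4/spreadsheets/${encodeURIComponent(spreadsheetId)}` +
              `/values/${encodeURIComponent(range)}`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (!res.ok) throw new Error(`Sheets API returned HTTP ${res.status}`);
  return res.json();
}
```

The client secret and refresh token are long-lived credentials for the account that authorised the Playground, so they belong in server-side configuration or a secrets store, never in JavaScript shipped to a browser; the "no user interaction" property comes precisely from holding that refresh token on the server.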

Related

How to use OAuth 2.0 correctly in SPA?

I'm working on a project where we have a Vue.js frontend and a microservices architecture for the backend hosted in Azure Service Fabric.
We want to add an IdentityService for authentication using IdentityServer4.
What we want to achieve is a login that is basically the same as stackoverflow provides:
You can login on the website with an embedded login or use external providers like Google and Facebook.
My question only concerns the embedded login.
I have read articles that state using Authorization Code Grant with PKCE is the best way in my scenario. Moreover, they say that Resource Owner Password Grant should not be used.
But as far as I know, with this flow it is not possible to embed the login in our own website. It will always be a redirect to the IdentityService.
How does Stack Overflow achieve this? Do they use Resource Owner Password Grant?
Thank you!
First of all, I welcome you to check how Stack Overflow (SO) handles their user registration process.
SO allows you three options: log in through Google, log in through Facebook, or register directly with SO. When someone uses Google or Facebook, SO uses the Authorization Code flow. The user is redirected to the respective login page. Once you log in there, SO receives user profile details from those identity providers, which allows SO to complete the profile and onboard the user.
But when someone uses the built-in register page, it is simply a good old registration page. There is no OAuth involved there. SO obtains the end user's credentials, completes the profile and saves them at their backend.
In your scenario too, you can omit OAuth and use a built-in registration or login page. The only concern is the maintenance burden of end-user credentials.

Using Google Contacts API with titanium

I am new to Titanium and am trying to make a directory of contacts using the Google Contacts API. I have read up on it yet am not seeing too many helpful examples. I know I need authentication yet I can't seem to figure out where to start. Any help is appreciated.
You may know some of this already, but here's the broad-strokes overview for others and an answer to your question (any help is appreciated).
You need to create a (Google) account and register your project/application first in order to make requests for non-public user data. The request must include an access token. The token also identifies your application to Google.
In order to authenticate a user/application you will need to use OAuth 2.0 to authorize requests. You must register your project in the Google API Console and enable the Contacts API service in order to use OAuth 2.0.
To implement the OAuth protocol in a Titanium app you can follow along with the sample/tutorial in this blog post:
OAuth Login for Titanium

What are the security flaws of exposing OAuth access_token to a user?

The title may sound stupid, but I couldn't find a better way to express myself.
I have an API using an OAuth2 server. This API is a backend service for my mobile application, but I will also provide it to third-party applications.
I also have a login method, which is used to authenticate the user with email and password and returns the access_token to this user for my mobile application.
So, whenever you make a POST /api/v1/users/auth with email and password, you will get a 'full-access' token, which has all scopes available. I don't think there's a big flaw here because whoever holds the user's credentials may access the application through the web interface and do whatever he wants.
But still, it's weird to think that anybody can get an access_token from an existing application, because in the normal OAuth process only the proper application can fetch an access_token from the server. But I don't even think that OAuth2 was designed for client-exposed applications, like desktop, JavaScript, etc.
Is there a better way to do this? Am I doing something wrong?
Thanks!
You shouldn't have any worries as long as you're communicating via HTTPS and your JavaScript is secure/stable.
Otherwise you run the following risks:
1) Credentials being stolen by code injected into your page via an XSS vulnerability.
2) An eavesdropper with the ability to read packets could steal the credentials.
3) Software such as "FaceNiff" that sniffs security tokens, such as Facebook's and Google's, and allows them to log in with the account of any user who is connected to that Wi-Fi.
4) Granting privileges to code that might abuse those privileges either intentionally or by acting on behalf of yet more code that is malicious.
Essentially when going over a non-secure wire, you have to keep in mind that granting an access token means that given user has rights to do actions A, B, and C on Facebook, Github, Google, your platform, etc. Anyone that grabs that token now has the same rights to do actions A, B, and C on Facebook, Github, Google, your platform, etc as the user in question.
This article gives a pretty thorough understanding of the concepts behind OAuth tokens.
Please let me know if you have any questions!

MVC 4 OAuth - How to prevent unauthorized users?

Folks,
I just moved to VS 2012 from VS 2010. I am still figuring out the new SimpleMembershipProvider and OAuth provider.
After creating a default "Internet" project, I enabled the Google client. It seems now I can log in using either a local username/password or Google authentication.
I would appreciate it if someone can help me understand the following:
I would like only authorized users to be able to log in. It seems any Google user is able to log in at the moment. How do I prevent this?
I would like to set it up such that although anyone can request "registration," only admins decide who is allowed to access the system. How can I achieve this?
Is there a way to completely get rid of local username/password and just use Google authentication instead?
Thank you in advance for your help.
Regards,
Peter
Did you look at Using OAuth Providers with MVC 4?
There is a tutorial which shows how you authenticate with a Facebook account (with Google it will be the same), but the authorization process needs some "wizard". After successfully completing the registration wizard, the user is allowed to access the website. Of course you will have to change the above wizard to your needs.

Facebook Style API Design

I am working on designing an API/application structure to mimic Facebook's for a project of mine. I am wondering what the best way of going about authenticating users is.
For an app, how do I give them the necessary credentials and how do I authenticate those credentials?
I would investigate these technologies before I started down the road:
OpenSocial: this is basically the "open source" Facebook platform. You can set up your site as a container, or an application (or some funky combo of both).
OpenID: if you just want to be able to authenticate people using their login credentials from another trusted site.
OAuth: if you're looking for an API-style authentication framework.
All of these technologies have reference implementations in the usual suspects and are supposed to be more "open" than anything Facebook is doing. We will see what happens in the long run...
Well, the Facebook API actually has an open source implementation, so that's fine. But I'm wondering how does Facebook actually authenticate everything? Like, how do they pass user data to you?