Unable to use Resource owner credentials of Oauth2 for Rdio - authentication

We are using rdio to get music from rdio in our app. We have used OAuth2.0 for authentication. Currently we are using authorization code. I am exploring to switch to Resource owner credentials documented in (http://www.rdio.com/developers/docs/web-service/oauth2/auth-password/ref-oauth2-auth-password ). I have created the app in rdio site, obtained the client_id and client_secret. I am making POST call to https://services.rdio.com/oauth2/token and passing username= password= (HTTP Authorization header method of client verification) . The response comes as "error_code":"unauthorized_client" "error_description": "This client is not authorized to use the password grant". I have tried to substitute username and password with real username and password, but that doesn't work. Is it the validity of client_id and client_secret that is the issue? I've followed all the steps to T. Please let me know what am i doing wrong?
Regards Vinay

This OAuth 2.0 grant isn't available to every one, the documentation says:
This method is limited to trusted Rdio partners. Please contact us if you feel your application needs to use this method.

Related

Malformed mfa_token message when trying to challenge an user with MFA

I am developing an iPhone application to demonstrate the MFA using sms factor with MFA APIs for POC. I am using the authorisation flow for getting my access token (where I get a authorisation code and redeem it for an access token)earlier to MFA implementation. From the documentation, I found out that I need an MFA_token to work with MFA APIs. I added few changes with my existing authorisation process.
I am getting an MFA Token by doing the following steps:
Added scope enroll read:authenticators to authorisation endpoint( i.e. “https://<my_domain>/authorize”)
Added an audience:
https://<my_domain>/mfa to the authorisation endpoint
Then I make a post request to token endpoint with authorization code to get the mfa_token.
The only changes I can observe is now the access token(which I presume to be the mfa_token) is in jwt format with expire time 600 sec. By using this access token(=mfa_token)
I built a custom pages for my user for enrollment and challenging the user via sms.
I am able to enroll user, confirm enrollment using this access token.
But when I challenge an user using this access token I get the following error after https://YOUR_DOMAIN/mfa/challenge call.
{
“error”: “invalid_grant”,
“error_description”: “Malformed mfa_token”
}
Can anyone please say me where I am going wrong?
Is the access token same as the MFA_Token in my case?
Thanks in Advance!
I think the access_token only serves as mfa_token during OOB/device registration. Thenafter, the user will get an mfa_token during auth, which is passed for MFA/OTP challenges
https://auth0.com/docs/login/mfa/ropg-mfa/manage-authenticator-factors-mfa-api#resource-owner-password-grant

Which Google OAuth2.0 token do I use to uniquely identify a user and log them in

I'm trying to set up Google OAuth2.0 from this guide and I have everything set up and running. I can get the authorization code, the access_token, and the refresh_token to show up in my console.log's. My question is which one of these tokens can I use to properly identify and log in a user to my backend?
In a normal scenario, a user would enter a username & password and that would uniquely identify them. However in the Google OAuth2.0 case, it seems the authorization code, the access_token, and the refresh_token all cannot be used to properly identify and log someone in. Is this understanding correct?
I read a similar post but it doesn't seem to provide a very recent answer that also securely identifies the logged in user.
If I cannot use any of the above mentioned tokens to securely identify and log in a user, is it even possible? How come I see other websites and apps use "sign in with Google" and "sign in with Facebook"?
Another solution I read in a different StackOverflow post said to just get the account ID and use that as an identifier. Isn't that insecure? Can't someone guess the account ID? Also this would be assuming these account IDs are private.
My question is which one of these tokens can I use to properly identify and log in a user to my backend?
the id token from open id connect.
explanation
You are confusing authorization and authentication.
Oauth2 a user to grant and authorize your application access to their data the access token gives you access to their data for a limited time (1 hour). If the user is off line you can use the refresh token to request a new access token. None of theses will tell you that a user is behind the calls.
open id connect allows you to authenticate a user logging in will return an id token
Id token verification
After you receive the ID token by HTTPS POST, you must verify the integrity of the token. Verify the integrity of the ID token

Onelogin API authentication error

I am attempting a very basic call to the one login API to get an authentication token. I copied the client id and client secret correctly from the api credentials page (although the "copy to clipboard button doesn't seem to be working).
r2 = requests.post('https://api.eu.onelogin.com/auth/oauth2/v2/token',
auth=('<CLIENT ID>','<CLIENT SECRET>'),
json={
"grant_type": "client_credentials"
}
)
When I run this, I get an authentication failure error. I have no idea what I am doing wrong, any help would be really appreciated.
The client_id and the client_secret to use in this call actually are not the ones from an app configured in the oneLogin account, you have to set up some API client_id and client_secret in your oneLogin account administration page, give them at least an auth level and then use them in your call to get the tokens
Sure.
Depending on what privileges you need, there are different profiles in the Developers>API credentials section from the Administration portal.You can create a new profile by clicking in the top left blue button named "New credentials".
In your case, I think is enough with a "Authentication only" profile.
Once you have those API credentials, when you are using a BASIC authentication method, you have to set them in the JSON header, but encoded in base64, not just as plain text, and the client_id and client secret are separated by (:) not by (,).
You also need to set up the content type to "application/json" in the header.
Hope this helps.

Laravel 5, how to send API token to mobile app

I have a mobile app which will call a REST API written using Laravel(5.2) framework.
This article on Laravel API authentication mentions how to authenticate users making calls to such an API. The caller should send the correct api_token to the server in the request.
My question is what would be a good way to get the api token to the mobile app? I'm currently thinking of creating a rest api which will authenticate the user based on username and password sent in the request and send the api_token in the response if the user sends a valid username/password pair. Is this method correct/secure? What things should I consider additionally if I do use this method?
You must use one of this methods to have a secure API
JWT TOKEN https://github.com/tymondesigns/jwt-auth
OAUTH2 https://github.com/lucadegasperi/oauth2-server-laravel
With this methods you only send once username and password and you obtain a token that is valid for a time you can decide. But as bigger is the time, more insecure.
To solve this, there are a renew token methods. With a valid token, you can obtain another valid and refresh the old. In this way, the username and password are more protected because they are not sent in every request.
Is not a good idea have the same token for each user all the time, as you saw in the example you provide. It´s very insecure. If someone get this token, he always will can send request in your name. The tokens must have a lifetime.
to answer your question how to send API token to mobile app i will recommend you that your mobile apps get a valid token and after refresh it.
Something as this works great to get a token in your app:
if ( thereAreTokenStored() )
{
if (! theTokenStoredIsValid() )
{
$authentication = refreshToken();
}
}
else
{
$authentication = authenticate();
}
To know all this issues I recommend you this book: https://apisyouwonthate.com/ . I learnt a lot of the 'API WORLD' with this book. It will help you to know all you need to create an API in a professional way and will provide the necessary tools and packages to achieve it and save a lot of work. And you will love your API!!
Yes this approach is safe. Additionally you also need to secure your connection to server by using HTTPS with a SSL certificate.

Validating user's API credentials - PayPal DoDirectPayment

Hello I am working on a site that accept PayPal API Credentials for every restaurant owner so that amount could be transferred to their account directly.
The problem that I am facing, some times restaurant owners add wrong API credentials so when any order is placed the error "Security Header is not valid" appears means their API credentials is wrong.
The solution I want is that the API Credentials could be verified when they are added by restaurant owner, so that order could be placed by end user.
Is there any way to Verify/Validate PayPal API Credentials(User Name, Password, Signature), Please help.
Thanks in advance!
PayPal Don't have any External API to validate the API Credentials alone.
instead. You can Use the Express Checkout SETEXPRESSCHEKOUT API to call with very Minimal data and the API credentials, which will validate the API credentials and will generate a Token. If you get a Token it means the API credentials is correct. This will not do any money Movement with this API Call. PP have this API available in both NVP and SOAP format.