I tried to Get Token secret by using dotnetopenoauth.
I searched in it and find
SimpleConsumerTokenManager
class which has
GetTokenSecret()
which seems fine to me but could not making an object of it as it depend on "AuthenticationOnlyCookieOAuthTokenManager"
could you please guide me if you know how can I initialize this class , or even is this the right way of getting secret token to make my twitter signature string
thank you
DotNetOpenAuth does not store token secrets. The SimpleConsumerTokenManager that you found is meant only for temporary storage of a single token and secret during authentication. The IConsumerTokenManager interface is how DNOA interacts with your app so that your app can store and retrieve tokens and secrets.
So in other words, I don't know why you're looking for a way to use DNOA for retrieving token secrets.
Related
I'm developing a Mobile Apps. For now i put my access token on SharedPrefences. I want to ask is store access token on SharedPrefences secure? if no where is best practice to put access token.
Thank You
You should use EncryptedSharedPreferences instead of SharedPreferences as described in the official documentation https://developer.android.com/topic/security/data#edit-shared-preferences
I’m building a react native app that will interact with APIs that I also write/manage. I have found Auth0 documentation for implementing this flow, but I’m not sure on where/when to save the tokens. I want to be sure I nail this step, because I feel like it has the potential to reduce the security of the flow by a great deal if I don’t do it correctly.
Here is the flow as I understand it (no error handling, only happy-path for sake of brevity):
A user enters the app for the first time, or is not already logged in
They log in using the Auth0 web-login-thingy
I receive a token
I can use the token to authenticate with my API
Questions:
Do I store that token? I don’t want my users to have to log in every time they use the app. If I do store the token, where do I store it?
If I’m not storing it, what do I do? Do I ping an authentication/authorization endpoint with Auth0 every time they open the app and get a new token?
Say I am storing the tokens, if I'm using the ID token for user data, should I be hitting the API again regularly to keep it up to date? Only when the user opens the app again? Not until they trigger a change in the app?
Instead of using the ID token for user data, should I just use that to get the user's ID and ping my database for user data?
I have the basics of this flow, and I'm able to sandbox it, but I want to start applying production-ready app logic to this flow and that's where I'm stuck. I’m a little lost here, so any help is good help.
Thanks!!
Here's a brief answer to your questions when using Auth0:
Yes! you store it, the most secure way to store the token is in your device's local storage, that way it is not kept either in application's state or in a global variable.
2&3. See above, but to add more information, you can configure your tokens to have an expiry length. in theory you would convert this 'expiry time from inception' to a date object, and can do one of two things; you can request a new token using the Refresh Token (that comes with the original) once the expiry has been reached, or force the user to re-log in and re issue a new token at this time (i prefer the latter, prevents people from just renewing their tokens forever as long as they remain logged in)
Use the auth token to request user information after login, this can be stored in app state/global variables/wherever. You then want to use the auth token in the Authorization Header for each API call, along with whatever data you are sending. this ensures that even once someone is INSIDE the application, they need to have a valid token to actually do anything involving data (imagine someone back-dooring into your app and skipping the authorization, or using something like postman to just hammer your API with garbage). it would work something like this: GET userData { Header: auth token } -> GET userProfile (by sending your user ID returned from GET userData) PLUS {Header: auth token }
I can give more in depth examples if you wish, and i apologize if i misunderstood any of the question and gave redundant/incorrect answers
Edit: Resources about using secure storage for keys
Document for when to use in-memory storage Vs persistent storage. The TL;DR is use in-memory if the key is expected to expire before a standard session duration, and persistent for storing a key between sessions
https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10
link to Keychain Services doc
https://developer.apple.com/documentation/security/keychain_services#//apple_ref/doc/uid/TP30000897-CH203-TP1
link to SharedPreferences doc
https://developer.android.com/reference/android/content/SharedPreferences.html
AsyncStorage is a simple, unencrypted, asynchronous, persistent,
key-value storage system that is global to the app. [1]
You could store it in your AsyncStorage, but thats not necessarily a secure location itself (e.g. not encrypted, accessible on rooted devices...). Typically clients will issue access tokens that last anywhere from several hours to a couple days and these will provide their owner access to your API-resources. If there is sensitive data behind your login screen, you're probably better off simply re-doing the auth-flow and invalidate older access tokens on login.
I am working on Instagram api. I am getting problem with getting likes and comments of a public post in Instagram as it requires access token .
As we can see from the Documentation is:
https://api.instagram.com/v1/media/{media-id}/likes?access_token=ACCESS-TOKEN
I could use a third party app to generate Instagram access token and save it to my database but the problem is access token can expire any time or once we change the password so I needed a life long token like as Facebook and twitter provides APP access token or Bearer Token to post of get on behalf of app which could be generated using APP Secret and Client Token.
Or Please let me know if there's any ways to get Instagram public post likes and comments using Id.
Thanks in Advance.
There are no life long tokens by design. You'll have to implement logic to refresh a token when it expires. There is no way around this, you have to use an access token and you have to deal with the fact that tokens expire. It's on you, as the developer, to implement logic. From the documentation:
Access tokens may expire at any time in the future.
The solution you're looking for does not exist. It's so easy to implement a refresh, just look for an error or type OAuthAccessTokenException then rerun your auth flow.
The new Firebase for Unity support has just been released into Beta and I am trying to implement Auth with it. I already have a Google sign-in that implements the oauth2 flow using an auth code from GooglePlayGames.PlayGamesPlatform.Instance.GetServerAuthCode and sending it to a server that exchanges it for an access token using the https://www.googleapis.com/oauth2/v4/token endpoint.
I assume this access token is the second parameter of the Firebase.Auth.GoogleAuthProvider.GetCredential method, but what is the ID Token that the first parameter is asking for? Is that the token obtained from GooglePlayGames.PlayGamesPlatform.Instance.GetIdToken (same as GoogleAuthUtil.GetToken, if my reading of the docs/code is correct)?
If this is the case, why are both required? I thought the access token was all that was needed to authenticate a user with google cloud services and that the ID Token was being phased out.
Edit: After some testing, I found that passing the ID Token obtained from GooglePlayGames.PlayGamesPlatform.Instance.GetIdToken does allow Firebase to authenticate. Problem is, it asks for the user's email address every time. I'd like to avoid this if possible.
What is the difference between GetToken, GetAccessToken and GetIdToken, aside from the fact that GetIdToken requires a callback?
I managed to "hack" this in order to get it working... But still i think the correct method should only be using GetServerAuthCode but I cannot make it work with that.
Do your normal process of getting idToken and AccessToken the first time, when you log in to firebase get the user's email and store it in playerprefs. Then the second time if you already have the email you do this:
AndroidJavaClass authUtil = new AndroidJavaClass("com.google.android.gms.auth.GoogleAuthUtil");
AndroidJavaClass unity = new AndroidJavaClass("com.unity3d.player.UnityPlayer");
AndroidJavaObject currentActivity = unity.GetStatic<AndroidJavaObject>("currentActivity");
string idToken = authUtil.CallStatic<string>("getToken", currentActivity, PlayerData.Email, "audience:server:client_id:XXXXXXXXXX-xxxxxxxxxxxxxx.apps.googleusercontent.com"); // your client id, should be a number a dash and then a bunch of numbers and letters
string accessToken = authUtil.CallStatic<string>("getToken", currentActivity, PlayerData.Email, "oauth2:https://www.googleapis.com/auth/plus.me");
Hope it helps although it would be greatif someone posts a solution with GetServerAuthCode cause that is the correct way
I have a general quation about the access token for Facebook API Graph.
I'm doing some testing with the API Graph explorer. I want to display some public facebook events on my website. https://graph.facebook.com/search?q=party&type=event
For the testing I created a access token and it's working.
Now my question: Can I use this token for my website or has it to be renewed all x-days? So when only searching for public events this token is good?
Thanks for your help.
Ben
You should be able to use an App Access Token, it is valid forever. It´s just a combination of App ID and App Secret, including a pipe sign: App-ID|App-Secret
Careful though, don´t use that token on the client.
More information:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
Edit: I just tested it with an App Token, it seems that you do need a User Token after all. You can use an Extended User Token, it is valid for 60 days.