I'm using Vimeo API to get video on a web application context and i have a simple question (i hope :P )
It´s possible to do a request for application authorization using oAuth protocol and via the following link: https://vimeo.com/oauth/authorize?oauth_token=XXXX, WITHOUT force the user to login in browser?
I noticed that if I'm not logged on Vimeo, when I go to https://vimeo.com/oauth/authorize?oauth_token=XXXX, Vimeo redirects me to the login page...
Thanks.
I found it =)
You can create the access token using the application credentials or using the login data. In this case you don't have to make a authorize call.
Example (taken from comments):
String vimeoAPIURL = "vimeo.com/api/rest/v2?video_id=213";
OAuthRequest request = new OAuthRequest(Verb.GET, vimeoAPIURL);
request.addQuerystringParameter("format", "json");
request.addQuerystringParameter("method","vimeo.videos.getUploaded";
request.addQuerystringParameter("user_id", "user137");
request.addQuerystringParameter("full_response", "true");
request.addQuerystringParameter("method","vimeo.videos.getThumbnailUrls");
service.signRequest(accessToken, request);
Response response = request.send();
Syso(response.getCode());
Syso(response.getBody());
Related
I am using Microsoft Owin/Katana and implemented the social login authentication in a Web Forms and MVC application which is working perfectly.
I have a requirement to convert the implementation into an API (controllers). In my MVC application, I am calling this line of code inside the login controller,
HttpContext.GetOwinContext().Authentication.Challenge(properties, AuthenticationProvider);
The user is redirected to the login screen of the provider (i.e. Google, Facebook, Twitter).
I was hoping to achieve the following,
User call /api/login controller of my API and it checks the provider and then using the access key and secret key, it returns the login URL as string or JSON and the consumer of the API will redirect to that URl. This way the secret and access keys are not exposed and just the URL is returned.
The problem is that there is no way I am able to find to get the login request URL of the provider. The Challenge method is void and it just redirects the user which in case of an API is not acceptable.
I have used the following code in a Web API,
var properties = new AuthenticationProperties() { RedirectUri = this.RedirectUri };
if (UserId != null)
{
properties.Dictionary[XsrfKey] = UserId;
}
MessageRequest.GetOwinContext().Authentication.Challenge(properties, AuthenticationProvider);
HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
response.RequestMessage = MessageRequest;
return Task.FromResult(response);
When I call the API using Postman then it returns the whole HTML of the login page. When I call the API URL directly in the browser then it redirects to the login page correctly but I just want to return the Url of the provider and the consumer should redirect itself.
Is there any way to achieve this?
I am using dropbox javascript sdk for file uploads using following end points.
For file below 150MB
/upload
For file above 150MB
/files/upload_session/start
/files/upload_session/append_v2
For Authorization, I am using the following code for now.
const ACCESS_TOKEN = 'my_access_token_created_manualy_from_app_console';
var dbx = new Dropbox.Dropbox({ accessToken: ACCESS_TOKEN, refresh_token });
Now I don't want to go to the app console every now and then to get access token.
Is there any way I could handle it in my code? Any API/ajax request to get access token in response to app_key and app_secret?
Getting a Dropbox access token for a user's account always requires some initial manual interaction from the user to authorize the app in some way. This cannot be done entirely programmatically. For the developer's own account, such as in your case, you can generate an access token on the App Console. For arbitrary end-users, this is instead processed via the OAuth app authorization flow.
You can refer to the OAuth Guide and authorization documentation for more information. For the Dropbox JavaScript SDK in particular, there's an example of processing the OAuth flow here.
Scenario:
Both Web application and Web API need to be authenticated and protected from the server side.
Requirement:
Web application is serving the contents for the browser and browser should be calling Web API directly (i.e. Browser to API).
Question:
Is it possible to authenticate both Web APP and the API using tokens?
Any sample code or clear direction would be highly appreciated.
Normally web applications are authenticated using cookies and APIs are authenticated using tokens.There are some sample projects available here but they are either browser to API (SPA token based) or Server side Web App calling API from server to server.
UPDATE 1
App is saving the TokenValidationParameters and used bootstrapContext.Token within the app controller to grab for server to server communication.
As per #dstrockis, I'm trying to grab the id_token from the Web App soon after the end of validation (not within the app contrller).
I'm using SecurityTokenValidated invoker in OpenIdConnectAuthenticationOptions.Notifications within the Startup class. SecurityTokenValidated receives a parameter of type SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> but I'm not sure where to find the id_token within it. Method is below.
private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
{
return new OpenIdConnectAuthenticationOptions
{
// For each policy, give OWIN the policy-specific metadata address, and
// set the authentication type to the id of the policy
MetadataAddress = String.Format(aadInstance, tenant, policy),
AuthenticationType = policy,
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
//NEW METHOD INVOKE ************************************
//******************************************************
SecurityTokenValidated = OnSecurityTokenValidated
//******************************************************
},
Scope = "openid",
ResponseType = "id_token",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
SaveSigninToken = true
},
};
}
//NEW METHOD ************************************
private Task OnSecurityTokenValidated(
SecurityTokenValidatedNotification<OpenIdConnectMessage,
OpenIdConnectAuthenticationOptions> arg)
{
//QUESTION ********************************************************
//How to find the just saved id_token using incoming parameter, arg
//*****************************************************************
return Task.FromResult(0);
}
UPDATE 2
Instead of SecurityTokenValidated, I tried AuthorizationCodeReceived and it's not getting called at all. As discussed here, my redirect url does have an ending slash as well.
Any Ideas?
Our ASP.NET OpenID Connect middleware which supports AAD B2C is built to rely on cookie authentication from a browser. It doesn't accept tokens in a header or anything like that for securing web pages. So I'd say if you want to serve HTML from your web app in the classic way, you need to use cookies to authenticate requests to the web app.
You can definitely get & store tokens within the browser and use those to access your web API, even if you use cookies to authenticate to the web app. There's two patterns I'd recommend:
Perform the initial login using the OpenID Connect Middleware, initiating the flow from the server side as described in the samples. Once the flow completes, the middleware will validate the resulting id_token and drop cookies in the browser for future requests. You can instruct the middleware to save the id_token for later use by using the line of code written here. You can then somehow pass that id_token down to your browser, cache it, and use it to make requests to the API.
The other pattern is the inverse. Start by initiating the login from javascript, using the single page app pattern from the B2C documentation. Cache the resulting id_tokens in the browser, and use them to make API calls. But when the login completes, you can send a request to your web app with the id_token in the body, triggering the OpenID Connect middleware to process the request and issue a session cookie. If you want to know the format of that request, I'd recommend inspecting a regular server side OpenID Connect flow.
Found the answer to my own question and adding here for the future reference.
After a successful validation, id_token can be accessed by invoking the SecurityTokenValidated notification. Code sample is below.
private Task OnSecurityTokenValidated(
SecurityTokenValidatedNotification<OpenIdConnectMessage,
OpenIdConnectAuthenticationOptions> arg)
{
//Id Token can be retrieved as below.
//**************************************
var token = arg.ProtocolMessage.IdToken;
return Task.FromResult(0);
}
However, saving this directly into a browser cookie may not be secure.
I am trying to implement social authentication from a c# client within a windows universal 8.1 app. When I post to the auth provider .../googleoauth for example the client fails. Fiddler is showing a 302 redirect so the deserialization fails n the response. The authentication flow works if I use a browser so I think everything is configured correctly, but of course could have missed something. If anyone has any insight or an example using social authentication providers from a c# client that would be much appreciated.
ian
The OAuth flow requires a browser to work in order to redirect the user to the remote OAuth website where they can approve access. So you'll need to launch the url in a WebView then capture the Session cookies after the user approves your application and is redirected back to your website.
The TechStacks Auth Example demonstrates this strategy using Xamarin.Auth component for Xamarin.Android.
Just in case anyone else was looking for a sample in UWP. This seems to be working for me. The CreateCookieContainer method for the most part simply loops through the cookies and adds them to a new container that is returned. Thanks #mythz again for the awesome work and support in ServiceStack
// Grab auth cookies from callback uri
var cookies = _httpFilter.CookieManager.GetCookies(uri);
var authCookies = cookies.AsEnumerable().Where(x => new[] {"ss-id", "ss-pid", "ss-opt"}.Contains(x.Name))
.Select(x => new Cookie(x.Name, x.Value, x.Path, x.Domain)).ToArray();
string sessionId = null;
var cookieJar = CreateCookieContainer(authCookies, uri, ref sessionId);
// Store the tokens for autologin
await DataServiceFactory.Instance.StoreSingletonSetAsync(authCookies);
// Set auth on the current client
_serviceClient.CookieContainer = cookieJar;
_serviceClient.SessionId = sessionId;
From the Google Documentation I understood that the email quota is not used anymore. I'm OK with that, but the question is how to provide credentials for user creation in Google Apps. Currently I'm doing it like that:
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(transport)
.setJsonFactory(jsonFactory)
.setClientSecrets(adminid, adminpwd)
.build();
But I'm receiving 401 Unauthorized.
Where's your access token? Try
credential.refreshToken();
accessToken = credential.getAccessToken();
credential.setAccessToken(accessToken);
You'll probably want to retrieve a refresh token too. It may be cleaner to build your credentials with the tokens. Refer to the docs here or here.