I'm working with a 3rd party REST service that requires retrieving a authorization code grant before issuing an access token. The code will be passed along with the client id and secret in order to retrieve that token. In order to get the code, you have to type the username and password in the form and click the allow button in order for the code to be generated in the redirect uri.
I don't think it's possible, but can this be done with Spring/Java purely using code and not having to go to the browser to retrieve the code?
Your 3rd party REST service needs to provide this functionality (and likely guidance in their API docs). If they do provide it....then yes you can do it entirely in your java code.
Related
I want to implement DocuSign JWT grant authentication. I went through examples provided by DocuSign and I am able to run the application perfectly. But I need to implement DocuSign in my application which is of providing Restful APIs using Spring boot and DocuSign login should happen without explicit login. In the given example, it will ask for explicit login as shown in the image. enter image description here
What setting do I need to change in the example or any sample example where I can give account details inside the code so that it will be authenticated automatically and using JWT grant it generates an access token. Using FeignClient can I call this API https://account-d.docusign.com/oauth/auth?response_type=YOUR_RESPONSE_TYPE&scope=YOUR_REQUESTED_SCOPES&client_id=YOUR_INTEGRATION_KEY&state=YOUR_CUSTOM_STATE&redirect_uri=YOUR_REDIRECT_URI
What you are missing over here is to login to be able to provide user consent, which can be done through any of the following ways mentioned over here
Update:
Replying to the comment regarding an example, not sure if you are using the SDK or directly calling the API but here goes both:
1- If you are using the SDK, you should be able to go through the authentication process of the JWT using this guide.
2- If you are calling the API directly, you can follow this guide. Start with step number 2 if you already have the consent.
I have created a third party api(REST) that I wanted to make public but is only allowed to be accessed from a specific domain. How do I perform domain specific authentication/authorization?
For example, I have an api running on domain say mydomain.com and I wanted to create a JS widget that calls this api, but the widget is used in a different domain say otherdomain.com. How do I make sure only otherdomain.com has access to my api and it is not accessible from say anotherdomain.com.
I could use a api-key to authenticate the api, but I am not sure if that is secure enough as anyone who has access to source of otherdomain.com can copy the script and the api-key and try to access api directly. How can I avoid these kind of security holes.
Using mechanisms like Oauth2 may not help as there is no involvement of a user in this case and hence cannot do user authentication by getting user credentials.
Another idea would be to check for origin header, but it can simply be mocked as well using some reset clients I suppose(or am I wrong in this case)?
Please suggest some ideas to tackle this scenario.
I have created few rest services using jersey implementation.
In security concerns, service can invoke by any one. So I decided to use the token based authentication system.
I wrote one filter in spring security which handles every request before its hits the server.
One login service were created so user can invoke this service by passing the username and password for valid credentials it will generates the access token and expiry date and saves it in Hashmap and DB and returned as a response to the user.
For remaining services user have to pass the generated token in header to access the JAX-RS services.
All these process are coded by us i.e., generation,storage and expiration of the token.
Since we have some security API like oauth1,oauth2 in market is it good to provide the security for rest service by above mentioned way???
Is oauth api will suits my requirement . If it is please guide me how to achieve this ?
Please help me out with valuable suggestions ???
Thanks in advance.
We've been in a similiar position before starting with our rest api. The only difference we had no exisitng code. So basically we saw 2 choices
Run our own Tokenhandling, that what you already have
Use something existing, i.e. oauth2
Our main requirement was authentification via token and we prefered an existing solution. So we just run with oauth2 in form of spring-security-oauth2, even we are not using the whole self authorization stuff.
What i like and probably had missed in an own implementation is that a token generally identifies a user and a client combination and that clients can have rights too. Its nice to have this extra layer of security in our rest api, so i can block early on before even hitting one line of our code.
In form of spring-security-oauth2 its proven code, which works and like much of spring its customizable. Example: In our first version we did use the provided JdbcTokenstore for storing the token, but as requirements changed, we just coded our own and switched it in the config.
The disadvantage of using at least spring-security-oauth2 is that the whole authorization flow is normally webbased and needs communication between the client, the user and our app. As this would not work with our clients we had to trigger the token generation, etc ourselfs, which is doable with spring, but needed some code exploration :-)
If i had to build it again with java and where already using spring, i'd go with spring-security-oauth2 and the oauth way again. But when i had an existing working solution and dont need any of the oauth stuff i would keep the homegrown solution.
I'm using a Trade Me API. Which requires OAuth access tokens according application registered with it. So i have got OAuth access tokens. I have URL of API, all the parameters and values. But I don't understand how to get started. It is obvious that I need to use access tokens but don't understand where and how to use them. As we cant pass them into URL.
I'm using this API :
http://developer.trademe.co.nz/api-reference/my-trade-me-methods/retrieve-your-sold-items/
At the bottom of the API documentation page you provided in your question, there is a Request Builder. This allows you to generate an API request by filling in the form provided and clicking Send Request.
If you were to capture the HTTP requet generated by the browser when you submit this form using an application such as Fidler, you could determine the correct format for the request, and then generate similarly formatted requests from within your own application.
You might also want to check out the OAuth page of the Trade Me Developer API reference which explains how OAuth authentication should be performed for the Trade Me API
Sorry I can't be of more direct assistance, as I'm not a Java developer.
I'm a bit confused as to how to use Facebook's app access token with Spring Social.
I already have an app access token by making a GET request to:
http://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
I can't use (for reasons I don't want to discuss here) the standard Spring Social connection creation flow and I want to use this token (if possible).
My question is generally directed toward the GraphApi.
So in general can I use an app access token acquired via a standard GET to make requests to the Graph Api through Spring Social ?
Thanks,
There are very few things that the app access token can be used for. Most of the operations in the Graph API are for fetching user data and therefore you MUST obtain a user access token. The app access token you have will not work.
If you're planning to use your app access token to fetch a user's profile, see their friends list, or post to their timeline (or anything that pertains to a user), then you're out of luck. Imagine the chaos that would ensue if all you had to do to read and post on behalf of a user is obtain an app access token! You must get the user's permission for that kind of thing.
There are 3 ways to get a user access token: Authorization code grant (which is what Spring Social's ConnectController does and is most appropriate for traditional web applications), implicit grant (which is more appropriate for client-side Javascript), and resource owner credentials grant (which is most appropriate for mobile or desktop applications where doing a browser redirect is awkward, difficult, or impossible).
The app access token you have is only intended to consume API endpoints that are application-centric and do not pertain to any given user. There are a few such operations in Facebook's API, but the only one that immediately comes to mind is that you can use an app token to create test users (see https://developers.facebook.com/docs/test_users/).
Just as most of Facebook's API is user-centric, likewise is Spring Social's Facebook API binding. If, however, there's an app-centric operation that you'd like to see added to Spring Social, I'd appreciate it if you'd let me know at https://jira.springsource.org/browse/SOCIALFB.