I want to implement XOAuth 2.0 for my web application in Java.
My application asks for username and password from the user. Now using these credentials I want to authenticate the user through Gmail.
Please suggest libraries, and also how to implement it??
I am new to authentication using Gmail. Need some suggestions.
as I know the purpose of the OAuth 2.0 is to prevent leak of the user's credentials into 3rd party applications.
The abstract flow shows how client (3rd party app) should use the access_token (retrieved with one of the grant types) to access resource.
The specification also defines the basic HTTPS calls to use for example in case of an authorization code grant type (I think this flow best suits for you). This has 2 request, one for the code (user agent redirection is used to send the code to the 3rd party app) and one for the access_token.
Authorization code request&response
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz
Token request&response:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
So you do not need to ask a user for the GMail credentials.
Here you can find a spring-security example for an OAuth 2.0 compliant application.
I hope I could help.
Related
Summary : I am working on embedding Power BI reports in a ISV application and when i try to call api endpoint to get embedding details of the report it responds with 400 Bad Request . I am directly calling Power BI APIs without use of SDK as microsoft hasn't officially released PowerBI SDK for Java based application . Also , for debugging I used another .net application which uses PowerBI SDK to make the same API call against same workspace and it works without issues.
All other API endpoints like 'list all workspaces','get workspace details',' list all dashboards' in a workspace ' and even 'list all reports in workspace' respond as requested without issues, but the API endpoint listed here :
Power BI get report embedding details using 'workspace_id' and 'report_id'
responds with 400 Bad request with seemingly right credentials and request.
Interfacing Application Context :
The ISV application is built on Spring boot framework(Java) and Angular 2 framework .
Currently,I couldn't find official Microsoft Power BI SDK for Java based application , because of which i am directly referencing APIs from the Power BI API reference doc
ISV application has all necessary permissions to access the APIs listed here :
https://learn.microsoft.com/en-us/power-bi/developer/power-bi-permissions
The application is able to generate token,make authenticated request and get response from power bi for all other api endpoints which are used in the application .
Issue and Debugging
Debugging :
This is the request that PowerBI .NET SDK makes and which works against get report API :
GET https://api.powerbi.com/v1.0/myorg/groups/d864b33b-74dd-4683-9cfd-91c712039147/reports/d618f04d-0b9d-483b-8f9c-cb1210d14595 HTTP/1.1
Authorization: Bearer auth-token
User-Agent: FxVersion/4.7.2117.0 Windows_7_Enterprise/6.1.7601 Microsoft.PowerBI.Api.V2.PowerBIClient/2.0.2.17225
Host: api.powerbi.com
This is the request that my application makes directly referencing API endpoint which returns 400 :
GET https://api.powerbi.com/v1.0/myorg/groups/d864b33b-74dd-4683-9cfd-91c712039147/reports/d618f04d-0b9d-483b-8f9c-cb1210d14595 HTTP/1.1
cache-control: no-cache
Postman-Token: some-token
Authorization: Bearer auth-token
User-Agent: PostmanRuntime/7.1.1
Accept: /
Host: api.powerbi.com
This is due to Accept HTTP header. Microsoft`s REST Method does not support it.
Try:
curl -XGET
"https://api.powerbi.com/v1.0/myorg/groups/{groupId}/reports/{reportId}" -i -H
"Authorization: Bearer {token}" -H "Accept:"
-H "Accept:" will disable this HTTP header. (By default curl sends Accept: * / *)
Setup:
Spring Boot application
OAuth2 security
ReactJS for UI implementation
Use case:
Login to application
open other tab with same application in same browser
Logout from application in one of the tabs, user are redirected to Login view
Go to first tab(user already logout and if I refresh page I will get login form) and do any action that triggers POST/PUT/PATCH request. Example of request and response below:
Request:
Request URL:http://localhost:8080/api/info
Request Method:PUT
Status Code:302 Found
Remote Address:[::1]:8080
Referrer Policy:no-referrer-when-downgrade
accept:application/json
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,sv;q=0.6,ru;q=0.4,uk;q=0.2,fr;q=0.2
Cache-Control:no-cache
Connection:keep-alive
Content-Length:66
Content-Type:application/json
Cookie:_ga=GA1.1.1868465923.1505828166; _gid=GA1.1.612220229.1507272075; session=e4oSW4Kq; prod_user_session=4d6b615f-521704; user_session=g3ggLxJDomyZ
Host:localhost:8080
mode:cors
Origin:http://localhost:8080
Pragma:no-cache
Referer:http://localhost:8080/profile
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Response:
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:keep-alive
Content-Length:0
Date:Fri, 06 Oct 2017 12:12:26 GMT
Expires:0
Location:http://localhost:8080/login
Pragma:no-cache
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
After this response system triggers PUT request to http://localhost:8080/login and fails because PUT method not allowed for http://localhost:8080/login request.
Question:
I understands that I'm getting 302 status and Location:http://localhost:8080/login header because I'm already logged out. I want extend response for this case with JSON body or at least ensure that for this case I will get 401 Unauthorised status code instead of 302.
If I understood your question correctly, it sounds like you need two different responses for unauthorized requests coming via a regular webpage load (produces="text/html") vs an AJAX call (produces="application/json"). Currently your unauthorized AJAX call gets redirected to the login page which is a legit page, hence no 401 response code. Here's an example of a setup that accomplishes what you want using XML configs Spring Security Ajax login and #Configuration config https://stackoverflow.com/a/27300215/1718213
Another option that is even more user-friendly is to use Spring's WebSocket support to signal logout events to all the tabs a given user might have open (across all devices and browsers) that would trigger each tab to redirect to the login page.
I used Java Hipster to create my Rest API. I want to use this Rest API in my Java code (I'm developing an Android application). But I don't understand how authenticate me to use my Rest API !
As example, my api is blabla/api/getUser. With Firebug I tried to understand how call my API. I simulate a HTTP request POST with parameters ?id=x and my token in the header (token I got from the request to login from the browser). It's okay, it works, I have my information.
But now, in my java code, I can't send the same HTTP request because I don't know the token. How can I get it ? How can I log me as admin ?
I know : login for admin, password for admin and the URL of my API and parameters I have to send.
Thank's !
OAUTH2
POST
URL:
http://localhost:8080/oauth/token
in the header:
Authorization: eg. 'BASIC Y2xpZW50aWQ6Y2xpZW50c2VjcmV0'
BASE 64 encoding the client details (source: www.base64encode.org/)
Y2xpZW50aWQ6Y2xpZW50c2VjcmV0 == clientid:clientsecret
in the body:
username
password
grant_type
scope
curl -X POST -vu clientid:clientsecret http://localhost:8080/oauth/token -H "Accept: application/json" -d "username=admin&password=admin&grant_type=password&scope=read"
edit:
in android look at retrofit by square
I am trying to reverse engineer a web app (which uses flash object to communicate with server). I have grabbed the network traffic via fiddler i.e., Browsed the app using IE and captured network traffic in Fiddler. This first time i am doing something this so i might be asking very basic questions :(
Now, I have those events/requests in Fiddler but I am having hard time understanding them (besides basic HTTP requests). So I am going to post the traffic flow and then its respective traffic here and at the end the questions
FLOW ON IE
Entered the url website.com/app/app-subdomain/web-app
An HTML page is displayed with user & password request
After login, an HTML page is displayed with Flash object in it (the original app)
IN FIDDLER
(requests in order)
The first thing i see is request to URL:www.website.com:443 which results in 200 status. Fiddler shows there are no cookies or whatsoever. Only the "Clients" are there
The second request i see is to URL:app/app-subdomain/web-app. However, here is the part where i am confused at. In fiddler request body, I see a cookie. which is something like this
GET https://www.website.com/app/app-subdomain/web-app HTTP/1.1
Accept: text/html, application/xhtml+xml, \*/\*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.website.com
Cookie:
NAME-WEB-SESSION=akcxxxpxkxfaxdxccajkjumxax;
hl=us;
dxxxxcxx=0;
NAMESSO=fdxdfxdfdxcfabxxxcxxcdbfexxxxfxfxxxefxecxxaxxxxxxefxxxxxxxxfxaxx;
XSRF-TOKEN=vXXnjhHE-ptnvmYfKfQVxscHyrGrfbwxyxkGzfWZGoU
So far, the thing which is confusing me, is who generated this cookie ? so lets say i am using Apache HTTPClient, would this cookie be generated by it or do I have to ? If i have to, then how to generate the values of those key-value cookie ?
You didn't specify what the first request was exactly, but more than likely this was just a HTTP CONNECT tunnel through which secure traffic flows. You should NEVER see a cookie on a CONNECT tunnel. Have you cleared your browser's cookies and cache? If not, the cookie you saw was likely set on a previous visit to the site and stored in the client's cookie jar. If you have cleared the cache and cookies, that implies that something on the client (e.g. Flash) generated the cookie via some other, non-standard, process.
I am using SOAP UI for testing the web services. In the Authentication tab, I have entered the username and password and domain name.
Sample:
WSDL URL: http://localhost:8080/soap/helloTest?wsdl
Username:hello
pass:helloworld
domain: http://mysysfullname:8080
I have given the correct credentials. I also replaced domain as http://localhost:8080.
Even then I am getting invalid credentials only. The username and password are correct and they are not my windows credentials.
Can some one help how to give the credentials.
Adding Raw Request
POST http://localhost:8080/soap/helloTest HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:8080
Content-Length: 1004
Thanks.
It also depends on the WSS-PasswordType
verify that also.
Try setting SOAP-UI to use Preemptive Authorisation Type.
As per SOAP-ui documentation:
Send Authentication headers with each request without first receiving an authentication challenge. This is a potential security hazard but will improve performance since only one request will be required for authenticated endpoints instead of two.