When connecting to the google services from a desktop app user is required to enter access code provided to him to generate accessToken.
I can't quite understand how to properly save it and restore into GoogleCredential so user wouldn't have to authorize my app on every launch.
Can somebody provide me with a code snippet of this process or a more detailed instruction than the one Google provides?
First you have to register your project into the Google Developer console. From the console your will get some credentials like: cliend id, client secrets.
Now when you want to authorize your application u need to get an access token. But before u have to get an "authorization token". For this u need to use an url like this
https://accounts.google.com/o/oauth2/auth?
redirect_uri=yourredirectpage&
response_type=code&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&
approval_prompt=force&access_type=offline
The response of this request contains the authorization token. Now you can exchange the authorization token for the access token with another request:
https://accounts.google.com/o/oauth2/token?
code=4/oIdtdqPBW67CTSpijkm_fbwCqMjF_WJPiSmvsq8zScA.Ilw2ePhp3fQeoiIBeO6P2m_Usz4vlgI&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
client_secret={your_client_secret}&
redirect_uri=yourredirectpage&
grant_type=authorization_code
Where "code" is the authorization_token.
For more details check this: Google Api OAuth
Related
Based on the diagram you can see above (Oauth authrization flow). Reference https://youtu.be/oKzeHshquCs?t=1949
Using user credentials (username, password), we are attempting to
get an authorization code (login).
Authorization code received.
Using the received authorization code we are now requesting an
access token.
When access token is given. This access token will be
now used to access the resource server (as Bearer Token).
I would like to ask how to implement this using API, using the latest implementation of OAuth2. Using custom REST API's on the Authorization Server.
Scenario: using two api's ('/auth/code' then ''auth/token'')
Using user credentials (username, password) the user will request on
api '/auth/code', where authorization_code as the response.
Using the recieved authorization code (from #1), we will request an access
token on '/auth/token'. Access token will be used as bearer token on
the authorization server.
Or if we can do this two step (#1 and #2 above) on one API process (auth/token) would also be great.
Do you have any working project in regards with this?
I have explored the code of Baeldung, but based on this implementation, it is still using the default implementation of spring security. It would be my great pleasure if there are Senpai's out there can help me with this. Thanks :)
There's no such API to get an authorization code directly passing the user credentials. Usually, there would be an API (/as/authorization), which redirects the user to the login page. Once the user enters his credentials, he will be redirected to the target application with the authorization code in code as the query parameter of the URL. (You need to configure your app's URL as a redirect URL or callback URL in the Identity provider)
This code is usually short-lived and can't be used more than a time. (i.e) You can use this code only once to get an access token. When you exchange the code with an access token, you should be seeing refresh_token (if you granted access to refresh_token grant_type in the IdP) as well with which you can request tokens in the future.
You need to configure all these things in an Identity Provider. This could be PingIdentity, Auth0, etc.
Make a call to /as/authorization API
Once user enters his credentials and redirected to the target application, extract the code from the query parameter and make a call to token API (oauth/token) to get access_token and refresh_token
Once the access_token is expired, use the refresh_token to get a new access_token (grant_type should be refresh_token).
Once the refresh_token is expired, you need to again get the authorization_code again with the /as/authorization API.
I've implemented an application that redirects to the wso2 identity server login page. If the login is successfull the user is redirected to a page where he can read his profile details.
Based on his role he can perform certain action, like create a new user.
I've implemented an API (http://localhost:8080/add-user) that calls this URL ( https://localhost:9443/t/carbon.super/oauth2/token) to generate the access token with the desired scope (for example internal_user_mgt_create) that I need in order to call
the wso2 SCIM2.0 API (https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint/createUser).
Everything works if I use grant_type=password and I use the user credentials to generate the access token to call the wso2 SCIM2.0 API, but I want to use "authorization_code" as grant_type to avoid sending user credentials in my application.
How can I do that? And I know that one of the parameters that I need to use this flow is "code", where can I get its value?
You can configure authorization code grant in your application by selecting the Code from the Allowed Grant Types list OAuth/OpenID Connect Configuration in your application. [1]
When using the auth code grant your application needs to wso2 authorize endpoint to obtain the authorization code Using this authorization token and client secret you can obtain the access that is capable of calling the scim endpoint.
Refer to following documents for more information
[1]. https://is.docs.wso2.com/en/latest/guides/access-delegation/authorization-code/
[2]. https://medium.com/identity-beyond-borders/generating-access-tokens-using-wso2-identity-server-4d8c084a3bf5
It's harder to provide an exact answer to this question without knowing more details about the app and the flow you'd expect your users to go. However, it'd be much easier if you have a better understanding of the OAuth2 code grant type. The following is the basic flow.
The user accesses your application through a web browser.
Your application redirects the user to the identity server, with the following parameters in the request.
client_id=xxx
response_type=code
redirect_uri=yyy - Location in your application where you want to get the authz code. This needs to be registered with the IS service provider beforehand.
scopes
The IS prompts the user to log in.
The IS then redirects the user to the given redirect URI, with the authorization code.
Once the code is received by the client, it makes a back channel call to the token endpoint of the IS (https://localhost:9443/t/carbon.super/oauth2/token) with the following parameters.
grant_type=authorization_code
client_id=xxx
client_secret=zzz
code=ccc
IS validates the code and issues an access token.
Read more on OAuth2 here.
Now, if you're getting the "Inactive authorization code" error, your application might already be calling the token endpoint with the code received, before you call your add-user API.
Ideally, your add-user API shouldn't call the token endpoint at all. You should call the token endpoint from your application, get an access token and pass that to the add-user API if needed. Or you can directly call the SCIM API from your application itself.
I hope this helps!
I'm just trying to make a simple app, but I can't even get past authenticating the user. I am using the Google OAuth Client Library for Java.
These are the current steps I am taking:
Start local web server to listen for the loopback response after the OAuth authentication.
Generate the auth URL:
String url = new AuthorizationCodeRequestUrl(AUTH_URL, CLIENT_ID)
.setScopes(scopes) // Contains https://www.googleapis.com/auth/drive.readonly
.setRedirectUri(LOCALHOST + r.getPort()) // Port of local web server
.build();
Use URL to authenticate account.
Google returns auth code.
Exchange auth code for access token.
TokenResponse token = new AuthorizationCodeTokenRequest(...)
.setRedirectUri("http://localhost") // <--
.setClientAuthentication(getClientAuth()) // ClientParametersAuthentication object
.execute();
This is where my problem occurs. No matter what value I put in for redirect_uri, I always get {"error":"redirect_uri_mismatch","error_description":"Bad Request"} in return.
Searching Google for the error, every single result says that it's because the redirect_uri I sent is not registered in the API console.
When I download the credentials json file, the redirect_uris section contains "urn:ietf:wg:oauth:2.0:oob","http://localhost", but it's all the same error no matter what I put in.
I went to the Credentials section of the project to fix it, but since this is an installed application, creating credentials for the project gives me no option to set any redirect uris. The only way to get access to changing redirect_uris are to create the credentials for "Web application," but this isn't a web application and I don't have a domain it can redirect to.
So I'm stuck, redirect_uri options are not available to me and no value that I use works, I honestly don't know what else to try. What steps can I take to fix this?
It turns out that the same redirect_uri must be used for the auth code and access token even if it's not going to be used for retrieving the access token.
I would like to integrate PayPal signin into an android app so to authenticate the client to the Firebase Database. I've managed to create a custom funtion on the node.js server that creates tokens from the provided uid, in order to use "signin withcustomtoken" function in the client application. Should I send the uid to the nodejs server through https in order to get the token? Is there a better way?
Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid.
What you need to do is the following:
Implement a paypal OAuth code flow. You can use third party libraries for that.
When you get the paypal OAuth authorization code, you send it to your backend, you use the paypal client ID and secret to exchange for a paypal refresh token and access token. You can then get the user info associated with that paypal user including their paypal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
On the client you would signInWithCustomToken to complete sign in with that custom token.
In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.
This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.
Hello everyone!
I am writing an application in Java which retrieves information from Instagram server by their API, accumulates it and builds a visualization map.
The problem is that I cannot automate the authentication process. The official Instagram API documentation states that:
In order to receive an access_token, you must do the following:
Direct the user to our authorization url.
If the user is not logged in, they will be asked to log in.
The user will be asked if they would like to grant your application access to her Instagram data.
The server will redirect the user in one of two ways that you choose:"
So it is a compulsory step for a user to login manually into his/her account. I believe that this is done in order to grant permissions to an app that uses Instagram API on behave of a user, for example, if it makes some posts in his/her account. However, I am not going to use any user's personal account. In fact I set up a seperate account for my application and registered the app (I got client_id, client_secret and set the redirect_uri). So I want only to use those credentials in order to get updated access token and make some REST API posts to Instagram.
What I do now, I make a GET request, receive back a login html page, parse it, insert my account credentials and after I make a POST request I receive the 400 code:
Sending 'GET' request to URL : instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=localhost&response_type=code
Response Code : 200
Extracting form data...
Sending 'POST' request to URL : instagram.com/oauth/authorize/?client_id=CLIET_ID&redirect_uri=localhost&response_type=code
Request content:CONTENT&username=LOGIN&password=PASSWORD&=Log+in
Response Code : 302
Sending 'POST' request to URL : www.instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=localhost&response_type=code
Request content:CLIENT_ID&username=LOGIN&password=PASSWORD&=Log+in
Response Code : 400
I don't understand why am I redirrected one more time. I am assuming that is because some security issues, maybe some hidden fields... do you have any ideas?
I appriciate any ideas and possible solutions to the problem. Thanks!
As i can understand from the requests it uses oath protocol which is common for google , twitter and more popular site authentication protocol.
Why not trying an oath library such as
https://github.com/google/google-oauth-java-client