I'm trying to get oAuth working for accessing QuickBooks Online. I have a QuickBooks login/connect button embedded on a page that triggers the whole oAuth process. When it's clicked, a window pops up that is directed towards my apps getRequestToken endpoint. The handler (servlet) issues a request to the QuickBooks oAuth request token API, and it gets back:
Request Token
Request Token Secret
Authorization URL
So I have the response send a redirect to the Authorization URL. The pop up window now displays a QuickBooks login, after which there is a request to authorize my app with the users account. Once that's done, the pop up window is redirected to my apps getAccessToken endpoint (the callback URL that I included when calling the request token API).
From there, I obviously have to send a request to the QuickBooks oAuth access token API to get an access token and access secret, but apparently I need to supply:
Request Token
Request Token Secret
oauth_verifier
The oauth_verifier is provided as a parameter in the callback to my getAccessToken endpoint, as well as an oauth_token, but I don't understand how to get hold of the request token and request token secret from here. Am I supposed to have my getRequestToken endpoint store them somewhere once they're retrieved.
I'd prefer not to, but is this the only way to do it?
Am I supposed to have my getRequestToken endpoint store them somewhere once they're retrieved?
Yes. :-)
Does that answer the question? Yes, you need to temporarily store the request token somewhere while you wait for the user to arrive back on your site.
Related
Based on the diagram you can see above (Oauth authrization flow). Reference https://youtu.be/oKzeHshquCs?t=1949
Using user credentials (username, password), we are attempting to
get an authorization code (login).
Authorization code received.
Using the received authorization code we are now requesting an
access token.
When access token is given. This access token will be
now used to access the resource server (as Bearer Token).
I would like to ask how to implement this using API, using the latest implementation of OAuth2. Using custom REST API's on the Authorization Server.
Scenario: using two api's ('/auth/code' then ''auth/token'')
Using user credentials (username, password) the user will request on
api '/auth/code', where authorization_code as the response.
Using the recieved authorization code (from #1), we will request an access
token on '/auth/token'. Access token will be used as bearer token on
the authorization server.
Or if we can do this two step (#1 and #2 above) on one API process (auth/token) would also be great.
Do you have any working project in regards with this?
I have explored the code of Baeldung, but based on this implementation, it is still using the default implementation of spring security. It would be my great pleasure if there are Senpai's out there can help me with this. Thanks :)
There's no such API to get an authorization code directly passing the user credentials. Usually, there would be an API (/as/authorization), which redirects the user to the login page. Once the user enters his credentials, he will be redirected to the target application with the authorization code in code as the query parameter of the URL. (You need to configure your app's URL as a redirect URL or callback URL in the Identity provider)
This code is usually short-lived and can't be used more than a time. (i.e) You can use this code only once to get an access token. When you exchange the code with an access token, you should be seeing refresh_token (if you granted access to refresh_token grant_type in the IdP) as well with which you can request tokens in the future.
You need to configure all these things in an Identity Provider. This could be PingIdentity, Auth0, etc.
Make a call to /as/authorization API
Once user enters his credentials and redirected to the target application, extract the code from the query parameter and make a call to token API (oauth/token) to get access_token and refresh_token
Once the access_token is expired, use the refresh_token to get a new access_token (grant_type should be refresh_token).
Once the refresh_token is expired, you need to again get the authorization_code again with the /as/authorization API.
I feel unclear about authorization code flow. the main difference between implicit flow and authorization code flow is that authorization code flow validates the client(using id and secret). first i define the steps of authorization code flow and I raise my doubt from them.
Authorization code flow steps(some of them skipped)
Authorization code request send to authorization server then user redirect to login page
request contains
- response_type=auth code
- scope
- state
- redirect_uri
- client-id
if user credential are right then auth server redirect the url with auth code and state
client send post request to autherization server for access token
request contains
- grant type
- code (auth code)
- redirect_uri
- client_id
- client_secret
once auth server validated above request we get access token as reponse
using the access token client will access the resource server
My question is why we're sending client secret on 3rd step instead of first step. what if we send client id and client secret in first step and redirect user to login page so after he logged in client can get access token directly why auth code related steps needed.
How i expect above steps to be is
user click the link so request send to auth server. which validates client id and secret if they're valid then user will be redirected to login page
request contains
- response_type: access token
- scope
- state
- redirect_uri
- client-id
- client-secret
if user credential are right then auth server redirect the url with access token and state
using the access token client will access the resource server
client authentication can be done in first step why we need to drag it by sending client secret in 3rd step . why we need auth code related steps it's confusing can anyone explain the purpose of having auth code related steps?
Because anything the authorization server (maybe Google) sends to the browser is logged to the browser. "auth code" is very short-lived (not more than 1 hour). An access token is long-lived so if the authorization server sends the access token to the browser in the first step, it would be logged to the browser so if it is compromised through the log, someone else would access to the app on your behalf.
As I understand, in authorization code flow we need to get authorization code and use it to get token after. We can get this code only when user confirms specified access. After that browser redirects us to redirect_uri and response will contain authorization code as parameter. So, the question: is it possible to get this authorization code without browser or any self made UI? Can we get it in application after correct request to, for example https://mysite.tuz/authorize ?
As you are using authorization code flow, the client requires a user agent (i.e browser or mobile app) to get the authorization code from the authorization server.
The whole purpose of using authorization code is that it can be passed via the user's web browser (user agent) instead of passing the access tokens directly via the web browser (user agent) which is not desired. Using authorization code,the Client then can directly retrieve an Access Token from the authorization server.
So the user agent is required to get the authorization code and act as an intermediary between client and authorization server.
If you do not require a browser then authorization code flow may not the correct choice. OAuth 2.0 supports several different grants i.e ways of retrieving an Access Token. Deciding which one is suited for your case depends mostly on your Client's type.
This might help you in deciding which flow to use
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
You should use client credentials to obtain token without browser or any client. But if you need to use user credentials to get access token and id token of the user without browser or mobile app you need to implement you own client which will do the necessary logic for you and fetch the token for you. I already did it in java for the testing purpose. I don't know why you need to do it but you can implement your own client in almost any programming language . But in case you will decide to go this way you have to handle lot of things.
I expect your authorization server requires Proof-Key for Code
Exchange (PKCE) - so first of all before you start to communication
with server you have to create code verifier and code challenge
(google can help you with that :) in java it is quite simple)
Then you should start communication with server sending get request to url which ends with 'auth' you should send query params as: response_type (which is 'authorization_code' in your case), redirect_uri, client_id, code_verifier, code_challenge, scope, code_challenge_method (probably 'S256')
Then you receive I think two redirects from server so it is better to have some client in java which will automatically call those redirects. I used apache http client for my implementation. It has lot of features.
After successful redirect server will return login page to your client. It depends on authorization server but in this page you should put the data as username and password and submit the page. I have simply parsed the returned page and get the url for user authentication from it and simply make post request to that url with user credentials data sent in encoded form entity. In apache http client you will have all cookies from previous communication set (until you close the client) since apache http client automatically set all cookies returned in previous communication from server.
After make authentication request server will send you two redirects and you can store those redirects int http client context which you will provide for http client when you call authentication url.
In the last redirect there will be query parameter sent be server named "CODE" this is really important for you since you will use it to get token from the server
And finally you have to make one last post request to authorization server with url ended as token. So make a post request with GRANT_TYPE, REDIRECT_URI, CODE (you received in previous redirect), CLIENT_ID, CODE_VERIFIER (you have generated at the beginning);
Then authorization server will send you token and that's all
Hello everyone!
I am writing an application in Java which retrieves information from Instagram server by their API, accumulates it and builds a visualization map.
The problem is that I cannot automate the authentication process. The official Instagram API documentation states that:
In order to receive an access_token, you must do the following:
Direct the user to our authorization url.
If the user is not logged in, they will be asked to log in.
The user will be asked if they would like to grant your application access to her Instagram data.
The server will redirect the user in one of two ways that you choose:"
So it is a compulsory step for a user to login manually into his/her account. I believe that this is done in order to grant permissions to an app that uses Instagram API on behave of a user, for example, if it makes some posts in his/her account. However, I am not going to use any user's personal account. In fact I set up a seperate account for my application and registered the app (I got client_id, client_secret and set the redirect_uri). So I want only to use those credentials in order to get updated access token and make some REST API posts to Instagram.
What I do now, I make a GET request, receive back a login html page, parse it, insert my account credentials and after I make a POST request I receive the 400 code:
Sending 'GET' request to URL : instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=localhost&response_type=code
Response Code : 200
Extracting form data...
Sending 'POST' request to URL : instagram.com/oauth/authorize/?client_id=CLIET_ID&redirect_uri=localhost&response_type=code
Request content:CONTENT&username=LOGIN&password=PASSWORD&=Log+in
Response Code : 302
Sending 'POST' request to URL : www.instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=localhost&response_type=code
Request content:CLIENT_ID&username=LOGIN&password=PASSWORD&=Log+in
Response Code : 400
I don't understand why am I redirrected one more time. I am assuming that is because some security issues, maybe some hidden fields... do you have any ideas?
I appriciate any ideas and possible solutions to the problem. Thanks!
As i can understand from the requests it uses oath protocol which is common for google , twitter and more popular site authentication protocol.
Why not trying an oath library such as
https://github.com/google/google-oauth-java-client
When connecting to the google services from a desktop app user is required to enter access code provided to him to generate accessToken.
I can't quite understand how to properly save it and restore into GoogleCredential so user wouldn't have to authorize my app on every launch.
Can somebody provide me with a code snippet of this process or a more detailed instruction than the one Google provides?
First you have to register your project into the Google Developer console. From the console your will get some credentials like: cliend id, client secrets.
Now when you want to authorize your application u need to get an access token. But before u have to get an "authorization token". For this u need to use an url like this
https://accounts.google.com/o/oauth2/auth?
redirect_uri=yourredirectpage&
response_type=code&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&
approval_prompt=force&access_type=offline
The response of this request contains the authorization token. Now you can exchange the authorization token for the access token with another request:
https://accounts.google.com/o/oauth2/token?
code=4/oIdtdqPBW67CTSpijkm_fbwCqMjF_WJPiSmvsq8zScA.Ilw2ePhp3fQeoiIBeO6P2m_Usz4vlgI&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
client_secret={your_client_secret}&
redirect_uri=yourredirectpage&
grant_type=authorization_code
Where "code" is the authorization_token.
For more details check this: Google Api OAuth