The Request Token and Token Secret MUST be exchanged for an Access Token and Token Secret.
To request an Access Token, the Consumer makes an HTTP request to the Service Provider’s Access Token URL. The Service Provider documentation specifies the HTTP method for this request, and HTTP POST is RECOMMENDED. The request MUST be signed per Signing Requests, and contains the following parameters:
oauth_consumer_key:
The Consumer Key.
oauth_token:
The Request Token obtained previously.
oauth_signature_method:
The signature method the Consumer used to sign the request.
oauth_signature:
The signature as defined in Signing Requests.
oauth_timestamp:
As defined in Nonce and Timestamp.
oauth_nonce:
As defined in Nonce and Timestamp.
how to get these parameters in java
AppKeyPair appKeys = new AppKeyPair("INSERT_APP_KEY_HERE", "INSERT_SECRET_HERE"); //Both from Dropbox developer website
WebAuthSession session = new WebAuthSession(appKeys, Session.AccessType.DROPBOX);
DropboxAPI<WebAuthSession> mDBApi = new DropboxAPI<WebAuthSession>(session);
System.out.println(mDBApi.getSession().getAuthInfo().url);
The URL contains all the information need I believe.
Dropbox API downloaded form here: https://www.dropbox.com/developers/reference/sdk
Go here to get App key information:
https://www.dropbox.com/developers/apps (Must sign in to dropbox and create new app)
You don't need all the extra stuff other than oauth_token if you connect over https.
If you're using the HTTP API directly, you can get a request token via the /oauth/request_token call.
Instead of using the HTTP API directly, you might find it easier to use the official Java SDK for Dropbox. Documentation on the OAuth flow: WebAuthSession.java.
Related
I confused with basic http authorization. It is needed to send every request to server with Authorization header or just first one and after that browser rember auth tokens like session id?
You have to send the Authorization header on each request. But for example Chrome remembers the auth tokens and sends it automatically on each request.
Using basic authentication, every request needs to have an Authorization HTTP header in the format:
Authorization: Basic <base64(username:password)>
where the username and password are concatenated using a colon (':') and the resulting string is base64 encoded.
If the Authorization header is not part of the request, or the credentials inside are not valid, the server should respond with an HTTP 401 Unauthorized response and include a HTTP header like:
WWW-Authenticate: Basic realm="myRealm"
Basic authentication is an implicit authentication scheme, so after the user enters valid credential, the browser will send them along with each page request.
For AJAX requests you'll need to attach this header from code. However, you really should not use basic authentication to protect an API, for a number of reasons:
You'd force the client to hold those credentials in code, where they can easily be stolen.
You must use HTTPS with basic authentication as base64 encoding gives no protection of the credentials at all.
Username/password combinations are usually valid much longer than an access token, thereby increasing the risk if they get stolen.
Password validation should be a slow process to mitigate brute force attacks, where token validation is just verifying a digital signature.
Having to send the username/password over the wire every time increases the attack surface for someone trying to break the encryption.
Better alternatives to protect web APIs are token based authentication schemes like OAuth2 or HMAC based authentication schemes like Hawk or AWS
Ya that's correct , so for first time when user logs in , his credentials are verified against some data , if correct , a auth token is generated.
Auth token is pretty much a self contained entity (which stores some data signed with a key)
this token gets stores at client side(usually along with a refresh token)
for all subsequent requests , this token is kept in Authorization header(Bearer+token)
When server receives this token , it decrypts it with the key , which it used earlier to sign that token. And uses that stored data
If that auth token is expired , refresh token comes into play.
some links to begin with
On a high level, how does OAuth 2 work?
and jwt.io to get the feel of tokens
I am trying to generate an Oauth signature in order to authenticate an user in flickr.com from my android app.
According to the article in flickr.com, I have to send a signing request in order to get the signature. The hyperlink to the flickr.com guide page is:
http://www.flickr.com/services/api/auth.oauth.html#request_token
According to the post, I have to send a request like this to the flickr server in order to receive the signature key:
http://www.flickr.com/services/oauth/request_token
?oauth_nonce=89601180
&oauth_timestamp=1305583298
&oauth_consumer_key=653e7a6ecc1d528c516cc8f92cf98611
&oauth_signature_method=HMAC-SHA1
&oauth_version=1.0
&oauth_callback=http%3A%2F%2Fwww.example.com
I have send a request from my app, in the above mentioned format, but all I received is an error saying oauth_problem=parameter_absent&oauth_parameter_absent=oauth_signature.
My request code is:
HttpGet get = new HttpGet("http://www.flickr.com/services/oauth/request_token?oauth_nonce="+nonce+"&oauth_timestamp="+ts+"&oauth_consumer_key=****&oauth_signature_method=HMAC-SHA1&oauth_version=1.0");
Actually the problem is that, the url through which I am requesting for the signature is responding in a wrong way. Where it should return the signature, its asking for the signature.
The signing step is no request. You take the URI you have so far and transform it into the base string as seen in the documentation (URL encoding its parts and the like). The you use the HMAC-SHA1 algorithm witch takes the 2 parameters key and data. Use the base string as data and key
is the concatenated values of the Consumer Secret and Token Secret, separated by an '&'.
The value you get back from the algorithm (the signature) is then appended to your URI with
&oauth_signature={ALGORITHM_OUTPUT}
Using this new URI you can then request tokens.
If you think this is too much work, check out some Java OAuth library, e.g. scribe-java.
I am using the HTTPComponents library for this implementation.
My RESTful implementation comprises of supplying a username/password, to generate a token. This token, in turn is supplied as a header to the ensuing API calls as:
authorization = <40 char token>
However, a method.addRequestHeader("authorization","<40 char token>"); isn't authenticating the service call.
Do I need to specify the token differently?
I think this is acceptable method to pass token in httpheader.
but try to send token after encoding on network for more secure transmission.
Right now i'm using java to build rest service, and trying to use spring security to securing my service.
I have a few parameter that server needs to process the service (ex: application ID, username, password, consumer ID) . For username and password, I put in on http header "authorization", encoded with base64. Is there a way to put another parameters above (ex. AppID, consID) into http header?
Some sample of code would help, thanks.
You can put whatever you want in a whatever header you like. You can create custom headers. So you can have a App-Id header where you pass the appId. Alternatively you can pass those as parameters in the URL. That way you'll get rid of the option that some (stupid) proxy trims your headers.
Btw, I would suggest not to send the password, unless you are using https. Generally, I can recommend two similar scenarios:
use OAuth - let the user grant access to the API client via the OAuth dance. The client ends up with a token which it uses on each request.
use a custom, simplified token scheme - login once (with username and password, over https), and send a short-lived token in response. Each subsequent request can be made over an unsecured connection by providing the token, and (optionally) some HMAC of the request parameters, using a consumer secret as a key, so that you can verify the client is legit.
I implemented a Facebook app with Java servlets. I wonder how I can read the access token from the HTTP request sent by Facebook after authentication.
The request sent to me by Facebook looks like this: http://myserver/app/servlet#access_token=3108888%7C2.AQByEGAdEk7D5hs3.3600.130400.1-10005014%7C3XTVE&expires_in=4317
How can I read the access token (which is a fragment and not a parameter) in my Java servlet? If it was a parameter I would do:
request.getParameter("access_token);
To make facebook send the request which contains access_token in http parameters, one needs to change the resoponse_type parameter in request. It is of two types code and token. If we pass token the access_code will be in url fragment and if we pass token it will be request parameter with key as code.
See: Constructing a URL to the OAuth Dialog
For server side handling of access_code e.g. in some servlet, it is needed to send request_type as code else it can be handled only in client side through javascript.