How to get new access token whiteout identify as a registered user - oauth-2.0

When I enter a some websites (YouTube, Spotify...) in the browser (not connecting as a registered user),
some http requests are performed in order to fetch the relevant data (for example a podcast episode on Spotify).
This http request are passed with access token.
How can I get a new access token by writing a code for it, without registering to a user account?
Where can I get more info about how those websites give access token to the browser without obligating the user to sign in first?
thanks!
I've tried to look into OAuth 2.0 but I'm not sure it's relevant.

Related

Programming Flow with Signin with google

I am trying to write a web app which uses sign in with google. I am a bit confused about the sequence of steps which should be followed. According to google docs , the normal flow for signing in a user is:
What i intend to figure out is:
1.) Am i supposed to send the IdToken with each and every subsequent API request from web to my server.
2.) what to do if someone steals this access token and sends a call to my server with it?
Quintessential information from your sketch is presented in Google's official publications:
A volatile token is generated and signed by the issuer (Google) and usually
expires after a rather short lifespan (related post, while not google-login-specific: What is intent of ID Token expiry time in OpenID Connect?). The Google docs describe how to send a token XYZ123 via https to
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
As #ian-barber writes here: "Be sure to always send ID tokens over HTTPS - though they can't be used maliciously in themselves, an attacker could use one to establish themselves a session with your app server if they could intercept it, so its important they aren't sent in plain text."
(Refreshed) tokens are to be used to authenticate users. Then your backend logic (the blue server part) can grant further privileges or e.g. transmit data in a post response. The API (JavaScript version) provides a toolset to monitor the user's session status.
As stated here, you must specify "authorized origins". Only authorized
origins may validate their client users through the Google Identity
API. Please note that even the port
matters, i.e. if you allow localhost:8080 as an authorized origin,
then localhost:9999 is not included! Additionally, the client ID per se is no secret and is naturally exposed in your html document or app. But only authorized origins are eligible to traverse the login workflow and transmit the token to the backend, where it is validated through calls to the API.

Access LinkedIn REST API without front-end (e.g. OAuth2 redirect)

Goal
Fetch a company's updates save them locally in a background task
Problem
This should be done as a backend service without any real user interaction. We could provide a user account to use, but the authentication is a problem: There is literally no one to answer the OAuth redirect and there is no public redirect URL to configure, since it's a background service.
Is there any way to access the API without having a redirect URL or a real user?
You can get an initial access token in a regular front end flow, for you as the app developer i.e yourself as the LinkedIn user. Once you've got that, you can store it in the backend and use it for 60 days to get access to the LinkedIn APIs.
After 60 days you need to refresh the token as documented in:
https://developer.linkedin.com/documents/handling-errors-invalid-tokens
Unfortunately LinkedIn does not (yet) support an autonomous refresh flow where your app can get a new access token by presenting a refresh token on a backchannel. So the developer will have to refresh the access token by a manual login every 2 months.
Well, it is still all HTTP and HTML, so in fact there is no real reason to show the OAuth dialog to a user, as long you can strip out the necessary parts in the HTML authentication dialog and send a valid response back to the server, using the username and password from the user (which you can obtain from him, or save it yourself in a config file if it is you).
Note that there might be a legal issue if LinkedIn demands you to actually show the dialog, beside that, there is no technical need.

Session handling in OAuth

I am writing an application which will connect to multiple email servers using OAuth. As part of initial connection establishment, user will be prompted to give access to application. After granting access, it will redirect to the url provided while registering the application in OAuth API.
Now i want to identify for which user the access token and refresh token belongs after redirect url comes to my application. I want to treat all requests happening in one user session as unique. Can someone help me.
I'm not 100% sure I followed your question, but my understanding is that you want to determine some of the information about the user that's just logged into your API client. You can get email addresses by requesting the https://www.googleapis.com/auth/userinfo.email scope and running a oauth2/userinfo GET request:
gapi.client.oauth2.userinfo.get().execute(function(resp,raw)...
Depending on which scopes you have access too, you will also get a display name and some other info. Best bet is just to console.log(resp) and pick out what you want to use.

How to ensure that my iOS app has a valid access token for use with the Instagram API

I'm building an iOS app that will use instagram photos in a slide show as the background of the app.
What I want to do is just set up a specific account that I can upload pictures to, and then the app will pull in the most recent photos from this account.
So far, I've set up the account and have been able to generate an access token manually by inserting my client id and redirect URI into this URL
https://instagram.com/oauth/authorize/?client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URI]&response_type=code
However, I've read that the access token generated from following this procedure is not permanent. I do not want the users of my app to ever see the authentication going on in the background. They themselves will never actually login into Instagram.
What would be the best way of making sure my app is always authenticated at launch and that the access token is always valid?
Thanks
A typical OAuth flow has the resource owner (a user) approve or deny requests from a client application. When you first got an access token, you had to complete a form approving access to Intsagram by your app.
Since you want to hide the auth_server/resource_owner interaction from your end users, you'll have to automate the role of the resource owner. The access token should tell you when it expires. Since it's your redirection endpoint that has the access token, that's where you'll need code to detect the token will soon expire and request a new one. Your code will need to
Simulate a request from the client app by going to https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code
Respond to the HTML page that is returned. Approve the request.
The server will respond with an authorization code that you can exchange for
a new access token.
There are some hoops to jump through because OAuth is designed for the resource owner to approve or deny each request.
I don't think you would want to do this by logging into the target account because having your app's user log in to Instagram as the account you are talking about may be unnecessary.
While I am not an expert on the Instagram API, it looks like you can avoid using an access token for getting the feed of a particular user.
Here is some support for this:
Do you need to authenticate?
For the most part, Instagram’s API only requires the use of a client_id. A client_id simply associates your server, script, or program with a specific application. However, some requests require authentication - specifically requests made on behalf of a user. Authenticated requests require an access_token. These tokens are unique to a user and should be stored securely. Access tokens may expire at any time in the future.
http://instagram.com/developer/authentication/
If a client ID is only associated with your application and does not require the user to authenticate, it appears that this endpoint should work:
GET /users/user-id/media/recent
https://api.instagram.com/v1/users/3/media/recent/?client_id=YOUR-CLIENT_ID
The functionality is the same with the previous one, but use client_id
instead of access_token
PARAMETERS
COUNT Count of media to return.
MAX_TIMESTAMP Return media before this UNIX timestamp.
MIN_TIMESTAMP Return media after this UNIX timestamp.
MIN_ID Return media later than this min_id. CLIENT_ID A valid client id.
MAX_ID Return media earlier than this max_id.
http://instagram.com/developer/endpoints/users/#get_users_media_recent_with_client_id

Oauth flow for google

I am trying to impliment Oauth for my webapplication for google.I am worked upon a POC and it working fine but i have a confusion and not sure how best it can be achieved.
I am using scribe java API for Oauth.
here are the steps i am performing.
Getting request token from Google.
Redirecting user to Google to authenticate them self and authorize my serivice to access his/her few details.
get Access Toekn from google by providing request token and verification code given by google.
Accessing user info once google provide Access token.
now my main confusion is at step no 3, since i am working on a web-application so it will be a 2 step process.
Redirecting user to google
Handling back google redirect.
In order to get an Access token i need to provide same request token which i got at step1 else my request being rejected by the user.
The request token contains 2 things
Toekn -->which is based on the registered application so not an issue
Secret-->This is always being a random string so it should be same when asking for access token
that means i need to store this secret either in my session or some where so that i can access this secret when user is being redirected back to my application.
My confusion is,since in order to save it in session i have to create a unique key and some way to access it in the other action class which will handle Google Redirect back how can i achieve this since at a given time so many user can ask to login using google.
any help in this regard will be much appriciated.
Thanks in advance
When you receive the request token + token secret, use the request token as the unique key of your session to store the token information. After the authorization process, in the callback url, you have access to the request token (it's one of the parameters passed to the callback url). Using this parameter as the session key, you can restore the token information from session, including the token secret, and use it to sign your request for changing the request token for access token. After receiving the access token, a new token secret is returned to you and you can delete the old one from session.
how can i achieve this since at a given time so many user can ask to
login using google
This is not of any problem because for every single user on your site, you are given a different request token.

Resources