Twitter OAuth CORS error while redirecting user for authentication from server - twitter

I am trying to build an application for my users so that they can log in to my website using Twitter and they can manage their Twitter account from the website itself.
I have created a full 3-legged authentication flow and other management API calls at my server (some server URL); when I call the authentication API from the browser it works fine.
But now I want to use a webpage for my users so that they can log in and manage their accounts from that website (a website URL different from the server URL). So I am trying to create a flow like this:
User will click to log in on my website.
Website will send a login request to my server with the user credentials so that I can verify the user and its request at my server first.
Then the server will redirect the user to the authentication page of Twitter.
But this is not working; I am getting a CORS error in the console. I attached a screenshot for reference.
Thank you.
Error I am getting in console
I have tried whitelisting the server and website URLs in the Twitter developer console.
I know the flow may work if I return the authentication URL from the server to the frontend and navigate the user to that URL, which may get rid of CORS, but I want to know whether this can be achieved by directly redirecting the user to the authentication URL from the server.
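As an added example (not code from the question, nor from Twitter's documentation), here is what the server side of this flow can look like in Node.js. The CORS error is produced by the browser, not by Twitter or the server: when the login request is a fetch()/XHR call, the browser follows the server's 302 to api.twitter.com as part of that same cross-origin request and then refuses the response, because Twitter's page carries no Access-Control-Allow-Origin header for the website's origin. A plain 302 does work when the login request is a top-level navigation (an HTML form POST, or window.location.assign), because no CORS check applies to navigations. The handler below tells the two cases apart with the Sec-Fetch-Mode request header and, for fetch() callers, returns the authorize URL as JSON instead. verifyCredentials(), obtainRequestToken(), WEBSITE_ORIGIN and req.session are stand-ins for the poster's own user check, OAuth leg 1, front-end origin and session middleware.

```javascript
// Added example, not code from the original question. verifyCredentials(),
// obtainRequestToken(), WEBSITE_ORIGIN and req.session are stand-ins (assumptions)
// for the poster's own user check, OAuth leg 1, front-end origin and session middleware.
const TWITTER_AUTHENTICATE = "https://api.twitter.com/oauth/authenticate";
const WEBSITE_ORIGIN = "https://www.example-website.test"; // assumed front-end origin

// Stand-in for the server's own user check.
function verifyCredentials(username, password) {
  return username === "alice" && password === "correct horse battery staple";
}

// Stand-in for leg 1 of 3-legged OAuth (POST oauth/request_token). Only
// oauth_token goes to the browser; oauth_token_secret stays server-side.
function obtainRequestToken() {
  return { oauth_token: "REQUEST_TOKEN_FROM_LEG_1", oauth_token_secret: "SECRET_FROM_LEG_1" };
}

function buildAuthorizeUrl(oauthToken) {
  const u = new URL(TWITTER_AUTHENTICATE);
  u.searchParams.set("oauth_token", oauthToken);
  return u.toString();
}

// Is this a fetch()/XHR call rather than a top-level navigation? Current
// browsers send "Sec-Fetch-Mode: cors" for a cross-origin fetch(); the Accept
// check covers older clients that ask for JSON explicitly.
function isProgrammaticCall(headers) {
  return headers["sec-fetch-mode"] === "cors" || (headers["accept"] || "").includes("application/json");
}

// req = { headers, body: { username, password }, session }
// Returns { status, headers, body } for the web framework to send.
function handleLogin(req) {
  const { username, password } = req.body || {};
  if (!verifyCredentials(username, password)) {
    return { status: 401, headers: {}, body: "bad credentials" };
  }
  const rt = obtainRequestToken();
  // Keep the request token (and its secret) in the session: the callback handler
  // must check that the oauth_token Twitter returns is the one issued to this user.
  req.session.requestToken = rt;
  const authorizeUrl = buildAuthorizeUrl(rt.oauth_token);

  if (isProgrammaticCall(req.headers)) {
    // fetch() caller: hand back the URL; the page then does window.location.assign(url).
    // The CORS headers let the website's origin read this JSON response.
    return {
      status: 200,
      headers: {
        "content-type": "application/json",
        "access-control-allow-origin": WEBSITE_ORIGIN,
        "access-control-allow-credentials": "true",
      },
      body: JSON.stringify({ authorizeUrl }),
    };
  }
  // Top-level navigation (form POST): the browser follows this redirect itself,
  // and no CORS check is involved because it is a navigation, not a fetch.
  return { status: 302, headers: { location: authorizeUrl }, body: "" };
}

// Browser side of the JSON branch (runs in the page; shown for completeness):
//   const r = await fetch(SERVER + "/login", { method: "POST", credentials: "include",
//     headers: { "content-type": "application/json" },
//     body: JSON.stringify({ username, password }) });
//   window.location.assign((await r.json()).authorizeUrl);
```

If the website only ever submits the login as a regular form POST to the server, the 302 branch alone is enough and no CORS configuration is needed at all; the JSON branch is what the fetch()-based page needs.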

Related

OpenID Connect: Possible to launch web page from application and automatically log in user?

We have a desktop application that requires the user to login. We're using OIDC (Auth code with PKCE) to do the login. I'd really like to be able to launch a browser and go to our website and log the user in automatically without resorting to anything dodgy.
From my understanding of OpenID Connect, I'm pretty sure this can't be done. Am I correct, or is there a mechanism I've missed?
This should work fine if the user has a valid session cookie with the OpenID Provider (OP) in the browser. There's no need to send something to the browser, as the user is already authenticated there.
When subsequently your native app requests authorization, the OP can authenticate the user based on the existing session, provided that request parameters like prompt, max_age and acr_values allow for that.

Redirect the authenticated user to website

I am redirecting the authenticated user to a link on my website from an iOS app (the user is authenticated in the iOS app). There is a login page on the website and some other pages. I want to redirect to my website without asking for login. How can I achieve this?
What is needed to do at iOS side?
What is needed to do at website side?
I'm assuming that when you log in through the iOS app, you receive back an authToken from the server that you can save for further queries. I would recommend sending that token to the server when you redirect and verifying the token on the server side.
As an added layer of security, you can encrypt your token before sending it to the server and then decrypt it on the other side.

WP REST Api with OAuth plugin needs WordPress login cookie to get access token

I have a website running on the Play Framework with Scala. As part of the site, I pull in content from a separately hosted WordPress instance, using the WP REST API.
I've been trying to use their OAuth plugin to access authorised JSON on my WordPress instance. As part of the process, I need to be able to call back to my original website after receiving the verifier. To handle OAuth1 requests in Play, I'm using the excellent Scribe library.
I can get to the stage in the OAuth1 workflow where I need to exchange my verifier and request token for an access token; however, I can only get beyond this by intercepting my outgoing request and attaching a WordPress login cookie that I have previously set.
My workflow is this:
Consumer successfully created using WP CLI
Can hit http://mywordpress.com/oauth1/request and receive a request token
Can hit http://mywordpress.com/oauth1/authorize?oauth_token=mytoken&oauth_callback=http://mysite/callback
When I hit the above URL, I am redirected to http://mywordpress.com/wp-login.php?action=oauth1_authorize&oauth_token=mytoken&oauth_callback=http://mysite/callback
From there, I authorize the token, and am redirected back to http://mysite/callback?oauth_token=mytoken&oauth_verifier=myverifier&wp_scope=%2A
BUT when I try to post my request to get the access token, I get a 401 from http://mywordpress.com.
However, if I intercept the same request using a debugger, and instead send the same request with my WordPress login cookie appended in the headers, I successfully receive the new access oauth_token and oauth_token_secret.
So I need to manually attach the cookie from the http://mywordpress.com domain, with key starting wordpress_logged_in_..., to be able to get my access token.
When I manually append the wordpress_logged_in_... cookie, I'm sending it as a POST with the Advanced REST Client app for Google Chrome, with the OAuth parameters as the Authorization header. As mentioned, this successfully gets me back an access token.
Has anyone else had this issue, and worked around it? Have I made some basic error in my setup or in my requests?
That's the problem: the browser won't allow you to send the WP cookie via HTTP headers. Have you tried this instead: https://github.com/WP-API/OAuth1/issues/39#issuecomment-57620637
I have successfully accessed the WP API through a JSON Web Token approach, which might be okay in this case if you set a timer on the token and then refresh it as needed.
I used this plugin: JWT Authentication for the WP REST API and it worked like a charm.
I know this isn't OAuth1, but it definitely saved me a lot of time in securely authenticating to WordPress.

Redirect Url for Windows Application using OAuth2

I'm testing some social API using OAuth2 and facing a problem with the redirect URL. My application uses an embedded browser to get the access token from the server, with the redirect URL set to http://localhost. It worked fine on my computer, but if other users' computers don't have any web server installed, how should I set the redirect URL, and how can I make my application listen for the access token instead of copying and pasting it back manually?
Any help will be appreciated. Thank you.
You don't necessarily need a web server. You could register a fictitious redirect_uri in your STS and then configure your hosted WebBrowser to listen for a redirect to this URL and extract the access_token from the fragment portion of the URL that the STS will send. The response from the STS will look like this:
http://fictitious.com/#access_token=some_token&token_type=bearer&expires_in=3600
So in order to implement the implicit grant flow there are 2 steps:
You direct the hosted WebBrowser to the authorization endpoint of your STS: http://sts.com/authorize?client_id=CLIENT_ID&response_type=token&redirect_uri=http%3A%2F%2Ffictitious.com%2F
The user authenticates against the STS and is redirected back to the fictitious url that was provided as redirect_uri in the first step.
You intercept the redirect to this url and extract the access_token from it.

OAuth for Desktop apps?

I wonder how desktop apps without any domain names use OAuth? Or is it not supposed to be used this way? If so, what do I use? Say for Tumblr: they have an authentication API, so will I have to put the username and password in the URL/query string?
I am thinking of using WPF/Adobe AIR. How does something like TweetDeck work?
I've been puzzled by the same question about the lack of a domain or app URL, but it turns out redirection is not the only possible way to complete the OAuth authentication process.
I.e., when a webapp requests access it provides a callback URL: the one the user will be redirected to when the process is completed. That's how the webapp knows that everything's done.
But you can't redirect to an application on the user's machine. Thus, there's another way: upon successful authentication the server presents a special code to the user. Then the user copies this code and provides it to the application.
You can see both ways described in the specification draft.
Also, here's an example of this authentication flow with Twitter.
It looks like it may be possible; see Google's docs on the subject:
https://developers.google.com/identity/protocols/oauth2/native-app
For a desktop app where a user needs to authenticate himself, you will usually want to use the Authorization Code flow.
The approach goes roughly like this:
set up a temporary web server that listens on the loopback interface
present the login page to the user (either in an embedded browser control or an external browser), with the URL of your temporary web server as redirect_url
upon successful login, the user will be redirected to your temporary web server and you can obtain the access code from the code query parameter
using the access code, you can obtain a token and start making requests using it
shut down the temporary web server
Please note that you will have to allow localhost as a redirect URL in your identity provider, in order for this approach to work.
For further details, please take a look at these sample apps from Google.
You should start by reading about getting started with OAuth. Eventually, even a desktop application will open a browser window to authenticate the user - TweetDeck and other Twitter clients do this, as you've probably noticed.
Tumblr, in your example, doesn't use OAuth but rather basic authentication that is being performed via simple HTTP web requests.
Twitter doesn't want users entering their credentials into your application. So at some point the desktop app will need to open a browser window through which Twitter can authenticate their users and return an access token representing the user. From that point the desktop app can use the access token to represent the user in all subsequent API calls to Twitter.
In a desktop environment you have another way to get the token: the URL the browser itself opens.
The OAuth2 server will redirect the user's browser to the redirect URL with the token as a query parameter, so if you control the browser used, you can read the token directly from the URL that the user was redirected to.
Graphical libraries like GTK+ have integrated options to create mini browsers that the user can use to authenticate, and it automatically returns the token to the app, but other options are possible, like reading Firefox's URL, for example.
