I have written a native application to sync data with Evernote and I would like to use the implicit grant flow, because I don't have an idea how to store the client secret in a safe way.
Are there plans to support OAuth 2.0 implicit grant by Evernote?
Any other suggestions how to implement and a ship a native application accessing the Evernote API without exposing the client secret?
Related
I have created a Web API using .net core 5. I have secured the app using the Microsoft Identity platform. Clients app are able to get to the resource based on their scope/role. So I know that my api is secure.
Now, I need to add the API to Azure API Management tool.
So my question is should I enable OAuth from the Azure API Management to secure my web api even though my app is already secured?. What would be the reason that I enable OAuth from API management?
APIM is a proxy to the backend APIs and implementing security mechanisms to give an extra layer of security to prevent unauthorized access to APIs is a recommended practice.
Configuring OAuth 2.0 Server in APIM merely enables the Developer Portal’s test console as APIM’s client to acquire a token from Azure Active Directory. In the real world, customer will have a different client app that will need to be configured in AAD to get a valid OAuth token that APIM can validate.
OAuth is an authorization framework which allows a recognized client to acquire an access token from an authorization server.
As given in this Microsoft Doc, the Microsoft Identity Platform uses the OAuth 2.0 protocol for handling authorization.
Please find below references makes you how OAuth secures the Web APIs/Services:
OAuth 2.0 and Azure API Management
How does OAuth secure Rest API calls
Protect APIs using OAuth 2.0 in APIM
Which OAuth flow should be used for mobile app developed using Ionic Framework?
I am developing a mobile app using Ionic Framework v3. It will be interacting with my authorization server (www.example.com) using REST calls. To make the REST calls more secure I have introduced OAuth and JWT's. But I am unable to decide which OAuth flow to use.
Also note I will be using my own OAuth server and will not be using public servers such as Facebook, Google, etc.
My understanding is it depends on if you're going to deploy your Ionic app as a Web app or a Native app. For Web (SPA) you'll likely use the Implicit flow, and for Native you'll likely use Authorization Code Grant using Proof Key for Code Exchange - PKCE.
I personally use Auth0 for my auth, and I deploy my Ionic app in Web and Native. My app triggers the Implicit flow when in Web and PKCE for Native. Auth0 has some helpful docs here:
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
https://auth0.com/docs/api/authentication#implicit-grant
https://auth0.com/docs/api/authentication#authorization-code-grant-pkce-
I have generated a Client ID and Client Secret for my application using the Google API Console for my Java web application.
I want to generate an access token to be used in my application to authenticate a mailbox and read mails from there with the help of JavaMail API.
This link has some theoretical information but I could not understand how the tokens can be obtained.
Answer will depend upon where is application running as it determines how access token can be received:
Using OAuth 2.0 for Web Server Applications
OAuth 2.0 for Client-side
Web Applications OAuth 2.0 for Mobile & Desktop Apps
OAuth 2.0 for TV and Limited-Input Device Applications
There are different alternatives or libraries available to get access token depending upon the type of application and different specific mechanisms are defined around it.
So it will be then much easier to dive-in into the specific options available.
Github API does not allow to use OAuth implicit grant type for Non-Web Application. Basic Authentication is supported. I'm implementing APIs for our own mobile app and third 3rd-party developers. In this case, I guess the password grant type is suitable. I have no idea why Github does not use it. Do you know why?
https://developer.github.com/v3/oauth/
I'm writing a native application that works against a Google API. Upon registering my application, and despite its explicit designation as Native, the Google Developers Console provides me with a client secret.
As far as I understand the OAuth 2.0 protocol, native apps should never have a client secret, since they cannot guarantee its secrecy. Is Google mistaken in its implementation of OAuth 2.0? How should I proceed?
You are correct, the client secret isn't terribly useful in a native application from a being kept secret perspective. I suspect it's there mainly for consistency with the web application flow.
It does however have at least 1 useful feature... the original developer can reset it at any time, effectively revoking all refresh tokens bound to that client ID.