I have a requirement where I am building bitbucket URL to push,commit, manipulated a repository content. Its currently working with "username:pattoken#bitbucket.com/etc/etc/etc" but I want to try a solution where I can, In place of username pass something else to authenticate with pat token. similar to
https://x-auth-token:pattoken#bitbucket.com
I know it works for azure to authenticate with this similar URL https://projectname:token#azure.com/projectname/etc/etc but I am not able to find solution to work with bitbucket. My requirement is to avoid asking user for username. I should be able to generate URL with only PAT token.
Related
i will develope a wordpress plugin to access google analytics and visualize the data in a widget. So i checked some existing wordpress plugins, like the famous known "Google Analytics Dashboard for WP (GADWP)" - https://wordpress.org/plugins/google-analytics-dashboard-for-wp/. I was looking for a way how the user authorizes and get refresh and access token to access ga data in behalf of the user (who installed the plugin). And there i found that this plugin (and all other google analytics wodpress plugins) publish there secret. Because in a plugin (which the user downloads) it is impossible (i think) to hide the client secret, because the user of course see's the source code.
As the google documententation describes (https://developers.google.com/identity/protocols/OAuth2WebServer): Important: Do not store the client_secrets.json file in a publicly-accessible location. In addition, if you share the source code to your application—for example, on GitHub—store the client_secrets.json file outside of your source tree to avoid inadvertently sharing your client credentials.
So in this case i think the authentication of the request is lost. If i get or guess a refresh token of any other website that uses the plugin, i will be able to exchange refresh token with access token (because i know the client id and secret) and access the ga data. I already tested that.
So i am looking for a more secure way to access the ga data in my plugin without letting everybody know my secret. Are there any solutions or hints? I thought about sending every request through my server, so nobody know's my secret, but this is also not the solution of the problem. When exchanging the authorization code and receiving the refresh token maybe i have to exchange something like a key pair that will be used to encrypt every following request? Every following request will be to get a new access code for a refresh token.
Of course every user can create his own client id and secret. But this is now very user friendly.
Maybe is it possible to create a new api project and oauth authentication via api (what you normaly do via the google api console)?
Thanks for your help and hints,
Harald
Please bear in mind that I'm a noob and rather new to oauth2. I wanted to get a feeling of oauth2 and play around with it. For this I've used offlineimap to connect to my gmail account and retrieving email.
let me copy some config file which I will use to state my general question
oauth2_client_id = clientId
oauth2_client_secret = clientSecretToken
oauth2_request_url = requestUrl
oauth2_refresh_token = refreshToken
type = IMAP
remotehost = imap.gmail.com
remoteuser = xyz#gmail.com
remotepass = mailpasswd('gmail')
As far as I understood the client_id is used to identify me as me :) the request url is just my connecting point on the google site for an outside app. The refresh token is used to generate an actual access token.
The client secret, as far as I understood is a shared secret between the app and gmail to convince gmail that the correct app is asking for certain access.
Question If I understood this correctly the refresh token and the client secret should be "secret". Does this mean it is dangerous to put these information in such a config file? Should we encrypt it like the password (with gpg for example)?
The last point which is not 100 clear to me in oauth2 is the following: Do I understand it correctly that I need to provide my credentials (username / password) since for oauth2 basically assumes that I'm logged in?
Is it fair to say all what oauth2 does on a high level is to ensure that a certain outside app gets a certain access to my gmail. It's a granting for a specific app to specific data. But I still need to provide the my credentials to log in to gmail.
Imagine you use a public code repo as github for example and you push your code there together with the config file you are using. You've just exposed your secrets to the whole world and I cannot tell you how many times people have done stuff like this.
If your code is not public, that's better but make sure that your web server does not serve the config file when requested directly. As long as no one can access it once the whole thing is live, you are safe.
Oh and just to clarify how the refresh token works .... it is used to extend the life of a previous token which either expired or was close to expiration so you don't have to request a new one.
If it was me I would encrypt all 3, meaning ClientID, ClientSecret and RefreshToken.
Think of it this way, the ClientID is your username and the ClientSecret is your password.
But the thing is you're providing login credentials only to your Gmail account and not exposing them to 3rd party service. 3rd party app interacting with your account authenticating via authentication token that it receives after login. This token can be easily invalidated if need and the 3rd party application will no longer have an access. All without the need to change the password.
I am prototyping HipChat client and I'm stuck at building good authentication experience. I would like to implement similar authentication dialog as HipChat clients built by Atlassian provide. There is no need to generate auth tokens/etc, you just type email/password and client is able to obtain oauth token.
How do they do? Clients use com.atlassian.hipchat.win-clients as client_name in request to https://www.hipchat.com/users/authorize.
Question that I have: how do I register my own client? If I use any random name I get "Named OAuthClient not found ".
How to register client name that will work with any HipChat server, including hipchat.com?
Updated:
I made an example. Please take a look.
https://github.com/chenghuang-mdsol/StandupCat
#VitaliyGanzha
There's a way I used: Build an auth provider based on the integration token.
Make an integration, take down the auth_token.
Use this auth_token on the api here: https://www.hipchat.com/docs/apiv2/method/generate_token
use grant_type 'password', and fill username and password in your post request.
It will return the user info.
Based on the user info it returned, you do your membership provider.
Note that this auth_token has very limited permission. If you want to do more than authentication, you need another personal auth_token which can be generated in your account center.
Tested in C# WCF
Here I've got an answer that it is not possible right now:
This is currently not possible. The flow you described with the
com.atlassian.hipchat.win-clients oauth id is used internally inside
our new desktop and mobile clients. The only other way to obtain an
access token via a 3-legged oauth flow is to create an add-on that you
have to require a HipChat customer to install. Our OAuth tokens are
scoped by group. We don't have allow global tokens. Sorry about that.
https://answers.atlassian.com/questions/32989448/writing-hipchat-client-hipchat-authentication
We have an application with its own authentication, for which we recently added OAuth2 support. A corporate customer can specify the data for his ADFS or Google domain, and we use that to automatically sign up and log in their users.
Now, the problem is switching credentials. When we log out from our application, clicking the login button (which redirects to the configured ADFS OAuth2 authorize endpoint) will immediately validate the user and send him back to our app, with a valid code for his current credentials.
The Google endpoint has a special parameter, approval_prompt, which we can use to force an intermediate step, at which the user can switch his credentials. I don't think ADFS has that.
What other solutions do we have? Is it possible to configure something on the ADFS server that would prompt the user to enter his credentials for every authorize request?
Here's how those url parameters work, as best as I understand them:
wa is the operation we're requesting. So far, I've only seen two values: wsignin1.0 and wsignout1.0
wfresh has something to do with the max age of cached credentials, but I don't entirely understand it. 0 means don't use cached credentials.
wtrealm is the AppID configured in ADFS. This tells the ADFS server which app is trying to authenticate. For us, this is the base url of the app.
wctx is some app-specific data returned to the app from the ADFS server after the request. Since we're using the standard System.IdentityModel setup, it handles parsing and reacting to this value, not our code. There's an ru parameter encoded inside it. This is the return url. This is how we get back to the page we came from.
wct is the timestamp of the authentication request
For us adding the parameter prompt=login to que authorization request URL is working with OAuth2 :
/adfs/oauth2/authorize?response_type=code&client_id=XXX&resource=YYY&redirect_uri=ZZZZ&prompt=login
I wanted to build a simple WP7 app to learn how to use Silverlight, so I thought I'd create a very simple yammer app. As a starter it would have two screens - Login (Username & Password) and Feed.
Yammer user OAuth for its authentication but I just dont get it! i appreciate you need to request a token to use the REST interfaces, but I dont want my users (even if its just me) to need anything other than their login credentials, as they would use on the website. In my head the token can be used in a similar manner as a forms auth token in asp.net
Am I missing something? But I cant see anything in the yammer documentation about logging in.
The process for OAuth is as follows
You do a token request to Yammer. If needed they will ask for yammer credentials and send a token back to a URL of your application
You must use that token to sign all your petitions.
You can't stop Yammer asking for credentials because that's the idea of OAuth. Yammer does not trust you and it's impossible for you to keep any user Yammer's credentials. That way they can't be stolen from your site. The more you can store is a temporal token.
There is a very good guide to using OAuth on hueniverse, which features an example workflow. It's not completely up to date with the latest version of the spec, although this probably doesn't matter too much for your purposes.