I'm trying to setup an OAuth2 flow on my react app and the instructions I've been given from the 3rd party say to add a 'state' parameter with a unique identifier that will be passed back to the redirect URL on a successful request. It's passed back so I know that the request originated from my site.
My question is how should I do this? Should the state I send to them be unique for everyone who clicks the link or should I just set the state to some random string that is the same for everyone?
Also, if it's unique for everyone, how would I stop someone from seeing the state by looking at the link URL in dev tools?
I can't get my head around this one. Here are the instructions in case they help... ...On your site, an [affiliate name] user wants to link their account to us. You redirect to our auth page (https://oauth2.example.com/oauth2/auth) As query parameters you will need to provide:
redirect_url : The redirect url you registered
client_id : The identifier you were given
state : A string that uniquely identifiers this request. We will pass it back to your redirect URL on successful request so that you know you were the originator of the auth flow.
E.g. on your site, someone clicks on Connect Example Account, you open a page with URL https://oauth2.example.com/oauth2/auth?redirect_uri=https://affiliatename.com//auth/callback&client_id=12345&state=very_unique
Related
I'm setting login_hint to a previously retrieved sub identifier (unique Google ID) as part of an authorization request url, but it doesn't select the appropriate account. It does do it if instead of the sub I supply the email address of that user.
According to Google's documentation however the sub identifier should also work:
Optional. If your application knows which user is trying to
authenticate, it can use this parameter to provide a hint to the
Google Authentication Server. The server uses the hint to simplify the
login flow either by prefilling the email field in the sign-in form or
by selecting the appropriate multi-login session.
Set the parameter value to an email address or sub identifier, which
is equivalent to the user's Google ID.
Any ideas how to get it working, or whether this is indeed a bug?
I am trying to determine if page access tokens used with the messenger api are permanent. Seeing this code in one of their examples, which indicates to me that they are using the token as a constant value :
access_token: PAGE_ACCESS_TOKEN
I get the Page Access Token shown on my facebook app dashboard in this way:
I log into facebook, go to developer.facebook.com, select my messenger app, then on the dashboard go to Products > Messenger > Settings and can select my page and then get a token.
Can I put that value in a properties file and then use it indefinitely with my application when getting/sending messages to and from the page?
I am getting a bit confused regarding the documentation around other tokens, like user tokens and login tokens vs. page tokens.
Editing to add that I am using the page access token in order to make a POST request to this url : https://graph.facebook.com/v2.6/me/messages in order to reply to a message sent to my page by a user.
I believe I have solved this and wanted to post in case anyone else had the same confusion.
I assumed I needed to make a GET request to a facebook url in my code to get a new token before each Request to GET or POST to the messenger API. Using the information in the links above, I learned how to get an extended token here:
https://developers.facebook.com/tools/explorer/<my app id here>?method=GET&path=me%2Faccounts&version=v2.10
I then can use that ID indefinitely as it is supposed to not expire. I am going to assume it is OK to put this id into my properties file, if anyone has opinions on a better place to store this token value I would be interested.
Extended Page Tokens are valid forever.
You need to use a User Token, extend the User Token and then get an Extended Page Token with the Extended User Token.
More information:
https://developers.facebook.com/docs/facebook-login/access-tokens/
http://www.devils-heaven.com/facebook-access-tokens/
I am learning to use dropbox APIs and got confused when came up with the token flow.
As guide indicates, the flow should be like this:
the app redirect the user to a Dropbox webpage, i.e. .../oauth2/authorize
user logs in and approves the app
redirect back to the app. At this point, the app gets an access token.
However, when i requested the URL:
.../oauth2/authorize?client_id=xxx&response_type=token&redirect_uri=xxx
I was directly redirect to the destination with
REDIRECT_URI = "#access_token=xxx&token_type=bearer&uid=xxx"
And the "approve step" was skipped, i.e I got an access token without being allowed.
Is it a bug or my fault?
Any help would be appreciated :]
In certain cases, when the user has already approved the app to access their account previously, they will be automatically redirected through the app authorization flow.
If you want, your app can prevent this behavior from happening by using the force_reapprove parameter, documented for the /oauth2/authorize page here:
https://www.dropbox.com/developers/core/docs#oa2-authorize
I'm building an app where the user will receive an invite to join a team.
The invite link is unique to the user, and when the user hits the sign-up page, they they can login using oauth (google).
After the user goes through the authentication and gets passed back to my app, I need to get their invite code, so I can look it up in the db and add them to the correct team.
I thought I could pass a state variable to the oauth provider which would get passed back to me like auth?state=INVITE_CODE, but when I send a state parameter to google in my auth request, it doesn't respond at all.
What's the best way to accomplish this?
I'm using express passport if that makes any difference.
I was WAY over thinking this, so hopefully this will help somebody else.
If you look at the res.headers.referer it is actually your original link, not the link from the oauth provider, which I expected.
Developing a web application that I've registered with Twitter. In this app, I might have 10 different Twitter Identities that I want to either Allow or Deny access for the application to.
For example:
https://api.twitter.com/oauth/authorize?oauth_token=XXXXXXXXXXXXXXXXXXXXXXXX&oauth_callback=http:://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback/
It always just defaults to whatever my twitter account is logged in as and I have to specify Logout, then sign-in with new account. Its almost like I need an extra querystring parameter such as
https://api.twitter.com/oauth/authorize?oauth_token=XXXXXXXXXXXXXXXXXXXXXXXX&oauth_callback=http:://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback/&ForUsername=billgates
Actually, you can pass in an extra parameter with the callback url, like so:
https://api.twitter.com/oauth/authorize?oauth_token=XXX&oauth_callback=http:://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback?ForUsername=billgates
and the parameter will be sent back to you when Twitter calls the return url, like this:
http:://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback?ForUsername=billgates&oauth_token=XXX&access_token=YYY
You can read more about this in the documentation - http://dev.twitter.com/pages/auth:
Always use an explicit oauth_callback
- It is recommended that you specify a default OAuth callback in your client
record, but explicitly declare your
oauth_callback on each request token
fetch request your application makes.
By dynamically setting your
oauth_callback, you can pass
additional state information back to
your application and control the
experience best.
Note that in the general scope of authorization, the authorized agent does not necessarily know the identity of the user on whose behalf it acts. In other words, there could be an implementation where your app can be authorized to read the Twitter stream of updates, while still not knowing which identity that stream belongs to. Adding the parameter you ask for would be information disclosure in this case, as your app will need a piece of information that the system is designed not to provide.
Or to put it in a real life example - imagine a valet parking, where instead of giving you a parking ticket and taking the keys to the car, the valet would ask you for your SSN just to park the car, just because the valet parks cars for other people too.