Here are my project details:
We have a Mobile App that should send the device's data to the Thingsboard server.
For this, we need to have user accounts in Thingsboard, so that they can get a JWT token on sign-in in the Mobile App. And this JWT token is used for the data upload & retrieve.
So, for the new users, we have developed a form page to register in the app. When a user fills in the form and submits it, which API should be used here to create a new User entity in Thingsboard and send an account activation link to the provided email?
Your help would be appreciated.
Thank you.
The Thingsboard REST API has a proper 'saveUser' method that can be used to create user accounts; however, this endpoint requires a JWT token with proper authorization to create users.
We had a similar problem and ended up creating a custom REST API service to wrap the Thingsboard native REST API and use a hardcoded username and password in order to auth the account creations. We did this to avoid having the username and password hardcoded in our Mobile App. We later switched to adding the users directly in the database with an ORM.
We had to use this approach because we use Thingsboard PE; if you use TB CE you can try to modify the REST API in order to allow this endpoint to be used without a JWT.
The swagger UI can be checked at:
{base_url}/swagger-ui.html
and the create user endpoint is:
{base_url}/api/user?sendActivationMail=true
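The wrapper-service approach from the answer above, as an added example (not the answerer's code and not part of ThingsBoard): the service-account credentials stay in server-side configuration, and the mobile client's form is reduced to whitelisted fields so it cannot choose its own authority. `/api/auth/login` and the `X-Authorization` header are ThingsBoard's REST login conventions; `cfg`, the form field names and the customer id are assumptions.

```javascript
// Added example: server-side signup wrapper. cfg (baseUrl, username, password,
// customerId) and the form field names are assumptions for illustration.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Copy only whitelisted fields; privilege-bearing fields are fixed here and
// never taken from the mobile client's request body.
function sanitizeSignup(form, customerId) {
  const email = String(form.email || '').trim().toLowerCase();
  if (!EMAIL_RE.test(email) || email.length > 254) throw new Error('invalid email');
  const name = (v) => String(v || '').trim().slice(0, 64);
  return {
    email,
    firstName: name(form.firstName),
    lastName: name(form.lastName),
    authority: 'CUSTOMER_USER',
    customerId: { entityType: 'CUSTOMER', id: customerId },
  };
}

function buildCreateUserRequest(baseUrl, jwt, user) {
  return {
    url: `${baseUrl}/api/user?sendActivationMail=true`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', 'X-Authorization': `Bearer ${jwt}` },
      body: JSON.stringify(user),
    },
  };
}

// Logs in with the service account, then creates the user. fetchFn is
// injectable so the flow can be exercised without a live server.
async function registerUser(form, cfg, fetchFn = globalThis.fetch) {
  const user = sanitizeSignup(form, cfg.customerId);
  const login = await fetchFn(`${cfg.baseUrl}/api/auth/login`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username: cfg.username, password: cfg.password }),
  });
  if (!login.ok) throw new Error('service login failed');
  const { token } = await login.json();
  const req = buildCreateUserRequest(cfg.baseUrl, token, user);
  const res = await fetchFn(req.url, req.options);
  if (!res.ok) throw new Error(`user creation failed: ${res.status}`);
  return { email: user.email }; // the service-account JWT never leaves the server
}
```

An endpoint like this is unauthenticated by design, so it also needs rate limiting or a CAPTCHA in front of it.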
Related
I'm in the process of converting an internal C# API that uses a legacy SOBO integration to one that uses OAuth 2.0 as required by DocuSign. The legacy application makes all requests to DocuSign using DocuSign credentials of an application user (a non-person) and injects SOBO data (email address) in the appropriate header when we need to generate an embedded sending URI and have it appear that the envelope was sent by a real person without using their credentials.
I have successfully converted another (non-SOBO) internal API using JWT grant, but I do not know how to replicate the SOBO-dependent workflow. I have read Matt King's article "From the Trenches: OAuth 2.0 and the new SOBO", but I'm still a bit confused. I know how to extract the userId from the email address as mentioned in the article, but I'm not sure what to do with it. Similar to my legacy application, I am using an application user to get consent and ask for a JWT token without prompting internal users for their consent. Is this still possible using OAuth 2.0?
Happy to help here. Once you've retrieved the user's apiUserName / userId you'll want to add it into the JWT assertion's sub line.
When you go to generate the token, if consent has not been provided by or for the user, our system will send back an error of "Consent_Required." See https://www.docusign.com/blog/developers/oauth-jwt-granting-consent for different methods of granting consent.
For individual consent, the user needs to go to a specific URL containing your clientId, redirectUri, and some additional scopes. If they hadn't previously consented to the scopes in your OAuth request they will be prompted to do this once. You can confirm consent has been applied by having them visit the same link afterwards, which will send them directly to your redirectUri.
Domain consent works a little differently -- you need to have an organization, a claimed domain, and the users you're providing consent on behalf of need to have an email address that is part of that claimed domain.
Happy to connect and walk you through it -- if you can open a ticket at support.docusign.com and in the details request they reach out to me I should be able to have the case transferred and work with you from there.
Regards,
Matt King
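The JWT grant described in the answer above, as an added example in Node.js (not DocuSign's or the answerer's code): the impersonated user's userId goes in `sub`, and a consent error from the token endpoint is turned into the individual-consent URL. The demo host `account-d.docusign.com`, the `signature impersonation` scopes and the one-hour lifetime are assumptions; the error name is matched case-insensitively.

```javascript
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build the RS256-signed assertion for the JWT grant. `sub` carries the userId
// of the person being impersonated; `iss` is the integration's clientId.
function buildAssertion({ clientId, userId, authHost, privateKey, now = Date.now() }) {
  const iat = Math.floor(now / 1000);
  const claims = {
    iss: clientId,
    sub: userId,
    aud: authHost,
    iat,
    exp: iat + 3600, // assumed lifetime: one hour
    scope: 'signature impersonation',
  };
  const signingInput = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Form body for POST https://<authHost>/oauth/token
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Map the token endpoint's JSON reply to the next step.
function nextStep(reply, { clientId, redirectUri, authHost }) {
  if (reply.access_token) return { action: 'use_token', token: reply.access_token };
  if (String(reply.error).toLowerCase() === 'consent_required') {
    const q = new URLSearchParams({
      response_type: 'code',
      scope: 'signature impersonation',
      client_id: clientId,
      redirect_uri: redirectUri,
    }).toString().replace(/\+/g, '%20');
    return { action: 'grant_consent', url: `https://${authHost}/oauth/auth?${q}` };
  }
  return { action: 'fail', error: reply.error };
}
```

The RSA private key is the credential that allows impersonation of any consented user, so it belongs in a secrets store on the server and never in a client.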
I'll try to connect to the content api for shopping via API.
I've tried some different OAuth ways (e.g. "three-step-method" with access key and bearer-token) but for a specific integration I need the "credentials-oAuth".
Currently I tried as following:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=[my client id]&
scope=https://www.googleapis.com/auth/content&
redirect_uri=[some random request bin -> added in Authorised redirect URIs ]&
response_type=code
If I call this via Postman, I'll be redirected to the login page of Google. But why?
How can I solve this problem?
BG
David
Shopping API data is private user data. In order for your application to access private user data it must have the permission of the user who owns that data.
We use OAuth2 to do that. The user must consent to your application accessing its data. In the below image the application Google analytics windows is asking the user for permission to access their Google analytics data.
If I call this via Postman, I'll be redirected to the login page of Google. But why?
The reason you are seeing a login screen with Postman is simple: the user needs to be logged in before they can grant access to their data.
How can I solve this problem?
You don't, as there is no problem: the user must log in to grant your client application consent to its data. This is working exactly as it should.
Service accounts
Update to answer comment: Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the Content API for Shopping with service accounts.
I'm new to Auth0 and having real trouble wrapping my head round it. My app is going to be built using React, packaged using Phonegap.
Am I able to use Auth0 with a completely custom UI for creating accounts, logging in etc.?
Ideally my signup flow would be...
User Signs up using my react form
Details are sent to my API and then passed to Auth0
Success message is received from Auth0 and the user is mirrored in my local DB
My ideal login flow would be...
User fills in email/password on my custom form.
Details sent either directly to Auth0 or via my API
Token is sent back and stored in localStorage
Then each request to my API...
React attaches token to every request in header (actually Axios interceptor does)
My API is able to verify that the token is valid and not expired
API performs request.
Not sure how to deal with social logins, claims etc. but that's for another day, basically I want to do everything through the API and not use their lock screen etc. Is this possible?
Yes! That is definitely possible and to achieve this you would want to use 'Resource Owner Password' grant type.
Once you collect the credentials from the user in your custom form, you can directly pass those to Auth0 by calling an endpoint - 'https://yourapplication.auth0.com/oauth/token' with all the necessary parameters. You can make a simple POST request to this endpoint from your client application. For ease of use, there is a JavaScript library provided by Auth0 for all of their endpoints (https://auth0.com/docs/libraries/auth0js/v9).
Auth0 will return a token which can be used to call your server side APIs by passing it to the request header.
So to conclude, you can do it through API without using their lock screen.
Let me know if you need any further help. We can discuss on social logins and claims also.
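The API-side step from the question ("verify that the token is valid and not expired"), as an added example in Node.js that is not part of the original answer or Auth0's code. It assumes the access token is an RS256-signed JWT and that the tenant's public key has already been obtained; the audience value and the sample-token helper are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Verify a bearer token before the API handles the request. Returns the claims
// or throws; the caller turns any throw into a 401.
function verifyAccessToken(authorizationHeader, { publicKey, issuer, audience, now = Date.now() }) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || '');
  if (!m) throw new Error('missing or malformed bearer token');
  const [, h, p, s] = m;
  // Pin the algorithm: never let the token's own header choose it.
  if (decode(h).alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are read only after the signature has been checked.
  const claims = decode(p);
  const nowSec = Math.floor(now / 1000);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('wrong audience');
  return claims;
}

// Constructed sample: signs a token with a throwaway key so the check above
// can be exercised offline. Not how real tokens are issued.
function makeSampleToken(privateKey, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}
```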
Boomerang and Streak and other similar browser extension apps that use OAuth2 to authenticate the user to Google also have to authenticate the user to their backend servers. They don't use a separate login system for their web backend app.
I am assuming they piggyback on the initial OAuth2 traffic with Google and set a 3rd custom token to identify the user to their backend server.
It gets tricky when multiple gmail users sign in from the same browser. The extension must keep track of every gmail user and associate them with a new token.
Is this how they do it? What would your expert advice be on creating such a 3rd token? I am thinking of taking the email address and whatever unique ID I can get from the client browser and encrypting this on the server to create a token for the user. Would this be secure enough? Do you have any better suggestions?
How do I secure my API when I want an app to be able to retrieve app-specific information without a user logged in and when I have an OAuth provider for another section of my API? Can I use the client app's OAuth credentials to hit the API without a user logged in?
I have created an OAuth provider and client using doorkeeper following railscasts 353. I can successfully authenticate a user to my provider app and make requests on behalf of the user to my provider API.
However, a portion of the API is user independent, meaning that the information returned from the API is not specific for a user and therefore a user should not have to be logged in. For example, assume an ecommerce site and items and prices are stored on the provider for multiple clients. I want a client app to be able to securely retrieve the items/prices associated with the retrieving app without a user having to be logged in. So if you went to example.com the items would be displayed even if a user is logged in via OAuth.
I have only been able to retrieve this information via OAuth when a user has logged in through OAuth (creating an access_token). Is there a way to use OAuth without having a user present (I've been trying to read about 2-legged OAuth and whether that is an appropriate solution)? Or do I need to use API keys (or HTTP Basic Auth) for the application to retrieve the application-specific data?
If OAuth is not the right solution because I do not have a user present, could/should I use HTTP Basic Auth over SSL and use the client site's OAuth secret key as the API key for the basic auth username?
If you need to authenticate your client apps in your API (without requiring a user specifically), use the Client Credentials flow.