For an Alexa Skill user that has completed account linking - is a way to get their account linking accessToken outside of the skill session?
For example I know that as part of the out of session Skill Messaging API - you can do this to get the skillMessagingToken:
SKILL_CLIENT_ID='YOUR_SKILL_CLIENT_ID'
SKILL_CLIENT_SECRET='YOUR_SKILL_CLIENT_SECRET'
API_URL='https://api.amazon.com/auth/O2/token'
curl -k -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&scope=alexa:skill_messaging&client_id=$SKILL_CLIENT_ID&client_secret=$SKILL_CLIENT_SECRET" \
$API_URL
Rather than using the scope alexa:skill_messaging maybe there’s another scope value that returns the user's account linking accessToken?
Any scope provides an access token. The scope determines what you can do with the access token, not whether or not you get one.
Edit
The "out of session" example above retrieves a token assigned to your skill, not a specific user. But the account linking access token is assigned to a specific customer and is returned from a successful authorization from the customer.
There is a linking workflow that doesn't necessarily involve a skill session or the Alexa app.
https://developer.amazon.com/en-US/docs/alexa/account-linking/app-to-app-account-linking-starting-from-your-app.html
As for the scope, you specify that in the skill linking config in your skill config. So the scope is what you specify. For Login with Amazon, the basic profile scope is usually all that's needed as it will give you a unique user ID for the customer that will be the same across your skill and your external app(s).
Related
In wso2 api manager there is Token API that can be used to revoke specific tokens by clients. This is for applications to handle token revocations during logout etc.
But how to revoke all tokens for specific user when I do not want to let user use API anymore? For example when I removed user account from my service.
Is there ani API that can be called from third party application to api manager with information that the user is removed and therefore api manager should invalidate user’s tokens.
In WSO2 API manager, the access token is generated for an Application. When a user is going to use an API, he/she first needs to Subscribe to that API by create an application for that particular API.
So, if you need to revoke a particular token, you should do it for the application. The Token API of the WSO2 API Manager provides a method to revoke the token.
curl -k -v -d "token=<ACCESS_TOKEN_TO_BE_REVOKED>" -H "Authorization: Basic <base64 encoded (clientId:clientSecret of the application)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/revoke
AFAIK, there is no straight forward option to remove the keys for particular user, as users are subscribed to apis via Applications.
However you could do it by deleting the database entry for that particular user in IDN_OAUTH2_ACCESS_TOKEN table, where all the access token information are stored.
For more information for the Token api, please refer the following documentation.
https://docs.wso2.com/display/AM210/Token+API
On a related note: If you want to block a user from accessing APIs, you can use blacklisting feature.
See https://docs.wso2.com/display/AM210/Managing+Throttling#ManagingThrottling-Blacklistingrequests
Any route requires you to be authenticated as a DocuSign user to use it. With the standard service integration flow, you direct the user through docusign's /oauth/auth flow, use the returned code to get an access token via /oauth/token, then use that token on /oauth/userinfo to get the user's ID which you can then sign and use in a JWT.
Instead of directing users through the oauth UI to get their consent, DocuSign allows organization admins to pre-authorize an application for everyone in the application. No need to send organization members through the oauth flow. Great.
However, once this action has been taken, it's not clear how my application could make requests on behalf of any user, since the /oauth/userinfo route that gives you the user id requires an oauth code that you get by passing the user through DocuSign's oauth browser UI.
More specifically: if the admin of foo.com's DocuSign organization authorizes my app, and bob#foo.com starts using my application, how do I get bob#foo.com's user ID to create a JWT with?
When you say "bob#foo.com starts using my application" what, exactly, does that mean?
Case 1: Bob is interacting with your application. In that case, you should be using a User Application OAuth flow such as Authorization Code Grant to enable him to login.
If your app needs to later act on behalf of Bob when he's not around, then store Bob's user id for later use with the JWT grant.
Case 2: Your app is running in the background (no human interaction). At some point your app needs to starting doing things for Bob by impersonating him. All you have is his email address.
If this time arrives and your app has had no interaction with Bob, then yes, you need prior access as an admin (in Bob's account) so you can look up Bob's user_id from his email.
This second account would be the "admin user account" for your app. The account would need admin privileges to lookup the user's information. Your app would get access to this admin account when your app is installed.
Use the Users:list API call. Remember to encode the email address.
Example:
GET call: /v2/accounts/{accountId}/users?email=larry%2Buser%40foo.com
Re: user_id lifetime I'm reasonably sure that the user_id guid doesn't change for a given accounted user (someone who is a member of an account on DocuSign). I will check to make sure.
I need to access several YouTube channels for my job to pull analytical data and export it to a database. The problem, is that this requires using OAuth, which would be fine except I don't know the controlling person's username/password. She probably won't give me her credentials since it's personal.
Is there a way to do this without explicitly using her username/pass? Like, she tried making me a content owner, but I still can't authorize this level of information.
This is exactly the reason why OAuth was created, to make requests on behalf of a user without their username and password.
Have that user generate an access token. Here are the Google Docs. In a nutshell:
Have your user send a post request to https://accounts.google.com/o/oauth2/token with your app key. The response should look something like:
{
type: "oauth",
token: "XXXXXXX"
}
Then, make an API request on behalf of that user with their token by passing in the token returned from the previous step as value for the Bearer filed for any web request to the YouTube API. This will allow you to perform an authenticated request without explicitly knowing the user's username and password.
Twitter has application-only authentication for their api: https://dev.twitter.com/docs/auth/application-only-auth
Twitter offers applications the ability to issue authenticated requests on behalf of the application itself (as opposed to on behalf of a specific user)
I want to do the same with doorkeeper in Rails, but I'm not sure how to do that. It seems to be only possible to authenticate users via a callback url, but how can I access my API using the applications context (only by using the app ID and app secret)
My first idea was to do a password credentials login with the app's ID and secret to obtain an access token that belongs to the application. Is this a bad idea? Is it safe from a security point of view? I am wondering because the app's secret is saved as plain text in the db, which is a no go for user authentication.
It is something you can definitely do : you can see on the example here where it generate a token with client_credentials, but no username / password :
curl -i http://localhost:5100/oauth/token \
-F grant_type="client_credentials" \
-F client_id="your_application_id" \
-F client_secret="your_secret"
Up to you after to check if you have a resource_owner associated to your doorkeeper_token.
I have a grails application in which I want a user to grant me access to his/her LinkedIn account to get information and show it in different ways.
I was able to do the following:
Get the authorization code
Use that authorization code to get the Access Token
I store that Access Token together with the expiration date in my User entity.
Refresh that Access Token when the expiration date is within X days from today.
Now the issue I'm having is that I would like the user to revoke or invalidate that token so that someone else can use the same computer and session and login to a different LinkedIn account.
Is this possible?
If not? Is there a way to delete the LinkedIn cookies? so that the user's LinkedIn session is finished and by being logged out from LinkedIn then they will have to grant access to my application again.
For reference:
I'm using Grails 2.1.1
I'm NOT using oauth to do the authentication, I just use the HTTPClient from Groovy to do plain and simple GET and POST requests.
Thanks a lot in advance!
I have managed to revoke token on API v2 with this call:
curl --request POST \
--url https://www.linkedin.com/oauth/v2/revoke \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID_HERE \
--data client_secret=CLIENT_SECRET_HERE \
--data token=YOUR_TOKEN_HERE
The easiest thing to do is just to delete the Access Token from your storage. This way you no longer have access to that account. When LinkedIn was using OAuth 1.0a, they had an Invalidate call which would invalidate the Access Token. But when they moved to OAuth 2.0, that went away.