I have a Rails 5 app. For the frontend we use Vue.js. It is a closed app for authorised Google users only. How it works now:
Vue calls Google and authenticates the user, after that it sends the payload to the Rails server. I use the google-oauth gem, so I can see the token, expiration date and id_token, as well as the refresh_token the first time. I check against my database whether we have the same user by the email Google provided. If so, I create a JWT token that I send back to the frontend with an expiration date of 1 day. The token is saved in cookies.
Every time an API call is made to the backend the JWT token is provided and I check again whether the user still exists in my database.
The problem is that it is not good UX for users to log in every day again and again. I would like to refresh the user, but I do not save any tokens from Google in my DB. Should I use that?
Do I need to make additional calls to Google from the server side, maybe?
Has anyone implemented anything like this on their projects? How does sign-in authentication work with Google, and do I need to make calls to Google every time?
I don't have Redis on my server as it is not possible to get it installed, so I can't use the jwt sessions gem.
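One way to avoid the daily re-login without Redis is to keep the JWT short-lived and pair it with a long-lived, single-use refresh token that lives in your own database (a plain table is enough; no Google token needs to be stored for this). The following is an added example, not code from the question or from any gem it mentions: a hand-rolled HS256 JWT signer/verifier plus a refresh-token store with rotation. The in-memory `REFRESH_STORE` hash stands in for a database table, and the secret, TTLs and `user_id` values are assumptions for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'
require 'digest'

# Added example (not from the original post): short-lived HS256 JWT access
# tokens plus server-side, single-use refresh tokens. No Redis needed:
# REFRESH_STORE stands in for an ordinary database table.
module TokenService
  ACCESS_TTL  = 15 * 60            # access JWT lives 15 minutes (assumed)
  REFRESH_TTL = 30 * 24 * 3600     # refresh token lives 30 days (assumed)
  REFRESH_STORE = {}               # sha256(refresh_token) => { user_id:, expires_at: }

  module_function

  def b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Constant-time comparison so a signature check does not leak timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Build a compact HS256 JWT: header.payload.signature (all base64url).
  def sign(payload, secret, now: Time.now.to_i)
    header = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
    body   = b64url(payload.merge(iat: now, exp: now + ACCESS_TTL).to_json)
    sig    = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}"))
    "#{header}.#{body}.#{sig}"
  end

  # Return the claims hash, or nil if the token is malformed, tampered,
  # signed with another key/algorithm, or expired.
  def verify(token, secret, now: Time.now.to_i)
    header, body, sig = token.to_s.split('.')
    return nil unless header && body && sig
    hdr = JSON.parse(Base64.urlsafe_decode64(header))
    return nil unless hdr['alg'] == 'HS256'   # refuse alg-confusion tokens
    expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}"))
    return nil unless secure_equal(expected, sig)
    claims = JSON.parse(Base64.urlsafe_decode64(body))
    return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
    claims
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Called once after the Google sign-in succeeds: returns an access JWT and an
  # opaque refresh token. Only a hash of the refresh token is persisted.
  def issue_session(user_id, secret, now: Time.now.to_i)
    refresh = SecureRandom.urlsafe_base64(32)
    REFRESH_STORE[Digest::SHA256.hexdigest(refresh)] =
      { user_id: user_id, expires_at: now + REFRESH_TTL }
    { access_token: sign({ sub: user_id }, secret, now: now), refresh_token: refresh }
  end

  # Exchange a refresh token for a fresh pair. The old refresh token is deleted
  # first (rotation), so a replayed or stolen token can only be used once.
  def refresh_session(refresh, secret, now: Time.now.to_i)
    row = REFRESH_STORE.delete(Digest::SHA256.hexdigest(refresh.to_s))
    return nil if row.nil? || row[:expires_at] <= now
    issue_session(row[:user_id], secret, now: now)
  end
end
```

In a Rails app the refresh token would go in an HttpOnly cookie and `REFRESH_STORE` would be a model; the frontend calls a refresh endpoint when a request returns 401, and the user only sees the Google login again after the refresh token itself expires or is revoked.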
I have developed an Express app whose purpose is to send emails. I authorized an email sender using Google's OAuth2 playground and their Google API. I wanted to use this strategy rather than working with a third-party email sender so as not to be subject to vendor lock-in. I had the system working successfully, but after a day it stopped working with "invalid-grant". In production, I'd like to have a permanent email address (under their Google Workspace) that is solely dedicated to these bot emails. The OAuth playground says you can avoid the 24-hour expiration, but I recall doing that before and it eventually came up with invalid grant. Is there a better way to set up a bot like this? Or should I just try the OAuth playground and use the config panel to avoid the refresh token expiration again?
To start with, let me say that invalid-grant means that your refresh token is no longer valid. It is no longer valid because Google's OAuth2 playground is intended for testing purposes only.
Access tokens will expire in less than an hour, and refresh tokens created using it will expire in 24 hours.
While it is possible to configure it to use your personal client ID and client secret, it is still not the optimal way to go.
Even using this method for production is not going to work well for you. If your app is still in the testing phase then your refresh token is going to expire in seven days. You will need to set your app to production in order to have a refresh token that does not expire.
The issue then becomes that in order to use the Gmail API you're going to need to have your application verified. You cannot verify your application using Google's OAuth2 playground as a redirect URI, as you cannot verify that you own this domain.
The solution to your problem is to create an application of your own hosted on your domain. This will allow you to create the credentials you need and have your app verified by Google.
"under their google workspace"
You made one comment that is not clear. If you are using Google Workspace, then why not just set up a service account with domain-wide delegation to the user on the domain? You will avoid all the issues you are having above.
So I read the following on the "Authorizing Requests to the Google Calendar API" page written by Google folks.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
My knowledge of OAuth 2.0 is limited so I'm not sure if that means that I cannot get a one-time auth token for a user?
I'm building an app that will need to CRUD events for a user in the background based on other stuff. So I can't have the user authenticate over and over again. Is there a way around here?
If not, is there a Google Calendar alternative with a dependable API that I could use?
When the user authenticates your application you are given an access token (good for one hour) and a refresh token. You should save the refresh token; whenever you need to access the user's data you can take the refresh token and ask Google to give you a new access token. It is the access token which gives you access to their account.
I wrote a tutorial that tries to explain OAuth2, how to set it up and how it works: Google Developer console Oauth2
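The refresh-token exchange described in this answer, and the invalid_grant failure from the Gmail bot question above, as an added example that is not part of either post. It POSTs to Google's token endpoint with `grant_type=refresh_token`, caches the returned access token until shortly before it expires, and treats `invalid_grant` as "the stored refresh token is dead, the user must consent again". The HTTP call is injectable so the example runs offline; the client ID, secret and token values in the usage are constructed placeholders.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added example (not from the original answer): refresh a Google access token
# from a stored refresh token, and cache it until it is about to expire.
TOKEN_ENDPOINT = URI('https://oauth2.googleapis.com/token')

class GoogleTokenRefresher
  # Raised when Google answers invalid_grant: the refresh token was revoked,
  # expired (e.g. a testing-mode app or the playground), or never valid.
  class ReauthorizationRequired < StandardError; end

  # http: callable (uri, form_params) -> [status_code, body]; defaults to a
  # real Net::HTTP form POST, tests pass a stub.
  def initialize(client_id:, client_secret:, http: nil)
    @client_id = client_id
    @client_secret = client_secret
    @http = http || method(:post_form)
  end

  def post_form(uri, params)
    res = Net::HTTP.post_form(uri, params)
    [res.code.to_i, res.body]
  end

  # Returns { access_token:, expires_at: } on success.
  def refresh(refresh_token, now: Time.now.to_i)
    status, body = @http.call(TOKEN_ENDPOINT, {
      'grant_type'    => 'refresh_token',
      'refresh_token' => refresh_token,
      'client_id'     => @client_id,
      'client_secret' => @client_secret
    })
    data = JSON.parse(body)
    if status == 200 && data['access_token']
      { access_token: data['access_token'],
        expires_at: now + data.fetch('expires_in', 3600).to_i }
    elsif data['error'] == 'invalid_grant'
      # Delete the stored refresh token here and send the user back through consent.
      raise ReauthorizationRequired, data['error_description'].to_s
    else
      raise "token endpoint returned #{status}: #{data['error']}"
    end
  end
end

# Keeps one access token per stored refresh token and only talks to Google
# when the cached token is within 60 seconds of expiring.
class AccessTokenCache
  def initialize(refresher, refresh_token)
    @refresher = refresher
    @refresh_token = refresh_token
    @token = nil
  end

  def access_token(now: Time.now.to_i)
    if @token.nil? || @token[:expires_at] - 60 <= now
      @token = @refresher.refresh(@refresh_token, now: now)
    end
    @token[:access_token]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed placeholders; real values come from the Google Cloud console.
  refresher = GoogleTokenRefresher.new(client_id: 'CLIENT_ID_PLACEHOLDER',
                                       client_secret: 'CLIENT_SECRET_PLACEHOLDER')
  cache = AccessTokenCache.new(refresher, 'STORED_REFRESH_TOKEN_PLACEHOLDER')
  begin
    puts cache.access_token
  rescue GoogleTokenRefresher::ReauthorizationRequired => e
    puts "user must re-authorize: #{e.message}"
  end
end
```

Storing the refresh token (encrypted at rest) and re-deriving access tokens on demand is what lets a background job keep working without the user signing in again; only a revoked or expired refresh token forces a new consent round.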
I have a Single Page Application in AngularJS with API in Ruby on Rails (Grape framework).
My authentication system looks like this:
The user creates an account and sends the information to the server.
The server saves the user in the database and generates a token with Devise. The token and user information are sent to Angular.
Angular saves the token and user info in storage (angular-storage), and the token is added to every request (Authorization header).
When the user clicks the log out button, storage is cleared and the token is deleted from the database.
My question is: is this secure, or do I need to use something like JWT? Can I send a role name (for example 'moderator') to Angular without encoding it in any way? (Of course the server will always check whether the user with this token is allowed to do something.)
I will also implement Doorkeeper in my app in the near future.
Boomerang, Streak and other similar browser extension apps that use OAuth2 to authenticate the user to Google also have to authenticate the user to their backend servers. They don't use a separate login system for their web backend app.
I am assuming they piggyback on the initial OAuth2 traffic with Google and set a third, custom token to identify the user to their backend server.
It gets tricky when multiple Gmail users sign in from the same browser. The extension must keep track of every Gmail user and associate them with a new token.
Is this how they do it? What would your expert advice be on creating such a third token? I am thinking of taking the email address and whatever unique ID I can get from the client browser and encrypting this on the server to create a token for the user. Would this be secure enough? Do you have any better suggestions?
I am trying to build out a video collaboration platform. I wish to design it in such a way that there is an API and my web app is like a 'third party' app.
The way I see it working is with three main components:
JSON API written in Ruby
Web App written in Ruby/Rails
Front End Application in Coffeescript
I want to be able to make authenticated requests for resources such as 'projects'
As of right now, I imagine the front-end application talking to the Rails app in order to get an authenticated request, and then the front-end app using that authenticated request to call the API.
I have a few questions about this architecture.
If I plan to open the API up later, is OAuth what I should be using?
If so, what would the request flow look like?
I am only asking these questions because OAuth looks to be the standard, and I can only see it in terms of authenticating a third-party app to access resources in another app.
I guess I am mostly looking for some guidance, as I can build applications, I am just no security expert. Thank you all for the help.
I can tell you what I'm doing right now in my project:
Rails API (JSON); you can use the rails-api gem, Grape or the full Rails framework.
Single-page web app using AngularJS (it can be anything else you feel comfortable with, like Backbone, Ember.js, etc.)
How I'm authenticating the user:
The user posts to /login with username and password
The Rails part authenticates the user (by the username and password), creates an access token (persists it in a table, with an expiration time, for example 30 mins) and returns it to the user.
Each request from the client side (AngularJS part) is passed with a Token authentication header like so: Authorization: Token token=[the token goes here]
The Rails API uses the token to get the associated user.
If the token has expired or is invalid, it returns 401 (Unauthorized); once the AngularJS part intercepts a 401 it redirects the user to the login page.
If the request is authenticated, the expiration time is reset to 'now', so the 30 min I'm talking about acts like 30 mins of inactivity.
You can do a lot more with the access token - you can do roles, like Admin, User, etc. and limit the user's access to resources.
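The opaque-token scheme this answer describes, as an added example that is not the answerer's code: tokens stored (hashed) in a table with a sliding 30-minute inactivity window, the `Authorization: Token token=...` header parsed on each request, 401 for missing, unknown or expired tokens, and a role check on top, which also answers the earlier AngularJS/Devise question about roles: the role is kept server-side next to the token, so whatever name the client displays is never trusted. The in-memory hash stands in for the `access_tokens` table and the user IDs and roles are constructed.

```ruby
require 'securerandom'
require 'digest'

# Added example (not from the original answer): server-side opaque tokens with
# a sliding inactivity expiry. @rows stands in for an access_tokens table and
# stores only the SHA-256 of each token, so a leaked table cannot be replayed.
class TokenSessions
  INACTIVITY_TTL = 30 * 60                     # 30 minutes (from the answer)
  HEADER_RE = /\AToken token=([A-Za-z0-9_\-]+)\z/  # "Authorization: Token token=..."

  def initialize
    @rows = {}   # sha256(token) => { user_id:, role:, expires_at: }
  end

  def key_for(token)
    Digest::SHA256.hexdigest(token.to_s)
  end

  # Called after username/password are verified; returns the plain token once.
  def login(user_id, role:, now: Time.now.to_i)
    token = SecureRandom.urlsafe_base64(32)
    @rows[key_for(token)] = { user_id: user_id, role: role, expires_at: now + INACTIVITY_TTL }
    token
  end

  # Returns [status, row]. 401 for a missing/malformed header, an unknown token
  # or an expired one; on success the expiry slides forward ("30 mins of inactivity").
  def authenticate(authorization_header, now: Time.now.to_i)
    m = HEADER_RE.match(authorization_header.to_s)
    return [401, nil] unless m
    key = key_for(m[1])
    row = @rows[key]
    if row.nil? || row[:expires_at] <= now
      @rows.delete(key)          # purge expired rows as they are seen
      return [401, nil]
    end
    row[:expires_at] = now + INACTIVITY_TTL
    [200, row]
  end

  # Role check on top of authentication: 401 if not logged in, 403 if logged in
  # but not allowed. The role comes from the server-side row, never the client.
  def authorize(authorization_header, required_role:, now: Time.now.to_i)
    status, row = authenticate(authorization_header, now: now)
    return [status, nil] unless status == 200
    row[:role] == required_role ? [200, row] : [403, nil]
  end

  # Logout deletes the row, so the same token can never authenticate again.
  def logout(token)
    !@rows.delete(key_for(token)).nil?
  end
end
```

Because the token is random and only its hash is stored, there is nothing to decode on the client side; the role name can be sent to the SPA in plain JSON for display, and every request is still checked against the row in the table.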