OpenID Connect (Google's OAuth) feature implemented in Swagger-UI? - swagger-ui

Does the current version of Swagger-UI (the UI specifically, not the OpenAPI specification) support OpenID Connect when it authorizes users?
My search on Google, Stack Overflow and the SmartBear sites did not provide a definitive answer. With Swagger-UI having an almost weekly build cycle, I thought I'd ask just in case I might have missed a mention of it.

Related

Best practice for open source applications using IMAP with OAuth2 regarding credentials?

Sorry for a fuzzy newbie question but I didn't find a similar one yet - maybe I'm just asking wrong.
I'm working on an open source Python application which reads and processes emails from given mailboxes using IMAP and SMTP (from various (self hosted) email providers, so a MS/Google specific implementation is not an option for me).
Currently I'm extending that application to support OAuth2 after Microsoft announced they will no longer support standard IMAP/SMTP authorization.
I found lots of HowTos, tutorials and examples and managed to read/write mails using OAuth2 with GMail-servers now but I hope I just missed the recommended scenario for open source applications.
Currently I've set up a Google "Project" using tutorials I found in order to get ClientID and ClientSecret. Google told me it would cost me $15k to $75k to get my application verified, while Microsoft wants me to create an Azure/Identity Platform account and wants my telephone and credit card number in advance in order to bill me after 12 months.
Question: What am I supposed to provide with my application regarding OAuth2? I don't want to publish my ClientID/Secret, do I? Does every user have to go through those registration procedures in order to access their mails using a command line script?
How do other open source mail applications solve this issue? At least Thunderbird can authenticate with GMail (see https://www.supertechcrew.com/thunderbird-oauth2-gmail/). Do they provide ClientID and -secret with the application?
Here is an old thread discussing the issue: https://groups.google.com/g/tb-planning/c/RRSPwp36bi0?pli=1
Disclaimer 2: I know this question sounds very obvious but I really didn't find a hint yet :)

Can you suggest really good documentation to add google+ OAuth2 to an openapi v3 document running in swagger-ui?

Basic authentication is working fine in my openapi v3 document running in swagger-ui. Now I want to add Google+ oauth2 authentication. Can you point me to good newbie documentation how to do this?
I find the configuration options a bit overwhelming as I don't know what options to choose. Most examples I find using a google search seem to be swagger v2 based or result in me thinking I'm an idiot (which may be the case, but I think it has more to do with knowing little about google oauth flows).
The OpenAPI Specification supports the description of OpenID Connect authorization, however Swagger-UI and Editor have not yet implemented it.
The lack of this functionality has been added to the GitHub swagger/swagger-ui issues #3641 list of features not yet supported by Swagger-UI.

How do I add Google OAuth (OpenID Connect) as an IP in Azure ACS?

Disclaimer - I am an extreme n00b when it comes to SAML, ACS and OAuth .. and just auth in general. I'm used to Windows Auth and at a push ADFS. I'm afraid you might need to give me the slow "one word a page" version here.
As you are I'm sure aware Google has now deprecated the use of the OpenId 2.0 API for authentication (as of May 19th 2014). This has of course completely broken the "Google" Identity Provider (IP) in Azure Access Control Services (ACS). I basically need to add Google Support back in for a new project and understand it might be a bit more complicated than "click a few buttons".
I have seen a few blogs mention that I might need to "create an STS for the Google Auth, which I then add to ACS as the IP" but they didn't go into any more detail and I honestly don't have any idea how to do this or what it involves. I am happy to write code (I've been writing C# for almost 10 years) but have never done anything like this before.
Can anyone point me at samples / tutorials that will hopefully not go completely over my head?
The latest samples for Google+ are the ones on the Google+ Github page. Check out the .NET sample, this shows the code flows for OAuth 2.0 using Google's client libraries. There's a blog post on the key OAuth 2.0 flows in .NET as well.
If you are using MVC, there is a blog post on integrating OAuth 2.0 with Microsoft's MVC framework.
Although the samples are not targeted to Azure, I have deployed them to Azure instances without issue. If getting integrated into Azure is shown to be problematic and you think it would be worth it for Google to provide support, please request a feature in the issue tracker.
If you create a plugin, extension, etc that would be useful to other developers, please share with the Google+ developer community.

Does Yahoo and MS support Oauth 2.0? and few questions about oAuth 2.0

I have several questions...
Does the Yahoo and Microsoft API support OAuth 2.0?
If yes, then what are the main security measures that should be taken care of while shifting from OAuth 1.0 to OAuth 2.0?
Google API supports OAuth 2.0. But they have still marked it as experimental. Is it good to start shifting even though it is experimental?
I see while registering an application on Google (for OAuth 2.0), they ask for a callback URL. If a single application uses a condition-dependent callback URL such as -
if($myVar == NULL) $callbackUrl = 'http://www.mydomain.com/test.php?m=f&params=null';
else $callbackUrl = 'http://www.mydomain.com/test.php?m=x&params=1';
How can I implement the above when the callback URL is already specified? The above conditional mainly handles the fallback model of an application or, if the browser supports Java, then the Java-based model of an application. Kindly suggest.
May I know how many email-providing websites and social networks support OAuth 2.0?
Yahoo does not support OAuth2 yet, only OAuth 1.
Microsoft does support OAuth2. http://msdn.microsoft.com/en-us/library/hh243647.aspx
OAuth 2 is simpler since it uses SSL (HTTPS) to provide transport security, so the signatures and token-secrets are not needed. When you switch you will need to re-implement your OAuth flow. I can't think of any specific security measures specifically applicable to upgrading from OAuth1 to OAuth2, but the spec details some security considerations in section 10 (the parts applicable to clients are 10.3, 10.4, 10.5, 10.6, 10.8 and 10.9).
The OAuth2 specification is still not finalized, and may change. You could begin to implement your OAuth2 flow with Google, but bear in mind that it is possible that names or requirements of parameters, endpoints etc. could change and your application will break / you will need to make changes in future. [Experimental Features] could change (or even be removed) at any time. It is probably a bad idea to use experimental (or beta) software in a critical production environment.
Also, not all Google services support OAuth2 at the moment. eg. If you want to use OAuth for IMAP access to Gmail you will have to use OAuth1 for now.
In the API Console, you can specify multiple callback URLs for your OAuth2 application, one per line. An alternative would be to store your 'm' and 'params' parameters in a browser session / cookie and do the redirect to the correct page once authorization is complete.
Support (some revision of) OAuth2: Facebook, Microsoft/Live, Google (with exceptions described above), Foursquare, GitHub, Gowalla, GeoLoqi, Salesforce.
Support OAuth1 Only: Yahoo, Flickr, Twitter.
Source.
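The session-based alternative suggested in the answer above, sketched in Python as an added example (not part of the original answer): one registered callback URL is always sent, the desired mode is kept server-side, and the callback picks the final page from a fixed allowlist. It goes slightly beyond the answer by also binding the session to the OAuth2 `state` parameter; the endpoint, client ID, callback path and the `session` dict are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Assumed values for illustration only; none of these come from the original post.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://www.mydomain.com/callback.php"  # the single registered callback

# Allowlist of post-login destinations, keyed by the question's 'm' value.
# The callback only ever redirects to one of these local paths.
DESTINATIONS = {
    "f": "/test.php?m=f&params=null",  # fallback model
    "x": "/test.php?m=x&params=1",     # full model
}


def begin_authorization(session, mode):
    """Store the wanted mode server-side and build the authorization URL."""
    if mode not in DESTINATIONS:
        raise ValueError("unknown mode")
    state = secrets.token_urlsafe(32)  # unguessable, single-use value
    session["oauth_state"] = state
    session["oauth_mode"] = mode
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # never varies with the mode
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def finish_authorization(session, returned_state):
    """Check the callback; return the local path to redirect to, or None to reject."""
    expected = session.pop("oauth_state", None)  # pop makes the state single-use
    mode = session.pop("oauth_mode", None)
    if not expected or not returned_state:
        return None
    if not hmac.compare_digest(expected.encode(), returned_state.encode()):
        return None  # state mismatch: response was not started by this session
    return DESTINATIONS.get(mode)
```

Because the destination comes from the server-side session and the allowlist, nothing in the callback's query string can steer the final redirect.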

Can you use Google's oAuth to just authenticate?

Can you use oAuth to only authenticate like you can with Twitter?
If you check Google's docs at http://code.google.com/apis/accounts/docs/OAuth2.html you'll find that the scope (meaning, the service you're supposed to ask permission to) is a required field.
It may be a turn off for many users if you ask them to access their contact list when the most you really do is authenticate, so I rather stick with OpenID which is designed just to retrieve the UID.
So, the answer is really NO, unless you're planning on using an additional API with Google.
OAuth is an authorization protocol and can't be used for authentication only unless the provider defines a dummy scope which, in effect, authorizes you to access "nothing", or "basic user info" (name, e-mail, etc.).
AFAIK, Google provides no such "dummy" scope. However, they do implement OpenID for such authentication purposes, as the protocol is better suited for that task, anyways.
Yes, you can. There are many options; it depends on your platform. I advise you to check oauth.net.
You can find options there for Java, .NET, Cold Fusion, PHP, etc.
There are many Frameworks that have OAuth capabilities, on Spring you can use this
Sounds like there are some plans afoot on this...
http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html?showComment=1300267218233#c6336940633709651714
some chap:
"Can someone help by pointing to the documentation for the API of "just get basic information for a user"
other chap:
"The problem is, that you get a lot of different login mechanisms because Twitter is using OAuth 1.0 (Or am I wrong?), Facebook is using OAuth 2.0 and Google is using OpenID for login. Please correct me if I'm wrong. So basically I have the same question.
Will Google support login for basic user informations with OAuth 2.0 for Google APIs?"
google dude:
"Today we're supporting OpenID for login, but we've heard your pain about mess of different identity protocols on the web. Stay tuned :)"
Seems to me, as OAuth2 covers authentication and authorization, it would make sense to allow basic info and make it easy on the integrator using one method for all
I'm plumping for this possibility anyway, hopefully by the time I'm ready to put my app live it will be available from Google - Facebook has this anyway and in my case that's a big enough draw
