Why is Actions on Google not calling my OAuth service - oauth-2.0

I have written an OAuth 2 code & token service and configured my Actions on Google app with Account Linking. I'm trying to implement the Streamlined Identity Flow but when I request the SIGN_IN intent, I don't see any activity in my logs.
When I try to test my auth endpoints from Google's OAuth 2.0 Playground I do see activity in the logs, so I know I'm doing something right. If I configure the gactions app to use "Google Sign In", the app moves forward, so I've got the code in my app working also.
I've tried "OAuth" and "OAuth & Google Sign In".
I've created and provided a Client ID and secret.
I provide my "/auth-code" in "Authentication URL" and my "/auth-token" in "Token URL".
I've also tried testing using the gala-demo but it says "Invalid response" (but no activity in my logs).

The documentation doesn't make it very clear, but the auth/code endpoint is not used at all by the Streamlined identity flow. It calls directly to the auth/token endpoint with the JWT assertion.
The Authentication URL that you provide in the Account Linking page is the fall-back web UI that the user is redirected to if the token endpoint replies with 401 {"error": "linking_error"}.

Related

Sign in with apple on backend: how to authenticate subsequent calls

I'm trying to understand the flow of "sign in with apple".
I found some examples on the internet, but most of them are about making an "authenticate" API endpoint which finds or creates a user on the backend.
But how should I authorize the following API calls? My first guess was to use a custom auth token that backend generates after "authenticate" endpoint has validated successful sign in with apple.
Though I'm not sure if it's optimal because as I understand JWT is designed to be used without session tracking on the backend.
Also, here in the schema apple says "establish user session". What does it mean exactly?

Dropbox API OAuth response "No scope requested can be granted for this app"

I am building an application that would need access to Dropbox files, which uses OAuth 2.0 to authenticate. I have been following the tutorial linked below step by step, using Postman to get an access token by authorization code. But I couldn't get the same result as the tutorial video (16:39) on my request. Here is my response:
"Error (400)
It seems the app you were using submitted a bad request. If you would like to report this error to the app's developer, include the information below.
More details for developers:
No scope requested can be granted for this app."
I also noticed there's an update to the Dropbox API: when I created my app in the Dropbox App Console, there's an option called "scoped access" instead of the two options (Dropbox API or Dropbox Business API) shown in the video. Does anyone know how to fix the problem? Thank you.
Tutorial link:
https://www.youtube.com/watch?v=YpmEkNJubHA&t=921s
This error message indicates that none of the "scopes" being requested during the authorization flow are registered for the app. When using a scoped app, you need to enable all of the scopes that your app will need before initiating the authorization flow with those scopes.
You can enable whatever scopes you need from the "Permissions" tab on the app's page on the App Console.
You can find more information on how the OAuth flow and scopes work in the OAuth Guide and authorization documentation.

What is the proper Authorization Code OAuth2 flow?

I'm currently unfamiliar with the OAuth 2.0 Authorization Code Flow. I've read many articles about it, but I still don't know how to properly implement it. So far, what I know about the flow:
User Logs in using OAuth
User is redirected to the authorization server for authorization code
Callback for permission/scope
Redirected to authorization server for access token in exchange for authorization code
Redirect back to the client with the access token
Client uses access token to access resource server.
Right now, what I'm still confused about is where the login validation (login with username and password) should come in. Is it a separate validation before going into the OAuth flow, and once the user is valid, should it go back to the flow?
I have some resources that explain OAuth 2.0 using Google Sign in as an example. Let me try to rephrase it according to your question.
Let's use the example of a user logging-in to Intercom using "Sign in with Google".
The user presses the button "Sign in with Google". This will redirect to the identity provider's /authorize endpoint (could be different for each provider), which goes to their login page.
The user is redirected to Google's accounts page. If not already logged-in, the user can enter their Google email/password here.
Google redirects back to Intercom with an authorization_code (for example, it redirects to https://intercom.com/authcallback?code=XYZ...)
Intercom's backend server sends this authorization_code with the client_id and client_secret (from their project in Google), usually to the /token endpoint, and receives an access_token.
Intercom can then use the access_token to access the user's profile from Google.
So to answer your question, the user can enter their email/password inside the OAuth provider's page. Keep in mind that OAuth 2.0 doesn't specify how the provider is authenticating the user. This means, that the OAuth provider can authenticate their users in different ways, like email/password, email magic-link, SMS OTP, etc. Your website is just supposed to trust the OAuth provider that they are authenticating the user for you correctly.
Some extra resources that would help you understand OAuth 2.0 more:
How to store the OAuth 2.0 access and refresh token in your front end
Picking the right OAuth 2.0 flow
login validation come (Login of username - password)?
OAuth 2.0 is NOT an authentication protocol.
The OAuth 2.0 specification defines a delegation protocol.
Any use of username - password is outside of OAuth 2.0, and you should be looking at OpenID Connect, which is an authentication protocol built on top of OAuth 2.0.
Best current Practice for Authorization Code flow is to use PKCE on OAuth or OpenID Connect.
The usual solution is to externalise both OAuth 2.0 and OpenID Connect from your code by using a mature security library. When you're new to this type of security there is a learning curve. My resources will give you an idea of how it all fits together:
Code Sample
Tutorial Blog Post
The libraries you integrate depend on the technology stack you are using. The resources above are for a Single Page App and NodeJS API.
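The authorization-code steps and the PKCE recommendation above, as an added example that is not part of either answer: a client-side Python sketch of the flow with S256 PKCE and state checking. The provider endpoint, client_id and redirect_uri values are made-up placeholders, and the Google/Intercom names from the answer are not used.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider endpoint and client registration (assumptions, not from the page).
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example.com/authcallback"


def make_code_verifier() -> str:
    # RFC 7636: 43-128 chars from the unreserved set; token_urlsafe(64) yields 86 chars.
    return secrets.token_urlsafe(64)


def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with the '=' padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(state: str, verifier: str, scope: str = "openid profile") -> str:
    # Steps 1-2: the user is sent to the provider, which does the actual login itself.
    # The challenge binds this request to the later token exchange (PKCE).
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    # Step 3: provider redirects back with ?code=...&state=...; reject a mismatched
    # state (CSRF defence) before the code is used for anything.
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request_body(code: str, verifier: str) -> dict:
    # Step 4: back-channel POST body; the provider recomputes S256(verifier) and compares.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
```

A confidential client would also send client_secret (or another client credential) with the token request; a public client relies on PKCE alone.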

How to authenticate a request in Bitbucket REST API

I am trying to use the bitbucket API for getting details of my repositories, issue, etc., but I am not able to find a clear way of authenticating the API request.
I would like to have a simple way of authenticating the endpoints like
https://api.bitbucket.org/2.0/repositories/usamarehank_dckap?access_token={my_access_token}
Here I obtained the access token from the app password section of my account.
I am getting an error on doing so like
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
I tried using consumer key creation, but I am not sure where to plug those values into the request, and with OAuth it asks for a client_id, which I am pretty sure the docs don't say where to get.
How would I basically do a simple access_token request just like github API without any OAuth?
Right, this access_token is part of the OAuth authentication process: https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html
To use just these app passwords you can create via your profile, you need to use simple Basic Authentication with that app password.
You can read a bit more about it here: https://developer.atlassian.com/bitbucket/api/2/reference/meta/authentication

Google ADX Seller Rest API scopes

I'm having some issues with the above API that I can't seem to solve and would appreciate any help: I'm trying to build an OAuth URL with the scope of https://www.googleapis.com/auth/adexchange.seller+https://www.googleapis.com/auth/adexchange.seller.readonly and I'm not prompted for those permissions when redirecting to the OAuth URLs.
I've taken the developer console URIs and only changed the client_id and redirect_uri and it still doesn't work, so I believe the problem is with my google developer console application?
e.g. the google developer console URI which prompts me to authorise for "View and manage your Ad Exchange data" and "View your Ad Exchange data" is:
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/adexchange.seller+https://www.googleapis.com/auth/adexchange.seller.readonly&response_type=code&access_type=offline&redirect_uri=https://developers.google.com/oauthplayground&approval_prompt=force&client_id=407408718192.apps.googleusercontent.com
Now if I only change the client_id and redirect_uri to use my application, I only get prompted to "Have offline access", which in turn does not allow me to access any data as it says that this user does not have any AdX account.
Both cases I'm authenticating with the same user (I also tried with other adx users), using a "client id for web application" credential.
Thanks
Amnon
If anyone ever has this problem: the issue was caused because I once tried to authenticate with a Google credential for an installed application, and for some reason, until I revoked the access for the application from google.com/settings, it wouldn't prompt me for the correct scopes. After revoking, everything started working as expected.
Amnon