I need to validate a linkedin access token on server side, also i need to know if the token is valid for my app. I've tryied with:
{https://api.linkedin.com/v1/people/~?oauth2_access_token=YOUR-ACCESS-TOKEN} , but this obviously works with all valid tokens. I need to check also if the token is valid for my app.. is there a way to do that with linkedin api?
Related
I'm trying to secure my endpoint using open Id connect. Currently there is only a mobile app client. With Google as the Identity provider, I have Id_token and access_token.
My question is can I use this access token returned as a part of authentication to authorize user to access my endpoint?
If yes, Is there a way to validate the access token within my server?
Or Should I create an access token for the user and store the same, so that when the user requests, I will check in the DB/Redis ?
OpenID connect is an Authentication layer on top of the "Authorization" framework OAuth 2.0. So the Access Token is the "Authorization" for the OAuth Client to access the resource.
Perhaps this post may help.
As #jwilleke mentioned, OAuth2.0 doesn't specify a way in which an access token can be validated with Authorization server.
Hence the approach that I took was to verify the JWT Id token by checking the signature of it and storing the access token returned along with it.
I would like to use the oauth2 token permanently in my website.
Using google API, when the user giving permission to manage their google calendar, I am getting the access token from google API. I want to save it in database and use it for the last long.
But it is getting invalid. I tried to refresh the token using the oauth2 refresh token API. But getting the error as follows.
Array ( [error] => invalid_grant [error_description] => Token has been expired or revoked. )
I don't want the user to give the permission each time when he enters the website.
I would also like the admin need to access the user's calendar using this token or any other way if it is.
How can I achieve this?
Instead trying to get the permanent token, I am using the refresh token option.
When I call the google calendar using tag, I have added the parameter like "access_type=offline" as follows
$login_url = 'https://accounts.google.com/o/oauth2/auth?scope=' . urlencode('https://www.googleapis.com/auth/calendar') . '&redirect_uri=' . CLIENT_REDIRECT_URL . '&response_type=code&client_id=' . CLIENT_ID . '&access_type=offline';
After the user allows, I'll get access_token with refresh_token as response. I am saving those in database. Then everytime, when the user's calendar access by the admin, will get the new access_token using the refresh_token that is stored in the database through the refresh_token api call until the user use the unsynchronize option in my site.
Once the user unsynchronized the calendar, I'll update the database.
Problem is resolved.
Bottom line is you can't get a permanent token - but you can mitigate the need for your user to re-supply credentials.
The solution depends what grant type you are using (which depends largely on whether your application runs on a server or or a end-user's machine). You mention a website so hopefully you use a grant type which returns a refresh code too.
If your app runs on a server and you get a token via the authorisation code grant then you should be able to also get a refresh token when you get an access token. You can use that refresh token to request new refresh/access tokens on a back-channel, without need of your user, or their credentials.
Effectively you should then have long-lived access to your user's google resources providing the user doesn't revoke access.
If you use other grant types, like implicit grant, then you can't get a refresh token. You will need to regularly obtain a new access token. If your user remains logged-in to google on the device your app is running on then they should not be required to supply their google credentials when you request a new access token, so you won't be constantly pestering them for credentials.
I need to generate or make url-link with inline token, that i can send to user email for only once login.
I found how get access_token for user for redirect to my endpoint (How do I obtain an OAuth token from WSO2 using the Consumer Key/Secret?), but I don't understand what to do next. I found how validate token, refresh it, but nothing about logon by token.
I need something like https://my_wso2is/auth_token?token=37133621-f099-33c4-b686-c017ed229fc0
You can use OIDC in order to get the user authenticated and then allow access to your application. You can find more information from [1] about how WSO2 IS works with OIDC using one of the sample applications named playground.
[1] https://docs.wso2.com/display/IS500/OpenID+Connect+with+the+WSO2+Identity+Server+and+WSO2+OAuth2+Playground
I am building my REST API to be used with my IOS app. I have a little problem...
How do I implement the "resource owner password credentials grant"? I cannot store the client credentials in the IOS app code (not secure) so I have no idea how to secure the API.
So basically, I would be using HTTP Basic Authentication over SSL which would return a token. However, this means that anyone can make a simple post request to my API endpoint from wherever and also obtain a API access token. Basically I'd have a open API.
What do you recommend?
you can actually use keychain to store the data you need .. it's totally secure.. but sure don't store password in it, it will be a deal breaker for you :)
you can request with the password of the user an access_token from the oAuth as you've suggest
and store the access token into the keychain.. it proved that it's secure for me .
We have a desktop app (Delphi XE2) that gets an oauth request token from Intuit and fires off the URL call to Intuit where the user authorizes our app. This half of the oauth dance seems to be working.
The problem we are running into is getting the Access Token and Access Token Secret. We never seem to get it.
Details:
This is for QuickBooks v3 API.
We have a web service setup to handle the callback whose URL we pass along when we make the call to get with request token to https://appcenter.intuit.com/Connect/Begin
That opens the Intuit web page with our test company and our app listed. When we grant access to our app from the Intuit site the web browser is redirected to our callback URL and that contains an oauth token (which I'm not really sure is our access token) but we never get the access secret. That's the missing thing for us.
Is the token we are getting in the callback our access token?
If so how do we get the access secret? Is that token another token to be used to make another call to https://oauth.intuit.com/oauth/v1/get_access_token where we would obtain our access token and secret?
I tried using the token returned to our callback URL as a token for the "get access token" url and that gave me unauthorized errors.
If the token returned to our callback URL is not the access token where/how the heck do we get it?
Any help or direction is appreciated.
UPDATE:
So, it turns out I was missing one entire step of the OAuth dance.
After the user authorizes access and that passes the original request token and a verifier key to our web service. That verifier key is used with the original token in yet another call to Intuit to get the access token and access token secret.
Cheers!
TJ
The initial callback returns to you a request token, which you then have to send back to Intuit via the get_access_token URL to get an access token and secret.
Intuit instructions:
Implement OAuth in Your App
The OAuth spec it refers to is RFC 5849.
You can refer the sample V3 APP.
https://github.com/IntuitDeveloperRelations/QuickbooksV3API-Java
To be specific, please refer
OAuthController.java and OAuthHelper.java
Thanks