i have a problem with moya with multiple asyncronous https call when oauth2 access token expire.
Anyone implement oauth2 paradigm with moya?
Related
Have an app running in GCP using App Engine and secured by IAP. To the best of my knowledge IAP uses OAuth, but when I open the app in the browser and inspect the outgoing XHR requests I don't see the HTTP Authorization header on any of them. There does appear to be a token in the cookies though, something named GCP_IAAP_AUTH_TOKEN.
Just wondering if this is still considered OAuth or is it some other form of authentication?
Cloud IAP can use either the cookie GCP_IAAP_AUTH_TOKEN or Authorization: Bearer. Both are derived from OAuth2.
The credential that Cloud IAP relies on is an OpenID Connect (OIDC)
token. That token can come from either a cookie GCP_IAAP_AUTH_TOKEN
or an Authorization: bearer header.
Authenticating with OpenID Connect
I'm using the newest version of Doorkeeper (which is a wonderful gem) and enabled PKCE. It works great for authorization flow (I use authorization_code). However, when I'm trying to refresh token later I'm getting 401.
Params
{"refresh_token"=>"[FILTERED]", "scope"=>"xxx",
"redirect_uri"=>"com.example://callback",
"client_id"=>"xxx", "grant_type"=>"refresh_token"}
The client is a mobile app using AppAuth which as can you see above doesn't send code_challange when refreshing a token. As we read here creators of PKCE says that server should allow for refreshing token without sending code challenge again. How the gem implements that?
I am newbie to OAuth2 and understood its implementation theoretically very well. I followed this link to handle OAuth2 callback URL Build Authorization Callback Handler. But i am using Spring Security in my project, so i don't have to do much work myself. I am using salesforce API. Whenever there is UserRedirectionRequiredException, the spring security OAuth2's ClientContextFilter handles it and redirects for authorization.It all works very Well. I am able to get contacts , tags from salesforce account using RestTemplate and salesfore Resource.
The question is how to handle oauth2 callback URL using spring security. whenever i call any salesforce api e.g getContacts, if access token is available it works. But if i don't have accesstoken, the user is redirected and when authorized, the access Token is obtained from provider but the control goes to my Oauth2callback url and finishes there. Now i have again to call the getContacts Api and it retrives the contacts.
Help me in implementing OAuth2Callback URL using spring security so that when i call any Api, if unauthorized, after authorizing and retrieving accesstoken it automatically calles back to that API rather than stoping on my OAuth2callback URL.
I am trying to implement OAuth2 for an iOS app and I am currently using this extension for AFNetworking : https://github.com/AFNetworking/AFOAuth2Manager, but it doesn't renew automatically the access and refresh token. Can you tell me, please, what should I use?
Does oauth2RestTemplate or access token providers support validate token request?
Here is the flow:
Mobile/Web-App authenticated from third party Authentication server
and obtains Access-Token.
User tries to access a secured resources, and passed the Access-Token in the request, as expected by the protocol.
Is it possible to check this token against third-party server?
I found a bit similar here in the form of a refresh token.
Is validation request the part of the OAuth2 standard?
Thanks
No, OAuth2 doesn't enforce a specific token format or API for validating tokens. This is something that has to be decided independently between the resource server and the authorization server.
For example, the UAA project, which uses Spring Security OAuth2, uses signed JWT tokens, so the resource server can validate the contents without having to ask the authorization server directly. It also provides a /check_token endpoint, which will decode the token and verify that it has not expired.