We've been using pow to easily spin up local development servers for our platform. However, Google recently broke all .dev domains in chrome by requiring them to have SSL certificates. Anvil worked around this by switching to .test domains instead of .dev. This worked for the most part, but we figured out that Google won't let you use a .test domain as a valid OAuth 2.0 callback.
Does anyone have any clue how we could solve this without scrapping anvil/pow or OAuth 2.0?
I'm using xip.io as my workaround at the moment.
E.g. for an app that you used to access using http://blog.dev instead use http://blog.127.0.0.1.xip.io.
This works to access the pow app but also is allowed as a Google OAuth redirect url because it's a .io domain.
This is a very annoying issue. Especially since google were the ones who made .dev unusable in chrome by automatically upgrading it to https...
Related
What would be the best way to obtain an AAD token from an electron app?
Microsoft has 2 javascript authentication libraries: adal.js and msal.js.
Both are designed for browsers and not native Electron apps (For example - AAD won't allow for file:/// scheme as a reply URL).
Sounds like a long term solution would be native AAD packages (like Microsoft built for Apache Cordova), but since that's probably not going to happen any time soon, what is the best short-term option?
Azure Storage Explorer is a good example of an Electron app that does this. It even allows for being logged into multiple AAD accounts at the same time.
You might be able to check out what's going on in the app's dev tools. I've had a poke around and it looks like it uses adal-node npm package instead of the browser based js libraries.
It also looks like it uses an authorization code flow for obtaining tokens.
The Azure AD doesn't support the file protocol as the reply address. To develop the single page application, you can host it on the server and using the server URL as the reply address.
I've taken over development of a Google Analytics API dashboard for a content management platform, and upgraded the code to use OAuth2 as the older oauth was disabled recently. The authentication flow and subsequent API calls are all working fine on my localhost for development.
The problem is when trying the code from a different domain. Google wants the redirect_uri to be whitelisted through the developer console, and if it isn't there, it throws Error: redirect_uri_mismatch
As this is a self-hosted (+ open source) package, people will be able of installing on their own servers, there is no way I'll be able of adding all possible redirect_uri values to the app key in the developer console.
After a bunch of Googling and trying to understand the docs, I get the impression there are 2 possible solutions.
Instruct users to go to the Google Developer console, and to create an app key of their own, before also going through the OAuth2 flow within the distributed app to provide the code access to the data in Google Analytics.
Use a redirect_uri value of urn:ietf:wg:oauth:2.0:oob with an Installed App key, instructing people to copy/paste the code back into the self-hosted app after authentication.
Neither of these are really appealing as it adds a bunch of complexity for the user (though option 2 sounds mostly doable). Are there other options, or am I simply overlooking something simple?
You actually don't have any choice in this matter. You must go with nr 1. When you state this is a dashboard and web application it leads me to believe this is some kind of scripting language. This means that the client id and client secret will be displayed to your users / customers. This is against googles terms of service.
Changes to the Google APIs Terms of Service Asking developers to
make reasonable efforts to keep their private keys private and not
embed them in open source projects.
You may not release your client id and client secret to your users they are going to have to create there own. Which nicely solvers your redirect URI problem they have to make there own.
Further reading Can I really not ship open source with Client ID?
I have seen other questions on SO about this (here, here, and here), but I am not satisfied with any of the solutions, so I am asking it again. I am starting a web application that will utilize OAuth from multiple providers (Google, Facebook, Twitter, Yahoo) for authentication. I am struggling to find a configuration suitable to use for both a local development environment and a production environment.
The leading solutions I've found are to register multiple apps within each provider, receiving a different consumer key and secret for each:
"My App Production" - with a callback URI to http://www.myapp.com/callback
"My App Development" - with a callback URI to http://local.myapp.com/callback
Add an entry to your local hosts file to point local.myapp.com to 127.0.0.1 and some configuration for your application to use the proper consumer keys based on the environment, and you are good to go, right?
But my application is responsive and I need to test my development environment running on my PC from multiple other devices, like my iPhone and iPad, neither of which will be able to resolve the development callback URI.
Let's say I already have a DNS server on my network and am able to add the entry for local.myapp.com there instead of my local hosts file and can now access my development instance from any device on the network.
But my development team all operates on the same local network. Now local.myapp.com points to the same IP for everyone. Let's go back to setting the hosts file on each developer's computer so that they can all work independently from within their workstation. Now no one can test their development instance from their iPhone again. It hardly seems like the right answer for each developer to register an application with the provider just so they can specify a unique callback URI.
Normally when I get way down in the weeds with a complicated solution for a seemingly straightforward issue, it usually means I'm doing something fundamentally wrong. Am I missing something about OAuth, is it not intended to be used like this? I am tempted to scrap OAuth altogether and just go with OpenID (no app registration required and can specify the callback URI from within the app), but then I lose two of the big hitters in Facebook and Twitter. I don't really need any of the user's data, it's just a nice to have if it's available. Can someone talk me back into OAuth?
I can't speak for FB or Twitter, but in Google's Oauth implementation you can register several oauth callback URLs. So you simply need some logic in your app which senses that it is in test mode, and then starts the Oauth flow with the appropriate callback URL. There are downsides, eg clashes between the live and the test refresh tokens, but they are manageable.
In my app I have a singleton which manages all of this. When my app needs to start an Oauth flow it calls the singleton with the request URL and any other salient data (eg. debug flag) and the singleton returns the correct callback URL, client ID etc.
I posted the following answer about a rails app I wrote:
OAuth2 in development and production
It was a gem called figaro which did per env configs for google OAuth2.
I have yet to find a less manual approach that enables dev access to all concerned devices:
Assign each developer's machine a fixed IP through the local network's DHCP system based on their MAC address, or (less recommended) have them choose an IP and hope for the best
(optional*) Assign each developer's machine a DNS hostname in the local network based on that IP
Register an oauth entry for developer on each provider with the hostname of the developer's machine.
Each developer configures their application to use their unique oauth dev tokens.
Assuming all the devices in the network rely on the same DHCP and DNS servers you'll then be able to visit alice.dev.myapp.com or bob.dev.myapp.com from any device on the network.
Note, you'd manage the oauth configuration for each an every other environment separately, but following the same approach.
There are likely tools to automate registering a developer's machine IP and hostname to ease that part of the puzzle. Registering the oauth config on each provider per dev is the most tedious step.
UPDATE
*You can skip the DNS part if you use a xip.io url e.g. 10.0.0.123.xip.io if you know Alice is 10.0.0.123, but you'd still want that IP to be fixed as you don't want to keep updating the url for the oauth tokens in step 4.
I created an app to be used in a page tab. I have it hosted on my server which has a SSL protocol associated. However, the https url hasn't the usual naming (you can see it below):
https://secure395.websitewelcome.com/~rexdot/discoverylocker/
Is there any reason FB doesn't accept this? I'm sure this is the https url, it was given from my server support. And I'm also sure the app is there and fully working.
Thanks!
according to hostgator only solution is to pay for your own SSL. I've used other hosting services with reseller accounts and never had this issue before. In fact, the apps were running fine on those shared SSL certs from other companies.
So, one big reason why hostgator is not the way to go... their shared SSL is for websitewelcome.com which has been flagged as spam.
I've been working on a Google Maps based Rails app and it was working fine until I installed Phusion's Passenger and now Google Maps API won't recognise the API Key which I generated for http://localhost:3000.
Now I'm running Passenger, the URL for my app is http://mygooglemapsapp.local. I've generated a Google Maps API key using this new URL but I'm still getting the same error.
"The Google Maps API server rejected your request. This could be because the API key used on this site was registered for a different web site. You can generate a new key for this web site at %1$s."
What URL should I give Google Maps API so it will recognise the Passenger generated URL?
Thanks in advance.
Nick
Depending on your Apache config (I'm assuming this is an OS X install from the .local URL) you might be able to change the set-up such that you run multiple Rails apps via http://localhost/MY_APP/
There's some good examples on setting up mod_rails for multiple directories here
Pay attention to the example for deploying multiple apps under one VirtualHost. If you can get this configured, then you can just request a Google Maps API Key for http://localhost/ and reuse it as much as you need in development.