I know there is an ongoing battle about OAuth1 vs OAuth2 and Google seem to have taken the side of v2 and deprecated their super useful online testing tool that was hosted here...
https://oauth.googlecode.com/svn/code/javascript/example/signature.html
We still use OAuth 1.0a and it suits our needs perfectly. Does anyone know of an alternative online test tool for verifying signatures?
Since this question came up when I searched for it and even though it's probably too late for the asker:
I couldn't find any online tools, but Postman does a great job of allowing you to test OAuth1. They have easy to follow instructions as well:
https://learning.postman.com/docs/sending-requests/authorization/#oauth-10
Related
I have a big problem with development of Office add-in that is causing me big headache.
I need to extract the OAuth 2 token from a back-end written in Spring. I have tried all the samples from Microsoft Documentations, GitHub snippets and projects etc. Nobody works. Apart from MSAL Library that is extracting the token but the window is stuck in a loop of trying to login with Azure.
I know, this is not the correct way. But until now I haven't found any better solution yet. That's why I'm asking here.
Someone got a sample project? A snippet? Or something that could help me to do the job? Unfortunately, office-js-helper is abandoned. So I don't know what I can do.
Thanks
I'm trying to develop an open source solution which will be deployed on Raspberry Pi's or similar SBCs. The RPi part is only relevant insofar as it means all the code and app resources need to be publicly available.
The solution needs to read Twitter statuses, as close to real time as possible, and with as little interference from third parties as possible. I found Twitter's Streaming API, which is blazingly fast, and would be perfect for my application – except it requires OAuth. And as far as I can tell, the OAuth mechanism isn't well suited for deployment on users' machines, since it relies on a secret key which belongs to the application owner (the consumer secret).
I couldn't find any easy way around this – the only solutions I could think of are either handling request signing on a central server, or asking each user to create their own Twitter app account. And I find both solutions terribly distasteful.
Do you see any elegant way out?
It turns out this is indeed not currently feasible cleanly with any of Twitter's public APIs; not now, and not in the foreseeable future. Refreshingly, for once we do have proof for a negative: I also asked this on Twitter's own forum, and I was lucky enough to have my question kindly answered by Andy Piper, Global Lead Developer Advocate at Twitter. There you go.
Your app can open a web browser with Twitter's application authentication webpage loaded. When the user enters their credentials Twitter will return a code which they can copy/paste into your app. It's not particularly elegant. Here is a Python example of the workflow: https://github.com/geduldig/TwitterAPI/blob/master/examples/oauth_test.py
I have spent the past three days researching OAuth 2.0 and I understood how OAuth can be used to interact with a service provided by a heavy weight such as Google or Facebook. However, I'm struggling to see how someone without a team of tech wizards (aka Me) goes about protecting their API with the protocol.
I have a number of questions and was wondering if someone with some experience can help me.
Here goes nothing...
Is there a clear cut leader in terms of an OAuth Authorization Server implementation (Java)? If yes, is there any good resource out there to teach me how to use it?
Its my understanding that I would need to either build an authorization server or leverage a library to dish out client secrets/tokens.
Should I even be thinking about a library or should I be building my own implementation?
Is OAuth still relevant? From what I can see, it seems like the hype around the technology has leveled off or diminished since 2010. I also saw an article where the spec lead disassociated himself from the protocol.
I appreciate any advice or help, I can't find many resources on this topic that address it clearly (tons of Powerpoints, no code). There seems to be a bunch of talk about how it works, yet no book or article can give a solid tutorial. The documentation for the providers I have found is also very spotty at best. I'm just really starting to question whether this is a legitimate undertaking for someone looking to protect their own simple API. Thanks ahead of time.
Take a look at the Libraries on the OpenID Connect developer pages here: http://openid.net/developers/libraries/
I don't think there's a clear cut leading Java implementation yet
I would not recommend implementing the Authorization Server part on your own, that is the complex part and details matter because this is about security; the client part is easier and should be possible to build even without a library
OAuth is very relevant as it is the only standard out there for securing REST APIs; the hype is over, and now it is common technology; just take a look at all big vendors/SaaS out there, they all use it (starting with Google, Microsoft, Facebook, Twitter etc.)
Disclaimer - I am an extreme n00b when it comes to SAML, ACS and OAuth .. and just auth in general. I'm used to Windows Auth and at a push ADFS. I'm afraid you might need to give me the slow "one word a page" version here
As you are I'm sure aware Google has now deprecated the use of the OpenId 2.0 API for authentication (as of May 19th 2014). This has of course completely broken the "Google" Identity Provider (IP) in Azure Access Control Services (ACS). I basically need to add Google Support back in for a new project and understand it might be a bit more complicated than "click a few buttons".
I have seen a few blogs mention that I might need to "create an STS for the Google Auth, which I then add to ACS as the IP" but they didn't go into any more detail and I honestly don't have any idea how to do this or what it involves. I am happy to write code (I've been writing C# for almost 10 years) but have never done anything like this before.
Can anyone point me at samples / tutorials that will hopefully not go completely over my head?
The latest samples for Google+ are the ones on the Google+ Github page. Check out the .NET sample, this shows the code flows for OAuth 2.0 using Google's client libraries. There's a blog post on the key OAuth 2.0 flows in .NET as well.
If you are using MVC, there is a blog post on integrating OAuth 2.0 with Microsoft's MVC framework.
Although the samples are not targeted to Azure, I have deployed them to Azure instances without issue. If getting integrated into Azure is shown to be problematic and you think it would be worth it for Google to provide support, please request a feature in the issue tracker.
If you create a plugin, extension, etc that would be useful to other developers, please share with the Google+ developer community.
I'm trying to secure my MVC4 Web Api. Actually, I just really need an identity provider with some light security. My service is similar to twitter, from a security standpoint, there's not a lot of private data, but the service does need to know the userid for the caller.
It's also important to know that the web service will only be consumed by mobile devices right now, although a website may accompany it at some future point.
S.O. and the internet have led me to Thinktecture.IdentityModel, but man it seems complex and I can find exactly zero documentation or samples. I also haven't yet had a pleasant experience with claims-based authentication. I don't have a claims server, token provider, or anything like that, and it seems like you would need that to use this method. This all seems far to heavy for my situation.
I've also read about people implementing their own HMAC solution (https://github.com/cuongle/WebAPI.Hmac) or using OAuth (https://github.com/maksymilian-majer/DevDefined.OAuth) but these also seem a bit complex (I've read that OAuth without the helper class is enough to make the best developers cry, and I'm not the best). Janrain looks like it might work, but it looks like you have to pay for more than 2,500 authenticated users per year ...
What is the best way to implement a simple identity provider and security for Web Api?
Thanks!
I have attempted to answer a similar question to this before Create an OAuth 2.0 service provider using DotNetOpenAuth where I highlighted the Thinkecture Identity Server. The Setup instructions not too difficult (IMHO) The installation video is here and should help a lot.
I have updated my older answer with this too but there is also a fairly lightweight O-Auth 2.0 implementation example here Sample code here http://code.google.com/p/codesmith/downloads/detail?name=OAuth2.zip&can=2&q=#makechanges
Have you also read this well articulated question here Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)
Well, security is hard :)
As for Thinktecture.IdentityModel -- this is a token processing library (among other things) that you'd use in your WebAPI application. You'd use this so you don't need to do the logic to accept tokens (basic auth, SAML, SWT, JWT). Claims are just a side-effect.
If you're looking for an identity provider, then the sister open source project Thinktecture.IdentityServer is in beta for version 2. It's an identity provider that supports a custom database and issues tokens. The project URL is:
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
In response to the problem of finding example code as documentation, consider the samples folder in the Thinktecture github repo: https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples
(Why do you need more reputation to comment on SO than to answer?)