Is it possible to use twitter API having just oauth_token and oauth_token_secret on client?
I’m getting these tokens via a standard oauth flow on server-side part of my app, but I wonder if I can send requests from the client using just oauth_token and oauth_token_secret, keeping oauth_consumer_key and oauth_consumer_secret secure on the server.
The idea is that once I’ve got the tokens, I’ve confimed my identity and should be allowed to use just them(for some time, at least, refreshing them eventually).
Related
It looks like Twitter changed terminology over the years and did not update their docs appropriately, which leads to confusion (at least on my part).
According to https://dev.twitter.com/docs/auth/authorizing-request I need to use oauth_consumer_key and oauth_token.
At this time I want to access the account that is owned by the website that is making the request, so I am not trying to get a token for a website user, but instead use the tokens provided by Twitter for the Application.
In the Application details page, I have values for API key, API secret, Access token, and Access token secret
Can you tell me how these keys/secrets map to the oauth_consumer_key and oauth_token? And what are the other two used for?
Thanks!
OK, I figured it out.
It looks like Consumer maps to API and Access Token maps to OAuth Token, so to clarify:
oauth_consumer_key : API Key
oauth_token : Access Token
Consumer secret : API Secret
OAuth token secret : Access Token Secret
I'm having an iOS app where the user authenticates with Facebook on the device and also communicating with my server API.
Authentication
Today I'm sending the Facebook user access token (over SSL) and the server verifies the token with Facebook. Thats the authentication mechanism for the API.
Session token
Instead of using a generated token to user for all future API calls, I use the Facebook access token as the session token as well. This makes it a lot easier on the device as you don't have to care about first getting the token and then call the API. You just send the Facebook token in each call, easy.
Is this a good solution when authenticating with Facebook towards an API?
I am following this tutorial about OAuth2.0 https://developers.google.com/youtube/v3/guides/authentication
It looks quite clear how OAuth2.0 works. But I have a bit confusion at the access token part.
After obtaining an access token for a user, your application can use
that token to submit authorized API requests on that user's behalf.
The API supports two ways to specify an access token: Specify the
access token as the value of the access_token query parameter:
www.googleapis.com/youtube/v3/videos?access_token=ACCESS_TOKEN
if someone acquired this access token during the url transferring they can access this protected resource right?
How the server know if the request is coming from the client initially requested the access token?
UPDATE:
after reading this post Are HTTPS headers encrypted? my confusion is cleared. I thought query string is not encrypted during transmission in the network.
Generally I think the consensus is that OAuth 2.0 is a server side technology and all access tokens and communication should be transmitted using SSL as the bearer tokens need to be kept as secure as possible.
Also, you need to know that there are 2 types of flows in OAuth 2.0
i) Implicit grant flow - This is the flow where the user logs in to the service provider and his browser gets the access token. Say you have X.com and Log in via Facebook. Once the user keys in his FB credentials, the access token is sent to his browser.
ii) Authorization Code flow - In this flow (consider the above situation again), facebook will pass an authorization code to the user's browser. If anyone, somehow, intercepts the authorization code there is nothing he can do. An authorization code can be exchanged for an access when passed with valid client credentials. So, when the user logs in, his browser gets an authorization code which is passed to your server at X.com. from there you would hit the code-token exchange endpoint provided by FB and get the access token returned to your server!
Authorization code flow adds another layer of security, where the access token is visible only to the client + server and not to the user agent. And as you figured out yourself, the token is passed via HTTPS.
I'm interacting with a custom APEX service which obviously require OAuth authentication. I can easily authenticate and authorise my application. Everything works fine.
However, the access token I receive tends to expire.
Of course, I can refresh it by sending a refresh_token. Sounds great.
The problem is I don't receieve a refresh_token in a response from SalesForce.
I do send requests to [instance].salesforce.com/services/oauth2/token, I also tried to using login.salesforce.com/services/oauth2/token, but I cannot find 'refresh_token' in the response. There's everything apart from it there!..
Please check Selected OAuth Scopes section, which is needed to be enabled Perform requests on your behalf at any time in order to get the refresh token.
Сreate > Apps > API (Enable OAuth Settings) > Selected OAuth Scopes.
I've solved the problem thanks to my wonderful colleague.
I should have added 'refresh_token' to the scope when retrieiving an auth code.
I have 3 web apps - A, B and C. App A contains the user database. If accessing App B and App C, I would like the user to be redirected to App A to be authenticated, and then be returned back to whichever app they tried to access. At the same time, they should be logged in to all apps. Unless anyone has a better solution, I have gone with an OmniAuth/Devise combo solution as described in this blog post.
I have forked and updated to Rais 3.1.2 a sample App A and a sample app B/C.
App A - Provider - https://github.com/RobZolkos/sso-devise-omniauth-provider
App B/C - Client - https://github.com/RobZolkos/sso-devise-omniauth-client
These sample apps work, and I am get redirected to the Provider App to authenticate however it doesn't seem to authenticate. I have attached the log here. The provider seems to go through the motions, but then on line 26 of the log you can see that there seems to be an authentication issue.
Am I missing something simple to make these sample apps work?
I've found two issues:
Since 0.2.1 version omniauth has changed auth parameter name from access_token to oauth_token while fetching access (POST /oauth/token request).
Since 0.3.0 version omniauth has changed method of passing oauth_token in auth request (GET /auth/josh_id/user.json). Prior 0.3.0 token have been passed through request parameter oauth_token, but since 0.3.0 it become passed through HTTP_AUTHORIZATION header.
I don't know how to nicely get token from header (I think it can be fetched by devise), so I ugly hack client for sending oauth_token through GET parameter like this (in lib/josh_id.rb):
def raw_info
#raw_info ||= access_token.get("/auth/josh_id/user.json?oauth_token=#{access_token.token}").parsed
end
You can find fully workable code in our github repos:
https://github.com/openteam/sso-devise-omniauth-client
https://github.com/openteam/sso-devise-omniauth-provider
I have no experience with oauth in rails, but i'll explain the flow I used to create my own provider in Java. It should be easy to apply this in rails. If you use Devise with omniauth you need to find out, how they provide OAuth support and which version.
Basics
Consumer logs in to the app, and gets a consumer_key and consumer_secret. This is done with a regular form, usually on a developer account.
(optional)Provider approves the created account
All OAuth requests depend on a proper OAuth header in the request. A proper header means:
All oauth attributes and their values have been alphabetically sorted
All keys/tokens active for the particular Consumer request are provided.
The request is signed using all relevant secrets. Secrets are known to the Provider and Consumer but are not included in the header.
The Provider generates the same signature. If so, the request is valid. A nonce can be used to prevent replay attacks.
2-legged flow (consumer vs provider)
Consumer requests a resource, providing consumer_key.
Provider checks signature based on consumer_key and consumer_secret
Access to resource is granted
3-legged flow (person vs consumer vs provider)
Consumer request resource providing its consumer_key
Consumer gets a unsigned oauth_token and oauth_token_secret from Provider
User(person with user account on the provider) logs in at provider to authorize the oauth_token providing the oauth_request_token and consumer_key
Consumer has a authorized request_token
Consumer uses the request_token to request a access_token providing the oauth_request_token and consumer_key
Provider gives a access_token and access_token_secret for the specific resource
Consumer uses access_token to do something
Provider invalidates access_token after a certain duration
Consumer uses the request_token again to get a new access_token if expired
A decent resource for oauth is the official site.
For 3 legged examples you can have at the google oauth playground