How can a user convert a oauth_token (a short lived token) that is generated from the JavaScript SDK to a access_token (long lived token). I do not see any such information in the documentation, so not sure how to do that. I can see that I can use this oauth_token for accessing LinkedIn services, but to use it for a longer period , I would like to convert that to a long lived access_token.
I have seen the REST API's flow, but that does not seem to be helpful to what I was looking for.
Any help would be grateful.
Related
Lets say I have created my own application. We have react front end and RESTful API as backend and we are using Google OAuth for Authorization of our users. Front end is making calls to the APIs. Front end uses Authorization Code Flow of OAuth. After getting access token from Google OAuth server, front end uses this token to make calls to my backend.
Now Malicious user will get my API's URL, other information required for REST API from Chrome Network tab and can call directly to APIs with access token.
Questions:
How will my REST API know from where the request is coming?
Also how it will validate the access token?
Is it possible once User got all information about my REST API, it can call directly with fake access token?
I have look into the diagram for Authorization Code Flow. Below is the link.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
But how will web api validate the token?
Please guide me if I am lacking some information.
Google's OAuth server will issue your front-end a JSON Web Token (JWT). This token is singed by Google private key. Your API needs to:
Obtain Google's public key and
Verify the signature of the JWT.
If that is valid, the token originated from Google. If not, it didn't come from Google or was tampered with.
After this, your API needs to do a few additional checks:
Check the expiration time and see that it's not in the past. This can be found in the exp claim.
Check that the token is not only from Google but for your API. This can be done by looking at the aud (audience) claim and seeing that it's for you.
Check when the token was issued, and ensure that it's not in the future. The issuance time is in the iat claim.
Check that you should start using it already, and there wasn't some sort of embargo on the usage period. This will be indicated in the not-before claim (nbf).
Check that the type of token is an access token (as opposed to an ID token).
(You can find a longer more detailed description in this howto.)
If you do these things, you can be sure that Google issued the token and that it was intended for your API. It does not indicate to your API that the caller was your front-end. The reason is that the token is an "bearer token", meaning the token is bound only to the one that bears or presents it. To ensure that only your app provides the token, you need it to prove possession of a private key. This is not possible when using Google as your token issuer (to my knowledge).
My question is basically how do my rest api validate integrity of the token. I found the link: https://developers.google.com/identity/sign-in/android/backend-auth
I have a rails application which can post embeds of public facebook videos. In order to properly credit the videos i retrieve video owner via a graph api call like
https://graph.facebook.com/{video_id}?access_token={facebook_user_access_token}
which works fine. The issue is with oauth and long-term tokens. I know I can exchange a short term token for a 60 day token,
https://graph.facebook.com/oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
but the issue is generating the short term token. Is there a way to generate a short term token just on the server-side via the api. I will only ever want to oauth one user in order to access the graph api. But all the oauth flows require a facebook dialog login, which won't support me just on the server side. At this stage I am thinking of simply updating the token manually every 60 days so any ideas or help is welcome.
Have you thought about using the Koala gem?
And there is another SO thread - Renew Facebook access token with Koala that explains how to generate the short term token with koala
I've been spending some time trying to get my web app set up to use this method of authentication, but it really seems like there aren't any examples out there, and the documentation is sparse, seemingly more so in the specific areas I need (Calendar API using OAuth).
Anyhow, I'm stuck on converting the request token I get from google's OpenID+OAuth into a long-lived access token and token secret.
You don't have long lived access tokens + token secrets in OAuth 2.0.
Google's OAuth now gives access tokens (short lived access tokens that can get data from an API) and refresh tokens (you need to persist these tokens, and exchange them for access tokens whenever you need to access user data.)
You have some documentation in these links that you can use -
i) http://code.google.com/p/google-api-php-client/wiki/OAuth2
ii) http://code.google.com/p/oauth-php/wiki/ConsumerHowTo - You can find real life examples here about setting up OAuth clients using PHP.
The Facebook OAuth 2.0 implementation allows you to convert a client side short lived access token into a long lived token using the FB_Exchange_Token grant_type i.e.
https://graph.facebook.com/oauth/access_token?client_id={YOUR_CLIENT_ID}&client_secret={YOUR_CLIENT_SECRET}&grant_type=fb_exchange_token&fb_exchange_token={SHORT_LIVED_ACCESS_TOKEN}
My question is does Google's version of OAuth 2.0 have a similar mechanism allowing me to get the short lived token via the client side flow, pass this token off to server and have the server convert that token so we can store the refresh token?
No, Google doesn't have that functionality. You'll need to use the server-side flow.
Can you give more info on the use case (in comments below?)
So I've got OpenID+OAuth hybrid working with DotNetOpenAuth when connecting to google. It gives me back a Authorized token so I need to exchange it for an access token.
I seem to be coming in about midway through a normal OAuth workflow in DotNetOpenAuth. I also seem to be missing somethings that DotNetOpenAuth wants like the the token secret and verifier. However according to the graph here I shouldn't need them.
Any ideas how to easily swap the auth token for an access token with DotNetOpenAuth?
Since you're talking about the OpenID+OAuth hybrid I expect you're writing a web app (as opposed to an installed app). DotNetOpenAuth should only be asking you for a verifier code if you're using the DesktopConsumer class, which is inappropriate for you. Use the WebConsumer class instead and the verifier will be taken care of for you. Swapping the request token for an access token will be automatic as you call the simple methods on WebConsumer, I hope.
As for the token secret, all token secrets are managed by your implementation of ITokenManager, which will save and retrieve token secrets on demand within your database.