My ASP.NET MVC system don't use ASP.NET Identity, so i went with full custom IPrincipal implementation. I have to use Google OAuth to authenticate on Google then do my own business on my external login callback.
The problem is that, after the user insert Google's e-mail and password ans successful login, in my external login callback, my application just won't get the user Claims from HttpContext.OwinContext().Authentication. Claims are empty and I only need user's e-mail.
This is my Startup.Auth.cs
There's no e-mail after login.
Assuming there's no bug in Google's OAuth, what did i do wrong?
One more thing: Sometimes (testing on other computers) the claims are returned to me with user's mail and some other data. But when i try to log with many different mails, they stop working too.
Below is my Google API config, i have enabled Google+ API, but that doesn't seem to make a difference.
EDIT
Sometimes it works on Chrome's anonymous navigation.
Use async await method for google api auth like in google doc
https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth
Related
I'll try to connect to the content api for shopping via API.
I'de tried some different oAuth ways (e.g. "three-step-method" with access key and baerer-token) but for a spezific integration I need the "credentials-oAuth".
Currently I tried as following:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=[my client id]&
scope=https://www.googleapis.com/auth/content&
redirect_uri=[some random request bin -> added in Authorised redirect URIs ]&
response_type=code
If I call this via Postman, I'll be redirected to the login page of Google. But why?
How can I solve this problem?`
BG
David
Shopping API data is private user data. In order for your application to access private user data it must have the permission of the user who owns that data.
We use OAuth2 to do that. The user must consent to your application accessing its data. In the below image the application Google analytics windows is asking the user for permission to access their Google analytics data.
If I call this via Postman, I'll be redirected to the login page of Google. But why?
You are seeing a login screen with Postman is simple the user needs to be logged in before they can grant access to their data.
How can I solve this problem?
You dont as there is no problem the user must login to grant your client application consent to its data. This is working exactly as it should
Service accounts
Update to answer comment Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the Content API for Shopping with service accounts.
I'm new to Auth0 and having real trouble wrapping my head round it. My app is going to be built using React, packaged using Phonegap.
Am I able to use Auth0 with a completely custom UI for creating accounts, logging in etc.?
Ideally my signup flow would be...
User Signs up using my react form
Details are sent to my API and then passed to Auth0
Success message is received from Auth0 and the user is mirrored in my local DB
My ideal login flow would be...
User fills in email/password on my custom form.
Details sent either directly to Auth0 or via my API
Token is sent back and stored in localStorage
Then each request to my API...
React attaches token to every request in header (actually Axios interceptor does)
My API is able to verify that the token is valid and not expired
API performs request.
Not sure how to deal with social logins, claims etc. but that's for another day, basically I want to do everything through the API and not use their lock screen etc. Is this possible?
Yes! That is definitely possible and to achieve this you would want to use 'Resource Owner Password' grant type.
Once you collect the credentials from user in your custom form, you can directly pass those to Auth0 by calling an endpoint - 'https://yourapplication.auth0.com/oauth/token' with all the necessary parameters. You can make a simple POST request to this endpoint from you client application. For ease of use, there is a javascript library provided by Auth0 for all of their endpoints- (https://auth0.com/docs/libraries/auth0js/v9).
Auth0 will return a token which can be used to call your server side APIs by passing it to the request header.
So to conclude, you can do it through API without using their lock screen.
Let me know if you need any further help. We can discuss on social logins and claims also.
we have users who authenticated via the google hybrid Openid (OpenId+OAuth1 [0]) protocol. To use the newer APIs from google we have to change to oauth2 based authentication. Is there a way to know after an oauth2 login if he is one of our openid users?
the ids look very different. A userid in google_oauth2 looks like this:
12345678901234567890
and a userid in google hybrid looks like this:
https://www.google.com/accounts/o8/id?id=AItOawnlIGFin5I0F059UdqSYbK9JmA99e99ms
Is there some way to fit this together? Is there an oauth based call i could make to retrieve such an openid userid? Since we use it for login purposes i would not want to put 2 google login buttons on the login page. I can hardly imagine our users to understand this.
Is there a common strategy to resolve such issues?
[0] https://developers.google.com/accounts/docs/OpenID#oauth
Google talks about a combination OpenId/OAuth call that should do what you need. However, all the links in the document are to OAuth 1.0. So you will need to investigate to make sure it works with OAuth 2.0, since Google's deprecated the OAuth 1.0 interface.
Ok, it seems i have a way to do it. Have to implement and check but theoretically it should work like this:
send user to oauth2 login
-> if known, log him in
-> if unknown send him to openid with immediate mode
-> if successfull log him in, associate the former oauth connection
-> if error the user is unknown and will be created with his oauth token
Immediate mode could also fail if the user was not logged in with google, but since he just came back from the oauth2 dance he would have to have logged out in between which is very unlikely since he gets redirected immediately.
I am creating an API (Restlet, GAE) and implemented OpenId for authentication and OAuth2 to protect access to the API. When testing this from a client web app that I built, everything is fine. When the user hits a part of the web app that wants access to the API, the user is asked to login via OpenId and then is asked to grant access to the web app to grab resources from the API.
However, I noticed that the web app doesn't know who the user is (!). All the web app has is an auth token. Thus, the web app can't say "Hello, username", since it doesn't know who the user is.
With Restlet technology, the authentication is essentially:
// Authentication code
OpenIdVerifier verifier = new OpenIdVerifier(OpenIdVerifier.PROVIDER_YAHOO);
verifier.addRequiredAttribute(AttributeExchange.EMAIL);
Authenticator au = new MyRedirectAuthenticator(getContext(), verifier, null);
While the following handles both authentication and OAuth2 authorization:
// Authentication + OAuth code:
OAuthParameters params = new OAuthParameters("2345678901", "secret2", "http://localhost:8888/v3/", roles);
OAuthProxy local = new OAuthProxy(params, getContext());
Initially I was only using the "Authentication + OAuth" in my web app and the authentication was happening "invisibly" (as mentioned above).
I figured that one way around the "problem" is that if the web app handles the authentication "visibly". So I added the Authentication code to the web app. The flow looks the exact same to the user, but the web app is able to capture the user info (email) and all is fine. There doesn't seem to be any conflict with the "both" code either.
Another way around the problem is to add something to the API that would return the user info associated with an authToken (a la Twitter's verify_credentials).
My question: Is the approach I have taken reasonable? Should I use the Twitter approach instead? Or something completely different? (I am pretty new to all this stuff, so it is hard to figure out if I am choosing a solution that seems to work, only to hit a brick wall later on).
The short answer is that when a client web app gets permission to access OAuth resources on behalf of a user, the client web app isn't supposed to know anything about the user (login, password, etc.). If the client web app wants to know who the user is, it can provide authentication.
I have implemented the above scheme with Restlet and google app engine, allowing the user to authenticate to the resource server via OpenId and also adding Google Authentication for the web client app (just so it can give a "hello" message). All seems fine.
I am trying to support "Hybrid" Federated Login and oAuth2 (using logic from this document) for a webservice which will:
support Sign in using your Google account on my site. That is, from the documentation: You can also choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store.
Access the user's Google Analytics.
Here are the steps I have done.
I form my request to https://accounts.google.com/o/oauth2/auth with the scopes (Google Analytics) I want access to.
I Get redirected to google where it has my icon and which scopes I am requesting access to. I grant access.
I get redirected back to the callback page.
I get the tokens (access and refresh), as well as a huge id_token string (which I don't know) and store all of this information in my database.
I then make a call to https://www.googleapis.com/oauth2/v1/userinfo?access_token=xxxyyyzzz to get the user's email and name and store this information in my database too. I also notice it returns a id field which to my knowledge never changes and I presume is some sort of unique identifier. I store this too.
Question: If I go to Authorized Access to your Google Account section in my Google account, it shows that my site has access to "Google Analytics. BUT, it does not say Sign in using your Google account. This is what I am trying to accomplish. I would have thought using the logic would enable Sign in using your Google account. What am I doing wrong? And what would be the applicable call to google so that users can sign in to my site?
If your site has access to something like your Contacts or Analytics using OAuth, you'll never see "Sign in using your Google account". I'm pretty sure that's only if you use OpenID (not OAuth) only for sign-in.
Specifically, OAuth is used for giving you access to APIs to create/update/delete data, while OpenID is for signing in.
If you are asking how to identify user for future logins, you have two options:
Mix OAuth with OpenID, that is called Hybrid. I have described it on this answer.
Use userinfo scope and request userinfo (email, etc.) after successful OAuth authorization. It is described on Google OAuth 2 documentation.
If you mean automatically login to your web site in future visits you can use OpenID "immediate mode" (openid.mode parameter).
When the user is redirected back, you call the second request from your own (server-side?) code, and get their email address. When you successfully get it, that means that the user is logged on. You can add it to the session (e.g. as cookie), and as long as you have it, the user is logged on. You make the user log out by forgetting the email address, so by clearing the session/cookies.
Add this paramter to the https://accounts.google.com/o/oauth2/auth URL call: approval_prompt=force and then the Sign in using your Google account will always show regardless of whether the user was already signed into that or any other account.
So the call would be like this https://accounts.google.com/o/oauth2/auth?client_id=<client id>&redirect_uri=<uri>&scope=<scope>&access_type=<online or offline>&response_type=code&approval_prompt=force