I'm working with a company that is using the Google Apps free subscription. This company has a web site. They want to let users who have Google Apps accounts in their domain to authenticate into the web site via OAuth.
My question is, where do I find the ClientId and ClientSecret needed to do OAuth?
Thank you!
OAuth 2.0 for Client-side Web Applications will allow you to authenticate users using Oauth2. This will allow the users to grant your application access to their private data.
You will need to go to Google Developer console and create credentials on this page Credentials
Open the Credentials page in the API Console.
Click Create credentials > OAuth client ID.
Complete the form. Set the application type to Web application. Applications that use JavaScript to make authorized Google API requests must specify authorized JavaScript origins. The origins identify the domains from which your application can send API requests.
Related
I have a .Net core web Api calling google drive api. The google drive api should authenticate the api call with Okta and authorize. How can this be achieved?
Should i setup the auth application in Okta dashboard and generate client id and authentication token?
Which before calling google api will be used to get bearer token from Okta and shared with the google api?
Will be registered with google admin console and generate the tokens?
The domain of the api will be google.api.com ... so no where it is going to Okta for authentication
What you do with your Okta site will be after you have gained access to the google api on behalf of your users. a bearer token from Okta will not grant you access to a google api you need to go though googles authorization server to get that.
In order to access the Google Drive api and access private user data. The owner of that data will need to authorize your access.
To do this we use something called Oauth2. The issue you will have is begin that you say you are using a web api to call Google you will need to create a web application on the side where your users can authorize your application to access their data. You will need to register your application with google on Google Developer console. Create a web client credentials. Then when the user has authorized your application to access their data you will will need to store the refresh token in your system associated with the user.
Then your web api will be able to access the users data by loading the refresh token and requesting a new access token.
There is currently only one sample web-applications-asp.net-core-3 for .net core web applications it doesn't show how to store the refresh token you will need to work that out.
I do have a video on setting up asp .net core with the google people api it might give you a starting point How to get a Google users profile information, with C#. as well as one on how to create a How to create Google Oauth2 web application credentials in 2021.
I am writing a google drive desktop application and I am using OAuth 2 to get credentials. I can get creds for just reading, but not changing files. As it is a desktop application, there is no site. It is written in https://developers.google.com/identity/protocols/oauth2/native-app, that I need to "supply a local redirect URI to handle responses from Google's authorization server". So, should the client also be a server and listening on some port locally? If I want to have the app verified, I need to provide Authorized domains and other stuff, but it is a desktop application, again. Or maybe there is a way to allow users to use the app, but with a warning on a consent screen for example for development purposes.
Also how to hide the credentials, that I use to get the token? If I publish the app with the credentials, everybody can just steal them and use them
In order to develop a desktop application which will use the Drive API you will have to use credentials of the web app type for which you will later provide the appropriate redirect URI.
By using OAuth 2.0 in your application, you are the only one who has access to the credentials for the application - unless you share them.
According to the Google OAuth 2.0 documentation:
You start by obtaining the OAuth 2.0 client credentials from the Google API Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.
For the login process, when the users will log-in to your application, they will use their own credentials and then they will have to authorize the application you have built in order to be able to use the Drive API.
Reference
OAuth 2.0 for Mobile & Desktop Apps;
Using OAuth 2.0 to Access Google APIs;
I am using laravel passport for authorization from mobile app.
But I'm not sure where to place the client credentials i.e client_id/client_secret and redirect_uri.
Will it be placed at mobile app end and they will pass these to an API while authenticating to get tokens or these details be kept at server side in some env variables for security purpose?
And will the every user be having different client_id and secret or it will be same for all users throughout the application.
The client credentials grant type is for when you want your application to contact the server with out a user. For example a weather app will contact the server to get the latest weather data. It does not need to user to login to do this. You want to client credentials because you do not want everyone using your api. It is a way to protect your api and only allow your approved apps to access the api information.
Yes you will pass the client_id/client_secret from your mobile/desktop application to the /oauth/token url on your server so it will return an access token for you to use when getting all the information through the api.
The client_id and client secret do not need a user. It is for the client (Mobile/Desktop application). But it will be the same for every user since they all will be using the same mobile/Desktop application.
I am trying a POC with WSO2 API manager and Identity server. The application users are registered to the user store on the identity server. An API is exposed on the API manager that will be used by the application. The goal is to authenticate the users accessing the application using the oauth resource owner password credentials. The user credentials are in the user store on the identity server.I created a new tenant for this.
I configured SSO for the API manager by using this documentation. so that the users are authenticated against the identity server user store.
Tried to generate a token to access the API exposed on the API manager. I was able to retrieve the token client credentials grant type but not for the resource owner password grant type.
Appreciate any help here.
I do not think, you need SSO here. SSO is needed with APIM and WSO2IS, if users need to login to the API store/publisher/APIM management console. I hope you are talking about end users.. Then end users are may not need to login to the APIM. They just need to login your custom applications and application would call the APIs in the APIM.
But, say user need to login to custom applications using SSO, then you can configure SSO between WSO2IS and custom applications. Please refer here. Once user login to the application, application can exchange a end user's SAML2 Assertion with access token by using APIM. Then application can access the APIs in APIM using access token behalf of the user. You can refer this for more details
Also, if you are just trying to use OAuth just for authentication, You may need to use openid-connect. (just to login to custom application)
How do I secure my API when I want an app to be able to retrieve app-specific information without a user logged in and when I have an OAuth provider for another section of my API? Can I use the client app's OAuth credentials to hit the API without a user logged in?
I have create an OAuth provider and client using doorkeeper following railscasts 353. I can successfully authenticate a user to my provider app and make requests on behalf of the user to my provider API.
However, a portion of the API is user independent, meaning that the information returned from the API is not specific for a user and therefore a user should not have to be logged in. For example, assume an ecommerce site and items and prices are stored on the provider for multiple clients. I want a client app to be able to securely retrieve the items/prices associated the retrieving app without a user having to be logged in. So if you went to example.com the items would be displayed even if a user is logged in via OAuth.
I have only be able to retrieve this information via OAuth when a user has logged in through OAuth (creating an access_token). Is there a way to use OAuth without having a user present (I've been trying to read about 2-legged OAuth and if that is an appropriate solution)? Or do I need to use Api keys (or Http Basic Auth) for the application to retrieve the application specific data?
If OAuth is not the right solution because I do not have a user present, could/should I use HTTP Basic Auth over SSL and use the client site's OAuth secret key as the API key for the basic auth username?
If you need to authenticate your client apps in you API (without requiring a user specifically) use the Client Credentials flow