How to add new provider for django-allauth? - django-allauth

I'd like to extend django-allauth to include other third party OAuth providers (e.g., SurveyMonkey, Qualtrics, etc). I haven't been able to find a good tutorial on how to extend django-allauth. Does anyone have any recommendations for how to get started, which classes to write, and how to format/customize URLs for the OAuth flow?
I am already using it to authenticate using Google and Twitter, but I'm finding that many of my users already have accounts on other services that would be more compelling for our use case. Any pointers here would be greatly appreciated!

You can take a look at this PR, it is adding slack as an OAuth provider.
https://github.com/pennersr/django-allauth/pull/1410/files

Related

How to delegate authorisation to external Auth 2.0 services

I'm working on a service that provides smart (hopefully) integration of different services supporting OAuth 2.0. The focus of our tool is on team work flow improvement, so we're combining Slack, GitHub, Asana (issue tracker), Cezanne (hr tool), etc.
We have a UI and backend that work with all those tools (the user is authorised to all of them, so I have the required access and refresh tokens). We need to be able to hide different parts of the UI depending on a person's role in a specific tool. Let's take GitHub as an example. The user can be a repository owner, contributor, company owner (for a business account), etc., so those users might need a different UI based on their rights.
Originally I was hesitant implementing authorisation on my own (another custom authorisation system is the last thing this world needs), I wanted to take advantage of other services' authorisation mechanisms and just create a lightweight wrapper around them. It seemed like a reasonable idea at first, but I can't figure out how to implement it and Google doesn't give valuable advice which means: 99.99% I'm trying to do something stupid, 00.01% I'm trying to do something rare/innovative.
I hoped to take advantage of OAuth 2.0 but it doesn't seem to support what we need. The closest thing is scopes but it doesn't look very relevant to our scenario.
The only idea I have for now is to create our own authorisation system and integrate other services using a kind of reverse engineering. So I would request the user's GitHub account details using the API and assign him roles in our system appropriately: owner for repository A, contributor for repository B, owner of company C, etc. I will have to reverse-engineer the permissions for each role (i.e. a repository owner cannot change the company name). And we would have to keep user roles for each service: so instead of the typical Admin/User/Manager/etc. we will get: OwnerOfGitHubRepository (for repositoryA), ManagerOfAsanaTeam (for team B), etc.
It would be awesome if OAuth 2.0 services had an endpoint that would return the permissions available for a current user.
I'm not a security engineer, so I might be missing something obvious. So wanted to ask you guys for advice before investing into the implementation mentioned above.
The word "authorization" is used in two different contexts.
In one context, authorization means "who has what permissions". The solution for this kind of authorization is "identity management".
In the other context, authorization means "who grants what permissions to whom". The solution for this kind of authorization is "OAuth".
In some cases, you may have to handle these two authorizations simultaneously. See this question and this answer for details.
You tagged your question with identityserver4.
This Issue for identityserver3 from last year may interest you.
But I'm afraid most providers don't support this oauth2 profile (yet).
UMA seems to be an oauth2 way to enable fine grained authorization, but may not be the best solution.

Google account linking existing example

I implemented a simple API.ai bot and I wanted to add it to google home platform but I really need help for the linking account part.
I don't understand if I need to implement an OAuth2 protocol for my service or not. Is there any example or framework that allows implementing this account linking step (any language is OK, it's just for a simple POC)?
My goal is to ask my bot for some information and send it some orders to achieve simple processing on a server.
Hope that someone can help me; adding a simple bot to Google Home to access and modify some information on a server isn't really easy for me ^^
As @Leon noted, you will need to implement the OAuth2 server yourself. The Actions on Google documentation gives details about what they are expecting and what steps you can do to implement it yourself. The Authorization Code flow is slightly preferred (additional features from the Assistant will require it in the future), but you're also allowed to use the https://developers.google.com/actions/identity/oauth2-implicit-flow if you wish since it is slightly easier.
There are several packages that are out there that allow you to provide OAuth2, but require you to build the connection to your own account database. I've seen packages for .NET and JavaScript, but it shouldn't be too difficult to find one that meets your needs or to write one yourself.
If you need to authenticate the user, then you will need your own OAuth server. How to hook that up to an action is described in the docs: https://developers.google.com/actions/develop/identity/account-linking
If however, this is just a personal project and you want to test it on your own device, then account linking is not necessary for you to get the action to work. You simply need to hook up your server logic to the action fulfillment. We recommend that you use the API.AI Actions integration. The docs cover how to do that: https://developers.google.com/actions/develop/apiai/dialogs-and-fulfillment

The authorization method of One Drive

I would like to know if One Drive supports those four ways of Authorization. Please refer to this link. https://www.rfc-editor.org/rfc/rfc6749#page-23
We are integrating our DVR and NVR with One Drive now and we need to understand which authorization method One Drive supports. We are trying to use OneDrive with embedded ARM processors, so the user does not have access to a browser as they would for a web-app.
Please kindly advise how we should proceed from here. Thanks for your time and I look forward to hearing from you.
Best Wishes,
Ted Yang
I am going to say yes, OneDrive probably supports those ways of authorization, because on their authentication documentations page they say the following:
The OneDrive API uses the standard OAuth 2.0 authentication scheme to authenticate users and generate access tokens.
That link takes us to the oauth.net site page for OAuth 2.0. On that page, we find the following:
The final version of the spec can be found at https://www.rfc-editor.org/rfc/rfc6749
which is the document you linked. The OneDrive API documentation says it supports OAuth 2.0, and you're linking the definition of OAuth 2.0, so I think it's safe to say it's supported. How to use it is another question entirely, and one I am unable to answer.
I will note, however, that on the OAuth page, they have this to say about its uses (emphasis mine):
OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
I would presume that living room devices could include DVRs, and although your DVRs are for security purposes, the development of cloud storage APIs for either would undoubtedly be similar. So I would say this is probably quite possible.
How to do it:
First things first, you'll need to register your app. This gets you a client id and a client secret which you'll need. Registration directions
There are two methods: token flow and code flow. Token flow is two steps, and code flow is three steps. However, token flow uses tokens that expire, so it would require the user to reenter things periodically. You therefore want to use code flow. Here's some directions for that.
Basically the steps of the code flow are:
1. Get an authorization code
2. Use the authorization code to get an access token
3. Use the access token to make API calls
You WILL need to make HTTP requests. I'm sure you should be able to do this with ARM embedded C. However, step 1 is what takes you to the Microsoft account login page. I am not sure how to circumvent this, exactly. I'm not sure you're supposed to be ABLE to circumvent this, since Microsoft doesn't want you handling their customers' passwords.
They have an example in Javascript that might give useful details on oauth in the oauth.js file. Javascript sample project

Create Meteor Account based on Oauth token and Service (Facebook, Google, etc)

Is there an easy method call one can do to create a user on Meteor using an oauth token provided by a registered service such as Facebook or Google? Intuition says that such a method should exist, where it automatically pulls in details about the user, and adds it to the services field. However, I've poked around the codebase, and am so far unable to find this method.
Thanks for your help.
EDIT: To clarify, I don't want to use the built in Oauth flow, but my own flow - but still end up with a user account the same way as the built in system.
Try `meteor add accounts-base accounts-google accounts-facebook accounts-ui`. Those packages will do most of the work for you, and then you just need to add the `{{loginButtons}}` to your template, and fill in your API information when the easy form asks you to.
EDIT: to roll your own, you might want to check out Arunoda's post on extending Meteor accounts, or maybe a community-contributed oauth package for inspiration.

Can you use Google's oAuth to just authenticate?

Can you use oAuth to only authenticate like you can with Twitter?
If you check Google's docs at http://code.google.com/apis/accounts/docs/OAuth2.html you'll find that the scope (meaning, the service you're supposed to ask permission to) is a required field.
It may be a turn off for many users if you ask them to access their contact list when the most you really do is authenticate, so I rather stick with OpenID which is designed just to retrieve the UID.
So, the answer is really NO, unless you're planning on using an additional API with Google.
OAuth is an authorization protocol and can't be used for authentication only unless the provider defines a dummy scope which, in effect, authorizes you to access "nothing", or "basic user info" (name, e-mail, etc.).
AFAIK, Google provides no such "dummy" scope. However, they do implement OpenID for such authentication purposes, as the protocol is better suited for that task, anyways.
Yes, you can. There are many options; it depends on your platform. I advise you to check
oauth.net
You can find options there for Java, .NET, Cold Fusion, PHP, etc.
There are many frameworks that have OAuth capabilities; on Spring you can use this
Sounds like there are some plans afoot on this...
http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html?showComment=1300267218233#c6336940633709651714
some chap:
"Can someone help by pointing to the documentation for the API of "just get basic information for a user""
other chap:
"The problem is, that you get a lot of different login mechanisms because Twitter is using OAuth 1.0 (Or am I wrong?), Facebook is using OAuth 2.0 and Google is using OpenID for login. Please correct me if I'm wrong. So basically I have the same question.
Will Google support login for basic user information with OAuth 2.0 for Google APIs?"
google dude:
"Today we're supporting OpenID for login, but we've heard your pain about mess of different identity protocols on the web. Stay tuned :)"
Seems to me, as OAuth2 covers authentication and authorization, it would make sense to allow basic info and make it easy on the integrator using one method for all
I'm plumping for this possibility anyway, hopefully by the time I'm ready to put my app live it will be available from Google - Facebook has this anyway and in my case that's a big enough draw
