I'm faced with a problem authenticating with the Google web authentication broker. I think something is wrong with this scope: https://www.google.com/accounts/OAuthLogin. Yesterday it worked fine, but now Google has changed something or no longer supports this scope. What is the new scope for authenticating via the web authentication broker?
Thanks!
I have an application set up as follows:
Angular UI -> Spring Cloud Gateway -> Spring Boot-based Service
I am attempting to authenticate my application against a limited OAuth SSO server with ONLY the following endpoints:
/authorize
/token
/userdata
The SSO does not provide an /introspect endpoint, nor does it issue JWTs.
What I would like to do is have Spring Cloud Gateway handle the authentication, but based on the result from /userdata, I would like to generate my own JWT to relay to the service.
My questions:
Is this possible?
If so, can someone give pointers or guide me to the resources that will get me started?
The combination of Spring Security OAuth2.0 Client and Spring Cloud Gateway works well in this case.
The client (Angular UI) sends a request to the Gateway service at the OAuth2.0 login URL.
The Gateway redirects the request to the Identity Provider's (such as Google's) login page.
After a successful user login, the Identity Provider redirects the request to the Gateway with the user info.
In the authentication success handler (Gateway service):
Parse the user info and save it somewhere
Create access and refresh tokens. Set them as cookies
Redirect to the client (Angular UI)
I don't know the reason to pass the token to downstream services at this point. If there is no specific requirement, I would implement all the security-related operations in the Gateway service, such as token generation, validation, etc. This way new services can be added easily without worrying about authentication and authorization.
Here is a sample project.
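The success-handler steps above (parse the user info, mint your own access and refresh tokens, set them as cookies, validate at the Gateway) in a framework-agnostic form. This is an added illustration, not the answer's sample project and not Spring code; it uses only the Python standard library, and SIGNING_KEY, the TTLs, the cookie names and paths, the `gateway` issuer string and the user record are constructed values for the example.

```python
"""Gateway-issued session tokens after an IdP login (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SIGNING_KEY = b"constructed-gateway-signing-key"  # real deployments load this from configuration
ACCESS_TTL = 15 * 60           # short-lived access token, seconds
REFRESH_TTL = 7 * 24 * 3600    # refresh token lifetime, seconds

# Server-side store for refresh tokens (the answer's "save it somewhere"),
# keyed by the SHA-256 of the opaque token so a leaked store cannot be replayed.
REFRESH_STORE: dict = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(user_info: dict, now: Optional[int] = None) -> str:
    """Build an HS256 JWT carrying the identity obtained from /userdata."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "gateway",
        "sub": user_info["id"],
        "email": user_info.get("email"),
        "roles": user_info.get("roles", []),
        "iat": now,
        "exp": now + ACCESS_TTL,
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: Optional[int] = None) -> dict:
    """Check structure, algorithm, signature, issuer and expiry; raise ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != "gateway":
        raise ValueError("wrong issuer")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def issue_refresh_token(sub: str, now: Optional[int] = None) -> str:
    """Opaque random refresh token; only its hash is stored server-side."""
    now = int(time.time()) if now is None else now
    raw = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(raw.encode()).hexdigest()] = {"sub": sub, "exp": now + REFRESH_TTL}
    return raw


def redeem_refresh_token(raw: str, now: Optional[int] = None) -> Optional[str]:
    """Single-use redemption: returns the subject, or None if unknown or expired."""
    now = int(time.time()) if now is None else now
    record = REFRESH_STORE.pop(hashlib.sha256(raw.encode()).hexdigest(), None)
    if record is None or now >= record["exp"]:
        return None
    return record["sub"]


def session_cookies(access: str, refresh: str) -> list:
    """Set-Cookie values the Gateway adds before redirecting back to the UI."""
    return [
        f"access_token={access}; Path=/; Max-Age={ACCESS_TTL}; HttpOnly; Secure; SameSite=Lax",
        f"refresh_token={refresh}; Path=/auth/refresh; Max-Age={REFRESH_TTL}; "
        "HttpOnly; Secure; SameSite=Strict",
    ]


if __name__ == "__main__":
    user = {"id": "u-1234", "email": "alice@example.test", "roles": ["user"]}  # constructed /userdata reply
    access = mint_access_token(user)
    refresh = issue_refresh_token(user["id"])
    print(verify_access_token(access))
    for cookie in session_cookies(access, refresh):
        print("Set-Cookie:", cookie)
```

The refresh cookie is scoped to the refresh path and rotated on every redemption, so a stolen refresh token stops working as soon as the legitimate client uses it; the access token carries an expiry so downstream checks at the Gateway reject it without a database lookup.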
I have an on-premise client-server application which uses the Google API. Until now we were happy with the out-of-band flow (redirect_uri=urn:ietf:wg:oauth:2.0:oob), with manual copy-paste of the authentication code, but Google is going to block it soon.
The problem is that Google requires a fixed list of allowed redirect URIs, but I do not know internal addresses of application server inside the intranets. For desktop client I just use http://localhost/xxx, but I do not know what to do with web clients.
The only solution I see is to set up a public authentication server. The client would pre-register the state token and the actual redirect URI on the authentication server before calling Google authentication. But I am not sure this is a good idea.
I have recently inherited a Rails API application that uses devise_token_auth for authenticating users from a React frontend. The scope of the project has grown and now we have multiple other services that need to make API requests from Lambdas and other applications that don't require the user to be logged in or authenticated. Is there a way to configure devise_token_auth so that we can still authenticate these services without using a user profile? Essentially I'm just looking for a way to authenticate an application, similar to how you would when connecting to any other company's API to pull data and such.
We have tested Basic Token Authentication as laid out in this article: https://www.joshqn.com/rails-api-token-authentication/, but the lack of expiration dates and the static token instead of generated access tokens after an authorization request seems less than ideal.
I've spent way more time than I would like to admit googling Rails authentication methods, but it seems all the resources out there are only for authenticating users. Am I just missing something? Do we just need to set up a "Service User" to authenticate these services to the API? Any suggestions would be much appreciated.
I'm helping a client use OAuth for JIRA that is linked to a Crowd user DB. Whenever the user tries to do OAuth against the JIRA authorisation endpoint they are redirected to their dashboard.
How do you do OAuth with JIRA when there is a Crowd User DB?
So after much hair pulling, I worked out what was going on here. The fact that Crowd was being used was a red herring. The problem was with the OAuth redirects when you have different DNS details for the JIRA server internal to the network and external to the network.
During the OAuth process, the server which is external to the network requests a token from the JIRA server. It then goes to exchange that token for an authorised one by redirecting the browser to the JIRA OAuth authorisation endpoint.
However, in this case the endpoint is using the external host for the JIRA server and not the internal one, so the browser can't find the server or cannot access the server due to the firewall.
There are several possible fixes for this:
Update the computer's hosts file so the external DNS name points to the right server internally
Use split horizon DNS
Update the server to support both external and internal URLs for the JIRA server
I'm confused about this...
If a website is an OAuth consumer (of Facebook), and then builds a web API with some restricted access... and implements OAuth on that end, how would that work?
Wouldn't it just be adding an extra layer of trying to log in to Facebook? How do others normally approach something like this?