Do I need HTTPS on my server with some SHA-2 certificate for Twitter OAuth integration?
Or may I simply send HTTPS requests to the Twitter API after receiving OAuth access token?
Related
Have an app running in GCP using App Engine and secured by IAP. To the best of my knowledge IAP uses OAuth, but when I open the app in the browser and inspect the outgoing XHR requests I don't see the HTTP Authorization header on any of them. There does appear to be a token in the cookies though, something named GCP_IAAP_AUTH_TOKEN.
Just wondering if this is still considered OAuth or is it some other form of authentication?
Cloud IAP can use either the cookie GCP_IAAP_AUTH_TOKEN or Authorization: Bearer. Both are derived from OAuth2.
The credential that Cloud IAP relies on is an OpenID Connect (OIDC)
token. That token can come from either a cookie GCP_IAAP_AUTH_TOKEN
or an Authorization: bearer header.
Authenticating with OpenID Connect
I am creating web and mobile apps that reimplement an existing desktop app via the desktop apps publicly available API. This API only provides the Authorization Code Grant path for authentication, which would require me to either:
somehow securely store the client secret in the app
Implement PKCE & Implicit auth endpoints in my webserver as a pass-through to the API
Have my own auth system (via auth0 or equivalent), which the user then links to their API account
Is 2 possible, or is 3 my only real option?
Yes, 2 is possible, and is much more simple than I imagined. In the following examples Client is the web or mobile app, Server is your server, and API is the api you are trying to reach that only supports Auth Codes
for web (Implicit):
Client sends a standard Implicit request to Server
Server parses this request, then restructures it as an Auth Code request and forwards to API
API validates user login, and sends Auth Code to Server
Server sends Auth Code back to API
API returns access token and refresh
Server returns only access token to Client
for mobile (PKCE):
Client sends a standard PKCE request to Server
Server parses this request, then restructures it as an Auth Code request and forwards to API
API validates user login, and sends Auth Code to Server
Sever sends Auth Code to Client
Client sends Auth Code and Verifier to Client
Server verifies sends Auth Code back to API
API returns access token and refresh
We have a coldfusion API which we want to be accessible with OAuth2.0 Access Token Functionality with ADFS.
I am unable to find any library related to OAuth Access Token Validation against a certificate or expiry status.
The Google Developer Consoles (even the old version) no longer lists the Mail API in the list of available APIs.
I'm trying to develop a web application which acts on behalf of users to manage their Gmail, like Mailbox. This requires using the Gmail IMAP API with XOAUTH2 authentication with an OAuth 2.0 access token. The documentation instructs provisioning OAuth 2.0 token with a https://mail.google.com/ scope. Provisioning credentials for a web application then requesting a token with this scope yields a 403 response with an accessNotConfigured error. There are options in the developer console for configuring other APIs, but there is no option to configure access for the Mail API.
Attempting to provision the mail scope in the Google OAuth Playground using their client credentials works correctly and the resulting access token can be used to access Gmail IMAP with XOAUTH2.
Have Google disabled OAuth 2.0 authentication for Mail using new credentials, or is it just hidden? I can't find a way to contact them and ask for Mail API access.
Just create any client id it doesn't matter what API you select. When you make the authentication request send the scope of https://mail.google.com/. That will get you the access token you need to login to the imap server.
I am using DotNetOpenAuth libraries to implement OAuth 2.0 client side to communicate with SalesForce authorization server. I have finished first two steps of OAuth 2.0 communication that ends with obtaining of access token from SalesForce authorization server.
Now I want to get some resource form SF. Is that possible only over REST service infrastructure ? Can I can send http request with access token and specified parameter to be retrieved to SF ?
Thank you,
Rastko