These are the settings I have behind my twitter App,
And these are the settings I've tried in Amazon IAM,
Which I'm assuming doesn't work because Twitter is providing OAuth login only, not full OpenID Connect compatible options. Is there any way I can get Twitter as one of the login options, or build some sort of middle server, or similar, to be able to make this work?
You are correct, this is because Twitter only supports OAuth 2.0 delegated access to the Twitter APIs for 3rd party clients. Twitter does not support an OAuth 2.0 based sign-in mechanism (like OpenID Connect); their current sign-in mechanism is based on OAuth 1.0, see: https://dev.twitter.com/web/sign-in/implementing and https://dev.twitter.com/rest/reference/get/account/verify_credentials
You could indeed build a middle server to bridge standard OpenID Connect to Twitter's OAuth 1.0 sign-in mechanism. I am not aware of the existence of such a bridge as an open source product. There are commercial products that can do this.
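The Twitter-facing half of such a bridge is an OAuth 1.0a client, so the part it cannot skip is HMAC-SHA1 request signing (RFC 5849). The following is an added example, not code from the answer above or from any product: a generic signer plus a server-side verifier, with the "Sign in with Twitter" call sequence in a trailing comment. The endpoint URLs in that comment are Twitter's documented ones; the key and token values used to exercise it are the ones from Twitter's public signing documentation, not live credentials.

```python
"""OAuth 1.0a HMAC-SHA1 request signing (RFC 5849), the piece of Twitter's
OAuth 1.0 sign-in that an OpenID Connect bridge has to implement on the
Twitter-facing side. Added example, not code from the original answer. The
signing routine is generic; the Twitter endpoint URLs in the comment are the
documented ones, and the doc-example credentials are not live ones."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value) -> str:
    # RFC 5849 3.6: only A-Z a-z 0-9 - . _ ~ stay literal; space becomes %20
    # (never '+') and '/', '+', ',' and '!' are all encoded with upper-case hex.
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params) -> str:
    # base_url: scheme://host/path with no query; params: every query, body
    # and oauth_* pair except oauth_signature. Encode first, then sort by
    # (key, value) so both ends of the wire build the identical string.
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    # Key = pct(consumer_secret) '&' pct(token_secret); the token secret is
    # empty on the very first call (request_token) because no token exists yet.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, consumer_key, consumer_secret, token=None,
                 token_secret="", request_params=(), extra_oauth=(),
                 nonce=None, timestamp=None):
    """Build the oauth_* parameters and the Authorization header for one call."""
    oauth = [("oauth_consumer_key", consumer_key),
             ("oauth_nonce", nonce or secrets.token_hex(16)),
             ("oauth_signature_method", "HMAC-SHA1"),
             ("oauth_timestamp", str(timestamp or int(time.time()))),
             ("oauth_version", "1.0")]
    if token:
        oauth.append(("oauth_token", token))
    oauth.extend(extra_oauth)          # oauth_callback or oauth_verifier
    signature = hmac_sha1_signature(method, base_url, list(request_params) + oauth,
                                    consumer_secret, token_secret)
    oauth.append(("oauth_signature", signature))
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth))
    return dict(oauth), header


def verify_signature(method, base_url, params, consumer_secret, token_secret="",
                     max_skew=300, now=None):
    """Server-side check: recompute, compare in constant time, and reject
    timestamps outside the window so a captured request cannot be replayed
    forever (a real server also remembers nonces seen inside that window)."""
    params = list(params)
    presented = dict(params).get("oauth_signature")
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = hmac_sha1_signature(method, base_url, unsigned, consumer_secret, token_secret)
    ts = int(dict(unsigned).get("oauth_timestamp", 0))
    now = int(time.time()) if now is None else now
    return (bool(presented) and hmac.compare_digest(presented, expected)
            and abs(now - ts) <= max_skew)


# "Sign in with Twitter" is three signed calls plus one browser hop; a bridge
# makes them in this order, then maps the verify_credentials JSON to claims:
#   1. POST https://api.twitter.com/oauth/request_token
#        extra_oauth=[("oauth_callback", bridge_callback_url)], no token yet
#   2. browser -> https://api.twitter.com/oauth/authenticate?oauth_token=<request token>
#   3. POST https://api.twitter.com/oauth/access_token
#        token=<request token>, extra_oauth=[("oauth_verifier", verifier)]
#   4. GET  https://api.twitter.com/1.1/account/verify_credentials.json
#        token=<access token>, token_secret=<access token secret>
```

The two details that break most hand-rolled signers are the double percent-encoding of the parameter string (encode each pair, join, then encode the whole thing again) and the sort happening after encoding; the verifier mirrors the signer so the same helper serves whichever side of the bridge you are writing.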
I am using Cognito for the user management and I want to let the user authenticate with Twitter or LinkedIn
Not directly as neither Twitter nor LinkedIn are OIDC IdPs. People have had some success shimming the required resources in lambda to turn non-standard identity providers into OIDC compliant ones. The most actively developed is TimothyJones/github-cognito-openid-wrapper.
It is a good starting point for you to adapt LinkedIn and Twitter for your needs.
I am writing a Google Drive desktop application and I am using OAuth 2 to get credentials. I can get creds for just reading, but not changing files. As it is a desktop application, there is no site. It is written at https://developers.google.com/identity/protocols/oauth2/native-app that I need to "supply a local redirect URI to handle responses from Google's authorization server". So, should the client also be a server and listening on some port locally? If I want to have the app verified, I need to provide Authorized domains and other stuff, but it is a desktop application, again. Or maybe there is a way to allow users to use the app, but with a warning on a consent screen, for example for development purposes.
Also, how do I hide the credentials that I use to get the token? If I publish the app with the credentials, everybody can just steal them and use them.
In order to develop a desktop application which will use the Drive API you will have to use credentials of the web app type for which you will later provide the appropriate redirect URI.
By using OAuth 2.0 in your application, you are the only one who has access to the credentials for the application - unless you share them.
According to the Google OAuth 2.0 documentation:
You start by obtaining the OAuth 2.0 client credentials from the Google API Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.
For the login process, when the users will log-in to your application, they will use their own credentials and then they will have to authorize the application you have built in order to be able to use the Drive API.
Reference
OAuth 2.0 for Mobile & Desktop Apps;
Using OAuth 2.0 to Access Google APIs;
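What the native-app guide linked in the question calls a local redirect URI is a one-shot HTTP listener on 127.0.0.1 (RFC 8252 loopback redirect), and the answer to the credential-hiding worry is PKCE (RFC 7636): a desktop client is a public client, sends no secret, and instead binds the token request to the authorization request with a one-time verifier. The following is an added example, not code from the answer or from Google: CLIENT_ID is a placeholder, the two Google endpoint URLs are the documented ones, and no network call is made except the optional local round trip under `__main__`.

```python
"""Loopback redirect with PKCE for a native/desktop OAuth 2.0 client, the
pattern in the Google native-app guide linked above (RFC 8252 + RFC 7636).
Added example, not code from the original answer. CLIENT_ID is a placeholder;
the Google endpoint URLs are the ones Google documents."""
import base64
import hashlib
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLIENT_ID = "EXAMPLE.apps.googleusercontent.com"   # placeholder, not a real client


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    # RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    # 32 random bytes -> 43 unpadded base64url chars, inside RFC 7636's 43..128
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorization_url(redirect_uri, scope, state, challenge,
                            client_id=CLIENT_ID, endpoint=AUTH_ENDPOINT):
    # A public client sends no secret here; the challenge ties the later
    # token request to whoever started this authorization request.
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": "code", "scope": scope, "state": state,
             "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{endpoint}?{urlencode(query)}"


def build_token_request(code, verifier, redirect_uri, client_id=CLIENT_ID):
    # The server hashes code_verifier and compares it with the stored
    # challenge, so a code stolen from the redirect is useless on its own.
    return TOKEN_ENDPOINT, {"grant_type": "authorization_code", "code": code,
                            "code_verifier": verifier, "redirect_uri": redirect_uri,
                            "client_id": client_id}


def parse_redirect(path, expected_state):
    """Check the loopback redirect: state must match exactly, then take code or error."""
    qs = parse_qs(urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged redirect")
    if "error" in qs:
        raise ValueError("authorization server returned " + qs["error"][0])
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried neither code nor error")
    return code


class LoopbackListener:
    """One-shot listener on 127.0.0.1 with an OS-chosen port (bind to port 0)."""

    def __init__(self, expected_state):
        outer = self
        self.code, self.failure = None, None

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                try:
                    outer.code = parse_redirect(self.path, expected_state)
                    body = b"Signed in. You can close this window."
                except ValueError as exc:
                    outer.failure = exc
                    body = b"Sign-in failed."
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *_):
                pass

        self.httpd = HTTPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = f"http://127.0.0.1:{self.httpd.server_port}/"

    def wait_for_code(self):
        self.httpd.handle_request()   # serves exactly one request, then returns
        self.httpd.server_close()
        if self.failure:
            raise self.failure
        return self.code


if __name__ == "__main__":
    import webbrowser
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    listener = LoopbackListener(state)
    webbrowser.open(build_authorization_url(listener.redirect_uri,
                    "https://www.googleapis.com/auth/drive", state, challenge))
    code = listener.wait_for_code()
    print(build_token_request(code, verifier, listener.redirect_uri))
```

Binding to port 0 lets the OS pick a free port, which is why the redirect URI is built after the socket exists; the `state` check matters on a loopback listener because any local process can hit that port, and without it a forged redirect could inject someone else's code into your session.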
I constantly get confused by OpenID Connect and OAuth2, and I read this article and got a sense that Google is using OpenID Connect, https://auth0.com/docs/oauth-web-protocol (but I remember Google used OAuth2 for providing auth service to 3rd parties); see the following quote:
Auth0 supports the OpenID Connect / OAuth2 Login protocol. This is the protocol used by companies like Google, Facebook and Microsoft among others so there are plenty of libraries implementing it on various platforms.
Moreover, the above URL seems to say Auth0 is using OpenID (rather than OAuth)? See the following quote:
GET https://YOUR_NAMESPACE/authorize/?
response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=http://YOUR_APP/callback
&state=VALUE_THAT_SURVIVES_REDIRECTS
&scope=openid
http://openid.net/specs/openid-connect-basic-1_0.html
OpenID Connect is basically authentication built on top of OAuth 2.0.
OAuth 2.0 by itself didn't standardise authentication (just authorization) and the confusion you have likely comes from the fact that each of the companies that are now switching to OIDC previously had already poured their own "authentication sauce" over their OAuth 2.0 implementations. In practice this meant that each had their own set of scopes and their own version of what is a standard /userinfo endpoint in OIDC, but the authorization mechanism in all cases (including OIDC) is based on OAuth 2.0.
To wrap up by answering your question: Yes, both of the endpoints you mention support OpenID Connect.
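The concrete thing OpenID Connect adds on top of the OAuth 2.0 code flow is the ID token: a signed JWT carrying iss, aud, exp, iat, nonce and the user claims, which the relying party validates itself instead of trusting whatever a provider-specific /userinfo happened to return. The following is an added example, not code from either answer above; it serves both this answer and the earlier Cognito/Twitter/LinkedIn one, because a shim in front of a non-OIDC provider has to produce exactly this token from the provider's ad-hoc profile response. HS256 with a shared key is used only to keep it dependency-free; a provider consumed by a third party such as Cognito signs with an asymmetric key published at its jwks_uri. The issuer, client id, key and upstream profile are constructed values.

```python
"""Minting and validating an OpenID Connect ID token. Added example, not code
from the original answers. HS256 with a shared key is used only to stay
dependency-free; a real provider signs with an asymmetric key published at its
jwks_uri. Issuer, client id, key and the upstream profile are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed, modelled on the field names Twitter's verify_credentials returns.
SAMPLE_UPSTREAM_PROFILE = {"id_str": "12345", "screen_name": "jdoe", "name": "J. Doe",
                           "profile_image_url_https": "https://img.example/jdoe.png"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256(header: dict, claims: dict, key: bytes) -> str:
    # JWS compact serialisation: b64url(header).b64url(payload).b64url(sig)
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def profile_to_claims(profile: dict) -> dict:
    # The shim's real job: translate the provider's ad-hoc userinfo-like
    # response into the standard OIDC claim names a relying party expects.
    return {"sub": profile["id_str"], "preferred_username": profile["screen_name"],
            "name": profile["name"], "picture": profile["profile_image_url_https"]}


def mint_id_token(profile, issuer, client_id, nonce, key, now=None, ttl=3600):
    now = int(time.time()) if now is None else int(now)
    claims = {"iss": issuer, "aud": client_id, "iat": now, "exp": now + ttl,
              "nonce": nonce, **profile_to_claims(profile)}
    return jws_hs256({"alg": "HS256", "typ": "JWT"}, claims, key)


def validate_id_token(token, issuer, client_id, nonce, key, now=None, leeway=60):
    """The checks OIDC Core 3.1.3.7 requires before an RP trusts the identity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm you expect; never let the token choose it ("none", etc.).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else int(now)
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in aud:
        raise ValueError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    if claims.get("iat", 0) - leeway > now:
        raise ValueError("issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: not the token this login asked for")
    return claims
```

The audience check is the one that separates "someone logged in somewhere" from "someone logged in to my application": an ID token issued to a different client is valid for that client and must be rejected by yours, which is precisely the confusion the OAuth-only "authentication sauce" schemes left open.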
I'm pretty new to OAuth and API security.
I'm building a REST API that will be accessed by my own mobile application.
I want to expose API to other developers via OAuth authorization and authentication and I'll be using my own OAuth provider.
What is the authentication strategy for my own mobile app? After all, I don't need the user to authorize my app. Can I use OAuth for authentication while having my own mobile application pre-authorized by default?
Can I authenticate users of my mobile app with OAuth or do I need something like OpenID?
I don't think you want OAuth if you are looking to step over the user authorization step. If you are determined to use OAuth, however, you could mask the authorization step as a login dialog or give your application an access token. User authorization is a rather big part of OAuth's functionality, so ignoring it probably means you should use some other interface to access your users' information.
Accessing my own OAuth REST API - OAuth has NOTHING to do with REST a priori: OAuth is an authorization protocol, REST an architecture style.
For OAuth - use version 2.0 - it's 2012 already.
What is the authentication strategy for my own mobile app? - for a mobile app on Android, for example, you could get the user's account with which they registered their phone in the Google Play store/Gmail (and then generate a one-time password on your server side). If they won't provide it to your app - make an explicit authentication.
Nowadays probably only a calculator doesn't use explicit authentication - so why should you differ? You can link your authentication to FB or Google or any other OAuth provider - what makes you create your own OAuth provider?
You can authenticate users with both OAuth and OpenID.
Is there a way to authenticate to Facebook / Twitter using basic authentication? the application I am working on requires posting to those two sites without the need to open the oAuth Dialog.
Neither Twitter nor Facebook supports basic auth.
No, thank goodness.
Basic authentication requires that you take the user's password, which is a secret between them and Twitter/Facebook. You shouldn't be asking for it.
If your app is physically unable to display the dialog, OAuth 2.0 (not available on Twitter) offers a way (last I checked) for an independent web browser on another computer to perform the OAuth authorization process to your app running on some limited device.
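The mechanism the answer above alludes to is what is now standardised as the OAuth 2.0 Device Authorization Grant (RFC 8628): the limited device shows a short code, the user approves it in a browser on any other machine, and the device polls the token endpoint until the decision arrives. The following is an added example, not code from the answer; both sides of the exchange are shown, with the authorization server as an in-memory mock driven by a fake clock so the whole thing runs offline. Its URL, the client id and the user names are constructed.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628) with both sides simulated.
Added example, not code from the original answer. The authorization server is
an in-memory mock with a fake clock; its URL, client id and users are
constructed for illustration."""
import secrets


class FakeClock:
    """Deterministic clock so polling intervals can be exercised without sleeping."""
    def __init__(self, start=1_700_000_000):
        self.now = start

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class MockAuthorizationServer:
    VERIFICATION_URI = "https://as.example/device"   # constructed
    INTERVAL = 5       # minimum seconds between polls
    LIFETIME = 600     # seconds an unapproved device_code stays valid
    USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"      # no vowels, no 0/O, 1/I

    def __init__(self, clock):
        self.clock = clock
        self.grants = {}       # device_code -> record
        self.last_poll = {}    # device_code -> time of last token request

    def device_authorization(self, client_id, scope):
        # RFC 8628 3.2: device_code is a high-entropy secret the device keeps;
        # user_code is short because a human has to type it into a browser.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(self.USER_CODE_ALPHABET) for _ in range(8))
        self.grants[device_code] = {"client_id": client_id, "scope": scope,
                                    "user_code": user_code, "status": "pending",
                                    "user": None, "expires_at": self.clock() + self.LIFETIME}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "verification_uri_complete": f"{self.VERIFICATION_URI}?user_code={user_code}",
                "expires_in": self.LIFETIME, "interval": self.INTERVAL}

    def user_decision(self, user_code, user, approve=True):
        """The browser side: an already-authenticated user enters the code and decides."""
        for rec in self.grants.values():
            if (rec["user_code"] == user_code and rec["status"] == "pending"
                    and self.clock() <= rec["expires_at"]):
                rec["status"] = "approved" if approve else "denied"
                rec["user"] = user
                return True
        return False   # unknown, expired or already-decided code

    def token(self, device_code, client_id):
        rec = self.grants.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires_at"]:
            del self.grants[device_code]
            return {"error": "expired_token"}
        last, self.last_poll[device_code] = self.last_poll.get(device_code), now
        if last is not None and now - last < self.INTERVAL:
            return {"error": "slow_down"}            # RFC 8628 3.5: client adds 5 s
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.grants[device_code]                 # single use, approved or denied
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["user"]}


def poll_for_token(server, client_id, grant, clock, sleep):
    """Device side: poll at the server's interval, back off on slow_down, and
    stop on denial or expiry instead of hammering the endpoint forever."""
    interval = grant["interval"]
    deadline = clock() + grant["expires_in"]
    while clock() <= deadline:
        resp = server.token(grant["device_code"], client_id)
        if "access_token" in resp:
            return resp
        error = resp["error"]
        if error == "slow_down":
            interval += 5
        elif error != "authorization_pending":
            raise RuntimeError("device flow ended: " + error)
        sleep(interval)
    raise RuntimeError("device flow ended: expired_token")
```

The device never sees a password and never displays a consent dialog; everything the user decides happens on the other browser. Note which code goes where: the user_code is the only thing shown on the device's screen, while the device_code stays on the device and acts as the secret that later redeems the grant.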