I've been googling around trying to find some good documentation on how to implement OAuth2 with Google; the closest I've gotten is this.
It works somewhat, but it doesn't tell me much about how I would go about it if I wish to provide multiple authentication providers (e.g. having username/password, Google and Facebook providers). What do I do with refresh tokens? Store them? How are they used in Spring OAuth2/Security?
Anyone know of a guide/example/tutorial/book that would explain this?
I would like to access my Google Drive account via their API inside of a Rails application. The idea is that I will store files, but I don't believe I need to implement any authorisation for it (like with Oauth2, for example), since I only want to access my account.
I have been researching for 2 days, but the Google documentation seems very confused and not very clear.
I started in vain with this guide https://developers.google.com/drive/api/v3/quickstart/ruby and tried to co-opt it for use inside of Rails, but since it relies on storing a token file returned upon authentication, I figured this wasn't really the right approach.
I don't have any code to share, just looking for some clarity on how I can achieve what I'm trying to do, or indeed if it's even possible.
Additional Info:
I'm using Devise for my own authentication, so implementing omniauth through that would be an option if it's necessary. I looked through some documentation around that which Devise has on their side, but I didn't want to go through that (it seemed like a lot) before knowing it was the correct course of action.
You need OAuth 2.0 to authorize requests on the Drive API, as described in the documentation. In that link, you can find: «All requests to the Drive API must be authorized by an authenticated user».
To complete that authorization process, you should follow the instructions on the Drive API Ruby Quickstart linked on your question. Generating and saving a credentials.json for later use is the normal approach in this situation. Here you can read about using OAuth 2.0 over different scenarios.
I hope to have cleared your doubts on this topic, but feel free to ask further questions.
I am trying to understand in what scenarios I should be using oauth. From reading the spec, I understand that you are essentially delegating identification to a 3rd party.
So if we take the example of Stack Overflow's login page you get
OAuth2 is being used for Google and Facebook; how do I determine what Stack Overflow is using (when entering username and password directly)? Would that also be OAuth 2? If it is using OAuth, how would I go about understanding which flow they use?
Your question is a little unclear, but what I think you're asking is if SO or some other site uses OAuth for all their authentication schemes. They could. If they're using OAuth with user password authentication, when you authenticate the response you get back should have an Authorization Token and a Refresh Token in it that you would then use to authenticate on each successive request. Hope this helps. OAuth isn't a technology; it's a protocol on how to do authentication in a better way.
See what is the request URL when you click to log in with gmail...
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com%26scope%3Dprofile%2Bemail%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google%26state%3D%257B%2522sid%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5%2522,%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode%26from_login%3D1%26as%3D-8520e47ae71bbb4&oauth=1&sarp=1&scc=1#identifier
Does that oauth2 mean OAuth 2? I think so.
UPD: As I understand it, the OAuth mechanism is supported by a third party. SO could use their own OAuth for direct entry, or standard authentication. It is up to SO.
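As an added example (not code from any of the posts here), the following parses the login URL quoted above, unwraps the authorization request that Google's login page carries in its `continue` parameter, and reads off the client_id, scope, redirect_uri, response_type and state; response_type=code identifies the authorization code grant. The helper names and the registered redirect URI set are assumptions for illustration.

```python
import json
from urllib.parse import urlparse, parse_qs

# The login URL quoted in the post above (Google's ServiceLogin page wraps the
# real OAuth 2.0 authorization request inside its `continue` parameter).
LOGIN_URL = ("https://accounts.google.com/ServiceLogin?passive=1209600&continue="
    "https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com"
    "%26scope%3Dprofile%2Bemail%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google"
    "%26state%3D%257B%2522sid%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5%2522,"
    "%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode%26from_login%3D1%26as%3D-8520e47ae71bbb4"
    "&oauth=1&sarp=1&scc=1#identifier")

def _single(params, key):
    # Exactly one value or nothing: a duplicated redirect_uri or state is a
    # parameter-pollution pattern, so duplicates are treated as absent.
    values = params.get(key, [])
    return values[0] if len(values) == 1 else None

def parse_authorization_request(url):
    """Return the OAuth 2.0 parameters of an authorization request,
    unwrapping Google's ServiceLogin `continue` indirection when present."""
    outer = parse_qs(urlparse(url).query)
    auth_url = _single(outer, "continue") or url
    parts = urlparse(auth_url)
    q = parse_qs(parts.query)
    state_raw = _single(q, "state")
    try:
        state = json.loads(state_raw) if state_raw else None
    except json.JSONDecodeError:
        state = state_raw  # state is opaque to the provider; SO's happens to be JSON
    return {
        "endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "client_id": _single(q, "client_id"),
        "scope": (_single(q, "scope") or "").split(),  # '+' decoded to a space
        "redirect_uri": _single(q, "redirect_uri"),
        "response_type": _single(q, "response_type"),
        "state": state,
    }

def describe_flow(req):
    """Name the grant from response_type; an 'openid' scope marks OpenID Connect."""
    grant = {"code": "authorization code", "token": "implicit"}.get(req["response_type"])
    if grant is None:
        return "not an OAuth 2.0 authorization request"
    proto = "OpenID Connect" if "openid" in req["scope"] else "OAuth 2.0"
    return f"{proto} {grant} grant"

def redirect_uri_allowed(req, registered):
    """Authorization-server side check: exact string match against the client's
    registered redirect URIs (no prefix or wildcard matching)."""
    return req["redirect_uri"] in registered
```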
To keep it short and easy:
If you want to add authentication to your application and you want to leave some of the security heavy lifting to big companies like Facebook, Google and Stack Overflow, it is generally a good idea if you do not know precisely how to handle such a delicate task and/or you are not using a specific auth tool/framework.
On the other hand, from the user perspective, the application will be far more user friendly (just one click authorization instead of a painful registration).
If you want a much more detailed technical explanation, I suggest you read this other Stack Overflow post:
OAuth 2.0: Benefits and use cases — why?
I'm trying to access Google spreadsheets using the gdata-python-2.0.17 library. In every tutorial, programmaticLogin(uname, pwd) is used, but I feel it is not a good practice. I'm trying to overcome this by using OAuth 2.0 authentication (oauth2client.client).
I've managed up to granting access to a Google account by getting user consent.
I'm not sure whether the standard gdata.spreadsheet.service.SpreadsheetsService() can be used in this scenario.
According to this, it is not possible/easy to combine OAuth 2.0 and gdata-python library.
It's highly appreciated if someone knows how to handle this with the said APIs, or using later versions of the Google API which can be used.
Thanks
Has anyone actually used OAuth2 for SSO within Spring Security 3?
Scenario:
I need my users to be redirected to an OAuth2 URL when they try to access any URL on my site for the first time. Once they are authenticated there, it will redirect them to a URL on my site, where I need to authorize them and create a session so that they will stay authorized on my site until they log out or time out.
I have tried several configurations in Spring Security using custom pre-auth filters, custom user details services, etc., but I cannot get the flow to work properly. I've not attached any code because I've gone through so many possibilities that I'm not even sure what to post.
I'd appreciate any direction anyone can give. Thanks!
OAuth2 isn't intended as an SSO solution. It's primarily about delegating the right to access resources on your behalf to other parties (applications, for example). So if that's not something you need then perhaps you should be looking at a simpler solution.
It's possible to use OAuth2 to allow access to a resource which provides information on your identity, in which case it can be expanded for authentication use. This is how OpenID connect uses it (by adding a userinfo endpoint resource).
You might want to take a look at the UAA project within CloudFoundry which is built on Spring Security OAuth and uses OAuth2 in this way to provide authentication services and to issue access tokens to applications within the system.
This appears to be a somewhat dead question but here are some resources that may prove useful to future searches:
#EnableOAuth2Sso
#EnableOAuth2Resource
Spring Cloud oauth2 SSO sample
Spring oauth2 SSO with a whole bunch of other stuff too
Who is your OAuth2 provider? In the case of a public one like Facebook, Twitter, Google and many others you can take a look at the Spring Social project. Even if you use some private provider you can add it very easily (http://blog.springsource.com/2011/03/10/extending-spring-socials-service-provider-framework/, Developing a Netflix Service Provider Implementation section).
Spring Social is designed to cover your main case with some minor difference: by default you must submit a form to start the authentication process. I think this difference may be easily customized to fit your needs.
You can play with Spring Social Showcase sample to have an idea about authentication workflow.
Can you use OAuth to only authenticate like you can with Twitter?
If you check Google's docs at http://code.google.com/apis/accounts/docs/OAuth2.html you'll find that the scope (meaning, the service you're supposed to ask permission to) is a required field.
It may be a turn-off for many users if you ask them for access to their contact list when the most you really do is authenticate, so I'd rather stick with OpenID, which is designed just to retrieve the UID.
So, the answer is really NO, unless you're planning on using an additional API with Google.
OAuth is an authorization protocol and can't be used for authentication only unless the provider defines a dummy scope which, in effect, authorizes you to access "nothing", or "basic user info" (name, e-mail, etc.).
AFAIK, Google provides no such "dummy" scope. However, they do implement OpenID for such authentication purposes, as the protocol is better suited for that task, anyways.
Yes, you can; there are many options, and it depends on your platform. I advise you to check
oauth.net
You can find there options for Java, .NET, ColdFusion, PHP, etc.
There are many Frameworks that have OAuth capabilities, on Spring you can use this
Sounds like there are some plans afoot on this...
http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html?showComment=1300267218233#c6336940633709651714
some chap:
"Can someone help by pointing to the documentation for the API of "just get basic information for a user"
other chap:
"The problem is that you get a lot of different login mechanisms because Twitter is using OAuth 1.0 (or am I wrong?), Facebook is using OAuth 2.0 and Google is using OpenID for login. Please correct me if I'm wrong. So basically I have the same question.
Will Google support login for basic user information with OAuth 2.0 for Google APIs?"
google dude:
"Today we're supporting OpenID for login, but we've heard your pain about the mess of different identity protocols on the web. Stay tuned :)"
Seems to me, as OAuth2 covers authentication and authorization, it would make sense to allow basic info and make it easy on the integrator by using one method for all.
I'm plumping for this possibility anyway; hopefully by the time I'm ready to put my app live it will be available from Google. Facebook has this anyway, and in my case that's a big enough draw.