We have 1 google app with 2 separate sets of credentials.
One for a web app, the other for an iOS app.
We're trying to have users authenticate on mobile and send the "code" parameter to our API, where we turn that into an access_token and refresh_token (for use with background processing). The issue that we're getting is "unauthorized_client".
We've been following the portion for "enable server-side api access for your app" https://developers.google.com/+/mobile/ios/sign-in
The API is using the same credentials as the iOS app for these types of exchanges.
Related
I am writing a google drive desktop application and I am using OAuth 2 to get credentials. I can get creds for just reading, but not changing files. As it is a desktop application, there is no site. It is written in https://developers.google.com/identity/protocols/oauth2/native-app, that I need to "supply a local redirect URI to handle responses from Google's authorization server". So, should the client also be a server and listening on some port locally? If I want to have the app verified, I need to provide Authorized domains and other stuff, but it is a desktop application, again. Or maybe there is a way to allow users to use the app, but with a warning on a consent screen for example for development purposes.
Also, how do I hide the credentials that I use to get the token? If I publish the app with the credentials, everybody can just steal them and use them.
In order to develop a desktop application which will use the Drive API you will have to use credentials of the web app type for which you will later provide the appropriate redirect URI.
By using OAuth 2.0 in your application, you are the only one who has access to the credentials for the application - unless you share them.
According to the Google OAuth 2.0 documentation:
You start by obtaining the OAuth 2.0 client credentials from the Google API Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.
For the login process, when users log in to your application, they will use their own credentials and then they will have to authorize the application you have built in order to be able to use the Drive API.
Reference
OAuth 2.0 for Mobile & Desktop Apps;
Using OAuth 2.0 to Access Google APIs;
I'm currently working on a mobile application in which we make donations.
Apple's guidelines do not allow payment directly in the application for donations.
I would like to redirect my users from my mobile application to the web browser on their devices.
How can I authenticate the user without forcing him to enter his credentials?
What I've done so far is create an "ActionToken" in my database. When the user clicks on pay in the mobile application, a call to the database is made to generate a token (a simple GUID) and save it in the database.
After that, the application redirects to the web page, which reads the token and retrieves the associated user.
What I would like is to eliminate the generation of the token before redirecting to the browser.
Thank you!
When using authentication in Azure App Service, a JSON web token (JWT) is presented in the x-zumo-auth request header when the mobile client interacts with the Azure mobile app. For more details, you could refer to Authentication and authorization in Azure App Service.
Per my understanding, you could leverage the authenticationToken generated by your mobile app backend and pass it as the query string with your payment URL, then you could send an AJAX request against your mobile app endpoint (e.g. custom Web API, etc.) with the x-zumo-auth header. For the payment Web API in your mobile app backend, you could refer to Adrian Hall's book, Custom HTTP Endpoints, and How to: Retrieve authenticated user information.
To retrieve the value for the x-zumo-auth header, you could access MobileServiceClient.CurrentUser.MobileServiceAuthenticationToken after you have invoked MobileServiceClient.LoginAsync in your mobile client. For more details about adding authentication to the iOS app, you could refer to here.
We have an iOS app that uses Google oAuth to ask for a user's permission for Google Calendar using an embedded browser. The user logs in via the app and grants permission to their calendar(s); the oAuth authorization's refresh token and calendar IDs are stored in an encrypted database.
Using this refresh token and the calendar IDs, their calendar items would then be displayed on a separate web application (without having to request the client's credentials again). This worked great until Google authorization requests in embedded browsers were blocked on April 20 this year. Until this time we used a single oAuth client ID and used the client ID & secret in both the iOS and the web app. However, after April 20th, we had to create a separate iOS client key. The issue now is that within the iOS app we are able to ask for the user's calendar permissions using this code:
OIDAuthorizationRequest *request = [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
    clientId:GoogleCustomKey
    scopes:@[OIDScopeOpenID,
             OIDScopeProfile, OIDScopeEmail, @"https://www.googleapis.com/auth/calendar",
             @"https://www.googleapis.com/auth/calendar.readonly",
             @"https://www.googleapis.com/auth/tasks",
             @"https://www.googleapis.com/auth/tasks.readonly"]
    redirectURL:[NSURL URLWithString:GoogleRedirectUri]
    responseType:OIDResponseTypeCode
    additionalParameters:nil];
However, now we are no longer able to display the user's calendars using the refresh token on the web application. Within the web application, we get an "Unauthorized access" error when we debug the web application code. But according to Google's documentation, cross-client authorization is permitted: https://developers.google.com/identity/protocols/CrossClientAuth.
We are not sure what we are missing? Thanks.
Right now, I have a native azure app that my iOS app uses ADAL to authenticate to with no issues. I've added a Web API in azure and it's being managed by the Azure API Management resource. I have this API using an oAuth server that uses Azure AD for authentication (all created within the Azure API Management).
The issue I'm having is the oAuth token I'm receiving from my iOS App is not being accepted by my Web API. They are both using oAuth to the same Azure Active Directory. I tried changing in my iOS app, to use the Web API app client ID instead of the native app client ID. The issue then becomes during authentication, it needs a "client_secret" in the request. Looking at the ADAL iOS library, I'm not seeing a method to get a token that passes in a client secret as a parameter.
Scroll down to the Keys section, you will see the key as the client secret. They are used for calling the web api.
These two methods of authenticating the applications are referred to as interactive (user signs in) and non-interactive (app provides its own credentials). In the non-interactive mode, you must assign the service principal to a role with the correct permission. For more information about AAD authentication, you could refer to: https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/
I'm building a system with a web app and an iOS app. The web part requires authentication that can be used on the mobile part and vice versa.
I want to add support for Google sign-in on the web and on the mobile part. For testing I've used the code from https://developers.google.com/identity/sign-in/ios/start-integrating for iOS and https://developers.google.com/identity/sign-in/web/ for the web part.
The scopes are the same on the application and the web (email, profile).
Expected flow:
User signs in with Google and grants access from mobile (or web)
User goes to the website (or application)
User signs in with Google
No need to grant permission again
What I got:
User signs in with Google and grants access from mobile
User goes to the website
User signs in with Google
The same permissions are asked for again
How can I avoid asking for permission again? From the documentation (https://developers.google.com/identity/sign-in/web/cross-platform-sign-in) it seems to be possible to obtain the expected flow, but in practice I am unable to obtain it. iOS and web are in the same Google developer project.
I've made this work as expected following these guides: https://developers.google.com/identity/protocols/CrossClientAuth
https://developers.google.com/identity/sign-in/ios/offline-access
What you have to do is the following:
First add
[GIDSignIn sharedInstance].serverClientID = @"SERVER_CLIENT_ID";
in your iOS appDelegate. When the user authenticates through the app, you can now retrieve a token valid for your server_client_id via the serverAuthCode attribute of your GIDGoogleUser object.
Send the token to the server and validate it on the token endpoint (/oauth2/v3/token). redirect_uri must be empty while grant_type must be authorization_code, otherwise you will have a 400 response.
Your server is now authenticated, and when the user logs on to the website, permission will not be asked again.
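The server-side half of the exchange described in the answer above, as an added example that is not part of the original answer: it builds the token-endpoint POST with an empty redirect_uri and grant_type authorization_code, and turns an error response such as unauthorized_client into an exception. The function names, the endpoint host and all sample values are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

# Path is the one named in the answer; the host is an assumption of this example.
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v3/token"


def build_code_exchange(server_auth_code, server_client_id, server_client_secret):
    """Build (without sending) the POST that trades serverAuthCode for tokens."""
    if not server_auth_code:
        raise ValueError("serverAuthCode is missing")
    form = {
        "grant_type": "authorization_code",
        "code": server_auth_code,
        # Same client ID the app set as serverClientID, not the iOS client ID.
        "client_id": server_client_id,
        # The secret lives only on the server; it is never shipped in the app.
        "client_secret": server_client_secret,
        # Sent, but empty, as the answer requires for this flow.
        "redirect_uri": "",
    }
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(status, raw_body):
    """Return the tokens, or raise with the OAuth error code (e.g. unauthorized_client)."""
    doc = json.loads(raw_body)
    if status != 200 or "error" in doc:
        raise PermissionError(f"token exchange failed ({status}): {doc.get('error', 'unknown')}")
    # refresh_token is optional in the response, so do not index it directly.
    return {"access_token": doc["access_token"], "refresh_token": doc.get("refresh_token")}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    req = build_code_exchange("4/constructed-code",
                              "constructed-id.apps.googleusercontent.com",
                              "constructed-secret")
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))
    print(parse_token_response(200, '{"access_token": "at", "refresh_token": "rt"}'))
```

Passing the request to `urllib.request.urlopen` performs the exchange; on a 4xx response it raises `urllib.error.HTTPError`, whose `code` and body can be handed to `parse_token_response`.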