The Spotipy library supports the Authorization Code flow as given here http://spotipy.readthedocs.org/en/latest/#module-spotipy.oauth2 but I am still not able to figure out what needs to be passed for 'code' for get_access_token(). The whole oAuth flow is convoluted and hard to follow. Would greatly help if spotipy developers can document one oauth flow with an example.
You can find detailed documentation on the Spotify OAuth flows here.
Related
I am new to implicit flow using OIDC and I am looking for sample code. I could not find anything on internet. Can someone provide links to sample code anywhere.
Any help is really appreciated.
Switching from code flow to implicit flow usually just means changing response_type parameter in your authorization request to token instead of code (or id_token token if you also want the ID token). Then you read the token directly from the response from the Authorization Server (no need to exchange code for token). This should relatively simple to achieve with any OIDC client library, or even just a HTTP client.
Take any OIDC client and change the response_type parameter used by it. If you run any concrete problems I'll be glad to help.
I am trying to understand in what scenarios I should be using oauth. From reading the spec, I understand that you are essentially delegating identification to a 3rd party.
So if we take the example stackoverflow's login page you get
Oauth2 is being used for google and facebook, how do I determine what stackoverflow is using (when entering username and password directly)? Would that also be oauth 2? If it is using oauth, how would I go about understanding which flow they use?
Your question is a little unclear but what I think you're asking is if SO or some other site uses oAuth for all their authentication schemes. They could. If they using oAuth with user password authentication when you authenticate, the response you get back should have an Authorization Token and a Refresh Token in it that you would then use to authenticate on each successive request. Hope this helps. oAuth isn't a technology it's a protocol on how to do authentication in a better way.
See what is the request URL when you click to log in with gmail...
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com%26scope%3Dprofile%2Bemail%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google%26state%3D%257B%2522sid%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5%2522,%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode%26from_login%3D1%26as%3D-8520e47ae71bbb4&oauth=1&sarp=1&scc=1#identifier
Does that auth2 means oauth 2 ? I think so
UPD: As I understand OAuth mechanism is supported by 3-rd part. SO could use their own oauth for direct enter, or standard auttentication. It is up to SO.
To keep it short and easy:
If you want to add authentication to your application and you want to leave some security heavilifting to big companies like Facebook, Google and Stackoverflow it is generally a good idea if you do not know precisely how to handle such a delicate task and/or you are not using a specific Auth tool / framework.
On the other hand, from the user perspective, the application will be far more user friendly (just one click authorization instead of a painful registration).
If you want a much more detailed technical explanation I suggest you to read this other Stackoverflow post:
OAuth 2.0: Benefits and use cases — why?
I would like to know if One Drive supports those four ways of Authorization. Please refer to this link. https://www.rfc-editor.org/rfc/rfc6749#page-23
We are integrating our DVR and NVR with One Drive now and we need to understand which authorization method One Drive supports. We are trying to use OneDrive with embedded ARM processors, so the user does not have access to a browser as they would for a web-app.
Please kindly advise how we should proceed from here. Thanks for your time and I look forward to hearing from you.
Best Wishes,
Ted Yang
I am going to say yes, OneDrive probably supports those ways of authorization, because on their authentication documentations page they say the following:
The OneDrive API uses the standard OAuth 2.0 authentication scheme to authenticate users and generate access tokens.
That link takes us to the oauth.net site page for OAuth 2.0. On that page, we find the following:
The final version of the spec can be found at https://www.rfc-editor.org/rfc/rfc6749
which is the document you linked. The OneDrive API documentation says it supports OAuth 2.0, and your linking the definition of OAuth 2.0, so I think it's safe to say it's supported. How to use it is another question entirely, and one I am unable to answer.
I will note, however, that on the OAuth page, they have this to say about it's uses (emphasis mine):
OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
I would presume that living room devices could include DVRs, and although your DVRs are for security purposes, the development of cloud storage APIs for either would undoubtedly be similar. So I would say this is probably quite possible.
How to do it:
First things first, you'll need to register your app. This gets you a client id and a client secret which you'll need. Registration directions
There are two methods: token flow and code flow. Token flow is two steps, and code flow is three steps. However token flow uses tokens that expire, so it would require the user to reenter thigns periodically. You therefor want to use code flow. Here's some directions for that.
Basically the steps of the code flow are:
Get an authorization code
User authorization code to get an access token
User access token to make API calls
You WILL need to make HTTP requests. I'm sure you should be able to do this with ARM embedded C. However, step 1 is what gives you to the Microsoft account login page. I am note sure how to circumvent this, exactly. I'm not sure you're supposed to be ABLE to circumvent this, since Microsoft doesn't want you handling their customers' passwords.
They have an example in Javascript that might give useful details on oauth in the oauth.js file. Javascript sample project
I am using GTM OAuth2 library for authentication in my application based loosely on the following guide: https://developers.google.com/accounts/docs/OAuth2InstalledApp.
I was able to retrieve an access code for a user, however, I am not sure how to swap this for an access token. I have searched through the documentation and have so far been unable to find any relevant examples. Is there a method in the library that supports this exchange?
Any help would be greatly appreciated. Thanks!
Not sure what you mean my "Access Code" is that password? Anyway, I've managed to get the GTM OAuth2 code working, including retrieving an accesstoken after the user has authenticated. I've made a simple project where you only need to put in your Client ID and Client Secret, maybe this can help you.
https://github.com/Christian-Hansen/simple-oauth2
Good luck.
Christian
I've seen this Two legged OAuth using DotNetOpenAuth but it doesn't provide any details on how to remove one of the legs.
I am finding the code quite hard get my head around (using DotNetOpenAuth 4.0). Can anyone give me any pointers on how to modify the samples to do a two-legged auth?
From the service provider, it is a simple matter of authorizing the request token immediately before before returning what normally is an unauthorized request token. Since the service provider already has to provide code to generate and store request tokens, this should be straightforward.
From the consumer, it's simply that you skip the redirect step. There's a sample of this in the OAuthConsumer samples' GoogleApps2Legged.aspx code-behind.
Take a look at this post, it explains how to implement a 2 Legged OAuth using DotNetOpenAuth 4 with a Google Apps consumer key + secret.
Google Calendar V3 2 Legged authentication fails
Hope it will helps you :)