I'm playing around with omniauth in a rails/ember app, and I'm hitting a bit of a wall with google sign in. I get presented the pop-up to allow the site to authenticate me, but after clicking accept the request bombs out:
Uncaught SecurityError: Blocked a frame with origin "https://localhost:3001" from
accessing a frame with origin "https://accounts.google.com". Protocols, domains,
and ports must match.
I'm using a self-signed cert to get HTTPS in local development, but how do I test this auth logic locally?
Coffeescript attempting to do the sign in:
$ ->
$.ajax
url: '//apis.google.com/js/client:plus.js?onload=gpAsyncInit'
dataType: 'script'
cache: true
window.gpAsyncInit = ->
$(".google-login").click (e) ->
e.preventDefault()
gapi.auth.authorize
immediate: false
response_type: "code"
client_id: "<%= ENV["GOOGLE_CLIENT_ID"] %>"
scope: "email profile"
, (response) ->
if response and not response.error
jQuery.ajax
type: "POST"
url: "/auth/google_oauth2/callback"
dataType: "json"
data: response
success: (json) ->
alert 'success!'
else
alert response.error
Try replacing localhost with a valid domain, eg. mydevserver.me.com. You can point mydevserver.me.com to 127.0.0.1 in your /etc/hosts. You will also need to add http://mydevserver.me.com/mycallback as a callback url to the Google API console
Related
I'm following this: https://developer.chrome.com/apps/tut_oauth
But it doesn't work. When I invoke Cloud Function, I get 401 error. The Authorization: Bearer "access-token" is added in the request header. Although another question here[1] states that ID_TOKEN should be used. Which I tried via curl but have the same 401 error.
chrome.identity.getAuthToken({interactive: true}, function(token) {
var dat = {
"user_email":email_id,
"user_id":user_id
};
$.ajax({
type: "POST",
data:dat,
dataType: 'json',
url:str,
contentType: "application/json",
error: function (xhr, status, error) {
console.log(xhr)
}, success: function (data, status, xhr) {
console.log('Success!' +data + status);
},
headers:{
'x-goog-project-id': 'xxxxxxxxxxxxx',
'Authorization': 'Bearer ' + token,
'Content-Type':'application/json',
'Accept': 'application/json'
}
});
});
[1] Why doesn't granting 'allAuthenticatedUsers' member the 'Cloud Functions Invoker' role work for google cloud functions?
The tutorial that you mentioned used "access-token" to accesses a user's Google contacts using the Google People API and the Chrome Identity API.
If you want to access a Google Cloud Function which does not Allow unauthenticated invocations you have to use an ID_TOKEN.
For testing you can create a service account with --role="roles/cloudfunctions.invoker", then create a key.json file and export the GOOGLE_APPLICATION_CREDENTIALS env variable link
Finaly you can use:
curl "https://us-central1-your-project.cloudfunctions.net/yourfunction"
# Error 403 (Forbidden)
curl "https://us-central1-your-project.cloudfunctions.net/yourfunction" -H "Authorization: bearer $(gcloud auth print-identity-token)"
#Success
I gave up on this as there is no direct solution to invoke Cloud function using oauth in Chrome Apps. The alternative solution that worked is to authenticate via API key. That is using Cloud Function with Cloud Endpoints.
I followed the logic here: https://medium.com/#akash.mahale/triggering-google-cloud-functions-with-cloud-endpoints-and-api-key-857e94a8a3aa
But just need to take note that rotation of API keys should be done regularly and automatically..
I have a Rails API with a React client side. I have had everything in the app setup for a long time now and today while I was working on it I suddenly started getting the error:
Access to XMLHttpRequest at 'http://localhost:3000/api/v1/user/authed'
from origin 'http://localhost:8000' has been blocked by CORS policy:
The value of the 'Access-Control-Allow-Origin' header in the response
must not be the wildcard '*' when the request's credentials mode is
'include'. The credentials mode of requests initiated by the
XMLHttpRequest is controlled by the withCredentials attribute.
Now none of the requests in my application work at all.
The request does go through from the React app to the Rails API and the Rails API responds properly as well (I can see this in the terminal) but nothing actually happens on the Client side because I am assuming it gets blocked for the CORS reason.
Is there something I can do to fix this? Could it be that some package is somehow updated on my system and different from the project so now it breaks?
URL to make request to:
const ENDPOINT = '/api/v1',
PORT = 3000,
URL = window.location.protocol + '//' + window.location.hostname + ':' + PORT + ENDPOINT;
The request
$.ajax({
url: URL + '/' + resource,
type: verb,
data: params,
xhrFields: { withCredentials: true }
})
.done(callback)
.fail(errcallback);
Request functions have the format:
static get(resource, params, callback, errcallback) {
API.send('GET', resource, params, callback, errcallback);
}
If your API doesn't require credentials you should remove withCredentials: true.
More about withCredentials:
The XMLHttpRequest.withCredentials property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
Getting CORS error when I am making Ajax request to https://login.microsoftonline.com/common/oauth2/v2.0/token from my application.
Below is the code sample that I am using:
var inputData = {
'grant_type': 'authorization_code',
'code': '<codeValue>',
'redirect_uri': '<returnUrl>',
'client_id': '<client_id>',
'client_secret': '<client_secret>'
};
$.ajax({
url: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
type: 'post',
contentType: 'application/x-www-form-urlencoded',
dataType: 'application/json',
data: inputData,
success: function (data, text) {
console.log(data.access_token);
},
error: function (data, status, error) {
console.log('failed');
}
});
Browser console is showing below error:
Cross-Origin Request Blocked:
The Same Origin Policy disallows reading the remote resource at https://login.microsoftonline.com/common/oauth2/v2.0/token. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
I would like to know how to get ride of CORS error.
You shouldn't use the Authorization Code Flow to do client-size authentication. It would require that you provide the Client Secret as you're doing here and that is a big no-no.
If you need to handle authentication entirely on the client-size, you need to use the Implicit Flow (aka Client-Side Flow). This allows you to authenticate without passing a client secret and doesn't use a second-stage POST to obtain the token.
I wrote a walk through for how Implicit works that you might find helpful as well: v2 Endpoint and Implicit Grant
I have a few api's that require http access (non https. They don't work!)
In my rails application how would i go about changing this to make it work?
Here is what i've done so far. In my production.rb is
config.force_ssl = false
Is there anything else i can do?
Sam
Edit
Heres my ajax code, (part of it)
type: 'GET',
crossDomain: true,
dataType: 'jsonp',
url: 'URL HERE',
success: function(json) {
The url is a http, however heroku changes it to https.
Sam
I'm making an ajax request to an API which requires an auth token to be sent in the HTTP headers. Here's what I've got:
$.ajax({
type: 'GET',
url: 'http://foo.com/bar.json',
headers: { "Authorization": 'Token token=' + SECRET_KEY },
dataType: 'json',
...
}
Thing is I don't want SECRET_KEY to be publicly visible if someone were to view the javascript file. Can't seem to find a good workaround, but can't imagine no one else has encountered this... This request is being sent to a Rails app FWIW.