I have used OOB callbacks with desktop and mobile applications for twitter oAuth. But now I am moving onto the web based authentication for my web application consuming twitter api.
I have the following flow of events:
User fills a registration form(with say n fields+) entering his email id and twitter handle.
This generates the(short-lived) twitter request token and the url for obtaining twitter Access Token and secret.
That url is sent to the user's email id, so that it serves the dual purpose of verifying the twitter handle and email id.
Now my question is:
Can I specify the callback URL with parameters so that when the user is redirected back to the application controller, the database receives the entries of the n form fields?
And also once the user is redirected back to the application, is it that the access token is appended to the callback URL (along with the parameters)? If yes, then how do I get the access token (token key and secret)?
To further clarify, consider the callback url:
http://www.someurl.com/controller?param1=val1¶m2=val2
and on redirect to this url, I think(is it?) that twitter appends some params to this url, like
http://www.someurl.com/controller?param1=val1¶m2=val2&someParamsAppendedByTwitter=someValue
I just want to know what this someParamsAppendedByTwitter is/are.
The biggest issue with this question is that in almost all languages, twitter authentication is being dealt with some sort of plugins/libraries and there are very less resources on the same if you want to do it all by yourself.
Related
I'm building a Landing Page in React where a visitor submits some data (including name and phone) and this data is sent over HTTP to a Rails 4.2 Backend.
Now, in order for the Landing Page to be able to POST data to the backend, there needs to be some sort of authentication, as only a registered staff member should have access to the data. The Rails backend currently uses regular Devise user/password login to the backend.
I thought about making a dummy account and hardcode an authorization token on the POST header from the landing page, but this is obviously a big security flaw as anyone can see the hardcoded token when they submit the form.
How can I secure the Landing Page to send / receive data to the backend server in a user-agnostic way (since visitors don't make accounts, they just fill a form with their details)?
I am not rails user. But as for your API, like almost all the RESTful API backend, I would assume that rails has the concept of public/private API. I would make the API for getting data from the user public, so that people can send their information without authentication and the other API routes private.
In java spring framework, I can allow an API route to accessible by everyone, like login and generic(no private info) API routes and every other API routes are private which requires Authentication(like an auth-token).
When, you do the login flow and the user has entered the password and hit send, Once your backend authenticates the details, you would have to create an signed authorization token using maybe JWT** ( Json web token ) and send this authorization token to the front-end.
Then, Whenever the front-end makes a call to the backend, it has to attach this token in the header before making the API call. And the back-end should de-code the token to find out which user is requesting it and if the ttl* is within the limits as the issuing token.
If both the cases pass, the back-end should send the requested data or it should send a HTTP CODE - 403/Forbidden, which should then be handled in the front-end to logout the user and open up the login page again.
*(Time to live calculated based on the hours this token is valid from the time of issuing/login)
** JWTs are basically base-64 encoded data ( and signed with a unique key by your backend ) of the user's data. A decoded JWT token of a user would most likely look like this :
{
userIs : "0000-aa12-bb43-cd18",
userName : "Some name",
ttl : "Time to live of this token"
}
I am by no means an oauth2 expert and am open to suggestions.Ok, I have setup an Oauth2 server and I am having a problem deciding on the flow when registering a new user from an application.
The user registration form sits on the client and not on the oauth2 server.
1.user goes to example.com/register
2.user fills in the form and clicks send
3.I send a request to my oauth 2 server with the client_credentials grant and scope to receive an token on behalf of the client/app.
I send a request to POST /users/register with the form values using the token from the previous request.
If registration has failed I list the validation rules in a json array.
6.If registration was successful i use the scope originally used to generate the new access token for the user.This is then returned.The user is also flagged as inactive in the db.
7.I have to activate the user somehow and send a request to GET /users/activate using my user token ftom the previous requst.
My question is,does this flow sound right and what should i send as the link in for the activation email?
Your response would be appreciated.
After point 6. When new user is created, back-end should create some unique string or code or (token or hash) which is used to activate the user. Then in email could be like link with /users/activate/(token or hash) after the URL (as pathparameter). Now when the user clicks it, it makes GET request to your endpoint with the unique hash or token and now the back-end can identify the hash or token and activate the user whom the unique hash or token belongs to. So the token or hash is one-to-one relation with user and can be used only once, when it is used it is deleted from DB.
I am trying to build an application where a user can specify a URL for a website and my page will go to that URL and grab information. If the URL requires user authentication to access the information, then I want to use OAuth 1.0 to be able to do that.
The problem is, and I see this skimped over in OAuth tutorials, as far as I can tell my application has to already, somehow, be registered with the page I am requesting information from. My understanding is that for any page I want my users to be able to use, I have to go to the page individually by myself and register my application. Once that's done, it will give me a consumer key and secret that I hardcode into my page, and then use those when I am accessing the request URL, authorization URL, and access URL. This is, of course, no good for me because I want my users to be able to specify arbitrary pages to access information on and then provide their credentials to those pages in order to give my app access to the information on them.
Additionally, from what I can tell, there are three URLs that I need to know:
The request URL, which I send my consumer key/secret pair to in order to receive a new, unauthorized request token.
The authorization URL, which I direct the user to with query arguments for the request token and the oauth_callback. The user will be redirected out of my webpage, log in to the foreign site, grant me access, and then be redirected back to the URL specified in oauth_callback with information regarding whether or not they authorized my request.
The access URL, which I send the authorized request token to, expecting to get an access token in return.
And then, once I have all those, I can use the access key/secret pair as a username and password. I store them in a cookie related to the user, and use them henceforth whenever I am access information on the website. On the website's end of the deal, it will look for that information in my request, and if I include it properly then I will be allowed to access whatever of the user's data I please.
Is what I am trying to do - give generic OAuth access to websites - possible, or is it required that I, as the application owner, register my application with the server in order to get OAuth access to it? If it is possible, then how do I get that request URL, authorization URL, and access URL?
It's not really possible. Here's the short list of problems you will encounter:
You need to have application tokens (e.g. your application registered with the resource owner) for all websites. It's not something you can do on the fly
Inconsistent OAuth URL schemes from different resource owners. Twitter has a different URL structure for OAuth than Google does which is different than Foursquare. It's not really possible to figure out the URLs without hardcoding it
Scopes. When you do OAuth registration for many resource owners, you need to specify a scope. How will you know what the scope should be
I'm developing a YouTube application that needs to have a User table with the usual data associated with it in the database. I've decided to go the OAuth route for this application and have 2 tables, one of the AccessToken and one of the RequestToken.
I'm not sure what is to be linked up to a User table of some sort, would it be the access token or the request token?
If the token expires would I just lookup which user has that token then update it?
To sign the user out do I just delete the token for the user and clear the token from the session?
EDIT: In other words, I basically want a user to not have to register to my site but to just login via OAuth and have my application create a user entry in the User table so all of my other data can be linked up to that.
There are two parts to this: login and resources.
If you only want to use YouTube for login, you don't need to store the access token at all. When the user comes back from YouTube with the access token, you make one call to get their YouTube id (not sure if YouTube supports an extension parameter with the id in the token response) and discard the access token. If you also want to make other calls to access the user's YouTube data, you need to keep the access token.
A common way to implement this is:
When the user visits your site you set a session cookie with some random string we call state.
The user clicks on 'Sign In with YouTube'
You go and get a request token from YouTube, then either store it in some local cache (can be a database, redis, memory if this is a small scale app, memcache, etc.) or encrypt it and store it in another cookie on the client. When you make the request token call, include a 'state' parameter in the callback with the value set as cookie in #1. This is a critical security defense against CSRF. Also, your redirection endpoint should use SSL.
You redirect the user to YouTube with the request token (and optionally the encrypted request token secret cookie)
The user logs into YouTube, approves the application, then gets redirected back
You check that the user coming back to the redirection endpoint matches the user you originally sent over by comparing the value of the incoming state parameter with that of the session cookie from the user.
Fetch the request token secret from local cache or by decrypting the token secret cookie used earlier (which ever method you decided to use) and request an access token
Using the access token, make a YouTube API call to get the user information
Lookup in your database to see if you already have a user with that YouTube id. If you do, this is just a login, and if not, this is a new user registration so create a new record for them in your users table.
I have a Twitter web app that allows users to submit tweets from my site. However they have to re-login every time they submit a new tweet. Is there a way to save the OAuth session and don't prompt the login screen until users clear their browser cache?
When you get the callback from Twitter after the user has validated you, you'll receive an auth_token in the headers of the request; you're meant to cache that token, and supply it every time the user makes a request.
It sounds like you're not caching that token and supplying it when the user makes a request.
You need to store the oauth_token, you can use the same for all requests.
On the FAQ of Twitter API
How long does an access token last?
We do not currently expire access
tokens. Your access token will be
invalid if a user explicitly rejects
your application from their settings
or if a Twitter admin suspends your
application. If your application is
suspended there will be a note on your
application page saying that it has
been suspended.
you need a db tables called user and user_tokens. Inside the user you have: id, user_oauth_secret, user_oauth_token. Inside the the user_token you need this columns: id, user_id, token, created, expires. make sure this token is unique (and long) with some random hash. now you can save this token to the user's cookie and find the right oauth data later.
You need to store two tokens.
When you make the OAuth request the first time, it will show the Twitter auth screen. After auth, your OAuth callback page will get two query string parameters, "oauth_token" and "oauth_token_secret" for the user. You need to store these (probably in a database) somewhere.
Then, when you request OAuth permission again from Twitter, send the two tokens, and the user will automatically be authorized.
You shouldn't have to code this yourself. There are plenty of OAuth libraries out there.
You have to maintain a long session with the user and save the access tokens. Cookies are commonly used to recognize users.