I am trying to access Salesforce through my Mule flows using "sfdc:config-with-oauth". Is there any way I can achieve this without redirecting the user to a Login page? I know there is a SSO login dance which I have to do manually, but was hoping it was simpler than that. I found this documentation http://mulesoft.github.io/salesforce-connector/mule/sfdc-config-with-oauth.html. It shows "sfdc:authorize/", but that is not accurate. sfdc:authorize has DISPLAY as a required attribute. What is the meaning of "IMMEDIATE" attribute? Is it possible, somehow, to give Username/Password along with Consumer Key/Secret to "sfdc:config-with-oauth"?
My Mule flow already has User credentials.
I am using Mule Studio 3.5.0
I have also asked the question on salesforce.stacktrace but no response. https://salesforce.stackexchange.com/questions/34693/mule-sfdc-connector-without-user-interaction-using-sfdcconfig-with-oauth
Use the SFDC connector without OAuth:
http://mulesoft.github.io/salesforce-connector/6.1.0/mule/sfdc-config.html
You can then configure username and password in the connector's config.
Related
Currently, we are building a web-based application, and we have web-server and we have application server host our resources. Also we will use Mule ESB to be able to use any web-service or api. And we will have Alfresco DMS solution and we will use alfresco service with Mule ESB .
We are investigating how we can implement SSO approach for this scenario. We have already IdentityServer4 for identity federation. It issues access token for client, and we need to authenticate the user whenever the user at the Mule ESB side without asking user the credentials again.
According to my researches, external Identiy provide can be added on Mule ESB. The thing we do not is that can the access token issued the cliet while user logging into application server be passed to Mule ESB and Mule ESB can validate the access token before
Actually, the question that we are looking for answer is that is it possible issue client an access token only for once, then validate this token in each side (Mule ESB, Alfresco) without asking user to enter the credentials again and again.
Using access token for multiple applications is not recommended. This is highlighted through this and this resources. Basically scope of the access token must be restricted. This is to precent access token being misused.
In your scenario, you have multiple applications. If you goal is to use one access token shared across all of them, I suggest not to do that. Instead, you may use single access token against multiple APIs given that you request access tokens with such scope. For example, APIs in ESB can be designed to accept access tokes if scope allowed to do so (scope can be validated from API endpoint through token introspection). But allow each client app to obtain their own tokens. This make your architecture more secure.
One solution for SSO is to allow browser based SSO. Identity providers maintain a session in the browser. So if one of your client go through a login, your next client will use that previous session to skip the login page. This is essentially a SSO behavior. For example this is what allows you to use Gmail, Youtube and Google Drive with single login. Browser maintain a session with Google. Each app obtain tokens, but skipping login page.
Here is I have a small problem of architecture, first of all, I have two applications:
An api writes symfony 3.3
A front writes too it symfony 3.3
Then, I would like have two manner to sign in:
the first one by using of third application such as Facebook, Google or Twitter. For this part I thought of using hwiOauthBundle
Or simply by login / password. Here I thought of using FOSUerbundle
Finally I would like to have secure api, that a not connected user cannot reach the resources of the api.
What do I have to install or to develop to have all the expressed criteria higher?
In advance, thank you of your answer.
You have to setup some kind of login proxy endpoint that has the oauth client_id and secret.
Then with the username and password given by the user you have to query the backend oauth token endpoint to get an accesss token.
After that you just need to sign your request to the backend with that token.
In my case I'm using FosUserBundle for user management, FosOauthServerBundle for the Open Auth management. Both are installed in the backend.
Once installed you have to register a aAuth client. This tutorial was really helpful for me OAuth2 Explained
I am prototyping HipChat client and I'm stuck at building good authentication experience. I would like to implement similar authentication dialog as HipChat clients built by Atlassian provide. There is no need to generate auth tokens/etc, you just type email/password and client is able to obtain oauth token.
How do they do? Clients use com.atlassian.hipchat.win-clients as client_name in request to https://www.hipchat.com/users/authorize.
Question that I have: how do I register my own client? If I use any random name I get "Named OAuthClient not found ".
How to register client name that will work with any HipChat server, including hipchat.com?
Updated:
I made an example. Please take a look.
https://github.com/chenghuang-mdsol/StandupCat
#VitaliyGanzha
There's a way I used: Build an auth provider based on the integration token.
Make an integration, take down the auth_token.
Use this auth_token on the api here: https://www.hipchat.com/docs/apiv2/method/generate_token
use grant_type 'password', and fill username and password in your post request.
It will return the user info.
Based on the user info it returned, you do your membership provider.
Note that this auth_token has very limited permission. If you want to do more than authentication, you need another personal auth_token which can be generated in your account center.
Tested in C# WCF
Here I've got an answer that it is not possible right now:
This is currently not possible. The flow you described with the
com.atlassian.hipchat.win-clients oauth id is used internally inside
our new desktop and mobile clients. The only other way to obtain an
access token via a 3-legged oauth flow is to create an add-on that you
have to require a HipChat customer to install. Our OAuth tokens are
scoped by group. We don't have allow global tokens. Sorry about that.
https://answers.atlassian.com/questions/32989448/writing-hipchat-client-hipchat-authentication
Hello kind people of the internet.
Does Google OAuth2.0 support an OAuth-flow for a Resource Owner Password Credential Flow?
...and if so, then:
A.) can this type of OAuth flow be tested on the Google OAuth2 Playground?
B.) are there any examples of the "Resource Owner Password Credential Flow" with Google OAuth2.0 and the Google APIs?
Per an OAuth presentation recently in Oslo NDC 2013, this subject flow apparently skips the authorization end point all together and directly talks to the token end point of the OAuth2 server. The request syntax incantation would supposedly look something like this:
grant_type=password&
scope=resource&
user_name=owner&
password=password&
My understanding is the Resource Owner Password Credential Flow is for trusted applications in a back-end enterprise type of situations (where a name-password pair could be securely stored).
This particular OAuth flow would require no end-user consent interaction (no pop-up of a browser to Accept, then get a returned authorization-code, etc). In this subject flow the access & refresh token are directly returned, again: with no end-user interaction (albeit after an entry of a username-password).
Looking through the Google OAuth documentation ( link to Google OAuth2 docs ) there does not seem to be any mention of anything resembling Resource Password Credential Flow, but not sure that necessarily means it is explicitly not supported by Google.
Any help or advice would be much appreciated.
thanks in advance
Dear kind internet person,
it is true that Resource Owner Password Credential Flow is not supported on Google but google suggests you use the Installed Application Flow, which is described in: https://developers.google.com/accounts/docs/OAuth2InstalledApp.
You would need to create an Installed Application in the Google Console (https://code.google.com/apis/console), when you do that you can fetch the client_id and build a GET request with the parameters, which would look like so:
https://accounts.google.com/o/oauth2/auth\?
scope\=<scope>\&
redirect_uri\=urn:ietf:wg:oauth:2.0:oob\&
response_type\=code\&
client_id\=<client_id fetched from google console>
You would construct this URL and navigate to it on your browser, allow access for the app and google would give you what I believe is a code which you can use to get credentials. You can use those credentials to get an access token and refresh it, and this credentials is permanent. There's a good example of that on github. Note that you only need to get those credentials manually once, and then you save those credentials somewhere and keep using them to get/refresh tokens.
Hope this helps!
As far as I know, No. The OAuth 2.0 stuff is for Google accounts, for which Google does authentication.
Is it possible to authorize twitter console application without visiting authentication web page?
I need it because I'm developing app that grab direct messages from our corporate twitter. This console application is scheduled on web server and is not driven by human.
Regards,
Alexey Zakharov
You can ask Twitter for an access token by supplying a username and password using XAuth. This circumvents the need to redirect to OAuth webpages to get valid access without asking the user for username and password. Applications do need to ask permission from Twitter by email to be able to use this web service method. You should only use it to get a valid access token and then save that, and not persist the username/password in any way. It might be a suitable scenario for your console application?
Check out TWURL. It's command-line CURL with Twitter OAuth built in: http://github.com/marcel/twurl
Its possible to authorize any oAuth based API via Console.
if you have some sample code that your working with please share.
Also: http://p2p.wrox.com/content/articles/twitter-development-using-oauth-authenticate-against-twitter-api-walkthroughs