So I know it is bad to store the client_secret in a client side app (in my case a mobile app); however, the below link is the only link which describes how to use your refresh token for Google OAuth 2.0 and it requires the client_secret.
https://developers.google.com/accounts/docs/OAuth2Login#refresh-tokens
My question: Is it possible to use Google OAuth 2.0 in a client side app without using/storing the client_secret? I know that Windows Live Connect's flavor of OAuth 2.0 allows you to refresh your token without specifying the client_secret, but I have not yet discovered a way to do this with Google's API.
Any thoughts?
There is a separate workflow for using OAuth2 on installed applications or devices.
See the link below to the relevant Google documentation:
Using OAuth 2.0 for Devices
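The polling half of the device flow the answer points to, as an added example that is not part of the answer or of Google's documentation. It follows the error codes of RFC 8628 (that a given provider uses exactly these names is an assumption) and feeds constructed token-endpoint responses to the loop so it runs offline:

```javascript
// Added example, not from the answer above: the polling half of the OAuth 2.0
// device flow, driven by constructed token-endpoint responses so it runs offline.
// Error codes follow RFC 8628 (authorization_pending, slow_down, access_denied,
// expired_token); that a given provider uses exactly these names is an assumption.

// Decide what the client does next given one token-endpoint response.
function nextDeviceFlowStep(response, currentInterval) {
  if (response.access_token) return { action: 'done', tokens: response };
  switch (response.error) {
    case 'authorization_pending':
      // User has not approved yet: keep polling at the same interval.
      return { action: 'wait', interval: currentInterval };
    case 'slow_down':
      // RFC 8628 s3.5: add 5 seconds to the polling interval.
      return { action: 'wait', interval: currentInterval + 5 };
    case 'access_denied':
    case 'expired_token':
      return { action: 'stop', reason: response.error };
    default:
      return { action: 'stop', reason: 'unexpected:' + String(response.error) };
  }
}

// Run the poll loop over a sequence of responses standing in for real HTTP calls.
// Returns the final step plus the total seconds a real client would have slept.
function runDeviceFlow(responses, initialInterval) {
  let interval = initialInterval, waited = 0;
  for (const r of responses) {
    const step = nextDeviceFlowStep(r, interval);
    if (step.action !== 'wait') return { ...step, waited };
    interval = step.interval;
    waited += interval;
  }
  return { action: 'stop', reason: 'no more responses', waited };
}

// Constructed sample: two pending polls, one slow_down, then success.
const SAMPLE_RESPONSES = [
  { error: 'authorization_pending' },
  { error: 'slow_down' },
  { error: 'authorization_pending' },
  { access_token: 'ya29.constructed', refresh_token: '1//constructed', token_type: 'Bearer' },
];
```

A real client replaces the array with the JSON bodies returned by the token endpoint and sleeps for `interval` seconds between polls.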
Related
I have an Angular application that performs user authentication via Microsoft account. For this, I'm using the MSAL JS library, which does work fine to authenticate the user. But we have the requirement where our backend server needs to call Microsoft Graph APIs. Now the issue is that the MSAL library returns an access_token which has a lifespan of 1 hour, so it cannot be used from our backend server once it has expired.
So I'm looking for a way where I can get an authorization code, which can be exchanged by our back-end server to get the access token and refresh token. And since we have the refresh token as well, we can refresh the access token whenever it expires, as long as the refresh token is still valid.
I'm not sure if this is possible via the MSAL library or not, or if there is any other alternative available for an SPA to support the case I've described above.
It is possible with MSAL.js 2.0, which is a drop-in replacement for MSAL.js 1.x and supports the authorization code flow for single-page applications. With MSAL.js 2.0 you can use the authorization code flow with PKCE and refresh tokens in the Microsoft identity platform to keep users signed in while third-party cookies are blocked.
Read more here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-auth-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas
I have generated a Client ID and Client Secret for my Java web application using the Google API Console.
I want to generate an access token to be used in my application to authenticate a mailbox and read mails from there with the help of JavaMail API.
This link has some theoretical information but I could not understand how the tokens can be obtained.
The answer will depend upon where the application is running, as that determines how the access token can be received:
Using OAuth 2.0 for Web Server Applications
OAuth 2.0 for Client-side Web Applications
OAuth 2.0 for Mobile & Desktop Apps
OAuth 2.0 for TV and Limited-Input Device Applications
There are different alternatives or libraries available to get an access token depending upon the type of application, and different specific mechanisms are defined around it.
So it will then be much easier to dive into the specific options available.
I have been playing with the new Admin SDK in conjunction with the "upgraded authorisation experience" and wondered if someone has any experience/examples on how to use it. From what I have read, if you upgrade the authorisation experience you shouldn't need to use OAuth 2.0 and get a client ID and secret from the API console.
When you upgrade the authorisation, the API console entry is automatically created so you just have to turn on Admin SDK. Your app should then run simply using your own admin credentials.
Have I misunderstood this and if so, what is the benefit of the new authorisation experience?
I can use the Admin SDK just fine if I create a client ID and secret in the API console but this is using OAuth 2.0 then.
If someone has an example of how to use the Admin SDK with OAuth 1.0 that I could have a look at, it would be much appreciated.
You will still need to get your tokens and API key...
Taken from the Directory API documentation:
If your application has certain unusual authorization requirements, such as logging in at the same time as requesting data access (hybrid) or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key. You can find your application's API key in the Google APIs Console, in the Simple API Access section of the API Access pane.
If you are looking for an oAuth2 example with GAS, Arun has a nice example he posted on GitHub, see the SO posting: How to authorize with oauth 2.0 from appscript to Google APIs?
Sorry, I don't have any oAuth1 example to interface with the new APIs.
Is it possible to get a Twitter access token with OAuth 2.0? I came along this thread but I don't understand it. Do they support OAuth 2.0 or are they still using OAuth 1.0A?
Quoting from this page:
Twitter offers applications the ability to issue authenticated requests on behalf of the application itself (as opposed to on behalf of a specific user). Twitter's implementation is based on the Client Credentials Grant flow of the OAuth 2 specification. Note that OAuth 1.0a is still required to issue requests on behalf of users.
Therefore, no, they do not fully support OAuth 2.
For working with Google using the 1.0 protocol, applications were required to be registered using https://accounts.google.com/ManageDomains, which provided a ConsumerKey and a ConsumerSecret to access feeds.
Newer application registrations are instead done using https://code.google.com/apis/, which provides ClientID, RedirectURL etc. (but not a consumer key), as it is based on OAuth 2.0.
Question: Is it possible to run an application created with Google APIs (OAuth 2.0) with a 1.0a OAuth flow? If yes, what field should be considered as the ConsumerKey?
It is not recommended that you use OAuth2 Registration for OAuth1 flows. The OAuth1 approval page will not look very nice to your users. Google's consumer_key and client_id are roughly equivalent. However, Google's OAuth1 approval page shows the raw value of consumer_key (client_id). The application brand info will not be shown; instead you'll see the client_id value, e.g. 12345.apps.googleusercontent.com.
If you want to do the OAuth1 hybrid protocol, OAuth2 is a naturally 'hybrid' protocol and can do identity as well as data access control.