I am building an OAuth server and understand the concept of the "Resource Owner Password Credentials" grant method. The user supplies a username and password and the grant_type is set to "password".
However, when the users authenticates using a social network such as Facebook, what grant_type should be specified and what is the suggested flow for handling this type of authentication?
The grant_type would be similar to password, but instead checking the username and password I would be checking the user_id returned from the social network.
I have checked the standard but it does not mention this type of flow.
How should an OAuth server authorize against another OAuth server?
There are different implementations about this. Most of the websites doesn't need any grant_type however, some of them are still using grant_type as password. When the user connects to facebook (installs your facebook app), if the user needs to be registered you can assign him/her a random password or you can still ask the user to register with password. So, the grant_type will be password still.
Related
This FreeRadius module authenticates an Azure AD user using his/her username & password based on OAuth2:
free-radius-oauth2-perl
I would like to achieve the same process but authenticating Google accounts instead. Specifically, Google accounts managed through GSuite (now: Workspace). For Azure, there is a "token_endpoint" URI which you can use to send the user's name and password and it will return a token if the user is valid and the password is correct.
For Google, I found this: Google OAuth OpenID
But it states that the only implemented grant_type is authorization_code which is not what I need (I need password)
I also looked at the Admin SDK for Workspace but I only found a signOut method, not a signIn or similar.
Any idea how to validate that a Google account exists and its password is correct?
I want to fetch token from on-premisis ADFS Server how can i get the token by passing client credentials rather than redirecting to ADFS Login Page and getting token.
Depending on #SamuelsD's answer, you can either use the OAuth "client credentials" flow (refer this) or the OAuth "resource owner password" flow (refer this).
The resource owner password flow is deprecated these days as it is not considered to be secure.
I'm struggling with OAuth2 authorization, authentication and user linking.
What I've done so far:
I've created a client and it's secret.
All redirects and so on are working. Grant type password works for own native app (e.g. Android and iOS)
But for access token, user_id is NULL if grant type is Authorization code.
How can I assign a user to access token or authorization code?
Is there a module for Apigility to provide login screen? I only get asked for "allow" or "disallow" application but I'm never asked for a username and password.
Update:
Question is related to provide OAuth2 access third party pages, e.g. IFTTT. They open /oauth/authorize page and somewhere I have guide user to a login?! to determine related user? Is there an existing module for this?
Third party sites, e.g. IFTTT do not use password grant type for security reasons. And compared to other pages the workflow is: Is user authenticated? Yes: Show Accept/Decline button. No: User has to login and will be redirected afterwards to /oauth/authorize page. So is there a common way in apigility to check if user is logged in and if not, redirect to a login mask?
To authenticate with username and password using OAuth2 you should use the grant_type=password.
I'm not sure if there is a login screen in Apigility. But I don't think it should have it, because Apigility already allow this by one or more endpoints through OAuth2, more specifically by OAuth2 Server Library for PHP.
How to do
Add the grant type to client:
On your client table (oauth_clients.grant_types column) set "password".
Create a new authentication adapter type=oauth2.
Create a post to the authetication url like below.
url=localhost:8080/oauth, where localhost:8080 is where the apigility is running and /oauth is the configured auth adapter url.
payload:
{
"username": "USERNAME",
"password": "PASSWORD",
"grant_type": "password",
"client_id": "CLIENT_ID"
}
When login successfully it will return the access token.
I'm developing an application with OAuth 2 feature. But my case is special. I only want to use my own account to login. Let me take the Facebook as an example to explain the flow of my application:
User start the application
Normally the OAuth will request the user login to his/her own FB account to authorize. But in my application, I want to login to my FB account. Because I know the my own user id and password. Is it a method to login to my account silently?
User is able to post message. In this case, they will post to my FB account.
Is this possible? Do you have any suggestion? Thanks
OAuth 2.0 allows for this type of flow, as defined in the so-called Resource Owner Password Credentials (ROPC) grant. However this flow is less preferred and for backwards compatibility only because it defeats OAuth's primary goal of not having to enter end-user credentials in the client.
FB does not support the ROPC grant so you'll have to go through the regular Authorization Code flow. Once you get a refresh_token through that initial flow, you can use that as a long-lived credential to get new access tokens in the same way that you would use the FB username/password.
We want to use the Doorkeeper gem to implement an OAuth provider in our app. However, we use 2-factor auth in the login process, so we need a way to modify the password grant to accept email, password, and a 2fa token (and respond with an appropriate error if the 2fa token is required and missing). We also allow Google social login, so we also need to use a password-like grant which accepts an OAuth 2 code from Google to issue an access token, rather than username/password.
Will this be possible with the Doorkeeper?