Is it possible to get a Twitter access token with OAuth 2.0? I came along this thread but I don't understand it. Do they support OAuth 2.0 or are they still using OAuth 1.0A?
Quoting from this page:
Twitter offers applications the ability to issue authenticated
requests on behalf of the application itself (as opposed to on behalf
of a specific user). Twitter's implementation is based on the Client
Credentials Grant flow of the OAuth 2 specification. Note that OAuth
1.0a is still required to issue requests on behalf of users.
Therefore, no they do not fully support OAuth 2.
Related
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and everytime I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the cruicial information I need in my API in the id_token. The question is, what exactly should i send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused..
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow on questions ..
In OAuth 1.0, 2-legged is pretty easily: Simply send the request as usual and omit the access_token header.
Things seems to have changed in OAuth 2.0 (drastically, as I found out today :)). In OAuth 2.0, the request no longer has headers such as the nonce, consumer key, timestamp etc. This is just replaced by:
Authorization: OAuth ya29.4fgasdfafasdfdsaf3waffghfhfgh
I understand how 3 legged authorizations work in OAuth 2.0 and the application flows. But how does 2-legged work in 2.0? Is it possible to design an API that can support both 2-legged and 3-legged OAuth 2.0?
I have been searching for information regarding this, but I have been finding a lot of stuff on 2-legged for 1.0 and almost nothing for 2.0.
After lots of research, I discovered that client_credentials grant type is for this scenario. Once you punch this term into google, you can find loads of very helpful resources.
This is the normal flow for 3-legged OAuth 2.0 (we want the user to sign in):
Assume we have the following endpoints in our app for authentication:
/oauth/auth
/oauth/token
Normally (for authorization code grant), we direct the user to /oauth/auth?state=blah&client_id=myid&redirecturl=mysite.com/blah
Then upon authentication, the user is redirected to mysite.com/blah?code=somecode
We then get somecode and exchange it for a token using /oauth/token?code=somecode&client_id=myid&client_secret=mysecret
We can then use the token to make calls.
This is the application flow for client_credentials to implement 2-legged OAuth 2.0, which is markedly simplier:
In this approach, we do not need to perform any authentication.
We simply POST to /oauth/token with the following form data:
grant_type=client_credentials&scope=view_friends
Note that scope is optional. The endpoint then directly returns an access token for us to use (no refresh token is provided). Since no refresh token is provided, when the token expires, you will need to reauthenticate and ask for a new one.
This leads to the following caveats:
Use this only for (very very) trusted applications such as internal applications.
You need to devise your own way to authenticate. For instance, the RFC's example uses basic auth.
Another solution is to use JWT (JSON web tokens) like the google OAuth API. It is a very complicated process, but there exists numerous libraries for generating your JWT. You then post the following form data (url encoded of course):
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=generated_jwt
This is posted to /oauth/token to get your token.
As for the question of whether you can create an API that supports 2-legged and 3-legged OAuth 2.0, Yes, it is possible.
Then /auth endpoint is only used when users need to authenticate against the service.
In the /token endpoint, simply check the value of grant_type in the GET parameters for urn:ietf:params:oauth:grant-type:jwt-bearer if using JWT or client_credentials for client_credentials.
Note that when generating the client_id and client_secret to give to the user, if you are supporting multiple grant_types, ensure that you have a database column to store what type of grant type the id and secret was generated for. If required to have multiple grant types per user, generate a different set of credentials for each grant type.
You can also check out Google's implementation of 2-legged OAuth2 (I believe this documentation has been published only recently).
The Google Drive SDK delegation docs should also help understanding Google's 2-legged OAuth2 implementation.
I'm pretty new to OAuth and API security.
I'm building a REST API that will be accessed by my own mobile application.
I want to expose API to other developers via OAuth authorization and authentication and I'll be using my own OAuth provider.
What is the authentication strategy for my own mobile app ? After all, I don't need user to authorize my app. Can I use OAuth for authentication while having my own mobile application pre-authorized by default ?
Can I authenticate users of my mobile app with OAuth or do I need something like OpenID?
I don't think you want oauth if you are looking to step over the user authorization step. If you are determined to use oauth, however, you could mask the authorization step as a login dialog or give your application an access token. User authorization is a rather big part of oauth's functionality, so ignoring it probably means you should use some other interface to access your users' information.
Accessing my own oauth REST API - OAuth is NOTHING to deal with REST apriori: OAuth - is Authorization protocol, REST - an architecture style.
For OAuth - use version 2.0 - it's 2012 already.
What is the authentication strategy for my own mobile app? - for mobile app on Android, for example, you could use could get user's account with which one registered his phone within GooglePlay store/GMAIL (and then generate one-time password from on your server side). If one wouldn't provide them to your app - make an explicit authentication.
Nowdays probably only calculator doesn't use explicit authentication - so why should you differ? You can link you Authentication to FB or Google or any other OAuth provider - what does make you to create your proper OAuth provider?
You can Authenticate users with both OAuth and OpenID.
SalesForce.com Rest API Authentication. Will it allow 2-legged oauth transaction
Yes it does allow 2-legged authentication, although Salesforce docs say that it isn't recommended. It's described in detail here:
https://help.salesforce.com/articleView?id=remoteaccess_oauth_username_password_flow.htm&type=5
From using it I know it always redirects you to salesforce to login and authorise the application, which if I have my terminology right is 3-legged oAuth, so at this point in time I'd say it doesn't support that.
THere's some good information on oAuth and Salesforce here.
Here is the actual support page for Salesforce 2 legged Oauth:
https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5
Contrary to another answer it is recommended and supported as long as you use the above method.
aka:
OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
The oAuth protocol comes in two flavors, 3-legged and 2-legged protocols. The 3-legged one is about delegating user access rights to an application and is the one that gets the most attention on the web. The 2-legged version is used to authenticate an application against a service provider (Twitter in my case) with no specific user involved.
In my application I need read only access to publicly available information, but at higher rate than the one available to unauthenticated request. There is no need for me to authenticate as a specific Twitter user.
Does Twitter support the 2-legged version of oAuth?
Boaz
PS. The whitelisting alternative is an overkill for me and I rather not wait for the approval process.
You can get an access token for a single user following these instructions: http://dev.twitter.com/pages/oauth_single_token