I have had a search around stackoverflow, but was unable to find an answer to my question, so I thought I'd ask.
I'm currently working on an iOS app where I would like to get a feed of a public timeline without the user of the app being required to have a twitter account.
I am successfully able to do this using twitters v1.0 of the API and all works perfectly. Simply making a request to http://api.twitter.com/1/statuses/user_timeline.json?screen_name=username retrieves all the information that I require.
However, since v1.0 has been deprecated and V1.1 requires authentication for each request, I get a bad authorization error using this API. Having looked at the Twitter documentation and how to generate OAuth request headers, I don't fully understand the "Getting a signing key" section of the documentation in the link below. (this is my first time working with Twitter's API and OAuth, I'm trying to gain a good understanding, before I start the implementation)
https://dev.twitter.com/docs/auth/creating-signature
As I understand it, the consumer secret can be found when logging into twitter.com/apps but I'm not sure where I would get the "OAuth Token Secret" in order to generate a valid signing key.
Since this is an iOS app, I know I could use the TWRequest class, but to my understanding, this would require the user to have twitter setup on their device.
I hope the above makes sense and any help would be appreciated.
Thanks
If you go to the Twitter application you have set up https://dev.twitter.com/apps
You should see your Access token secret under the heading Your access token. If you don't see this then you probably haven't generated an access token yet.
Related
i am currently searching for a way to login into the Twitch-API using an already given id-token (oauth or even better oidc) with or without a NodeJS backend.
Background: I am using firebase connecting to various services next to Twitch-API such as Youtube (Google API), Twitter and Co. I want to use my id-token for each service.
The official documentation doesn't tell if that is possible or maybe i just couldn't find it.
Hopefully there is a solution just not yet documented.
I will struggle with the same problem using the other services aswell.
Thanks alot
You absolutely would need to create your own OAuth token as it is tied to the same Client-ID as the account that generates it.
https://dev.twitch.tv/console
Authentication has it's own flow and endpoints with the way kraken v5 and helix work.
https://dev.twitch.tv/docs/authentication
With the latest changes to the API everything now requires both the Client-ID and OAuth before it will return the requested values.
https://discuss.dev.twitch.tv/t/requiring-oauth-for-helix-twitch-api-endpoints/23916
I'm not sure exactly what "id-token" is but i'm going with "twitch-user-id and access-token".
If you have a valid access token, you have access to whatever the scopes were defined when that token was generated, you can update the token with the refresh token if you need to.
You would need to supply the Client-ID of the application the token was generated for aswell.
Unless "id-token" is meant for a different system.
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and everytime I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the cruicial information I need in my API in the id_token. The question is, what exactly should i send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused..
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow on questions ..
I'm trying to set up Google OAuth with my iOS app and Rails web app. I have 2 separate clients (with of course different client IDs, but with the same prefix) set up in the API Console. One for the iOS app, and the other for the web app (which also has a client_secret. I want to use the AppAuth SDK on iOS to get the user's auth code, then send that to my web app, which will then perform the exchange for the access token.
First of all, does this sound like a reasonable thing to do, or is it not possible to split the transaction across clients like that?
My first try was to just take the auth code and perform the exchange, but that failed with the missing_code_verifier invalid_grant error, so I also passed the same code_verifier that AppAuth used to get the auth code to my server, and that fixed that error. First of all, is it necessary to pass this code verifier to the server? Seems a little strange.
Now though, it fails with the unauthorized_client error. My web app is making a request like this:
{
"grant_type"=>"authorization_code",
"code"=>"4/XYZ...",
"client_id"=>"WEB_APP_CLIENT_ID_HERE.apps.googleusercontent.com",
"client_secret"=>"WEB_APP_CLIENT_SECRET_HERE",
"redirect_uri"=>"https://www.myapp.com/oauth_callback",
"parse"=>"json",
"code_verifier"=>"CODE_VERIFIER_STRING_HERE"
}
Looking at posts like:
Unable to exchange authorization code for access token and refresh token in Cross Client google oauth2.0
Google+ Sign-in for server-side apps, exchanging auth code for access token
it looks like the redirect_uri might be an issue here. My AppAuth config on iOS has the redirect URI set as com.googleusercontent.apps.iOS_CLIENT_ID_HERE, and the Info.plist URL scheme too. The web app's "Authorized redirect URIs" section in the API Console has a bunch of web URLs, and I added the com.google... to it as well. Is this config incorrect? Is the redirect_uri important when doing cross-client auth?
Any help is greatly appreciated! All my trial-and-error have had no fruition so far :(
I am the lead maintainer of AppAuth, and work on the Google Identity Platform; hopefully I can help.
I want to use the AppAuth SDK on iOS to get the user's auth code, then send that to my web app, which will then perform the exchange for the access token.
First of all, does this sound like a reasonable thing to do, or is it not possible to split the transaction across clients like that?
Exchanging the code on your server sounds reasonable, however I think the configuration you are using is possibly incorrect. If you are requesting a code for exchange on your server, use the server's client id in the request to the authorization server. From your description it sounds like your authorization server request is sending your iOS client ID, and you are then doing the exchange with your server client ID, and I believe this is why you are seeing an "unauthorized_client" error.
This is not terribly well documented, apologies for that. It is alluded to in this section of the documentation on "offline access", though it talks about it purely in terms of Android usage via GoogleApiClient.
is it necessary to pass this code verifier to the server? Seems a little strange.
The intention behind PKCE is to ensure that the entity making the authorization request is the same as the entity making the code exchange request. The code_verifier should not leave the device under normal circumstances.
However, it is not necessary to use PKCE if you are exchanging your code using a client secret controlled by your backend; you can disable PKCE in AppAuth for this scenario.
I'm developing a mobile app that will interact with a rails app that's essentialy a json api. Is it possible to use an external identity provider such as facebook or googleplus to secure the access to my API?
Users will upload a photo to a json rest service but the rails app would only allow the upload if the uses is authenticated with one of those providers.
I've checked omniauth gem but I don't know if that's the path to do it. I don't understand very well how oauth works so I'm trying to know if this would be possible to do.
Regards
Fak
The answer, in part depends on how you're going to provide Identity via the mobile app. The user's authentication, and their identity are de-coupled.
My guess is you're wanting the user to authenticate to the mobile app using the Google/Facebook sdk app side. To do so, you'll need to use that sdk to generate a token, which can then be saved to Rails. The token can then be required as part of each API request - which rails will validate.
The topic is a bit complex to fully describe the flow....but in essence: 1) Create the token on the mobile app using the mobile sdk, 2) save the user and token to Rails/database, 3) as part of every request check the access_token provided.
Since the topic of Oauth and request/identity providers takes some time to understand, I would first watch he following railscasts on securing an API. Once you're done with that one (and understand the concept), you can also watch this railscast.
Hope this helps.
Greetings!
I have some troubles enabling OAuth authentication for my web
application running on Ruby on Rails. I am using authlogic and
authlogic_oauth and that is, in the end, using OAuth gem and therefore
I decided to ask here. So shortly:
I succesfully "register" (i.e. obtain the first Access Token for the
user) but then, whenever I try to "login", I receive a differenct
access token for the same Google Account, the Authlogic-oauth plugin
fails to find the user and the login crashes. Maybe I don't understand
it right but is not the AT supposed to be the same every time. And can
it be a problem that I am accessing Google from http://localhost even
though the Customer keys are for different domain?
anyway, thanks for any reply ... I spend already 2 days with that
issue and debugging doesn't seems to lead me anywhere
Jakub
PS: I sent that question on Google Group oauth-ruby - sorry to anyone reading both channels
The AT is supposed to be different every time. OAuth is not an authentication protocol, it is an authorization delegation protocol. Try using OpenID instead: http://code.google.com/apis/accounts/docs/OpenID.html
Twitter does not give out different tokens which allows OAuth to be used as an authentication mechanism. LinkedIn doesn't do that meaning you may only use OAuth as an authorization protocol (which is what it was intended to do).
However, there is a useful API for pulling in data from LinkedIn. Of particular interest could be the Profile API.