I'm using intridea/oauth2 for oauth2 functionality. Everything is working fine with authentication and making requests with an access token.
But what i can not find out is how to make a request without an access token. I thought it would simply work with
client = OAuth2::Client.new(key, secret, :site => site)
client.request(:post, "/api/users", {params: {param1: "val1"}})
but that does not seem to work. It is not setting any oauth header in the request.
How do i make a request like that?
Leave out oAuth completely then. Use simple Net::HTTP requests or use a library like REST Client for example.
It seems like the library isn't capable of something like that. So i now have two ways of authentication. You can find some information on this page: http://railscasts.com/episodes/352-securing-an-api?view=asciicast
Related
I have 2 internal Rails services, which need to speak to each other.
I need an advice how to make it secure enough and with minimum effort.
Currently service A sends Authorization HTTP header to service B, which contains secret token. Simple HTTP Token-based method, nothing special. But I also need somehow to communicate a user token, so service B will know, which user is talking to it.
My current solution is following:
send Authorization Token token=blabla user_token=blabla2
use existing in Rails methods to parse it
identify user by provided user_token
inspired by this StackOverflow post
Alternatives:
Amazon way with something like: Authorization: MY-APP-V1 Token=blabla Credential=user_token, but I need custom parser for it.
Custom HTTP header like X-USER-TOKEN, but seems like RFC is not in favor of this idea.
Your proposal or suggestion
Thank you very much for any help.
I'm curious as to why the user token is not enough, can you elaborate on this?
But assuming you want to continue with the double-token approach, something like JWT could be used to encode the user token with the secret token. That way you will just have 1 token and can send it simply as Authorization: Bearer xxxxxx.
When using OAuth in the Google Cloud Endpoints JavaScript client, how do you preserve the secrecy of the client ID?
How to implement 0Auth in the Google Cloud Endpoints JavaScript client is detailed here. In the code snippet below the client ID is passed as a parameter to the OAuth method.
gapi.auth.authorize({client_id: CLIENT_ID, scope: SCOPES,
immediate: mode}, callback);
Since the end user will receive the script file in clear text, regardless of the use of HTTPS, how would you avoid handing the client ID over to every user you serve? After all, it would be rather simple to comb the JavaScript code to find the client ID.
You don't. Anyone can see and intercept it (as you stated), which is the root of the confused deputy problem.
That's why you validate your tokens. For a simple explanation of token validation and the confused deputy problem, check out this great SO question and answer on How and why is Google OAuth token validation performed.
I want to send authorize request to twitter API in order to get followers ids, i got access token and access token secret by creating a new application as shown here. I have no idea how to send authorize request in pharo smalltalk.
I want to get followers ids by performing this in pharo smalltalk .
I wanna know if there is any documentation or packages that can help me with this.
Here is the code i tried to work with.
|client|
client:= ZnClient new.
client https;
host: 'www.api.twitter.com/1.1/followers/ids.json';
queryAt: 'q' put: 'cursor=-1&screen_name=my name'.
client request headers at: 'Authorization' put:' OAuth oauth_consumer_key="Hp6FpBU7Bbqv89RqrHJzHw", oauth_nonce="9677be3a12e128702b06348677319e75", oauth_signature="GUQR%2FI%2Bd0XhQLJP5B0IHtDfiiLE%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1387729271", oauth_token=" my acess token", oauth_version="1.0" '.
client get.
Welcome to Pharo community, Irfan.
You should take a look at Zinc framework. Here is a very nice documentation, you should be able to solve your problem after reading it.
Also as far as I know there is work in progress on the OAuth protocol, you can take a look here: https://github.com/svenvc/docs/blob/master/zinc/zinc-sso-paper.md. You definitely want to take a look at it because there are also 2 demos where you can interact with twitter
I am trying to make a GET request with AFNetworking to facebook's graph api. For various reasons, I'd rather not use the facebook SDK's native objects and would prefer to make those requests via AFNetworking. However, I'm a bit new to the networking side of things and I am unsure how to include the access token along with my GET request. Can anyone point me in the right direction?
I've tried setting the http header field to include this:
Authentication : {my access token}
but that doesn't seem to be working.
You need to add access_token as a URL query parameter for GET requests. See the docs here.
I used to do the following to get user timelines:
https://api.twitter.com/1/statuses/user_timeline.json?screen_name=twitterapi&count=2
Now that I'm switching to Twitter API 1.1, I thought all I would have to do is this:
https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=twitterapi&count=2
but I'm getting the bad authentication data error from Twitter. I had no authentication setup previously with twitter, does API version 1.1 require authentication?
I guess I can use the Twitter gem, looks like it makes things pretty simple. But I just want to know whether I can use the above URL like I used to!
Take a read of this. Your initial assumption is correct, authentication is now required for all endpoints in v1.1. So to answer your question your request is correct you just need to pass an OAuth token or use application-only authentication.