How to use the OAuth2 access token with the Google API Zend library for the Provisioning API - google-provisioning-api

I am developing a web application. I have the access token and refresh token that I got from my POST requests, but I do not understand, and do not see in the Google Provisioning API documentation, how I can use the Zend library with these tokens. The methods of the Zend library ask me for the user and password, not the tokens. Is there any way to use tokens with the Zend library, or only with requests to the URLs that the API provides?

There's a full example of doing 3LO in the Zend library available at http://code.google.com/p/gdata-samples/source/browse/trunk/hybrid/index.php. In general, once you have an authorized access token you just need to send it as a header in your requests:
Authorization: OAuth TOKEN_GOES_HERE
The refresh token is just used to acquire a new access token when the current one expires and isn't used in the actual requests.

Related

generate an access token for a external API to use firebase functions

I am having trouble understanding how to accomplish this. I have Firebase functions running on my application. I am using an external API in which I can configure Webhooks to hit an endpoint on my Firebase functions to perform an action. To make sure that the call comes from this external API, they recommend using an oauth2 flow. Mainly they ask me for:
Provide us (the external API) with an ID and an access token;
these are used to access a URL which provides a bearer token;
this bearer token is then used to access the provided webhook URL until the bearer token expires after a pre-determined period of time.
And there are 4 input fields:
1. OAuth2 access token url
2. OAuth2 client id
3. OAuth client secret
4. OAuth2 Scope. <---- NOT SURE WHAT THIS ONE MEANS
My question is how do I generate the access token and the client id for this external API?
What value should I put for the oAuth2 scope?
Thanks!
I was able to figure this out using auth0. In one of their documents, they clearly explained what I was trying to accomplish. Posting here for future reference in case anyone needs it.
Thanks all!
reference: https://auth0.com/docs/authorization/flows/client-credentials-flow#learn-more
You can generate the client ID and client secret in the Console > Credentials.
Cloud Functions API oAuth2 scope is https://www.googleapis.com/auth/cloud-platform.
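The flow described in the question above (an ID and secret exchanged at a token URL for a bearer token, which then authorizes webhook calls until it expires) as an added example; it is not code from either post, from Auth0 or from Firebase. The client id, the secret, the scope name `webhooks:deliver` and the in-memory token store are constructed assumptions.

```javascript
// Added example: token URL handler plus webhook guard for the client-credentials flow.
const crypto = require('node:crypto');

// Constructed sample client; a real deployment loads this from a secret store.
const CLIENT = { id: 'webhook-sender', secretHash: sha256('constructed-client-secret'), scopes: ['webhooks:deliver'] };
const TOKEN_TTL_SECONDS = 3600;
const issued = new Map(); // hex(sha256(token)) -> { clientId, scope, expiresAt }

function sha256(value) {
  return crypto.createHash('sha256').update(value).digest();
}

// Token URL: what the external API calls with the client id and secret you gave it.
function issueToken({ client_id, client_secret, scope }, now = Date.now()) {
  // Compare fixed-length digests in constant time, and always run the comparison.
  const secretOk = crypto.timingSafeEqual(sha256(String(client_secret)), CLIENT.secretHash);
  if (client_id !== CLIENT.id || !secretOk) return { status: 401, body: { error: 'invalid_client' } };
  // The scope is a permission label: the token is only good for what it names.
  if (!CLIENT.scopes.includes(scope)) return { status: 400, body: { error: 'invalid_scope' } };
  const token = crypto.randomBytes(32).toString('base64url');
  issued.set(sha256(token).toString('hex'), { clientId: client_id, scope, expiresAt: now + TOKEN_TTL_SECONDS * 1000 });
  return { status: 200, body: { access_token: token, token_type: 'Bearer', expires_in: TOKEN_TTL_SECONDS, scope } };
}

// Webhook guard: maps the Authorization header to the HTTP status to return.
function authorizeWebhook(authorizationHeader, requiredScope, now = Date.now()) {
  const match = /^Bearer ([A-Za-z0-9_-]+)$/.exec(authorizationHeader || '');
  if (!match) return 401; // missing or malformed header
  const record = issued.get(sha256(match[1]).toString('hex'));
  if (!record || now >= record.expiresAt) return 401; // unknown or expired token
  return record.scope === requiredScope ? 200 : 403; // valid token, wrong permission
}
```

Only the hash of each issued token is stored, so a dump of the token store does not yield usable bearer tokens.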

Fetch authorization code or refresh token for our API server

I have an Angular application that performs user authentication via Microsoft account. For this, I'm using the MSAL JS library, which works fine to authenticate the user. But we have the requirement that our backend server needs to call Microsoft Graph APIs. Now the issue is that the MSAL library returns an access_token which has a life span of 1 hour, so it cannot be used from our backend server once it has expired.
So I'm looking for a way to get an authorization code, which can be exchanged from our backend server to get the access token and refresh token. And as we've got the refresh token as well, we can refresh the access token whenever it expires, provided the refresh token is still valid.
I'm not sure if this is possible via the MSAL library or not, or if there is any other alternative available for an SPA to support the case I've described above.
It is possible with MSAL.js 2.0 which is a drop-in replacement for MSAL.js 1.x and supports the authorization code flow for Single page applications. With MSAL.js 2.0 you can use the authorization flow with PKCE and refresh tokens in the Microsoft identity platform to keep users signed in while third-party cookies are blocked.
Read more here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-auth-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas

Protect the API by token/api key

A newbie question about API security:
When I apply for an API service from some API providers, usually I just log in and generate an API key or token in their API management site. After that I can embed this API key or token in the request to access the API.
I was told that this is OAuth 2. But, after reading a few articles about OAuth 2, it seems the OAuth 2 token issued from the OAuth server will expire and a refresh token is required to fetch a new token.
But the API keys I got from those API providers do not mention expiration; instead, I can manually revoke the API key on their API management site.
So, if I have some APIs which I want to use the similar way (let the user manage their own api key on my site) to protect, how can I achieve that by using the OAuth 2 server?
I think what you explained above are 2 different ways to authorize a request:
A. Using API Keys
These API keys are usually a long string that you generate inside a dashboard
You as a developer would usually have 1 API key throughout your app, and you append this API key to requests to the API provider
B. Using OAuth 2.0
OAuth 2.0 uses a different kind of token to authorize requests, it usually involves a short-lived access token and long-lived refresh token.
These tokens are usually for Users, each user will have a different token that expires every X days.
To acquire a token, the user has to "log in" to your site or an Identity Provider's site (like Google Accounts) and enter their credentials every time the token expires.
Here's a picture to show the difference:
If you want to provide an API service for other developers:
Use OAuth 2.0 to log in the developers to their dashboard (this means your server routes that interact with the dashboard would be protected by the OAuth 2.0 tokens, requiring the developer to log in to update some settings)
Use API Keys to access your provided API routes. Developers have to log in and generate API keys from the dashboard. Then they can use this API key to fetch resources from your API.
Here's a more thorough explanation about OAuth 2.0, access tokens, and how to implement it on your site.
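The API-key half of the answer above (keys generated from a dashboard, sent on each request, with no expiry but revocable by their owner) as an added example; it is not code from the answer or from any provider. The `ak_<id>_<secret>` key format, the function names and the in-memory store are hypothetical.

```javascript
// Added example: API keys that developers create and revoke from a dashboard.
const crypto = require('node:crypto');

const keys = new Map(); // keyId -> { ownerId, hash, revokedAt }

function hashSecret(secret) {
  return crypto.createHash('sha256').update(secret).digest();
}

// Dashboard route (behind the developer's login session).
// The full key is returned once; only a hash of the secret part is stored.
function createApiKey(ownerId) {
  const keyId = crypto.randomBytes(6).toString('hex'); // 12 hex chars, not secret
  const secret = crypto.randomBytes(32).toString('base64url'); // 43 chars
  keys.set(keyId, { ownerId, hash: hashSecret(secret), revokedAt: null });
  return { keyId, apiKey: `ak_${keyId}_${secret}` };
}

// Dashboard route: a developer may revoke only keys they own.
function revokeApiKey(ownerId, keyId, now = Date.now()) {
  const record = keys.get(keyId);
  if (!record || record.ownerId !== ownerId) return false;
  record.revokedAt = record.revokedAt ?? now;
  return true;
}

// API route guard, run on every request: returns the owner id or null.
function authenticate(apiKey) {
  const match = /^ak_([0-9a-f]{12})_([A-Za-z0-9_-]{43})$/.exec(apiKey || '');
  if (!match) return null;
  const record = keys.get(match[1]);
  if (!record || record.revokedAt !== null) return null; // unknown or revoked
  // Constant-time comparison of fixed-length digests.
  const ok = crypto.timingSafeEqual(hashSecret(match[2]), record.hash);
  return ok ? record.ownerId : null;
}
```

Because the key never expires on its own, revocation is the only way to end its validity, which is why `authenticate` checks `revokedAt` on every call.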

Authorizing requests with OAuth 2.0 without the user signing in

A client has requested implementation of the new Google Photos API as a feed of their photos on the website.
The issue arises because the library only supports OAuth 2.0 to authorise the library requests, meaning that each visitor needs to authenticate themselves prior to seeing the photos.
Authorization
Like other Google REST APIs, the Library API uses OAuth 2.0 to handle authentication and authorization. Your app can request access to the user's Google Photos library via the various authorization scopes provided by the API.
Note that the Library API does not support service accounts; to use this API, users must be signed in to a valid Google Account.
Does anyone know a way that I can authenticate the library for all web traffic? I want to use Google Photos as a CMS for images and have a constant feed on the site.
Since the Google Photo APIs require OAuth 2.0 User Credentials, you will not be able to use this API as a CMS for your website.
Each API request requires an OAuth Token and this token can only be obtained by a person authenticating with Google Accounts. The OAuth Flow requires the user to authenticate and grant permission to their personal Google Account.
In addition, this API requires that you create OAuth Client Secrets, which are used to track your app.

Vimeo Integration using DotNetOpenAuth

I am trying to use Vimeo services on a web application where users need to be able to upload and list/watch videos. I have created a Vimeo App and they have given an Access token and an Access token secret using which I can access my own account.
Could someone tell me how I do that from .NET C#?
Instantiate an OAuthConsumer from DotNetOpenAuth, passing in an InMemoryTokenManager which you can find from the samples. Add your access token and secret to that token manager. You will also need your consumer key and secret. Then use the OAuthConsumer instance to make authorized outbound calls.
Hint: You won't need to do any of the OAuth authorization flows, since you already have the access token.
