Oauth: redirect after Successful Authorization, how? - oauth

I would like people to log in on our wireless network with their Facebook or Twitter account, so I will use OAuth.
If the user authorizes our app successfully, he must be redirected to our website. What is the most efficient way to do this?

In the case of Twitter (OAuth 1) you do this by supplying an oauth_callback parameter in the first request or by specifying a callback URL when registering your application with Twitter.
In OAuth2 (which Facebook uses) the flow is different but the parameter name is redirect_uri.
These are your only options.
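As an added example (not code from the original question or answers), here is the redirect_uri and state handling the answer refers to, in Python: building the OAuth 2.0 authorization request, the exact-match check a provider does on a presented redirect_uri against the URIs registered for the app, and the state check the client does when the browser comes back. The endpoint, client id, URIs and callback are constructed sample values.

```python
# Added example, not from the original question or answers: the OAuth 2.0
# redirect_uri / state handling the answer refers to. Endpoint, client id
# and URIs are constructed sample values.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://provider.example/oauth2/authorize"  # constructed

# What the client registered with the provider when the app was created.
REGISTERED_REDIRECT_URIS = {"https://portal.example/auth/callback"}


def build_authorization_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Authorization-code request. `state` is a per-session random value that
    the callback handler later compares, so a callback cannot be forged or
    replayed into another user's session."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def redirect_uri_is_registered(requested: str, registered: set) -> bool:
    """Provider-side check on the redirect_uri parameter: exact string match
    against the registered set. Prefix or host-only matching would let the
    authorization code be delivered somewhere other than the registered page."""
    return requested in registered


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Client-side check on the provider's redirect back: state must equal the
    value stored in the session, the provider may report an error instead of
    a code, and only then is the code extracted for the token request."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # store this in the user's session
    print(build_authorization_url("client-123", "https://portal.example/auth/callback",
                                  "profile", state))
    # Constructed callback as the provider would send it after consent.
    callback = f"https://portal.example/auth/callback?code=constructed-code&state={state}"
    print(handle_callback(callback, state))
```

The registration-time check and the callback-time check are two halves of the same control: the provider only ever sends the code to a URI the app owner registered, and the app only ever accepts a code that matches the state it issued.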

Related

Who is auth server in OAuth2.0 between two Apps eg. between Google and Twitter

I know that OAuth2.0 is a framework used to authorize data requests between apps, but to give this access an auth server is required. My question is: who is this server? Let's say we have two apps: Twitter and Google. I am trying to register a Twitter account using a Google account. Now where is this auth server? Is it Google? Or maybe it is another, third server (managed by Twitter and Google together, where the user data is)? If it is Google, how is Twitter able to check if the user token (generated by the auth server [Google??]) is valid?
Thanks
On your first question,
"I am trying to register Twitter account using Google account. And now where is this auth server? Is it Google?"
Yes, it's Google. If you're trying to log in/register to Twitter via Google, Google is the authorization server, because Google has to authorize/delegate access to Twitter to access your data such as your Gmail id, username, etc.
Once you click on the "Sign up with Google" button on the Twitter registration page, you will be redirected to the Google login page first (to see if you're an authenticated Google user) and then Google would show you a consent page saying that "Twitter is trying to read your profile data, are you okay with this?". Once you click on the "Allow" button, Google will generate an access_token, id_token, and refresh_token and pass it to Twitter.
On your second question,
"If it is Google, how Twitter is able to check if user token (generated by auth server [Google??]) is valid?"
Twitter is not going to validate the tokens. Twitter can pass the token to retrieve your Google profile information from Google's Resource Server (where all your data reside).
Google's Resource Server is the one that's going to validate the token. It first checks the 'iss' claim of the token to see if the token is issued by Google's Authorization Server. Additionally, it would check for 'aud' to see if the token is issued for them (recipient of the token). Finally, it checks for the 'scope' claim to see if Twitter has the right access to request the data. For example, they would need to request only read-only access to your profile, but not write access. There could be additional validation depending on the use case.
I hope this answers your questions.
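The claim checks the answer lists (iss, aud, scope), as an added example that is not part of the original answer: a resource server validating a bearer token in Python. To run offline it mints its own HS256 token with a constructed shared secret; Google's real tokens are RS256-signed against published keys, but the claim checks are the same. An exp check is included alongside the three claims the answer names, since any deployed validator needs one. Issuer and audience strings are constructed.

```python
# Added example, not from the original answer: the claim checks a resource
# server performs before serving data for a bearer token. The token is an
# HS256 JWT signed with a constructed shared secret so the example runs
# offline; the iss / aud / exp / scope checks do not depend on the algorithm.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-shared-secret"
EXPECTED_ISSUER = "https://accounts.issuer.example"  # constructed issuer
EXPECTED_AUDIENCE = "profile-api"                     # this resource server's own id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Authorization-server side (here only so the example is self-contained)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, required_scope: str, now: Optional[float] = None,
                   secret: bytes = SECRET) -> dict:
    """Resource-server side: return the claims if acceptable, else raise ValueError.
    Signature first (nothing in the payload is trusted before that), then
    issuer, audience, expiry, and finally the scope needed for this request."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("token was not issued for this resource server")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError(f"token lacks scope {required_scope}")
    return claims


if __name__ == "__main__":
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-1",
                        "exp": time.time() + 300, "scope": "profile.read email"})
    print(validate_token(token, "profile.read"))
```

Rejections are deliberately indistinguishable to the caller beyond the message: a token that is valid for a different audience, or that carries only write scope when read is required, fails the same way as a forged one.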

Authorize existing app to different account without authorize page

I created an app on one twitter account. I would like to authorise that same app on a different account.
The FAQ on how to authorise apps says: "On the website of the application you want to connect, find the button/link asking you to connect your Twitter account." But I haven't built said site/page.
How can I auth this app on the second account?
You have to use the OAuth Authentication Flow process.
To do so, you first need to request an authentication link from your Consumer Key and Consumer Secret using https://api.twitter.com/oauth/request_token (doc: https://dev.twitter.com/oauth/reference/post/oauth/request_token).
When you receive a callback or a code, you can use them to execute a second query that is https://api.twitter.com/oauth/access_token as described at https://dev.twitter.com/oauth/reference/post/oauth/access_token. You will want to use the oauth_verifier parameter.
Remember that authentication in Twitter is not an easy process and you should read more about it on Twitter (https://dev.twitter.com/oauth/3-legged) or use a library that will do that for you.
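The request_token and access_token calls above are signed the same way. As an added example (not the answer's code and not a library Twitter ships), here is the HMAC-SHA1 request signing from RFC 5849 section 3.4 in Python, applied to the request_token step carrying oauth_callback and the access_token step carrying oauth_verifier, together with the recomputation a server does to verify a signature. Consumer key, secrets, nonces, timestamps and the verifier are constructed sample values.

```python
# Added example, not from the original answer: OAuth 1.0a HMAC-SHA1 request
# signing (RFC 5849 section 3.4) as used by Twitter's request_token and
# access_token steps. All keys, secrets, nonces and verifiers are constructed.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(value) -> str:
    """Section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="~")

def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, drop a default port, drop the query."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"

def signature_base_string(method: str, url: str, params) -> str:
    """Section 3.4.1: METHOD & encoded base URI & encoded normalized parameters.
    `params` holds every query, body and oauth_* pair except oauth_signature;
    pairs are sorted by encoded name, then encoded value."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return f"{method.upper()}&{pct(base_string_uri(url))}&{pct(normalized)}"

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key is consumer secret & token secret (empty before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, body_params, oauth_params, consumer_secret, token_secret=""):
    """Client side: return oauth_params with oauth_signature added."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    all_params = query + list(body_params) + list(oauth_params.items())
    base = signature_base_string(method, url, all_params)
    return {**oauth_params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}

def verify_request(method, url, body_params, oauth_params, consumer_secret, token_secret=""):
    """Server side: recompute over the same parameters and compare in constant time.
    Any altered parameter (for example the oauth_verifier) fails verification."""
    presented = oauth_params.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    expected = sign_request(method, url, body_params, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected["oauth_signature"])

def request_token_step(consumer_key, consumer_secret, callback, nonce, timestamp):
    """Step 1: POST oauth/request_token carrying oauth_callback; no token secret yet."""
    oauth = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    return sign_request("POST", REQUEST_TOKEN_URL, [], oauth, consumer_secret)

def access_token_step(consumer_key, consumer_secret, request_token, request_token_secret,
                      verifier, nonce, timestamp):
    """Step 3: POST oauth/access_token with the request token and the oauth_verifier
    that came back on the callback (sent here as a body parameter)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": request_token,
        "oauth_version": "1.0",
    }
    body = [("oauth_verifier", verifier)]
    return sign_request("POST", ACCESS_TOKEN_URL, body, oauth, consumer_secret, request_token_secret)

if __name__ == "__main__":
    signed = request_token_step("ck-constructed", "cs-constructed",
                                "https://portal.example/twitter/callback", "n1", 1700000000)
    print("Authorization: OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in signed.items()))
```

The verifier step is what ties the callback to the original request token: because oauth_verifier is part of the signed parameter set, a token exchange attempted with a different verifier does not verify.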

Prompt for AD credentials on every OAuth2 authorize request

We have an application with its own authentication, for which we recently added OAuth2 support. A corporate customer can specify the data for his ADFS or Google domain, and we use that to automatically sign up and log in their users.
Now, the problem is switching credentials. When we log out from our application, clicking the login button (which redirects to the configured ADFS OAuth2 authorize endpoint) will immediately validate the user and send him back to our app, with a valid code for his current credentials.
The Google endpoint has a special parameter, approval_prompt, which we can use to force an intermediate step, at which the user can switch his credentials. I don't think ADFS has that.
What other solutions do we have? Is it possible to configure something on the ADFS server that would prompt the user to enter his credentials for every authorize request?
Here's how those URL parameters work, as best as I understand them:
wa is the operation we're requesting. So far, I've only seen two values: wsignin1.0 and wsignout1.0.
wfresh has something to do with the max age of cached credentials, but I don't entirely understand it. 0 means don't use cached credentials.
wtrealm is the AppID configured in ADFS. This tells the ADFS server which app is trying to authenticate. For us, this is the base URL of the app.
wctx is some app-specific data returned to the app from the ADFS server after the request. Since we're using the standard System.IdentityModel setup, it handles parsing and reacting to this value, not our code. There's an ru parameter encoded inside it. This is the return URL. This is how we get back to the page we came from.
wct is the timestamp of the authentication request.
For us, adding the parameter prompt=login to the authorization request URL is working with OAuth2:
/adfs/oauth2/authorize?response_type=code&client_id=XXX&resource=YYY&redirect_uri=ZZZZ&prompt=login

Twitter does not remember authorization

I am using Scribe (OAuth1.0) as a mechanism so that users can use their Twitter account to authenticate to my GWT/GAE application.
According to https://dev.twitter.com/docs/auth/implementing-sign-twitter, there are 3 possible scenarios:
a/ User is signed in and approved. In this case, Twitter should redirect the user transparently back to my application URL,
b/ user is signed in but not authorized, or
c/ user is not signed in.
When Twitter comes back to my application (the callback), I use the verifier parameter to read the user data from twitter, which I use to determine the user in my application.
All of this works fine except for the following:
Scenario a/ is not working for me. Even though the user has already authorized my application to read his user data, Twitter seems not to remember this, and asks again to authorize access (scenario b/).
There are two URLs twitter offers for applications requesting an OAuth token:
/oauth/authenticate and /oauth/authorize. When an application directs users to the authorize endpoint - Twitter will request the user to authorize the application EVERY time they log-in. The authenticate endpoint will request authorization once and then any subsequent log-ins to Twitter will seamlessly pass-through to the application callback. This is more traditionally known as "signing in with your Twitter account".
In Scribe, the default is authorize - to change this to authenticate you need 2 things:
Ensure the "Allow this application to be used to Sign in with Twitter" setting is checked in your Twitter application settings page.
In your application - when you specify the Scribe API class to use - instead of using org.scribe.builder.api.TwitterApi.class change this to org.scribe.builder.api.TwitterApi.Authenticate.class
Now your application will direct users to sign-in to the /oauth/authenticate endpoint and, if they have authorized your application at least once, they will just get passed through.
Edit:
Additional documentation - https://dev.twitter.com/docs/api/1.1#102

Twitter authorization via oauth

Been following this tutorial.
Is there a way to "allow access" without having to browse to the url: http://api.twitter.com/oauth/authorize?oauth_token=your_request_token_from_above?
Is there a way I can authorize a user via the oauth gem in console?
The way OAuth is implemented demands that you send the user to Twitter, so that the user can give the authentication details to Twitter and then authorize your access request (for your application).
If you want to skip the callback URL and all that, you should look at xAuth. With xAuth you could provide the username and the password and get a token through the API, with no callback URLs or whatsoever.
Here is some example of how to use xAuth with Ruby.