I am using the GTM OAuth2 library for authentication in my application, based loosely on the following guide: https://developers.google.com/accounts/docs/OAuth2InstalledApp.
I was able to retrieve an access code for a user; however, I am not sure how to swap this for an access token. I have searched through the documentation and have so far been unable to find any relevant examples. Is there a method in the library that supports this exchange?
Any help would be greatly appreciated. Thanks!
Not sure what you mean by "Access Code"; is that the password? Anyway, I've managed to get the GTM OAuth2 code working, including retrieving an access token after the user has authenticated. I've made a simple project where you only need to put in your Client ID and Client Secret; maybe this can help you.
https://github.com/Christian-Hansen/simple-oauth2
Good luck.
Christian
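As an added illustration of the exchange the question asks about (this is not code from either post, nor from the GTM OAuth2 library): the raw HTTP exchange the library performs, per the installed-app guide linked in the question, is a form-encoded POST of the authorization code to Google's token endpoint, answered with a JSON body carrying the access token, its lifetime and (on the first exchange) a refresh token. The endpoint URL is taken from Google's current documentation; the client credentials, redirect URI and the sample response are constructed for this example.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Google's OAuth 2.0 token endpoint (assumed from Google's current docs).
TOKEN_ENDPOINT = URI('https://oauth2.googleapis.com/token')

Token = Struct.new(:access_token, :refresh_token, :expires_at, :scope)

# Step 1: build the authorization_code grant. The body is form-encoded, not
# JSON, and redirect_uri must equal the one sent in the authorization request
# or the server refuses the exchange.
def build_token_request(code:, client_id:, client_secret:, redirect_uri:)
  req = Net::HTTP::Post.new(TOKEN_ENDPOINT)
  req.set_form_data(
    'code'          => code,
    'client_id'     => client_id,
    'client_secret' => client_secret,
    'redirect_uri'  => redirect_uri,
    'grant_type'    => 'authorization_code'
  )
  req
end

# Later, once the access token has expired: trade the stored refresh token for
# a fresh access token without involving the user again.
def build_refresh_request(refresh_token:, client_id:, client_secret:)
  req = Net::HTTP::Post.new(TOKEN_ENDPOINT)
  req.set_form_data(
    'refresh_token' => refresh_token,
    'client_id'     => client_id,
    'client_secret' => client_secret,
    'grant_type'    => 'refresh_token'
  )
  req
end

# Step 2: parse the JSON body. Failures come back as {"error": ...}; anything
# without a string access_token is treated as a failure rather than as an
# empty token. expires_in is relative, so convert it to an absolute time.
def parse_token_response(body, now: Time.now)
  data = JSON.parse(body)
  if data.key?('error')
    raise "token exchange failed: #{data['error']} #{data['error_description']}".strip
  end
  raise 'token response has no access_token' unless data['access_token'].is_a?(String)

  Token.new(data['access_token'],
            data['refresh_token'],             # only returned on the first exchange
            now + Integer(data['expires_in']),
            data['scope'])
end

# Send a built request over TLS and parse the result (needs network; not run here).
def exchange(request)
  res = Net::HTTP.start(TOKEN_ENDPOINT.host, TOKEN_ENDPOINT.port, use_ssl: true) do |http|
    http.request(request)
  end
  parse_token_response(res.body)
end

# Constructed sample of a successful token-endpoint response.
SAMPLE_RESPONSE = '{"access_token":"ya29.constructed","expires_in":3599,' \
                  '"refresh_token":"1//constructed","scope":"profile email",' \
                  '"token_type":"Bearer"}'

if $PROGRAM_NAME == __FILE__
  req = build_token_request(code: '4/constructed-code',
                            client_id: 'CLIENT_ID.apps.googleusercontent.com',
                            client_secret: 'CLIENT_SECRET',
                            redirect_uri: 'http://127.0.0.1:8080/cb')
  puts req.body                                    # the form body that goes on the wire
  token = parse_token_response(SAMPLE_RESPONSE)
  puts "access token valid until #{token.expires_at}"
end
```

Keep the client secret and the refresh token out of logs and source control; the refresh token is long-lived and is what lets an installed app keep working without re-prompting the user.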
I am creating a new product. For that I have to use available security features. Should I use OAuth2 or JSON Web Token? Which is better, and in which situations should each be used?
I think you may find your answer in using org.apache.oltu.oauth2.
https://www.programcreek.com/java-api-examples/?api=org.apache.oltu.oauth2.client.request.OAuthClientRequest.AuthenticationRequestBuilder
You can see an implementation for OAuth and OpenID here: oauth server and resource server.
Just to explain what they are:
the oauth server creates the tokens
the resource server uses that token and processes it to give you the requested data
You can also go through the following docs to understand what they mean and how to implement them:
sample implementation in Java, Oracle tutorial on the concept of tokens
If you want to do Google API auth then you can go through this.
I also found this Stack Overflow link, which is a somewhat similar question and shares a few similar links. You should check that out as well.
I would like to access my Google Drive account via their API inside of a Rails application. The idea is that I will store files, but I don't believe I need to implement any authorisation for it (like with OAuth2, for example), since I only want to access my own account.
I have been researching for 2 days, but the Google documentation seems very confusing and not very clear.
I started in vain with this guide https://developers.google.com/drive/api/v3/quickstart/ruby and tried to co-opt it for use inside of Rails, but since it relies on storing a token file returned upon authentication, I figured this wasn't really the right approach.
I don't have any code to share, just looking for some clarity on how I can achieve what I'm trying to do, or indeed if it's even possible.
Additional Info:
I'm using Devise for my own authentication, so implementing OmniAuth through that would be an option if it's necessary. I looked through some of the documentation Devise has about that, but I didn't want to go through it (it seemed like a lot) before knowing it was the correct course of action.
You need OAuth 2.0 to authorize requests to the Drive API, as described in the documentation. In that link, you can find: «All requests to the Drive API must be authorized by an authenticated user».
To complete that authorization process, you should follow the instructions in the Drive API Ruby Quickstart linked in your question. Generating and saving a credentials.json for later use is the normal approach in this situation. Here you can read about using OAuth 2.0 in different scenarios.
I hope to have cleared up your doubts on this topic, but feel free to ask further questions.
I've already looked at dedicated Rails casts here and there, as well as some Rails API tutorials with JWT here and there and here. Unfortunately, most of them are too outdated (2011-2015).
Nevertheless, I'm still a little bit lost about what to choose between oauth2, omniauth-oauth2 and ruby-jwt, in which situation, and how to glue all these bricks together.
To be short, I need to authenticate users via an external corporate API, get a JWT token and be able to decode it to extract user information before letting them enter the Rails application.
What should I do:
create a custom strategy?
will this custom strategy work with the corporate authentication API if it does not use Doorkeeper?
Some recent links would be really appreciated.
I see that you want to use the OpenID Connect mechanism, in which the Identity Provider (IdP) returns an id_token (JWT format) to the client. That mechanism is already implemented here: https://github.com/doorkeeper-gem/doorkeeper-openid_connect. Check it out!
I am trying to understand in what scenarios I should be using OAuth. From reading the spec, I understand that you are essentially delegating identification to a 3rd party.
So if we take the example of Stack Overflow's login page you get:
OAuth2 is being used for Google and Facebook; how do I determine what Stack Overflow is using (when entering username and password directly)? Would that also be OAuth 2? If it is using OAuth, how would I go about understanding which flow they use?
Your question is a little unclear, but what I think you're asking is whether SO or some other site uses OAuth for all their authentication schemes. They could. If they are using OAuth with user/password authentication, when you authenticate the response you get back should have an Authorization Token and a Refresh Token in it that you would then use to authenticate on each successive request. Hope this helps. OAuth isn't a technology; it's a protocol on how to do authentication in a better way.
See what the request URL is when you click to log in with Gmail...
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com%26scope%3Dprofile%2Bemail%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google%26state%3D%257B%2522sid%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5%2522,%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode%26from_login%3D1%26as%3D-8520e47ae71bbb4&oauth=1&sarp=1&scc=1#identifier
Does that auth2 mean OAuth 2? I think so.
UPD: As I understand it, the OAuth mechanism is supported by a 3rd party. SO could use their own OAuth for direct entry, or standard authentication. It is up to SO.
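To make the "look at the request URL" approach concrete, the added example below (not part of the original answer) unwraps the URL quoted above. Google's ServiceLogin page carries the real OAuth 2.0 authorization request in its continue= parameter, so that inner query is percent-encoded twice; decoding it exposes the client_id, scope, redirect_uri, state and, decisively, response_type, which names the flow (code means the authorization code flow). The response_type-to-flow table is this example's own summary of RFC 6749 and OpenID Connect Core, not something from the page.

```ruby
require 'uri'
require 'json'

# The login URL quoted in the answer above, copied as-is.
SO_GOOGLE_LOGIN_URL = 'https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com%26scope%3Dprofile%2Bemail%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google%26state%3D%257B%2522sid%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5%2522,%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode%26from_login%3D1%26as%3D-8520e47ae71bbb4&oauth=1&sarp=1&scc=1#identifier'.freeze

# response_type -> flow, per RFC 6749 section 3.1.1 and OIDC Core section 3.
FLOWS = {
  'code'                => 'authorization code flow',
  'token'               => 'implicit flow (access token returned in the URL fragment)',
  'id_token'            => 'OpenID Connect implicit flow',
  'id_token token'      => 'OpenID Connect implicit flow',
  'code id_token'       => 'OpenID Connect hybrid flow',
  'code token'          => 'OpenID Connect hybrid flow',
  'code id_token token' => 'OpenID Connect hybrid flow'
}.freeze

# Pull the OAuth authorization request out of a Google ServiceLogin URL.
# The outer page wraps the /o/oauth2/auth request in continue=, so the inner
# query has to be form-decoded a second time after the outer decode.
def oauth_request_from_login_url(login_url)
  outer_params = URI.decode_www_form(URI.parse(login_url).query.to_s).to_h
  authz_url = outer_params['continue']
  raise 'no continue= parameter: not a wrapped authorization request' unless authz_url

  authz  = URI.parse(authz_url)
  params = URI.decode_www_form(authz.query.to_s).to_h
  # scope is a space-separated list; the '+' on the wire is an encoded space
  scopes = params['scope'].to_s.split(' ')
  {
    authorization_endpoint: "#{authz.scheme}://#{authz.host}#{authz.path}",
    client_id: params['client_id'],
    scopes: scopes,
    # the code will be delivered here, so this tells you which site is the client
    redirect_uri: params['redirect_uri'],
    response_type: params['response_type'],
    flow: FLOWS.fetch(params['response_type'].to_s, 'unknown / not an OAuth 2.0 request'),
    # state is opaque to Google; it is the client's CSRF binding for the
    # callback. Stack Overflow happens to put JSON in it.
    state: params['state']
  }
end

if $PROGRAM_NAME == __FILE__
  oauth_request_from_login_url(SO_GOOGLE_LOGIN_URL).each { |k, v| puts "#{k}: #{v}" }
end
```

The same check works on any "Log in with X" link: find the parameters of the request that lands on the provider's authorization endpoint and read response_type. A direct username/password form that posts only to the site's own origin carries none of these parameters, which is the practical answer to "is the direct login OAuth too".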
To keep it short and easy:
If you want to add authentication to your application and you want to leave some of the security heavy lifting to big companies like Facebook, Google and Stack Overflow, it is generally a good idea if you do not know precisely how to handle such a delicate task and/or you are not using a specific auth tool or framework.
On the other hand, from the user's perspective, the application will be far more user friendly (just a one-click authorization instead of a painful registration).
If you want a much more detailed technical explanation, I suggest you read this other Stack Overflow post:
OAuth 2.0: Benefits and use cases — why?
I've got a Rails app I want to start enabling some iOS integration with. I have a basic authentication system built mostly from scratch with a little help from Sorcery.
My understanding is there are basically two options for mobile integration: HTTP Basic Auth or Token Auth. From what I've been able to find so far it looks like Token Authentication is the preferred method.
I am not familiar with what token authentication is or how it is supposed to work, and I have not really been able to find any decent guides on this, except for a few tutorials on how to use the relevant module in the Devise library.
So, my question is, what is the basic theory of Token Authentication, and what would a from-scratch token auth system in rails look like? I understand that sharing the code for the entire system might be overkill for an SO answer, but I would be very grateful if anyone can help me understand a basic schematic of how such a system is supposed to work. I'd also happily accept links to any good existing materials on how to do this from scratch, as the main problem is I haven't been able to find anything like that.
Thanks!
Devise and Authlogic have nice token authentication solutions. You can either use one of these gems or, to implement your own, check their source code for inspiration.
Below is my understanding of how token authentication works:
1. The user signs in using a username/password combination through a POST request.
2. You authenticate the user, generate a unique token and store it in the DB.
3. You send this token back to the iOS device.
4. The device stores this token in memory.
5. Any subsequent call to the API needs this token passed in as an additional param to auth the user.
6. For this process to be secure this token needs to have an expiration date, and the communication between the iOS device and the server must be encrypted through SSL.
7. For convenience you can store the user credentials on the device using the iOS keychain.
I hope this helps.
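A from-scratch version of the steps in the answer above, written as an added example (it is not the answer's code and not Devise's or Authlogic's): the in-memory store stands in for the api_tokens table, and the request shape is assumed. Two points the step list leaves implicit are built in. Only a SHA-256 digest of the token is stored, so a database dump does not yield usable sessions, and the token is read from an Authorization header before falling back to a request param, because query and form params end up in server and proxy logs.

```ruby
require 'securerandom'
require 'digest'

# In-memory stand-in for an api_tokens table with a unique index on token_digest.
class TokenStore
  Record = Struct.new(:user_id, :expires_at)

  def initialize(ttl: 24 * 60 * 60)
    @ttl  = ttl
    @rows = {}   # token_digest => Record
  end

  # Step 2: after the username/password check passes, mint a token for the
  # user. The raw token is returned to the client exactly once; only its
  # SHA-256 is persisted, so a leaked table does not hand out live sessions.
  def issue(user_id, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)            # 256 bits of entropy
    @rows[digest(raw)] = Record.new(user_id, now + @ttl)
    raw
  end

  # Step 5: resolve a presented token to a user id, or nil. Lookup is by
  # digest, so the raw token is never stored or compared directly. Expired
  # rows are deleted on sight so they cannot be replayed later (step 6).
  def authenticate(raw, now: Time.now)
    return nil unless raw.is_a?(String) && !raw.empty?

    key = digest(raw)
    rec = @rows[key]
    return nil if rec.nil?

    if now >= rec.expires_at
      @rows.delete(key)
      return nil
    end
    rec.user_id
  end

  # Logout or compromise response: revocation needs only the digest.
  def revoke(raw)
    !@rows.delete(digest(raw)).nil?
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end

# Extract the token the way a Rails before_action would. Prefer the
# Authorization header; fall back to the param the answer describes.
def token_from_request(headers, params)
  m = headers['Authorization'].to_s.match(/\ABearer\s+(\S+)\z/)
  return m[1] if m

  params['auth_token']
end

if $PROGRAM_NAME == __FILE__
  store = TokenStore.new(ttl: 3600)
  raw   = store.issue(42)                               # step 3: sent back to the iOS app
  user  = store.authenticate(token_from_request({ 'Authorization' => "Bearer #{raw}" }, {}))
  puts "request authenticated as user #{user.inspect}"
end
```

In a Rails controller the before_action would call authenticate with the extracted token and render 401 on nil; the model would carry token_digest and expires_at columns instead of the hash, and issue would run only after the password check in the sessions controller. TLS on every request (step 6) is what keeps the bearer token from being read off the wire; nothing in the token scheme itself provides that.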
I think there are three difficulties here.
1. There are very few books focused on authentication techniques.
2. The keyword "token authentication" is confusing to use in the security/authentication field.
3. Rails-related documentation tends to be "how to."
So, Googling won't reveal good resources for this purpose. I know this field well, but it's difficult, especially due to reason 2.
In my understanding, "token" here works as an authenticated identity in the system, and provides a bridge between the authentication system and the authorization system. But to understand this, you must understand the overall system.
Let me provide a few pointers with regard to authentication technique books and some papers here.
Butler Lampson did much work related to authentication, and some of his articles are very good material for understanding the authentication/authorization framework; that might be helpful. One example is Computer Security in the Real World (2004).
A book written for Public Key Infrastructure (PKI) might be helpful; there are several of those, such as Understanding PKI: Concepts, Standards, and Deployment Considerations, 2nd edition.
Hope this helps.
ember-auth has a nice tutorial on token authentication for Rails with Devise and Ember. However, it could also be applied to Sorcery or to a custom authentication system. I think this is the best approach to authentication for an Ember.js app.
https://github.com/heartsentwined/ember-auth-rails-demo