I am attempting to use Google's OAuth services for iOS and am passing the following scopes into the auth mechanism:
https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
As far as I can tell the login is working correctly (I am prompted for my Google credentials); I can parse out my email from the GTMOAuth2Authentication object, but my question is, how do I get the data from "userinfo.profile", i.e., Name, Gender, etc.
Thanks
You may use the access token to acquire the user's basic profile information by calling the UserInfo endpoint.
See https://developers.google.com/accounts/docs/OAuth2Login#userinfocall
Related
I know that OAuth2.0 is framework using to authorization data request between apps, but to give this access auth server is required. It is my question: who is this server? Let's say: We have two apps: Twitter and Google. I am trying to register Twitter account using Google account. And now where is this auth server? Is it Google? Or maybe it is another third server (managed by Twitter and Google together where user data is?) If it is Google, how Twitter is able to check if user token (generated by auth server [Google??]) is valid?
Thanks
On your first question,
I am trying to register Twitter account using Google account. And now
where is this auth server? Is it Google?
Yes, it's Google. If you're trying to login/register to Twitter via Google, Google is the authorization server. Because, Google has to authorize/delegate access to Twitter to access your data such as your Gmail id, username, etc.
Once you click on "Sign up with Google" button on the Twitter registration page, you will be redirected to the Google login page first (to see if you're an authenticated google user) and then Google would show you a consent page saying that "Twitter is trying to read your profile data, are you okay with this?". Once you click on "Allow" button, Google will generate an access_token, id_token, and refresh_token and pass it to Twitter.
On your second question,
If it is Google, how Twitter is able to check if user token (generated
by auth server [Google??]) is valid?
Twitter is not going to validate the tokens. Twitter can pass the token to retrieve your Google profile information from Google's Resource Server (where all your data reside)
Google's Resource Server is the one that's going to validate the token. It first checks the 'iss' claim of the token to see if the token is issued by Google's Authorization Server. Additionally, it would check for 'aud' to see if the token is issued for them (recipient of the token). Finally, it checks for the 'scope' claim to see if Twitter has the right access to request the data. For eg, they would need to request only read-only access to your profile, but not write access. There could be additional validation depending on the use case.
I hope this answers your questions.
I am using Cognito and ADFS integration for one of my web app. After the integration, I get the tokens correctly from Cognito. However, when I try to retrieve user's attributes using Auth.userAttributes(), I get a 400 error code with following error:
{__type: "NotAuthorizedException", message: "Access Token does not
have required scopes"} message: "Access Token does not have required
scopes"
__type: "NotAuthorizedException"
I decoded the received access token on jwt.io and it correctly has the openid and profile scopes
"scope": "openid profile email"
As per the Auth standards, I expect that these scopes should be enough to READ a basic user profile. Is this not a correct expectation ?
P.S: I tried asking for a token with aws.cognito.signin.user.admin scope and this seems to make the user attribute call without error. However, why is this required. I don't want to expose to the user any access token to modify any information
In my own experience with Cognito access tokens, you are unable to add custom claims to them. This has some good and bad points:
Pros
Tokens used by web and mobile apps do not reveal sensitive data
Cons
Tokens alone do not enable APIs to do their authorization properly
You can get the details you need by sending the access token to the User Info endpoint though. It is possible to do this when an access token is first received, then cache custom claims for future requests with the same access token:
Getting user info claims
Creating a custom claims principal
You can run the above code sample by following its README. The main point of the API security code is to form a useful claims principal that the API can use for its business authorization.
I believe you are using aws amplify for this task.
As you are using federated sign in to authenticate user, you will get user attributes in the following way:
const user = await Auth.currentAuthenticatedUser();
const {yourAttributeName} = user.signInUserSession.idToken.payload;
Though you are not using cognito user pool user for this task, but you can access their user attributes like the following way:
const {yourAttributeName} = (await Auth.currentAuthenticatedUser()).attributes;
If the above solution doesn't work, Make sure your Scopes are properly setup in your userpool app and Identify Provider have a proper attribute mapping setup and have read-write permission on the attributes that you are expecting to read.
Couple of questions about firebase functions.
I have a function that needs to verify that the current user is authenticated, and then use their userId to store some data and associate it to them.
How do i access userId and validate auth in the functions?
Where can i get the token that needs to be sent to server through http header?
To get started, look at the official sample code available in GitHub that shows how to protect an endpoint. You'll see that it takes a token from Firebase Authentication for the currently authenticated user using getIdTokenWithCompletion. The function uses the Firebase Admin SDK to verify the token. The result of verification is a DecodedIdToken object, which contains various properties, including the user's uid.
I need to access several YouTube channels for my job to pull analytical data and export it to a database. The problem, is that this requires using OAuth, which would be fine except I don't know the controlling person's username/password. She probably won't give me her credentials since it's personal.
Is there a way to do this without explicitly using her username/pass? Like, she tried making me a content owner, but I still can't authorize this level of information.
This is exactly the reason why OAuth was created, to make requests on behalf of a user without their username and password.
Have that user generate an access token. Here are the Google Docs. In a nutshell:
Have your user send a post request to https://accounts.google.com/o/oauth2/token with your app key. The response should look something like:
{
type: "oauth",
token: "XXXXXXX"
}
Then, make an API request on behalf of that user with their token by passing in the token returned from the previous step as value for the Bearer filed for any web request to the YouTube API. This will allow you to perform an authenticated request without explicitly knowing the user's username and password.
How can I grab the Instagram feed (message, pictures and videos) by using generated access token without login?
I have read the Instagram Developers documentation and found out that users really need to login in order to retrieve someone's public contents/feed.
Facebook and Twitter have their own clientId and clientSecret and both of them have full filled their own purposes, to get access token and the feed without user's login.
But since Instagram has its own clientID and client Secret too, and strangers can view one's public photos/feed without login on web browser, why the hell we still need to login to get the access token, in order to get the feed in json format??
Am I missing something?
Please help, thank you.
this is not possible, the only way to get an access token if you log in, but, you can do a hack to not request an access token
well, you need request an access token with your account, when you get it, set this access token in your app and do all request with that access token, but when that access token expire request a new one.
here a framework when i use this hack, and request a new access token when the old one is expired
https://github.com/Busta117/SBInstagram