I have created a Twitter application and specified the following url as the callback url:
http://www.myapp.com/login
However, when a user comes to my site from the url myapp.com (missing the www prefix) the authentication fails.
Apparently, I cannot have multiple urls. So what can be a workaround?
You can either
Feed the correct OAuth URL by changing it based on the hostname the user uses to access your app.
Implement a canonical domain name, making sure visitors are redirected to the www version (or vice versa).
No, you cannot feed multiple URLs to the OAuth service.
Related
I'm trying to configure a new Okta application with a callback URL that will depend on the tenant's subdomain. Meaning I need the same Okta app to accept redirection (using the redirect_uri parameter) to https://0001.my.domain.com/oauth2/callback, https://0002.my.domain.com/oauth2/callback and so on. Notice the 0001 and 0002 subdomains. This may seem strange, but it's for demo purposes. The point is to avoid having to set up a different Okta app per tenant.
Okta's own docs on the subject read:
Does your Initiate Login URI vary by tenant? — If Yes, enter which part of the Initiate Login URI is customizable. For example, the subdomain in https://<subdomain>.example.com/signin/.
However, when I try to do this I run into an error complaining that:
The redirect URIs must be absolute URIs.
Maybe I'm just reading this wrong, but I take it to mean that variables/placeholders are supported.
I've searched the rest of the Okta docs but found no additional information on the subject.
If Okta let you do this, it would not be OAuth 2.0 compliant.
See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-16#section-2.1:
When comparing client redirect URIs against pre-registered URIs, authorization servers MUST utilize exact string matching except for port numbers in "localhost" redirection URIs of native apps.
I need the following information for my app to work:
1) Client ID
2) Redirect URL
Setting up the app and creating an ID + secret code was easy. But I have no idea what to put as my redirect URL. I used localhost as my URL and I was able to sign into my google account but after I signed in I received Error: redirect_uri_mismatch
Screenshot
What can I do? How do I even create a redirect URL?
In the Developer Console credentials page (the one in your screenshot), add your redirect URI to the "Authorized redirect URIs" text field.
Ensure you're supplying the correct port and correct route your server is listening on too.
For example, in the Google API Console, the working redirect URI for me is
Your port and route all depend on your server setup (ie. look in your index.js if you're using Node). This working sample with port 5000 is from the example server code in the YouTube API NPM module readme.
I'm trying to implement login with google to my web site.
The users can visit my site in 3 domains
1) regular link (HTTP and WWW...)
2) http://example.com - no www
3) apps.facebook.com/example - facebook app
We want to allow the user connect google in those three options.
We're using gapi (google javascript library) in order to authenticate the user.
My code looks like:
var config = {
'client_id': 'my_client_id',
'scope': 'my_scopes',
**'redirect_uri' : "https://www.example.com/oauth/",**
'immediate': immediate
};
**gapi.auth.authorize(config, function(){});**
As you can see I'm setting my redirect uri as part of the config of gapi.
We've created some popup in order to give the same uri for the three domains.
My problem is that in case I'm login to my site from the domain without the WWW, the authorize isn't working and the user isn't redirect to the redirect_uri link - which means, we don't have his token.
In case I'm removing the WWW in the redirect_uri (so it will looks like https://example.com/oauth/)
the facebook domain isn't working...
It's so frustrated..
Is anyone familiar with this kind of problem?
Any idea?
We've spent on it too many hours....
Thanks
Z
You can register multiple redirect URIs for a single client in the Google API Console so you would register one for each domain and pass the one for the currently accessed domain in the redirect_uri parameter of the authorization request. You don't need to use the same redirect URI across your domains so that should solve your state/token restoration problems.
I'm trying to set up a mirror API service for Google Glass. I turned on Mirror API in the google dashboard per the instructions in the glass developer website for Mirror API.
But when I go to create a Client ID for Oauth2, I get "Invalid web origin".
I'm putting in www.myserver.com/foldercreated, which exists in my server.
Use your url's domain name as Authorized JavaScript origins such as:
http://www.myserver.com
And your callback urls as Authorized redirect URI such as:
http://www.myserver.com/foldercreated
Don't forget to set http:// (or https://) prefix.
I'm creating a viewer app for Windows Phone 7. The app already handles the OAuth2 stuff and succesfully browses Google Doc's folder structure.
I use Google Documents List API 3. BTW browsing works perfectly without using request headers, instead I append the access_token to the request Uri.
Now the app needs to show files to the user, if possible without downloading them first. This means that I want to set the UI's Image.Source to the Uri of an image, the UI's MediaElement.Source to the Uri of a video and the BackgroundAudioPlayer.Track.Source to the Uri of an audio file. Obviously I can't use request headers in this scenario.
However it seems that simply appending the access_token to the download Uri doesn't work. The UI elements fail with generic error messages, and if I manually try with a web browser (which isn't logged in to Google) it shows an empty screen, a 401 error or it redirects to Google's login page.
Is it possible to download/stream a Google Data entry just by defining the Uri? If yes, what does the Uri need to look like?
Support for authorization using the access_token URL parameter has not been allowed on purpose for security reasons. Basically if a user would be to open a malicious file on a browser (e.g html containing some Javascript would suffice) the malicious code on the file could steal the access token in the URL and send it to a third party bad guy.
To access the file you need to authorize using "Authorization" HTTP header. Simply add an HTTP header to the request which is like:
Authorization: Bearer access_token_here