I have authentication working well with mongoose-auth in node.js. Would like to connect to Google REST Api that requires OAuth2.0 authentication. Does mongoose-auth support OAuth2?
(added everyauth as tag as mongoose-auth doesn't exist yet)
mongoose-auth extends everyauth which does implement OAuth2.0ds
Related
I am constantly get confused by OpenID Connect and Oauth2, and I read this article and get a sense that Google is using OpenID Connect https://auth0.com/docs/oauth-web-protocol (but I remember google used Oauth2 as providing auth service to 3rd parties), see the following quote
Auth0 supports the OpenID Connect / OAuth2 Login protocol. This is the protocol used by companies like Google, Facebook and Microsoft among others so there are plenty of libraries implementing it on various platforms.
Moreover, the above URL seems to say Auth0 is using OpenID (rather Oauth)? See the following quote:
GET https://YOUR_NAMESPACE/authorize/?
response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=http://YOUR_APP/callback
&state=VALUE_THAT_SURVIVES_REDIRECTS
&scope=openid
http://openid.net/specs/openid-connect-basic-1_0.html
OpenID Connect is basically authentication built on top of OAuth 2.0.
OAuth 2.0 by itself didn't standardise authentication (just authorization) and the confusion you have likely comes from the fact that each of the companies that are now switching to OIDC previously had already poured their own "authentication sauce" on over their OAuth 2.0 implementations. In practice this meant that each had their own set of scopes and their own version of what is a standard /userinfo endpoint in OIDC, but the authorization mechanism in all cases (including OIDC) is based on OAuth 2.0.
To wrap up by answering your question: Yes, both of the endpoints you mention support OpenID Connect.
I'm looking for a way to secure my own api with OAuth, but all I find is how to create client that connects to Twitter or Facebook. In the ZF2 docs site there is only example how to use ZendOAuth to connect to Twitter service. Is there any tutorial/documentation or anything ?
Which version about Oauth you are looking for ?
Just add one of these modules to create an Oauth provider. Take care! you have to know how oauth works, to integrate into your application.
For oauth 1.0a
https://github.com/bgallagher/BgOauthProvider
For oauth 2.0
https://github.com/php-loep/oauth2-server
see https://stackoverflow.com/a/23302428/389976
Essentially check out Apigility http://www.apigility.org/
I have been playing with the new Admin SDK in conjunction with the "upgraded authorisation experience" and wondered if someone has and experience/examples on how to use it. From what I have read, if you upgrade the authorisation experience you shouldn't need to use OAuth 2.0 and get a client ID and secret from the API console.
When you upgrade the authorisation, the API console entry is automatically created so you just have to turn on Admin SDK. Your app should then run simply using your own admin credentials.
Have I misunderstood this and if so, what is the benefit of the new authorisation experience?
I can use the Admin SDK just fine if I create a client ID and secret in the API console but this is using OAuth 2.0 then.
If someone has an example of how to use the admin sdk with OAuth 1.0 i could have a look at it would be much appreciated.
You will still need get your tokens and API key...
Take from the Directory API documentation:
If your application has certain unusual authorization requirements, such as logging in at the same time as requesting data access (hybrid) or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key. You can find your application's API key in the Google APIs Console, in the Simple API Access section of the API Access pane.
If you are looking for an oAuth2 example with GAS, Arun has a nice example he posted on GitHub, see the SO posting: How to authorize with oauth 2.0 from appscript to Google APIs?
Sorry, I don't have any oAuth1 example to interface with the new APIs.
For working with Google using 1.0 protocol, applications were required to be registered using https://accounts.google.com/ManageDomains which provided a ConsumerKey and a ConsumerSecret to access feeds.
Newer application registrations are instead done using https://code.google.com/apis/ which provides ClientID, RedirectURL etc. (but not consumer key) as it is based on OAuth 2.0
Question: Is it possible to run an application created with Google APIs (OAuth 2.0) to work with an 1.0a OAuth flow? If yes, what field should be considered as a ConsumerKey?
It is not recommended that you use OAuth2 Registration for OAuth1 flows. The OAuth1 approval page will not look very nice to your users. Google's consumer_key and client_id are roughly equivalent, However, Google's OAuth1 approval page shows the raw value of consumer_key (client_id). The Application brand info will not be shown and instead you'll see the client_id value. 12345.apps.googleusercontent.com.
If you want to do the OAuth1 hybrid protocol, OAuth2 is a naturally 'hybrid' protocol and can do identity as well as data access control.
I'm pretty new to OAuth and API security.
I'm building a REST API that will be accessed by my own mobile application.
I want to expose API to other developers via OAuth authorization and authentication and I'll be using my own OAuth provider.
What is the authentication strategy for my own mobile app ? After all, I don't need user to authorize my app. Can I use OAuth for authentication while having my own mobile application pre-authorized by default ?
Can I authenticate users of my mobile app with OAuth or do I need something like OpenID?
I don't think you want oauth if you are looking to step over the user authorization step. If you are determined to use oauth, however, you could mask the authorization step as a login dialog or give your application an access token. User authorization is a rather big part of oauth's functionality, so ignoring it probably means you should use some other interface to access your users' information.
Accessing my own oauth REST API - OAuth is NOTHING to deal with REST apriori: OAuth - is Authorization protocol, REST - an architecture style.
For OAuth - use version 2.0 - it's 2012 already.
What is the authentication strategy for my own mobile app? - for mobile app on Android, for example, you could use could get user's account with which one registered his phone within GooglePlay store/GMAIL (and then generate one-time password from on your server side). If one wouldn't provide them to your app - make an explicit authentication.
Nowdays probably only calculator doesn't use explicit authentication - so why should you differ? You can link you Authentication to FB or Google or any other OAuth provider - what does make you to create your proper OAuth provider?
You can Authenticate users with both OAuth and OpenID.