Google OpenID and OAuth - oauth

We have users who authenticated via the Google hybrid OpenID (OpenID+OAuth1 [0]) protocol. To use the newer APIs from Google we have to change to OAuth2-based authentication. Is there a way to know, after an OAuth2 login, whether the user is one of our OpenID users?
The IDs look very different. A user ID in google_oauth2 looks like this:
12345678901234567890
and a user ID in Google hybrid looks like this:
https://www.google.com/accounts/o8/id?id=AItOawnlIGFin5I0F059UdqSYbK9JmA99e99ms
Is there some way to fit this together? Is there an OAuth-based call I could make to retrieve such an OpenID user ID? Since we use it for login purposes I would not want to put two Google login buttons on the login page. I can hardly imagine our users understanding this.
Is there a common strategy to resolve such issues?
[0] https://developers.google.com/accounts/docs/OpenID#oauth

Google talks about a combination OpenID/OAuth call that should do what you need. However, all the links in the document are to OAuth 1.0. So you will need to investigate to make sure it works with OAuth 2.0, since Google has deprecated the OAuth 1.0 interface.

OK, it seems I have a way to do it. I still have to implement and check it, but theoretically it should work like this:
send user to OAuth2 login
-> if known, log him in
-> if unknown, send him to OpenID with immediate mode
-> if successful, log him in and associate the former OAuth connection
-> if error, the user is unknown and will be created with his OAuth token
Immediate mode could also fail if the user was not logged in with Google, but since he just came back from the OAuth2 dance he would have to have logged out in between, which is very unlikely since he gets redirected immediately.
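The resolution flow sketched in the answer above, written out as an added example (it is not the poster's code). The identity-provider round trips are injected as callables so it runs offline, and the user records and the second numeric ID are constructed. It assumes the OAuth2 `sub` was taken from a verified ID token or the userinfo endpoint and that the OpenID claimed_id comes from a signature-verified immediate-mode assertion. One deliberate difference from the sketch: an immediate-mode `setup_needed` answer does not create an account, because that answer says nothing about whether the user already exists and would duplicate an existing OpenID user.

```python
"""Resolve an OAuth2 login against a user base created under Google's hybrid
OpenID protocol. Added example; IdP calls are injected, sample data constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class User:
    name: str
    openid_claimed_id: Optional[str] = None  # https://www.google.com/accounts/o8/id?id=...
    oauth2_sub: Optional[str] = None         # numeric Google account id


@dataclass
class UserStore:
    by_sub: Dict[str, User] = field(default_factory=dict)
    by_openid: Dict[str, User] = field(default_factory=dict)

    def add(self, user: User) -> User:
        if user.oauth2_sub:
            self.by_sub[user.oauth2_sub] = user
        if user.openid_claimed_id:
            self.by_openid[user.openid_claimed_id] = user
        return user

    def link(self, user: User, sub: str) -> None:
        """Associate the new OAuth2 identifier with an existing OpenID account."""
        user.oauth2_sub = sub
        self.by_sub[sub] = user


def resolve_login(store: UserStore, sub: str, name: str,
                  openid_immediate: Callable[[], Optional[str]]) -> Tuple[str, Optional[User]]:
    """openid_immediate() returns the verified claimed_id from an id_res answer,
    or None when Google answered setup_needed (no Google session, or user
    interaction required). Returns (outcome, user)."""
    user = store.by_sub.get(sub)
    if user is not None:
        return "login", user
    claimed_id = openid_immediate()
    if claimed_id is None:
        # setup_needed says nothing about whether we know this user; creating an
        # account here could duplicate an existing OpenID user. Do a full
        # (non-immediate) OpenID checkid round trip first and retry.
        return "needs_openid_setup", None
    user = store.by_openid.get(claimed_id)
    if user is not None:
        store.link(user, sub)
        return "linked", user
    user = store.add(User(name, claimed_id, sub))
    return "created", user


def demo() -> List[str]:
    """Walk the four branches with constructed identifiers."""
    store = UserStore()
    old_id = "https://www.google.com/accounts/o8/id?id=AItOawnlIGFin5I0F059UdqSYbK9JmA99e99ms"
    store.add(User("alice", openid_claimed_id=old_id))  # pre-migration user
    outcomes = []
    # first OAuth2 login of the migrated user: unknown sub, immediate mode yields her old id
    outcomes.append(resolve_login(store, "12345678901234567890", "alice", lambda: old_id)[0])
    # second login: the sub is now linked, no OpenID round trip needed
    outcomes.append(resolve_login(store, "12345678901234567890", "alice", lambda: None)[0])
    # new visitor without a Google session: cannot decide yet
    outcomes.append(resolve_login(store, "98765432109876543210", "bob", lambda: None)[0])
    # new visitor with a Google session and a claimed id we have never seen
    outcomes.append(resolve_login(store, "98765432109876543210", "bob",
                                  lambda: "https://www.google.com/accounts/o8/id?id=constructedNewId")[0])
    return outcomes
```

The link step is the security-sensitive one: it must only run on a claimed_id the OpenID library has verified (signature check or check_authentication), otherwise anyone who can reach the callback could attach their Google account to someone else's record.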

Related

Retaining Forms Authentication with IdentityServer3

We currently have a typical forms authentication setup in our organisation, with a login page located at something like account/login. We want to retain this but also want to start securing some of our APIs with OAuth2; essentially we are the provider.
From reading a fair bit about the subject, Microsoft's OWIN OAuth implementation isn't supported moving forward (e.g. vNext) and doesn't support all the OAuth2 flows. Thinktecture's IdentityServer3 seems to be the "standard" and most complete solution currently available.
I can't seem to find an example of using IdentityServer3 with an existing app that requires forms authentication.
We would be looking at using it in two different ways: one using the implicit flow with JavaScript, where we allow a third-party site to call our API once the user has logged in to us (using forms auth) and has allowed the client to access specific scopes.
The other use case, I think, would use the authorization code flow; the client would request this so it can auto-login (much like "Login with Facebook", but "Login with X company") or already be logged in if the user is logged in to our site.
Any help with these scenarios would be most appreciated.
I think it will not be possible to switch your app to OAuth without changing your existing login.
I would suggest you use IdentityServer with a custom user store (https://identityserver.github.io/Documentation/docsv2/advanced/userService.html) to use your current user database. That way your existing login accounts will be used by the identity server.
You can then secure your APIs with OAuth using the identity server. You might need to change the way your current app calls the APIs too. This means users of the current app will be redirected to the identity server's login page. You can brand your login pages using custom views to make them appear similar to the current login page (https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html).

Login with password and facebook

I am in the process of designing an app that is supposed to let you login using either a username/password combination or facebook login. We have a custom OAuth server that uses user credentials to authenticate users. Now, the question is how to add facebook into this.
As I see it now, when the user wants to login with facebook, the client does all the work and gets the access token in the end. But how do we let our server know that this access token is a good one (and corresponds to a user in the database)? To me it seems like our OAuth server should be able to handle this as well, and I'm just missing the how.
OAuth supports different scenarios (flows). Client-does-all-the-work is the so-called "implicit" flow.
In your case it would be better to use the authorization-code flow and extend your OAuth server. You put a "Facebook" button on your login page and instruct Facebook to redirect to a new special page on your OAuth server. The delivered authorization code can then be exchanged for the access token inside your OAuth server, and the server may issue its own session and tokens based on this.

Google OpenID and Google APIs

I was trying to achieve an OpenID login with Google and then get an access token to access Google APIs (such as Google Plus or Drive).
The first attempt was successful but with a big problem:
Do the OpenID stuff: the user is redirected to Google to identify himself, then returns to my app identified.
Do the OAuth stuff with the Google APIs: redirect the user again to identify himself; he comes back with a code, then exchange the code for the access token needed to call the Google APIs.
The user needs to identify twice. That's not good.
I read and tried the Google hybrid OpenID and OAuth. All links there point to the deprecated OAuth1 interface, and I can't make it work: I get the user identified but no request_token to continue the OAuth stuff.
So I have a couple of questions:
Is there a way to identify the user against Google OpenID and at the same time get the user's consent to access Google APIs?
Is the hybrid protocol still working with OAuth2 and the new Google APIs?
Am I on the right track, or am I missing something?
I need both OpenID and OAuth because the application needs to be in the Google Marketplace, where logging users in with OpenID is a must, and I need to hit some APIs that need an OAuth2 access_token.
Thanks!
Why do you need to work on both OpenID and OAuth side by side, and have two login screens? If you simply use OAuth 2.0 workflow, the user needs to key in his credentials just once and you can do anything that you want to.
Once the user consents to the login/permissions screen in the OAuth workflow, your app will get an access token. If you need any client info for, say, a welcome user screen - you just need to hit the https://www.googleapis.com/oauth2/v1/userinfo endpoint with the access token and it will give you the user's public information. So, in short you can do pretty much most of the things with the OAuth flow, and with the user logging in just once.
Good luck! Feel free to follow up with more questions.
OK, finally I have a working solution, and this is the "magic" URL that does the trick for me:
import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

// state must be unpredictable and generated per login (a fixed literal lets an
// attacker forge the callback); keep it in the user's session and compare it
// with the value Google sends back on the redirect
String state = new BigInteger(130, new SecureRandom()).toString(32);
String url = "https://accounts.google.com/o/oauth2/auth?"
    + "client_id=" + GoogleapiAuthHelper.CLIENT_ID + "&"
    + "response_type=code&"
    + "scope=openid%20profile%20https://www.googleapis.com/auth/plus.me&"
    + "redirect_uri=" + URLEncoder.encode(GoogleapiAuthHelper.REDIRECT_URI, StandardCharsets.UTF_8) + "&"
    + "state=" + state;
if (userService.getCurrentUser() != null) {
    // login_hint names the account already identified via OpenID, so Google does not ask again
    url += "&login_hint=" + URLEncoder.encode(userService.getCurrentUser().getEmail(), StandardCharsets.UTF_8);
}
Steps:
First of all, identify the user with OpenID: the user goes to the login screen and types his credentials.
The user returns identified to the application.
Redirect the user to the URL above. The login_hint param means the user doesn't need to identify again, and the response to this URL is a redirection with an OAuth code, which you can easily exchange for the desired access token.
After reading all the Google Plus API, Google Drive API, OAuth2 and OpenID documentation, the doc that pointed me in the right direction was https://developers.google.com/accounts/docs/OAuth2Login?hl=es
I don't know if this is the best way to achieve OpenID + OAuth, but it works and I can't make it work any other way. Hope this can help someone.
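The server-side authorization-code round trip that both the answer above and the "Login with password and facebook" answer rely on, as an added example in Python (not code from either poster): build the request with a per-login state and properly encoded parameters, validate the redirect back, exchange the code, and take the user's identity from the userinfo response. The token and userinfo endpoints are injected as callables and their responses are constructed, so it runs offline; the client ID, redirect URI and callback URLs are assumptions.

```python
"""Authorization-code login with state validation. Added example; the two
network round trips are stand-ins and all identifiers are constructed."""
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"


def new_state() -> str:
    """Unpredictable per-login value; keep it in the user's session."""
    return secrets.token_urlsafe(24)


def build_auth_url(client_id: str, redirect_uri: str, scopes: List[str],
                   state: str, login_hint: Optional[str] = None) -> str:
    """urlencode escapes redirect_uri, the space-separated scopes and the hint."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if login_hint:  # lets Google skip the account prompt for an already-identified user
        params["login_hint"] = login_hint
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, session_state: str,
                    exchange_code: Callable[[str], Dict[str, str]],
                    fetch_userinfo: Callable[[str], Dict[str, str]]) -> Tuple[str, str]:
    """Return (provider_user_id, access_token) or raise ValueError.

    exchange_code posts the code to the token endpoint; fetch_userinfo calls
    https://www.googleapis.com/oauth2/v1/userinfo with the token."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if "error" in q:
        raise ValueError("provider reported: " + q["error"])
    # constant-time compare against the state stored when the login started
    if not session_state or not hmac.compare_digest(
            q.get("state", "").encode(), session_state.encode()):
        raise ValueError("state mismatch: forged or stale callback")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    tokens = exchange_code(q["code"])
    info = fetch_userinfo(tokens["access_token"])
    # The token grants access; only the provider's user id says who this is.
    return info["id"], tokens["access_token"]


# Constructed stand-ins for the two network round trips.
def fake_exchange_code(code: str) -> Dict[str, str]:
    return {"access_token": "ya29.constructed-" + code, "token_type": "Bearer"}


def fake_fetch_userinfo(access_token: str) -> Dict[str, str]:
    return {"id": "12345678901234567890", "email": "user@example.com"}


def demo() -> Dict[str, object]:
    state = new_state()
    url = build_auth_url("CLIENT_ID", "https://app.example/oauth2cb",
                         ["openid", "profile", "https://www.googleapis.com/auth/plus.me"],
                         state, login_hint="user@example.com")
    good = "https://app.example/oauth2cb?" + urlencode({"state": state, "code": "4/abc"})
    user_id, token = handle_callback(good, state, fake_exchange_code, fake_fetch_userinfo)
    forged = "https://app.example/oauth2cb?" + urlencode({"state": "guess", "code": "4/evil"})
    try:
        handle_callback(forged, state, fake_exchange_code, fake_fetch_userinfo)
        rejected = False
    except ValueError:
        rejected = True
    return {"url": url, "user_id": user_id, "token": token, "forged_rejected": rejected}
```

Once `handle_callback` returns, the server issues its own session for the user keyed on the provider ID, which is the "server may issue its own session and tokens" step of the Facebook answer; the access token is kept only for API calls.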

Getting started with OAuth

I wanted to build a simple WP7 app to learn how to use Silverlight, so I thought I'd create a very simple yammer app. As a starter it would have two screens - Login (Username & Password) and Feed.
Yammer uses OAuth for its authentication but I just don't get it! I appreciate you need to request a token to use the REST interfaces, but I don't want my users (even if it's just me) to need anything other than their login credentials, as they would use on the website. In my head the token can be used in a similar manner to a forms auth token in ASP.NET.
Am I missing something? I can't see anything in the Yammer documentation about logging in.
The process for OAuth is as follows:
You do a token request to Yammer. If needed, they will ask for Yammer credentials and send a token back to a URL of your application.
You must use that token to sign all your requests.
You can't stop Yammer asking for credentials because that's the idea of OAuth. Yammer does not trust you and it's impossible for you to keep any user's Yammer credentials. That way they can't be stolen from your site. The most you can store is a temporary token.
There is a very good guide to using OAuth on hueniverse, which features an example workflow. It's not completely up to date with the latest version of the spec, although this probably doesn't matter too much for your purposes.

Different Access token every time - using Google OAuth and Authlogic

Greetings!
I have some troubles enabling OAuth authentication for my web application running on Ruby on Rails. I am using authlogic and authlogic_oauth, and that is, in the end, using the OAuth gem, and therefore I decided to ask here. So, shortly:
I successfully "register" (i.e. obtain the first Access Token for the user) but then, whenever I try to "login", I receive a different access token for the same Google Account, the authlogic_oauth plugin fails to find the user and the login crashes. Maybe I don't understand it right, but isn't the AT supposed to be the same every time? And can it be a problem that I am accessing Google from http://localhost even though the Customer keys are for a different domain?
Anyway, thanks for any reply ... I have already spent 2 days on that issue and debugging doesn't seem to lead me anywhere.
Jakub
PS: I sent that question to the Google Group oauth-ruby - sorry to anyone reading both channels.
The AT is supposed to be different every time. OAuth is not an authentication protocol, it is an authorization delegation protocol. Try using OpenID instead: http://code.google.com/apis/accounts/docs/OpenID.html
Twitter does not give out different tokens, which allows OAuth to be used as an authentication mechanism. LinkedIn doesn't do that, meaning you may only use OAuth as an authorization protocol (which is what it was intended to do).
However, there is a useful API for pulling in data from LinkedIn. Of particular interest could be the Profile API.
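The failure in this thread, shown side by side with the fix, as an added example (not code from the thread or from authlogic_oauth): a registry that keys users on the access token never finds the user again because each login returns a fresh token, while a registry keyed on the stable `id` from the userinfo response does. The tokens and userinfo responses are constructed and the userinfo call is a stand-in, so it runs offline.

```python
"""Token-keyed versus subject-keyed user lookup across two logins. Added
example; the tokens and the userinfo responses are constructed."""
from typing import Callable, Dict, List, Tuple

# Constructed: what the userinfo endpoint would return for two tokens that
# Google issued for the same account on two successive logins.
_USERINFO: Dict[str, Dict[str, str]] = {
    "ya29.token-from-first-login":  {"id": "12345678901234567890", "email": "jakub@example.com"},
    "ya29.token-from-second-login": {"id": "12345678901234567890", "email": "jakub@example.com"},
}


def fake_userinfo(access_token: str) -> Dict[str, str]:
    return _USERINFO[access_token]


class TokenKeyedRegistry:
    """The approach that breaks: the token itself is the lookup key."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, str]] = {}

    def login(self, access_token: str) -> Tuple[str, Dict[str, str]]:
        rec = self.users.get(access_token)
        if rec is not None:
            return "found", rec
        rec = self.users[access_token] = {"access_token": access_token}
        return "registered", rec  # every login with a new token looks like a new user


class SubjectKeyedRegistry:
    """The fix: the token proves access, the provider's user id proves who."""

    def __init__(self, userinfo: Callable[[str], Dict[str, str]] = fake_userinfo) -> None:
        self.users: Dict[str, Dict[str, str]] = {}
        self.userinfo = userinfo

    def login(self, access_token: str) -> Tuple[str, Dict[str, str]]:
        info = self.userinfo(access_token)
        rec = self.users.get(info["id"])
        if rec is None:
            rec = self.users[info["id"]] = {"email": info["email"]}
            outcome = "registered"
        else:
            outcome = "found"
        rec["access_token"] = access_token  # keep the latest token for API calls only
        return outcome, rec


def demo() -> Dict[str, object]:
    tokens: List[str] = list(_USERINFO)
    by_token, by_subject = TokenKeyedRegistry(), SubjectKeyedRegistry()
    return {
        "token_keyed": [by_token.login(t)[0] for t in tokens],
        "subject_keyed": [by_subject.login(t)[0] for t in tokens],
        "users_by_token": len(by_token.users),
        "users_by_subject": len(by_subject.users),
    }
```

The same rule applies to an OpenID deployment: the record is keyed on the verified claimed identifier, never on any per-session material.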
