i am developing an app for sending emails via gmail smtp. Authentication is done via oauth... is there a way to authorize access to sending email only? and not checking inbox? that way if the access tokens and consumer tokens are somehow compromised, the hacker won't be able to actually read the user's inbox which is more serious issue than sending spams i guess.
No, the scope allows full access to SMTP, IMAP and POP.
Refer xoauth2_protocol oauth_20_scopes
Related
I am building an API for my rails app. Through that API I will log users in and allow them to interact with their data.
On top of that users authentication, I will also like to make sure only my iOS app has access to the API, and eventually my own web app.
I want to make sure no one else will be using the API, so on top of the user authentication, I will like to protect my API with a token for each of my apps.
How do you usually solve this problem? Would I have to pass that token over on each call in order to authenticate that the call is coming from a valid client and identify which client it is (web vs iOS).
I will very much appreciate any pointers or if you know of an article explaining how to deal with this.
As you are already using jwt's to authenticate your user, why not just use the functionality of jwt to include additional information in the token, in this instance some form of hashed string that you can verify server side if it is a valid "client id".
On each request you could refresh the string.
Kind of dual authentication in each request. the user and the client.
A quick overview of the problem.
I have a client application that will use IDS to authorise access to a google service on behalf of the end user.
However, the client application isn't, itself responsible for talking to google. There is a Server app that does some magic with the user's data on his behalf.
Now, if I understand things correctly, the server app will use the Access Token supplied by the client app to talk to google. What happens when that access token expires? As I understand it the client application is expected to use the refresh token to as for a new access token.
Is there an issue with the server using this refresh token to update the access token? What flow am I supposed to use to make this magic happen?
A server using a refresh token to get a new access token is a valid use case.
If you're working with OAuth you can use the Client Credentials or Resource Owner flows to use refresh tokens, otherwise for OpenID Connect you'll need to use Authorization Code or Hybrid.
I am able to use the "hello.js" library, which implements the oauth2 protocol on the client, to obtain the email address for a user authenticated via a third-party app (Google and Facebook).
Of course it would be possible to send the email address to the server over HTTPS, but how can I prevent the exchange from being spoofed? That is, how can the server be assured that the email address being received from the browser is the one that was authenticated via the third-party app?
Perhaps the email address is somewhere in the message sent to the "redirect_uri", which passes thru the server on the way to the client, but if so, I can't find it. It's not in the GET or POST parameters.
Andrew Dodson, the author of "hello.js", has been kind enough to answer this question for me on Gitter. He wrote:
The client side web app needs to send the token (find it after login
with hello('facebook').getAuthResponse().access_token) back to your
server. This token can be used anywhere to make an API request to the
third party.
So the browser doesn't send the actual email address to the server. Instead, it sends the token, and then the server uses the token to ask the third-party app for the email address associated with that token.
I see that when connecting services to twitter/facebook, sometimes apps are storing the user access token in the server. What is the most common purpose of doing this? I've read several twitter/fb documents and just don't seem to get it. Twitter also has an xAuth which can basically provide you with the user 'access_token', so what is the purpose of doing this?
You don't want 3RD parties pretending to be users. You want signed transactions so that authenticity is validated.
What if some application just started posting shit on your wall? This has a pretty obvious purpose.
Your app has to provide the token when making API requests that have been approved by the user. That's what OAuth is made for.
Instead of the service storing your facebook/twitter username/password on the server (which the service shouldn't know) it stores the access_token. The access_token can be used to make requests to the API. This is the purpouse of Oauth. It will enable you to write services which uses an external api like facebook without the user ever telling you theire username/password
Is it possible to read the inbox of a user provided he/she gets authenticated via google oauth api?
Apparently Yes (from here) :
Gmail supports the standard IMAP and SMTP protocols for accessing and sending e-mail messages. The Gmail IMAP and SMTP servers have been extended to support authorization via the industry-standard OAuth protocol.