I've seen this Two legged OAuth using DotNetOpenAuth but it doesn't provide any details on how to remove one of the legs.
I am finding the code quite hard get my head around (using DotNetOpenAuth 4.0). Can anyone give me any pointers on how to modify the samples to do a two-legged auth?
From the service provider, it is a simple matter of authorizing the request token immediately before before returning what normally is an unauthorized request token. Since the service provider already has to provide code to generate and store request tokens, this should be straightforward.
From the consumer, it's simply that you skip the redirect step. There's a sample of this in the OAuthConsumer samples' GoogleApps2Legged.aspx code-behind.
Take a look at this post, it explains how to implement a 2 Legged OAuth using DotNetOpenAuth 4 with a Google Apps consumer key + secret.
Google Calendar V3 2 Legged authentication fails
Hope it will helps you :)
Related
I am creating new product. for that I have to use available security features. should I use Oauth2 or Json web token? which is better and in which situation these should be used?
I think you may find your answer in using org.apache.oltu.oauth2.
https://www.programcreek.com/java-api-examples/?api=org.apache.oltu.oauth2.client.request.OAuthClientRequest.AuthenticationRequestBuilder
You can see an implementation for oauth and openID here oauth server and resource server
Just to explain what they are,
oauth server creates the tokens
resource server uses that token and processes it to give you the requested data
You can also go through the following docs to understand what they mean and how to implement them,
sample implementation in java , oracle tutorial on the concept of tokens
If you want to do google API auth then you can go through this
I also found this stackoverflow link which is sort of similar question and has shared few of similar links. You should check that out as well.
When I am trying to understand OAuth2 client, I am confused about why we have two different filters
I attempted to integrate with Github. Here are my observations
OAuth2AuthorizationCodeGrantFilter sound like a filter that exchanges authorization code for access token, but when I keep debug point it does not do that
OAuth2LoginAuthenticationFilter sounds somewhat like it does login somehow, but this filter exchanges auth code to access token instead of above
I'm not sure why this is the case, as the first class name implies some strong correlation to authorization code
Also, Whats is the difference between OAuth2LoginConfigurer & OAuth2ClientConfigurer
Looks like OAuth2LoginConfigurer configures OAuth2LoginAuthenticationFilter, while OAuth2ClientConfigurer configures OAuth2AuthorizationCodeGrantFilter
Can someone explain what each of them does & in which scenarios they are applicable?
Thanks
This is well documented in the Spring Security reference.
OAuth 2.0 Login
OAuth 2.0 Client
As well, in the javadoc:
OAuth2LoginAuthenticationFilter
OAuth2AuthorizationCodeGrantFilter
At a high level:
http.oauth2Login() is an implementation of OpenID Connect Authentication using the Authorization Code Flow
http.oauth2Client().authorizationCodeGrant() is an implementation of OAuth 2.0 Authorization Code grant
I am trying to understand in what scenarios I should be using oauth. From reading the spec, I understand that you are essentially delegating identification to a 3rd party.
So if we take the example stackoverflow's login page you get
Oauth2 is being used for google and facebook, how do I determine what stackoverflow is using (when entering username and password directly)? Would that also be oauth 2? If it is using oauth, how would I go about understanding which flow they use?
Your question is a little unclear but what I think you're asking is if SO or some other site uses oAuth for all their authentication schemes. They could. If they using oAuth with user password authentication when you authenticate, the response you get back should have an Authorization Token and a Refresh Token in it that you would then use to authenticate on each successive request. Hope this helps. oAuth isn't a technology it's a protocol on how to do authentication in a better way.
See what is the request URL when you click to log in with gmail...
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com%26scope%3Dprofile%2Bemail%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google%26state%3D%257B%2522sid%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5%2522,%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode%26from_login%3D1%26as%3D-8520e47ae71bbb4&oauth=1&sarp=1&scc=1#identifier
Does that auth2 means oauth 2 ? I think so
UPD: As I understand OAuth mechanism is supported by 3-rd part. SO could use their own oauth for direct enter, or standard auttentication. It is up to SO.
To keep it short and easy:
If you want to add authentication to your application and you want to leave some security heavilifting to big companies like Facebook, Google and Stackoverflow it is generally a good idea if you do not know precisely how to handle such a delicate task and/or you are not using a specific Auth tool / framework.
On the other hand, from the user perspective, the application will be far more user friendly (just one click authorization instead of a painful registration).
If you want a much more detailed technical explanation I suggest you to read this other Stackoverflow post:
OAuth 2.0: Benefits and use cases — why?
Lately I have been reading lots regarding the OAuth (Open Authorization) protocol. I have come to understand following points:
OAuth 1.0A :
It uses digital Signature (mitigates the phising) and recommends the use of TLS/SSL (mitigates the man-in-middle-attack) and practically all those Service Providers using OAuth 1.0A are using TLS/SSL. Due to implementation of digital signature and TLS/SSL, OAuth 1.0A is more secure, forgiving the hard times of getting digital signature correct. Yet many had implemented OAuth 1.0A -the paradox.
OAuth 2.0:
This is relatively new, but entirely non-compatible with the earlier one (i.e OAuth 1.0 (A) ), does not use digital signature due to the hard times faced in getting it correct 100% instead it uses SSL/TLS and bearers token (i.e the holder of the token can do anything). Best thing about OAuth 2.0 is that it has differentiated the different grant flows which in OAuth 1.0 is all merged together. And non-interoperability is yet another issue with the OAuth 2.0 (i guess it will lead to more division..just my guess).
In many ways I find OAuth 1.0A is better than OAuth 2.0, from what I have learnt so far. Now can anyone shed some light on this, why OAuth 2.0 is encouraged when OAuth 1.0A is better (better in the sense that it is more secure).
Thanks.
There's a funny thing about your last statement. "Better in the sense that it is more secure"
That was exactly the OAuth problem. They made it so complex and secure that many people/apps cant just use it. OAuth 2.0 is not as secure but it was made to be easily handled.
I'm building a web app which will have an api and an authorization service using DotNetOpenAuth. I found this example on how you can authorize using a service provider that already exists but I would like an example on how to implement a service provider that can create tokens, persist them and do evaluation. Is there any great articles or sample providers that I can download?
Update
DotNetOpenAuth has moved on since this was initially posted. I strongly suggest you follow Ashish's advise and take a look at the samples. It contains code to write Authorization Servers, Resource Servers and Clients for all the major flows.
If you wanted a pre built solution, with opensource code
Thinktecture Identity Server is an Open Source .NET security token service. It supports a number of endpoints for authentication including OAuth 2.0 Bearer tokens.
Update this Thinktecture Identity Server is now on version 2 and supports these OAuth 2.0 flows
Resource Owner Password Credential Flow
Implict Flow & JavaScript
Authorization Code Flow
again take a look at the code to see how it was all done and there are samples here to show how to plumb it in.
I hope this helps - these library's and examples have hugely helped us over the past few months.
Update
There is also another example warning, it looks dated of a simple OAuth provider for MVC here Sample code here
There are complete working example for DotNetOpenAuth can be found here - https://github.com/DotNetOpenAuth/DotNetOpenAuth/tree/master/samples
I tried a number of times with DNOA....had to give up, but documented my findings (used Thinktecture in the end)...http://tb-it.blogspot.co.nz/2015/06/oauth-20-frameworks-and-platforms.html