Trouble with Yahoo OAuth Authorization with Google / Facebook OpenID - oauth

Im having a bit of trouble figuring out how to get an OAuth access token for a Yahoo user who has created an account with Google or Facebook Sign-in. I've followed the OAuth flow described in the documentation, however this seems to only apply to users who have created a Yahoo account directly.
Has anyone else had trouble getting an access token for a user who has used Google or Facebook to sign into Yahoo?
I've looked at the OAuth + OpenID flow but I'm having trouble at the point where I should perform discovery. How would one receive an request_token for yahoo with a user who signs in via a Google OpenID?
Anyone else experienced this issue?

The only way I can see this happening is if Yahoo at some point allows Facebook and Google authentication in the OAuth authorization step. That would at least be the simplest way forward for an API consumer application.
The OAuth + OpenID flow will not help you I am afraid, it only works for Yahoo OpenIDs. I guess it could at least theoretically work for Google OpenIDs (if Yahoo implemented that), but Facebook is not even an OpenID provider.
I think Yahoo's stance on this is sound. They provide API access to users that they themselves have provisioned. I don't think you will find many API providers out there who will have a different strategy.

Related

Secure micronaut rest api with social login such as Google and Facebook login

Given that I have mobile app which integrated with Google and Facebook login, how do I use Google and Facebook authentication in the Micronaut REST API? In the future, the mobile app will allow user to register (create new account) besides social login.
Thanks for writing the following articles:
https://guides.micronaut.io/micronaut-oauth2-oidc-google/guide/index.html
https://guides.micronaut.io/micronaut-oauth2-cognito/guide/index.html
Both articles above mentioned "Micronaut extracts the JWT from the Cookie and validates the JWT signature with the remote Json Web Key Set..."
Currently, the mobile apps has the access token return from Facebook OAuth2 and Google OAuth2, can't I simply pass the access token as bearer token for authentication?
I believe I'm missing some dots here, please advise.
Appreciate if you could point me to the right direction.
Thank you very much.

Authenticate against Yammer API using Microsoft OAuth2

I have recently implemented Microsoft OAuth2 to retrieve data from the Graph API (and more). Now I wan't to integrate with some of the social functions in the Yammer API but I can't find any info whether this is possible.
It seems unnecessary for me to have to force the user to auth against two different OAuth endpoints when judging from Yammer Embed, the Microsoft SSO is enough to authenticate in (Microsoft-owned!) Yammer as well.
Maybe I'm just not understanding OAuth enough, but it does mean that I will have to authenticate first against MS OAuth2, then to Yammer OAuth2.
EDIT: Just after I posted this, I found the "Yammer impersonation" page which I missed earlier: https://developer.yammer.com/docs/impersonation
It is very short on details, is this a viable way to avoid the user actively having to sign in to Yammer?
We have a paid Microsoft service including most applications, btw.
Further EDIT: I mainly want to use the API to get some statistics on nr of likes on a post etc., not really any personal info at this point.
If you register your app with AzureAD you can require scopes for the Graph API and the Yammer API at the same time. There will be then only one OAuth flow and one consent screen.

Google OpenId and Google APIs

I was trying to achieve an openID login with google and then get an acces token to access google apis (such google plus, or drive)
The first attemp was successful but with a big problem:
Make the openId stuff, and the user is redirected to google to identify himself, then return to my app identified.
Make the oAuth stuff with google apis, redirect the user again to identify himself and cameback with a code, then exchange the code for the access token needed to call google apis.
The user needs to identify twice. That's not good.
I read and tryed the google hybrid openId and oAuth. All links there points to the deprecated oAuth1 interface, and i cant make it work, i get the user identified but not request_token to continue the oAuth stuff.
So i have a couple of questions:
Is there a way to identify the user agains google openId and at the same time get the users consent to access google apis?
Is the hybrid protocol still working with oAuth2 and new google apis?
I'm on the good way or im missing something?
I need both openId and oAuth beacouse the application needs to be in the google marketplace and is a must to login users with openId, and i need to hit some APIs that need oAuth2 access_token.
Thanks!
Why do you need to work on both OpenID and OAuth side by side, and have two login screens? If you simply use OAuth 2.0 workflow, the user needs to key in his credentials just once and you can do anything that you want to.
Once the user consents to the login/permissions screen in the OAuth workflow, your app will get an access token. If you need any client info for, say, a welcome user screen - you just need to hit the https://www.googleapis.com/oauth2/v1/userinfo endpoint with the access token and it will give you the user's public information. So, in short you can do pretty much most of the things with the OAuth flow, and with the user logging in just once.
Good luck! Feel free to follow up with more questions.
OK, finally i have a working solution, and this is the "magic" url that make the trick for me:
String url = "https://accounts.google.com/o/oauth2/auth?"
+ "client_id="+ GoogleapiAuthHelper.CLIENT_ID +"&"
+ "response_type=code&"
+ "scope=openid%20profile%20https://www.googleapis.com/auth/plus.me&"
+ "redirect_uri="+GoogleapiAuthHelper.REDIRECT_URI+ "&"
+ "state=security_token%3Dasdalskjqwo91231029";
if( userService.getCurrentUser() != null ){
url += "&login_hint=" + userService.getCurrentUser().getEmail();
}
Steps:
First of all, identify the user with openId, the users go to login screen and type his credentials.
User return idenfied to the application
Redirect the user to the URL above. The param login_hint makes that the user dosen't need to idenfity again and the response to this url is a redirection with an oAuth code, wich you can easily exchange for the desirec access token.
After reading all Google Plus API, Google Drive API, oAuth2 and openId documentation, the doc that point me to the rigth direction was https://developers.google.com/accounts/docs/OAuth2Login?hl=es
I don't know if this is the best way to achieve openId + oAuth, but it works and i cant make it work in any other way. Hope this can help someone.

Google Openid and Oauth

we have users who authenticated via the google hybrid Openid (OpenId+OAuth1 [0]) protocol. To use the newer APIs from google we have to change to oauth2 based authentication. Is there a way to know after an oauth2 login if he is one of our openid users?
the ids look very different. A userid in google_oauth2 looks like this:
12345678901234567890
and a userid in google hybrid looks like this:
https://www.google.com/accounts/o8/id?id=AItOawnlIGFin5I0F059UdqSYbK9JmA99e99ms
Is there some way to fit this together? Is there an oauth based call i could make to retrieve such an openid userid? Since we use it for login purposes i would not want to put 2 google login buttons on the login page. I can hardly imagine our users to understand this.
Is there a common strategy to resolve such issues?
[0] https://developers.google.com/accounts/docs/OpenID#oauth
Google talks about a combination OpenId/OAuth call that should do what you need. However, all the links in the document are to OAuth 1.0. So you will need to investigate to make sure it works with OAuth 2.0, since Google's deprecated the OAuth 1.0 interface.
Ok, it seems i have a way to do it. Have to implement and check but theoretically it should work like this:
send user to oauth2 login
-> if known, log him in
-> if unknown send him to openid with immediate mode
-> if successfull log him in, associate the former oauth connection
-> if error the user is unknown and will be created with his oauth token
Immediate mode could also fail if the user was not logged in with google, but since he just came back from the oauth2 dance he would have to have logged out in between which is very unlikely since he gets redirected immediately.

alternatives to accessing google reader with oauth?

I'm really new to this oauth stuff. I want to access a user's google reader liked items feed.
This blog says that oauth doesn't work (yet) with google reader. The working way seems to be to get the user's google credentials (email, password) directly, and login directly to google. This also gives me access to the rest of their services.
Is there a better way? I sure hope so, because ClientLogin is captchad. Not to mention I don't want the user to have to trust me with their google credentials.
Yes, there is a way ... but you still need the user's Google credentials to access the API. On the server-side, you can GET a secure token and authentication key ... these are then passed along with GET and POST requests to the Google Reader API to do whatever you want.
Here's a fairly robust C# tutorial (read the comments to make sure you're doing authentication right).
Here's an open-source PHP library that partially implements the Google Reader API without oAuth.
Authentication to Google Reader with Oauth is now available.

Resources