Hi I want to expose API of my web application to the developers so that they can build application on top of my API.
I want to develop it same as twitter does that means I want to build Consumer key,Consumer secret,Request token URL,Authorize URL,Access token URL,Callback URL,Access token,Access token secret.
I know some basics of Oauth that is first we have to generate request token. the request token then gets autherized on successful login by user. Then we can exchange autherized request token with access token.
I want to implement all this in my rails application. But not getting how to start with. I don't have any previous exprience on building and exposing API so any guidelines will be greatly helpful.Thanks in advance
Something like this should help:
http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider
Related
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and everytime I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the cruicial information I need in my API in the id_token. The question is, what exactly should i send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused..
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow on questions ..
I have been researching oauth2 for a while now and haven't come up with the perfect solution and wanted to see if anyone else has done this before. Currently I have two applications inside of one code base. The only thing these applications share is authentication. What I am looking to do is to create a third application for the oauth2 server. Then I want to separate the existing applications into two applications. Trying to follow how Google handles their oauth stuff. So the domains would be something like this.
http://accounts.domain.com
http://app1.domain.com
http://app2.domain.com
I found some good information in these two posts about doorkeeper and devise. Currently I am using devise so that makes that part easier.
https://dev.mikamai.com/2015/02/11/oauth2-on-rails/
https://dev.mikamai.com/2015/03/02/oauth2-on-rails-the-client-application/
So each of these applications app1 and app2 will have API's that the use will need to be authenticated against.
So I have the following questions.
If app1 needs to validate with accounts sub domain does that mean from an API perspective I need to call the oauth2 server application on each request? That seems like a lot of overhead. Is this the way that Google does it or do they have some trick?
Would app1 and app2 each be responsible for their own session timeout? What happens if app1 session is valid but the user deleted their accounts directly by going to the auth2 server application?
If app1 and app2 are responsible for session then would they also want to call back to accounts oauth2 server to validate the user still exists?
I'm trying to flush all of this out and haven't found a good example of how this would work when the oauth clients are actually API's plus they are web apps too. Maybe I am over thinking it too and that making the extra call for each API request is the way.
Any help or tutorial on this would be greatly appreciated.
The OAuth 2.0 Authorization Framework provides five grant techniques:
Authorization code grant
Implicit grant
Resource owner credentials grant
Client credentials grant
Refresh token grant
I believe our discussion is about Client credentials grant (I think google uses it generally).
Let's try to understand this flow chart:
So, here in the step [E]:
Steps (C) and (D) repeat until the access token expires. If the
client knows the access token expired, it skips to step (G);
otherwise, it makes another protected resource request.
It means it actually does not hits Authorization Server on each request. It only hits authorization server when client found that token is expired. So, if our deletes itself, it makes the token expired!
Maybe these document could help you more:
https://www.rfc-editor.org/rfc/rfc6749
https://alexbilbie.com/guide-to-oauth-2-grants/
Cheers!
For my current work project we're trying to use OAuth to secure a mobile API, but the app doesn't have user accounts, so authentication would take place invisibly from the user, where the app will send up some secrets to the server and receive the token to be used for subsequent web service calls. The problem is, all the libraries and tutorials I can find implementing OAuth follow this pattern:
Present a web view allowing a user to login
Receive a callback to a custom URL scheme, and parse the necessary information to authenticate future web service calls
How do I achieve this without the webview step? I should be able to make an HTTP request directly with the correct credentials which will return the necessary authentication details.
The app will use OAuth 2.0
It is not clear what do you mean by
the app doesn't have user accounts
If you want to call some API on behalf of user you should ask him for a password. Doing it in webview or not depends on provider implementation. For example, twitter doesn't force you to do that.
In other case, if you want to call service on behalf of client, take a look at this answer: https://stackoverflow.com/a/7477112/2283405
If the app doesn't require "personalised" or "user-specific" data to be manipulated, then you can probably try using "client-credentials" grant type to obtain access tokens using the application credentials granted upon the application registration process by the Authorisation Server (for e.g.: OAuth server) that's there in your environment. The idea is that, your app is what basically authenticates with the Authentication Server for you using the aforesaid credentials (i.e. Client Consumer Key and Client Secret Key).
NO, you have to do login compalsary. if you try without. it won't be possible.
I'm using Omniauth to link API with users. Currently I have my site's token and secret in the omniauth.rb file. How can I grab that data for API GET requests? If I can't, where should I store it and how should I retrieve it?
Thanks
I presume you're not familiar with OAuth itself. In order to implement your API interactions effectively, I advise you to read Beginner's Guide to OAuth.
Basically, you're going to register your consumer application in provider application. During that process, you will obtain a secret token, associated with your consumer app. Using that token to identify your consumer application, provider will generate access token for each subsequent request. These tokens are short-lived and basically allow only one requrest to API.
I am trying to do a Twitter connection using a webview in the excellent Appcelerator Titanium. I know there is a great library from David R out, but I do not want to use a popup and I feel that I need more control over the flow.
My question is: During the authentication flow I need to get an oauth_token which (in my knowledge) is a combination of the consumer key and other values. How can I do this? How can I generate this token so that I can continue the process?
I am of course using Javascript.
Thankful for all input!
It is a multi-step process based on the OAuth 1.0 specs, you can find the details at <http://oauth.net/core/1.0/>
Before doing anything, you will need to register an application with Twitter and they will provide you with a Twitter API Key and a Consumer Token (Key and Secret).
For the next steps, I highly recommend you use OAuthConsumer or some other library, but the steps include generating a proper request to get a "Request Token" from <https://api.twitter.com/oauth/request_token>
then using this Request Token, you need to request the user to authorize your application using <https://api.twitter.com/oauth/authorize?oauth_token=REQUESTTOKENKEY>.
This last step provided you with a Request Verifier allowing your application to make the final request for a permanent Access Token from <https://api.twitter.com/oauth/access_token>.
When you receive the Access Token, you should store a copy somewhere so the user does not have to re-authenticate your application every time (unless that's what you desire). This Access Token does not expire until the user specifically removes the access rights of your application from his Twitter profile. Make sure to store the entire Access Token, meaning storing both the Key and the Secret.
Good luck!