Now that we have the OAuth and OAuth2 protocols for various services like Facebook, Twitter, etc., I would like to know if it is possible to detect which service uses which OAuth version from the backend programming and hence proceed to use the best suited OAuth 1 or OAuth 2 class library for the OAuth flow?
Thanks.
You have to read each service provider's (Facebook, Twitter, etc.) API documentation and decide based on that.
I read this article.
Gmail can't be used in a third-party component without using OAuth 2.0?
Should a personal account also use OAuth 2.0 when using a third-party library?
If you are using Gmail or any other Google API you should be using the OAuth 2 flow to ensure a more secure scenario.
For your actual questions: yes, you need to use the OAuth flow to authenticate to any Google API as required; the link you posted about Less Secure Apps already says that they will be deprecated soon and are pretty much discouraged.
My question is quite simple: if you want to integrate social media OAuth 2.0 you have to add the callbacks to an application for that specific social media platform, such as FB/LinkedIn. Afaik, there's no way to add these callbacks through an API of some sort, correct? Meaning that if I want to add, say, 100 callback links to FB, I'd have to add them manually?
To my knowledge, you're correct; it would be a manual process. There are a few specifications that would allow more programmatic control of this registration information, but the specific provider you wanted to use would have to support them or a custom approach, and again I don't think Facebook does. For reference purposes:
OAuth 2.0 Dynamic Client Registration Protocol
OAuth 2.0 Dynamic Client Registration Management Protocol
Another possibility would be to go through a mediator that integrates with the providers you need to support and that can act as a provider on its own, while at the same time allowing you to configure the redirects in a programmatic way.
Disclosure: I'm an Auth0 engineer.
An example of this would be Auth0; it integrates with Facebook and LinkedIn, but then allows your custom application to talk directly with Auth0. The benefit is that you configure the Facebook and LinkedIn integration once with a single redirect URL and can then use that configuration across multiple applications.
Since Auth0 exposes OAuth2/OIDC endpoints you would still talk the same protocols, but could now leverage the Auth0 Management API to perform programmatic administration of the OAuth2 client application registration information, including the dynamic registration of redirect URLs. If you use FB or LinkedIn purely from an authentication standpoint this is a really straightforward approach to achieve your requirements. If you required the access tokens from FB to then make calls to their API on behalf of the user, although still possible with Auth0, you have a bit of overhead, as these tokens would not be automatically available to your custom applications.
I constantly get confused by OpenID Connect and OAuth2. I read this article and got the sense that Google is using OpenID Connect https://auth0.com/docs/oauth-web-protocol (but I remember Google used OAuth2 for providing auth services to 3rd parties); see the following quote:
Auth0 supports the OpenID Connect / OAuth2 Login protocol. This is the protocol used by companies like Google, Facebook and Microsoft among others so there are plenty of libraries implementing it on various platforms.
Moreover, the above URL seems to say Auth0 is using OpenID (rather than OAuth)? See the following quote:
GET https://YOUR_NAMESPACE/authorize/?
response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=http://YOUR_APP/callback
&state=VALUE_THAT_SURVIVES_REDIRECTS
&scope=openid
http://openid.net/specs/openid-connect-basic-1_0.html
OpenID Connect is basically authentication built on top of OAuth 2.0.
OAuth 2.0 by itself didn't standardise authentication (just authorization) and the confusion you have likely comes from the fact that each of the companies that are now switching to OIDC previously had already poured their own "authentication sauce" on over their OAuth 2.0 implementations. In practice this meant that each had their own set of scopes and their own version of what is a standard /userinfo endpoint in OIDC, but the authorization mechanism in all cases (including OIDC) is based on OAuth 2.0.
To wrap up by answering your question: Yes, both of the endpoints you mention support OpenID Connect.
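As an added illustration of the request quoted above (this is example code, not Auth0's or the article's), the Python below builds that authorization request with scope=openid and checks the state value when the provider redirects back; the ISSUER, CLIENT_ID and REDIRECT_URI values are the placeholders from the quote, and the callback URL in the test is constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders taken from the quoted request; a real deployment substitutes its own.
ISSUER = "https://YOUR_NAMESPACE"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "http://YOUR_APP/callback"


def new_state() -> str:
    """Unguessable per-login value; the server keeps it in the user's session
    so it 'survives redirects' and can be compared on the way back."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scope: str = "openid") -> str:
    """Build the OAuth 2.0 authorization-code request from the quote.
    With scope=openid the same request is also an OpenID Connect
    authentication request, so the provider will issue an ID token too."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": scope,
    }
    return f"{ISSUER}/authorize/?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to REDIRECT_URI and return the code.
    Rejects a missing or mismatched state (the CSRF check the state
    parameter exists for) and surfaces a provider error instead of a code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected redirect_uri")
    query = parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```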
I am building a RESTful API and want to protect my APIs. I am thinking of implementing OAuth, but as per my knowledge OAuth is suitable only when we are exposing our API to third-party applications. I am not exposing my API to third-party applications.
I want to know whether implementing OAuth is suitable for this or not?
Thanks,
Sanjay Salunkhe
I would like to use OpenID to unify logins across projects that my group is working on. One of the projects may need to be an OAuth provider in the future so that users can sync data with other sites as well. Is it possible to set up an OAuth provider that uses OpenID for authentication?
Yes.
Not sure which version of OAuth you are talking about here. But basically it would entail making the OAuth authorization step into an OpenID process which, when successfully completed, resumes the OAuth process.
NB: OAuth is primarily for authorization of third party applications, OpenID is for user authentication. There is nothing impossible about mashing up the two, they are in essence dealing with different problem domains.
Basic Authentication (OpenID) and OAuth both require your permission, but there is an important difference. With Basic Authentication, you provide your username and password for the app to access the application, and the application has to store and send this information over the Internet each time you use the app. OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials).
It doesn’t mean to say we cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are. They should work great together.
Here is an example (OpenID+OAuth Hybrid protocol) to make you aware of how to use the hybrid protocol.
Twitter and Facebook now work on OAuth only, while
Google and Yahoo work on OpenID as well as OAuth.