I want to use BaseCamp API in my ipad application. I will ask user to enter username and password but each request requires authentication token. Please tell me how to get user token having username and password of user.
Please help.
Related
This FreeRadius module authenticates an Azure AD user using his/her username & password based on OAuth2:
free-radius-oauth2-perl
I would like to achieve the same process but authenticating Google accounts instead. Specifically, Google accounts managed through GSuite (now: Workspace). For Azure, there is a "token_endpoint" URI which you can use to send the user's name and password and it will return a token if the user is valid and the password is correct.
For Google, I found this: Google OAuth OpenID
But it states that the only implemented grant_type is authorization_code which is not what I need (I need password)
I also looked at the Admin SDK for Workspace but I only found a signOut method, not a signIn or similar.
Any idea how to validate that a Google account exists and its password is correct?
I implement an authentication following OAuth 2.0(Resource Owner Password Credentials Grant). Should I invoke user when the user changes the password?
In this Resource Owner Password Credential Grant, you need not to revoke the user when he changes the password. The reason is whenever the user changes the password the authorization server will get updated with the new password and when the user logs in the next time after changing the password the new password will be matched for the user and the token will be granted only if the password matches. I think the token provided while changing the password need not get revoked as well as it was granted with the correct client credentials.
The only thing is when the user logs out the next time we need to make sure that the password is updated in the authorization server and token is granted against the new password.
I use OAuth2 authentication to gain access to the user's mail to Gmail (and Hotmail) using IMAP.
For this purpose I implemented the following steps:
Prompts the user email address.
Generate authorize url and open it in the embedded browser.
Gmail asks for email address and password from the user, and the rights required for my application.
Get access token, and the refresh token.
Form bearer token, using the email address, obtained in step 1, and access token, obtained in step 4.
Then I use AUTHENTICATE XOAUTH2% bearer_token% to get access to user's mail.
This works fine. But I do not like that the user has to enter email address twice - on 1 and 3 steps. In fact, the user can enter different email addresses on step 1 and 3 so I receive "Invalid credentials" on step 6.
So the question is: is it possible to get an email address of user whose account is being accessed? Then I can skip the step 1.
With the Google Identity Plateform, you can authenticate the user by adding the "openid" and "email" scopes to your authorization request (see this page).
When you will receive your access token, you will also receive an ID Token that contains the email of the user.
Using those scopes, you can get rid of the step 1. and retrieve the email at step 4 "Get access token, ID token, and the refresh token."
Details to validate the ID token are on this page
As #Spomky wrote, for Google we can use the additional scope "email" to get id token and extract an email address from it.
For Hotmail(Live.com) we can make an additional request after step 4:
GET https://apis.live.net/v5.0/me?access_token=ACCESS_TOKEN
I am building an OAuth server and understand the concept of the "Resource Owner Password Credentials" grant method. The user supplies a username and password and the grant_type is set to "password".
However, when the users authenticates using a social network such as Facebook, what grant_type should be specified and what is the suggested flow for handling this type of authentication?
The grant_type would be similar to password, but instead checking the username and password I would be checking the user_id returned from the social network.
I have checked the standard but it does not mention this type of flow.
How should an OAuth server authorize against another OAuth server?
There are different implementations about this. Most of the websites doesn't need any grant_type however, some of them are still using grant_type as password. When the user connects to facebook (installs your facebook app), if the user needs to be registered you can assign him/her a random password or you can still ask the user to register with password. So, the grant_type will be password still.
I have an API and a Web app working with Rails and Devise gem for authentication.
With Devise and Omniauth I can make the Signup with facebook and Login with Facebook through the web site.
I have my API protected with token_authenticable and a TokensController, so when you want to interact with my API first you have to pass to the TokensController your username and password and it will give you a valid token, my problem is what happen when the user is sign up with facebook, Shall I pass to the TokensController the username and the facebook token to generate the token? are there some standard way to do this?
Thanks for the comments.
In my opinion you can pick whatever you want, as long as it fits your criteria:
it's secret
it's retrievable for you
it has a minimum security (not just '123pw')
So you have two similar options:
Use the Facebook Token as 'password'
Use the password generated by Devise
Normally you generate a password when creating a Facebook user with Devise. I guess you have code like :password => Devise.friendly_token[0,20] in your User.create-call?
The encrypted password is normally 60 characters, the Facebook token can have up to 255 characters. So I personally would pick the Devise generated password. It's long enough to be safe and you don't depend on an API to retrieve it.
Thanks for the comments; After thinking which one would be the best option, Here is what I finally did:
Note: I separate the code in client and server side(API)
Client Side:
Get the Facebook token and the Facebook user ID for a certain user.
Call the API method Create method from TokensController, with the parameters I got above.
Server side:
I receive the Facebook token and the Facebook User ID.
Using the Facebook Token I get the Facebook User ID from the API.
I validate that the receive UID from the request and the Facebook UID are the same.
If the UID are the same I generate a random token for my app and I return it in the response.
Note: All the communication is done via HTTPS.