I'm using OAuth to get a user to grant me access to their Gmail IMAP account. I can successfully get an access token, and need to know what endpoint I can access to get the authenticated user's e-mail address.
And you can test this feed using Google's OAuth Playground, as I just did.
In step one, paste the scope:
https://www.googleapis.com/auth/userinfo#email
And in step six, paste the feed URI:
https://www.googleapis.com/userinfo/email
This should help in adapting the feed for use in your own application.
You can get user's username and email with endpoint: https://www.googleapis.com/userinfo/email with scope: https://www.googleapis.com/auth/userinfo#email.
Related
I know that OAuth2.0 is framework using to authorization data request between apps, but to give this access auth server is required. It is my question: who is this server? Let's say: We have two apps: Twitter and Google. I am trying to register Twitter account using Google account. And now where is this auth server? Is it Google? Or maybe it is another third server (managed by Twitter and Google together where user data is?) If it is Google, how Twitter is able to check if user token (generated by auth server [Google??]) is valid?
Thanks
On your first question,
I am trying to register Twitter account using Google account. And now
where is this auth server? Is it Google?
Yes, it's Google. If you're trying to login/register to Twitter via Google, Google is the authorization server. Because, Google has to authorize/delegate access to Twitter to access your data such as your Gmail id, username, etc.
Once you click on "Sign up with Google" button on the Twitter registration page, you will be redirected to the Google login page first (to see if you're an authenticated google user) and then Google would show you a consent page saying that "Twitter is trying to read your profile data, are you okay with this?". Once you click on "Allow" button, Google will generate an access_token, id_token, and refresh_token and pass it to Twitter.
On your second question,
If it is Google, how Twitter is able to check if user token (generated
by auth server [Google??]) is valid?
Twitter is not going to validate the tokens. Twitter can pass the token to retrieve your Google profile information from Google's Resource Server (where all your data reside)
Google's Resource Server is the one that's going to validate the token. It first checks the 'iss' claim of the token to see if the token is issued by Google's Authorization Server. Additionally, it would check for 'aud' to see if the token is issued for them (recipient of the token). Finally, it checks for the 'scope' claim to see if Twitter has the right access to request the data. For eg, they would need to request only read-only access to your profile, but not write access. There could be additional validation depending on the use case.
I hope this answers your questions.
I need to generate or make url-link with inline token, that i can send to user email for only once login.
I found how get access_token for user for redirect to my endpoint (How do I obtain an OAuth token from WSO2 using the Consumer Key/Secret?), but I don't understand what to do next. I found how validate token, refresh it, but nothing about logon by token.
I need something like https://my_wso2is/auth_token?token=37133621-f099-33c4-b686-c017ed229fc0
You can use OIDC in order to get the user authenticated and then allow access to your application. You can find more information from [1] about how WSO2 IS works with OIDC using one of the sample applications named playground.
[1] https://docs.wso2.com/display/IS500/OpenID+Connect+with+the+WSO2+Identity+Server+and+WSO2+OAuth2+Playground
I use OAuth2 authentication to gain access to the user's mail to Gmail (and Hotmail) using IMAP.
For this purpose I implemented the following steps:
Prompts the user email address.
Generate authorize url and open it in the embedded browser.
Gmail asks for email address and password from the user, and the rights required for my application.
Get access token, and the refresh token.
Form bearer token, using the email address, obtained in step 1, and access token, obtained in step 4.
Then I use AUTHENTICATE XOAUTH2% bearer_token% to get access to user's mail.
This works fine. But I do not like that the user has to enter email address twice - on 1 and 3 steps. In fact, the user can enter different email addresses on step 1 and 3 so I receive "Invalid credentials" on step 6.
So the question is: is it possible to get an email address of user whose account is being accessed? Then I can skip the step 1.
With the Google Identity Plateform, you can authenticate the user by adding the "openid" and "email" scopes to your authorization request (see this page).
When you will receive your access token, you will also receive an ID Token that contains the email of the user.
Using those scopes, you can get rid of the step 1. and retrieve the email at step 4 "Get access token, ID token, and the refresh token."
Details to validate the ID token are on this page
As #Spomky wrote, for Google we can use the additional scope "email" to get id token and extract an email address from it.
For Hotmail(Live.com) we can make an additional request after step 4:
GET https://apis.live.net/v5.0/me?access_token=ACCESS_TOKEN
So after a user has logged in with his twitter account on my website, and I got the token and secret, when he moves to other page, do I have to generate the new token and secret in order to do something e.g. get his twitter username or I can just make a simple request to api.twitter.com/1/account/verify_credentials.json appending all the data I got on the page before, and it will work?
When you got the token and secret of the user, you can make requests to twitter on behalf of that user.
So to use these token and secret for future use you should save it in some datastore along with the user's credentials. As long as you append these information to the request header you will able to make requests on behalf of twitter user without asking anymore permission from the user itself.
Reference: https://dev.twitter.com/docs/auth/authorizing-request
Cheers
I modified google consumer to use in my application scenario.
My scenario is to authenticate user on our client's website and then log them into our system. I am able to do the following:
1) Get Request Token
2) Redirect them to the client's site. User enters username and password and they come back to our URL.
After this step I cannot get the access token.
var accessTokenResponse = google.ProcessUserAuthorization(); is always null.
Our client told me that when they return back to us they don't include the verifier and signed request token. I am not sure if that is the reason why I can't get this working.
Can someone please help? I am new to this.
Thanks
If you're doing authentication then your use of OAuth is probably inappropriate. You should be using OpenID of you're authenticating via Google.
As long as you're using OAuth, yes, the verifier string is mandatory.