I am trying to do a Twitter connection using a webview in the excellent Appcelerator Titanium. I know there is a great library from David R out, but I do not want to use a popup and I feel that I need more control over the flow.
My question is: During the authentication flow I need to get an oauth_token which (in my knowledge) is a combination of the consumer key and other values. How can I do this? How can I generate this token so that I can continue the process?
I am of course using Javascript.
Thankful for all input!
It is a multi-step process based on the OAuth 1.0 specs, you can find the details at <http://oauth.net/core/1.0/>
Before doing anything, you will need to register an application with Twitter and they will provide you with a Twitter API Key and a Consumer Token (Key and Secret).
For the next steps, I highly recommend you use OAuthConsumer or some other library, but the steps include generating a proper request to get a "Request Token" from <https://api.twitter.com/oauth/request_token>
then using this Request Token, you need to request the user to authorize your application using <https://api.twitter.com/oauth/authorize?oauth_token=REQUESTTOKENKEY>.
This last step provided you with a Request Verifier allowing your application to make the final request for a permanent Access Token from <https://api.twitter.com/oauth/access_token>.
When you receive the Access Token, you should store a copy somewhere so the user does not have to re-authenticate your application every time (unless that's what you desire). This Access Token does not expire until the user specifically removes the access rights of your application from his Twitter profile. Make sure to store the entire Access Token, meaning storing both the Key and the Secret.
Good luck!
Related
As I am planning to have OAuth or OWIN JWT Bearer token for my authentication, I have following requirements for which I dont know the solution or grant type to suggest. I would appreciate a small example code especially how a payload will look like and claims will look like AND the Grant Type I should have for this below:
I have angular 8 UI which asks for Username/password (Azure AD Authenticated)
User logs in, then should have facility to copy paste the URL (In session) to another tab or new browser.
User when working (Its a call center case manager and so uses session for long time), the token shouldn't expire while he/she works. I studied that token will expire on time we set and no way to control this. Now, unless we have "Refresh" token, we can't achieve this, i.e user should have seamless experience to continue task even if token expires as refresh token should be used (Or whatever the mechanism).
If I use refresh token, then only authorization code grant type is possible where userID/password not safer. If I choose "Impliit" grant type, no refresh tokens available in this.
I am not sure how to achieve all points above. Please guide
In case of implicit grant flow , the SPA has to send a request in hidden iframe to get the token refreshed. Base on valid browser session the application request for refreshed token access.
For Azure AD, You should be using microsoft-authentication-library-for-js , and this library provide this feature out of box using acquireTokenSilent method.
I would highly recommend going through implicit grant flow document and you will get very good understanding. Implicit Grant Flow
I am not sure you can find complete example but i can give you few links with code samples and all of them would make up complete example. Also i can't see any Angular 8 Library , the given library is for Angular 6,7 but probably same can be used for Angular 8 as well.
For Angular you might have to use this library microsoft-adal-angular , and Example How to use microsoft-adal-angular
In the given link you can find how to refresh the token as above example is missing that part. Refresh Token Code
I am building an API for my rails app. Through that API I will log users in and allow them to interact with their data.
On top of that users authentication, I will also like to make sure only my iOS app has access to the API, and eventually my own web app.
I want to make sure no one else will be using the API, so on top of the user authentication, I will like to protect my API with a token for each of my apps.
How do you usually solve this problem? Would I have to pass that token over on each call in order to authenticate that the call is coming from a valid client and identify which client it is (web vs iOS).
I will very much appreciate any pointers or if you know of an article explaining how to deal with this.
As you are already using jwt's to authenticate your user, why not just use the functionality of jwt to include additional information in the token, in this instance some form of hashed string that you can verify server side if it is a valid "client id".
On each request you could refresh the string.
Kind of dual authentication in each request. the user and the client.
So I have an application that currently logs the user using linkedin. We are using several oauth services to register and login the user into our application, however we do need to validate the authentication in our own server to make sure any requests to our API are valid.
Currently the linkedIn SDK is not functional in our application due to minimum API level restrictions, so we are using a different library (LinkedIn-J), I am able to retrieve the user access token and secret, I cannot find any reference as to validate them in the server.
How can we go around to making this work? Is it even possible to achieve such a thing?
Thank you very much.
LinkedIn does not have a token validation endpoint. Your best bet is to make a simple non-destructive call like https://api.linkedin.com/v1/people/~ and watch the response to determine whether the token is still valid.
Goal
Fetch a company's updates save them locally in a background task
Problem
This should be done as a backend service without any real user interaction. We could provide a user account to use, but the authentication is a problem: There is literally no one to answer the OAuth redirect and there is no public redirect URL to configure, since it's a background service.
Is there any way to access the API without having a redirect URL or a real user?
You can get an initial access token in a regular front end flow, for you as the app developer i.e yourself as the LinkedIn user. Once you've got that, you can store it in the backend and use it for 60 days to get access to the LinkedIn APIs.
After 60 days you need to refresh the token as documented in:
https://developer.linkedin.com/documents/handling-errors-invalid-tokens
Unfortunately LinkedIn does not (yet) support an autonomous refresh flow where your app can get a new access token by presenting a refresh token on a backchannel. So the developer will have to refresh the access token by a manual login every 2 months.
Well, it is still all HTTP and HTML, so in fact there is no real reason to show the OAuth dialog to a user, as long you can strip out the necessary parts in the HTML authentication dialog and send a valid response back to the server, using the username and password from the user (which you can obtain from him, or save it yourself in a config file if it is you).
Note that there might be a legal issue if LinkedIn demands you to actually show the dialog, beside that, there is no technical need.
So I've got OpenID+OAuth hybrid working with DotNetOpenAuth when connecting to google. It gives me back a Authorized token so I need to exchange it for an access token.
I seem to be coming in about midway through a normal OAuth workflow in DotNetOpenAuth. I also seem to be missing somethings that DotNetOpenAuth wants like the the token secret and verifier. However according to the graph here I shouldn't need them.
Any ideas how to easily swap the auth token for an access token with DotNetOpenAuth?
Since you're talking about the OpenID+OAuth hybrid I expect you're writing a web app (as opposed to an installed app). DotNetOpenAuth should only be asking you for a verifier code if you're using the DesktopConsumer class, which is inappropriate for you. Use the WebConsumer class instead and the verifier will be taken care of for you. Swapping the request token for an access token will be automatic as you call the simple methods on WebConsumer, I hope.
As for the token secret, all token secrets are managed by your implementation of ITokenManager, which will save and retrieve token secrets on demand within your database.