Different Access token every time - using Google OAuth and Authlogic - oauth

Greetings!
I have some troubles enabling OAuth authentication for my web
application running on Ruby on Rails. I am using authlogic and
authlogic_oauth and that is, in the end, using OAuth gem and therefore
I decided to ask here. So shortly:
I succesfully "register" (i.e. obtain the first Access Token for the
user) but then, whenever I try to "login", I receive a differenct
access token for the same Google Account, the Authlogic-oauth plugin
fails to find the user and the login crashes. Maybe I don't understand
it right but is not the AT supposed to be the same every time. And can
it be a problem that I am accessing Google from http://localhost even
though the Customer keys are for different domain?
anyway, thanks for any reply ... I spend already 2 days with that
issue and debugging doesn't seems to lead me anywhere
Jakub
PS: I sent that question on Google Group oauth-ruby - sorry to anyone reading both channels

The AT is supposed to be different every time. OAuth is not an authentication protocol, it is an authorization delegation protocol. Try using OpenID instead: http://code.google.com/apis/accounts/docs/OpenID.html

Twitter does not give out different tokens which allows OAuth to be used as an authentication mechanism. LinkedIn doesn't do that meaning you may only use OAuth as an authorization protocol (which is what it was intended to do).
However, there is a useful API for pulling in data from LinkedIn. Of particular interest could be the Profile API.

Related

Using OAuth to secure my own API and getting confused over Authorisation

I'm trying to get my head around OAuth from the context of having an API that I want to secure and a javascript based single page app made in Vue.js that will consume this API. I've been told that OAuth is the industry standard for this type of thing.
I want to let other clients like a mobile app also use the same API.
From what I can gather the right flow is Authorization Code Flow with Proof Key for Code Exchange (PKCE) https://oauth.net/2/pkce/
The bit I am confused over is how I seem to need to get users to approve access. For example you don't have Twitter saying "Would you like Twitter to use Twitter". If I was in the position of people using the account to create another account I wouldn't have any confusion but when the client is your own website what is supposed to happen?
I can sort of imagine that I could automatically approve the website or just bypass the part where the user approves but then I feel like I'm going off script. Then I think to myself, have I completely got the wrong end of the stick- is OAuth not designed for this?
If anyone can see where my ignorance is I'd be more than happy to be corrected!
Thanks!
OAuth and OpenID Connect enable you to authenticate users in many ways, for web and mobile clients. Each app implements a code flow and redirects to an authorization server (AS).
Each client is configured with an entry in the AS, and consent can be disabled when required. It is typically only enabled when personal assets are involved. Eg to grant a security code scanning service access to my GitHub repositories.
From asking around a bit and reading a bunch more found searching for "first party" providers: it is okay to just have the main website bypass the bit where they approve access and just send over the token.

Authenticate into Twitch API using a given token

i am currently searching for a way to login into the Twitch-API using an already given id-token (oauth or even better oidc) with or without a NodeJS backend.
Background: I am using firebase connecting to various services next to Twitch-API such as Youtube (Google API), Twitter and Co. I want to use my id-token for each service.
The official documentation doesn't tell if that is possible or maybe i just couldn't find it.
Hopefully there is a solution just not yet documented.
I will struggle with the same problem using the other services aswell.
Thanks alot
You absolutely would need to create your own OAuth token as it is tied to the same Client-ID as the account that generates it.
https://dev.twitch.tv/console
Authentication has it's own flow and endpoints with the way kraken v5 and helix work.
https://dev.twitch.tv/docs/authentication
With the latest changes to the API everything now requires both the Client-ID and OAuth before it will return the requested values.
https://discuss.dev.twitch.tv/t/requiring-oauth-for-helix-twitch-api-endpoints/23916
I'm not sure exactly what "id-token" is but i'm going with "twitch-user-id and access-token".
If you have a valid access token, you have access to whatever the scopes were defined when that token was generated, you can update the token with the refresh token if you need to.
You would need to supply the Client-ID of the application the token was generated for aswell.
Unless "id-token" is meant for a different system.

oauth2 strategy with ruby on rails with many clients that have an API

I have been researching oauth2 for a while now and haven't come up with the perfect solution and wanted to see if anyone else has done this before. Currently I have two applications inside of one code base. The only thing these applications share is authentication. What I am looking to do is to create a third application for the oauth2 server. Then I want to separate the existing applications into two applications. Trying to follow how Google handles their oauth stuff. So the domains would be something like this.
http://accounts.domain.com
http://app1.domain.com
http://app2.domain.com
I found some good information in these two posts about doorkeeper and devise. Currently I am using devise so that makes that part easier.
https://dev.mikamai.com/2015/02/11/oauth2-on-rails/
https://dev.mikamai.com/2015/03/02/oauth2-on-rails-the-client-application/
So each of these applications app1 and app2 will have API's that the use will need to be authenticated against.
So I have the following questions.
If app1 needs to validate with accounts sub domain does that mean from an API perspective I need to call the oauth2 server application on each request? That seems like a lot of overhead. Is this the way that Google does it or do they have some trick?
Would app1 and app2 each be responsible for their own session timeout? What happens if app1 session is valid but the user deleted their accounts directly by going to the auth2 server application?
If app1 and app2 are responsible for session then would they also want to call back to accounts oauth2 server to validate the user still exists?
I'm trying to flush all of this out and haven't found a good example of how this would work when the oauth clients are actually API's plus they are web apps too. Maybe I am over thinking it too and that making the extra call for each API request is the way.
Any help or tutorial on this would be greatly appreciated.
The OAuth 2.0 Authorization Framework provides five grant techniques:
Authorization code grant
Implicit grant
Resource owner credentials grant
Client credentials grant
Refresh token grant
I believe our discussion is about Client credentials grant (I think google uses it generally).
Let's try to understand this flow chart:
So, here in the step [E]:
Steps (C) and (D) repeat until the access token expires. If the
client knows the access token expired, it skips to step (G);
otherwise, it makes another protected resource request.
It means it actually does not hits Authorization Server on each request. It only hits authorization server when client found that token is expired. So, if our deletes itself, it makes the token expired!
Maybe these document could help you more:
https://www.rfc-editor.org/rfc/rfc6749
https://alexbilbie.com/guide-to-oauth-2-grants/
Cheers!

iOS authentication to web server

OK. So i need some guidance as I am a total iOS authentication noob.
I have a simple app. Users can login to the app, and send messages to friends. There is a web server and a MySql Database that holds the users and login information.
Question: How do I authenticate a user when he logs in safely and securely?
I have spent the last several hours hurting my brain on the following authentication stuff i found from google:
OAuth 1.0 - is said to be good. But it is a protocol and not a library. Do i have to implement this from scratch? Is this even needed in my case for authentication?
OAuth 2.0 - it seems that some sites are using this. I have the same questions for this as version 1.0. I also saw this this message from the library's lead creator literally saying f*** version 2.0 because it was bad for security. But yet so many still use it. Is it dangerous?
The creator of 2.0 has now gone on to make a completely other library because of how bad 2.0 was and because of how unscalable 1.0 was. His library is called OZ. Should I be using this for my server?
I see AlamoFire/ AFNetworking have basic authentication shown in their documentation. Should i just screw the oAuth stuff and just use theirs?
Being new to the authentication thing, all this is very confusing to me. Can anyone knowledgeable in this provide some guidance?
I am currently in the process of creating a cross-platform application and have spent quite some time researching this!
My approach to the project is using a ASP.NET Web API using OWIN middleware.
This uses bearer tokens to authenticate the user.
Using Microsoft.Identity you can limit endpoints down to roles or even individual users (Autherization)
Currently I create a user on the REST API, They log-in at the /token endpoint and then receive a token. This token is then saved to the Apple key chain and can be used to authenticate the user for further requests to the API.
As long as you use SSL this is a secure method and is used widely in many applications.
This approach uses OAuth2 also, so you'll be albe to easily integrate Facebook/Google/etc integration.
Here is a link to the Microsoft Documentation for some further reading on how I did it:
http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
Currently this is working perfectly for me for an angular front-end but would work exactly the same in iOS except you may want to save the token to the KeyChain Storage.
We mostly use OAuth 2 creating custom system on iOS to handle the authentication.
Nothing is ever bullet-proof but the 2 token system decreases the chance for stealing credential quite nicely.
The AlamoFire, AFNetworking or any other libraries you amy find have nothing to do with this though. What type of credentials you use depends on your choice or rather the choice of the API. You may use these tools to ease your communication with the API though.
So what the idea behind this is you will try to send your user name and password only once when logging in and then you will receive the two tokens which are further used to communicate. This will decrease a chance for someone to intercept the request with the user name and password which are the ultimate key to get the access to the user data.
Next is "refresh token" which is used to receive a new "access token". This call should be made every few hours or so (controlled by the API). If someone was to steal this token he would be able to use it to get further access for an infinite duration or until the owner chooses to invalidate the refresh tokens (this is what happens when you click "log out from all devices"). So this is still quite bad if someone gets it.
Then there is the "access token" which is used for each and every further request to the server. These tokens have a limited time till they are invalidated so if someone was to intercept it somehow he would have the access to the data for the duration of the token.
So assuming this is the procedure that is done on the backend this is what you need to do:
If you have the access token and is valid simply use the service
If you receive the error that the access token is invalid you need to refresh the access token using your refresh token
If refresh token reports an error you need to navigate back to the login screen
If the app has no refresh token then simply go to the login screen
There are some other things that are nice to cover such as if the request reports an invalid token you should pend the request, refresh the token and then repeat the call to the pending request. A system around this may be quite large.
This is pretty much it about the tokens and authentication but there are other parts of the communication which increase the security such as using a https secure connection. When talking about security you must take a look into every part of the communication.

Getting started with OAuth

I wanted to build a simple WP7 app to learn how to use Silverlight, so I thought I'd create a very simple yammer app. As a starter it would have two screens - Login (Username & Password) and Feed.
Yammer user OAuth for its authentication but I just dont get it! i appreciate you need to request a token to use the REST interfaces, but I dont want my users (even if its just me) to need anything other than their login credentials, as they would use on the website. In my head the token can be used in a similar manner as a forms auth token in asp.net
Am I missing something? But I cant see anything in the yammer documentation about logging in.
The process for OAuth is as follows
You do a token request to Yammer. If needed they will ask for yammer credentials and send a token back to a URL of your application
You must use that token to sign all your petitions.
You can't stop Yammer asking for credentials because that's the idea of OAuth. Yammer does not trust you and it's impossible for you to keep any user Yammer's credentials. That way they can't be stolen from your site. The more you can store is a temporal token.
There is a very good guide to using OAuth on hueniverse, which features an example workflow. It's not completely up to date with the latest version of the spec, although this probably doesn't matter too much for your purposes.

Resources