I have a Next.js website with firebase. It takes care of everything I need with authentication. However, In addition to the signInWithPopup, I am also using signInWithEmailAndPassword function in order to let my users authenticate using email and password.
The problem is that signInWithEmailAndPassword sends a request to:
https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[PUBLIC_KEY]
And it returns a valid response with the authToken. And when I paste the request in Postman, I see that everyone can access this endpoint. How can I protect this route? I want this route to be accessible just from my website.
I saw that there is something called App-Check that can restrict access to API but couldn't find a way to make it work.
Thank you!
Related
I am attempting to use the LinkedIn V2 Profile API to aid in signups for my website.
I have properly implemented the "Sign in with LinkedIn" button on my website, set up the OAuth 2.0 callback, and my server properly swaps the OAuth 2.0 Access Code for the user's Access Token.
To do this, I am using the Python linkedin_v2 library linked here.
I am then attempting to grab the user's profile, and obtain their first name, last name, and email, to store in my database as a method of signup. I have confirmed that my application requests r_emailaddress, r_liteprofile, and r_member_social accesses.
To obtain their profile, I have attempted the following methods:
Using the Python Library linked above to create an application with the users access token and request the profile as follows:
application = linkedin.LinkedInApplication(token=accessToken)
profile = application.get_profile()
Unfortunately, this method only returns the user's first name, last name, and id, even when I include selectors=['email-address'] as a parameter to the get_profile() function, as specified by the library documentation.
Sending a GET request using the Python requests library https://api.linkedin.com/v2/people/(id:{person ID}) with headers that include Authentication: Bearer {user access token}.
Unfortunately, this method results in a 403 (forbidden) error.
I am curious of the following things:
Why do I obtain a 403 when querying the Profile API using the request library, when the same access token works to query the API through the Python linkedin_v2 library?
Does anyone know of how to use the python_linkedin_v2 library to obtain an email address with the profile?
Does anyone know of a better library to use in order to accomplish my goal of obtaining profile information regarding users whom are logging into my product using linkedin?
Do I need any additional permissions in order to access my users' emails from LinkedIn?
Thank you so much for your help, and I look forward to discussing potential solutions with all of you.
-Rob
There is an app that wants to authenticate with my users using oAuth2.
So they open a window, with the authorize URL, and parameters (such as redirect uri)
Like: https://my-website.com/api/authLauncherauthorize?redirect=SOME_URI
Now I have my own firebase-login, and when the user logs in, I get their access token from firebase. Which is what I want to respond with.
However, in oAuth2 guides/explanations like https://aaronparecki.com/oauth-2-simplified/ I see I am supposed to return an authorization code, and I don't understand where can I get that from?
What I can do, is generate a bullshit code, pair it in the DB to the access token, and then in the "token" request, send the correct access token. Is that what I am supposed to do?
Just to be clear, this is my first time writing an oAuth2 service myself.
OAuth is a system that provides authenticated access to resources. This resource can be for example a user page or editing rights to that user page. So your goal is to provide access to permissions to the right people.
When someone logs in, they get a token. Your part is to generate that token however you want, may it be some form of userdata into base64 or completely random. Take this token and link it against permissions, like viewing a page, editing it or even simpler things like viewing the email of a user.
OAuth2 tokens and/or permissions should be revokable without deleting a user. You should not use OAuth2 to identify someone.
If I am understanding your question correctly:
User visits some website
User wants to register or login using your websites OAuth2
You redirect back to the original page and send your generated token
The page can access content on your site with this token
Assuming you are the Host Site, given a User who wants to connect a 3rd party application, then the flow would be like this:
User lands on site - Clicks Login with Github
User is redirected to Github site where they login and click "Authorize"
Github redirects user back to your site /authorize with an auth token.
Your site then passes that token back to the 3rd party API (github in this case) in exchange for an access token and refresh token.
You can then pass that Authorization token to an API endpoint to get details about it. If the token expires, you can use the refresh token to get a new Auth token. Both Tokens should be stored in your database for your user.
However writing that all out I realize you are asking how do you generate the Authorization token, so I'm guessing you're actually the 3rd party API in this example. So you would want to generate an Authorization token using a random generator. Since you are using firebase, you'll probably wanna try out their token generator: https://github.com/firebase/firebase-token-generator-node
There's also some more up-to-date info here I believe: https://firebase.google.com/docs/auth/admin/#create_a_custom_token
And like you said, you would store that in a database associated with the user, and then when the Host Site sends that user's auth token to your server, you exchange it for the Authorization token (and refresh token if requested).
It's also worth reading through how google does it, because you'd be doing something similar: https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken
JWT is another option of generating tokens: https://jwt.io/
I'm developing a plugin based on WP Rest API and i need to make sure only authorized users access it. I will be providing an API key to authenticate. However, I also want to associate the API key to a certain domain (meaning, it should only work if it's being used from the authorized domain(s)).
How do I check on the API side if it is being accessed from an authorized domain?
I know that when i do a "register_rest_route" i can set a function that check user permission via "permission_callback" argument. However i don't know how i can check from what domain makes the API Request.
Thanks
I will not post any of my code, because this is more just a question to know if it's possible.
I've been googling a lot, but didn't find any concrete solutions. I hope someone can help me here.
The facts:
I have a login form
I need to authenticate the credentials over a web-service
I need to send both username and password, to get back a token if logged in successfully.
The problems:
With a custom provider I'm always stuck with the fact that they only have direct access to the userename, like: loadUserByUsername. I need to access the password there as well, to be able to send this to my web-service.
I have only 1 web-service which sends only back a token if provided username and password are correct.
Question:
How can I access and send both username and password to my web-service?
Thanks!
Generally speaking one would authenticate using an API token to a web service.
That API token is usually issued via an auto-generation script when the user account is created (either by an admin or by a registration form). This token is then passed by the API call to the web-service in a header which then uses it to authenticate the user.
As far as Symfony goes, by far the easiest way of doing this is with Guard. A new component built by Ryan Weaver from KNP.
KNPUniversity has a great tutorial on it (for free).
Note that this is only one option of many, and the 'best' way is probably mainly opinion based and directly related to the use case in question. But it might help you get on the right track.
If the token you want to create should be a JSON Web Token (JWT), a very conventient bundle is LexikJWTAuthenticationBundle, which does almost all of the work automatically. If you just follow the documentation, you will have it quickly up and running. You can combine it with FOSUserBundle, with a custom User entity or whatever.
I am working on a WordPress plugin that requires the use of OAuth 2. So far I've included the necessary OAuth files in an include folder in my plugin, put in the ClientId, ClientSecret I've obtained, and was able to authorize the app. After I authorized the app I received a callback code that I am supposed to use to get the token I assume. I put that code in my plugin, refreshed the page, and saw the information that is supposed to be outputted. When I go to a different page, it tells me that I am not authorized to view the information because the access token may be missing. So essentially it feels like the code that is sent to retrieve the token is only able to be used once. Do I need to store the token somehow? Any suggestions would be greatly appreciated.
In OAuth2 three-pass procedure the auth_code must be used only to obtain the access token
invoking a specific URL of the authentication server. The access token obtained can be used to access the pages later, as long as it is valid.