Firebase Hosting - OAuth Redirect - firebase

Is it possible to use a Firebase Hosted site with OAuth 2.0 for a third party API? I would like to use the Quizlet API. This requires an OAuth 2.0 redirection flow and a custom state parameter.
State: A random string generated by you. You send us this, and we'll send it back to you, and you verify that we send back the same thing you sent.
You must send and verify this value in order to prevent CSRF attacks.
So for example:
https://quizlet.com/authorize?response_type=code&client_id=MY_CLIENT_ID&scope=read&state=RANDOM_STRING
This would take the user away from my Firebase Hosted page and then they would authenticate. Upon authentication, Quizlet would send me back to:
REDIRECT_URL/?code=GENERATED_CODE&state=YOUR_STATE&expires_in=60
Can I somehow catch these URL query parameters in my Firebase Hosted site or its Angular code?
Thanks!

Related

Getting HTTP OAuth 2.0 to work for google analytics (ga4)

Can't establish a persistent API connection to GA4 from Make (formerly Integromat). I use an HTTP OAuth 2.0 connection.
I've enabled the Google Analytics Data API v1
In GCS I've created a project, enabled the above-mentioned API with authorized domains integromat.com and make.com, and also created an OAuth 2.0 app. The scopes I added were:
https://www.googleapis.com/auth/analytics.readonly
https://www.googleapis.com/auth/analytics
I created credentials for a web app with the Authorized redirect URIs of
https://www.integromat.com/oauth/cb/oauth2
https://www.integromat.com/oauth/cb/google/
The connection works but only for a short period (I assume the token expires). To try and mitigate this I created a service account. That does not work as I can't find a way to add an authorised URI to a service account. This is the Make error:
Error 400: redirect_uri_mismatch
You can’t sign in to this app because it doesn’t comply with Google’s OAuth 2.0 policy.
If you’re the app developer, register the redirect URI in the Google Cloud Console.
Request details: redirect_uri=https://www.integromat.com/oauth/cb/oauth2
Any ideas please? I'm truly stuck.
Your question lacks a bit of information as to what it is exactly you are trying to do. However, there is enough here that I can help you clear up a few issues or misunderstandings.
OAuth2
OAuth2 allows your application to prompt a user to request permission to access their data. The authorization server returns to you an access token; this access token is good for only an hour and then it will expire.
If you are using a server-sided programming language then you can request offline access, at which point the authorization server will return to you an access token and a refresh token. The refresh token can then be used by you when needed to request a new access token.
Service accounts
Service accounts can be used if you are only accessing private data that you the developer own. You can create a service account, then go in the admin section of the Google Analytics website and add the service account as a user; it will then have access to that account. There will be no need to request consent of a user to access the data; it will just work. Note: service accounts only work with server-sided programming languages.
Redirect URI issue
The redirect URI must exactly match the web page that your application is sending. In this case the error message says you are missing https://www.integromat.com/oauth/cb/oauth2; you should add that.
Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications.
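The answer's three points, one-hour access tokens, offline access for a refresh token, and byte-for-byte redirect URI matching, look like this for a server-side web application. This is an added example, not code from the question, the answer or Make: the Google authorization and token endpoints and the parameter names are Google's documented ones, the registered URIs are the two from the question, and the client id, secret and token values are placeholders constructed here.

```javascript
// Added example (not from the original question or answer): offline access,
// refresh-token grant and exact redirect_uri matching against Google OAuth 2.0.

const GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";

// Redirect URI rule: the value sent must equal a registered one exactly.
// A trailing slash, a different scheme or an extra path segment is a mismatch
// and yields "Error 400: redirect_uri_mismatch".
function redirectUriIsRegistered(registeredUris, requestedUri) {
  return registeredUris.includes(requestedUri);
}

// Offline access: access_type=offline makes the token response include a
// refresh token; prompt=consent makes Google issue it again on re-authorization
// (by default it is only returned the first time the user consents).
function buildAuthorizationUrl({ clientId, redirectUri, scopes, state, registeredUris }) {
  if (!redirectUriIsRegistered(registeredUris, redirectUri)) {
    throw new Error(`redirect_uri_mismatch: ${redirectUri} is not registered`);
  }
  const url = new URL(GOOGLE_AUTH_ENDPOINT);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join(" ")); // Google wants space-separated scopes
  url.searchParams.set("access_type", "offline");
  url.searchParams.set("prompt", "consent");
  url.searchParams.set("state", state);
  return url.toString();
}

// Token response handling: expires_in is in seconds (about one hour). The
// refresh token, when present, must be stored server-side for later use.
function parseTokenResponse(json, issuedAtMs) {
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token ?? null, // absent on later, non-consent responses
    expiresAt: issuedAtMs + Number(json.expires_in) * 1000,
  };
}

// Refresh-token grant: POST as application/x-www-form-urlencoded to the token
// endpoint whenever the access token has expired. No user interaction needed.
function buildRefreshRequest({ clientId, clientSecret, refreshToken }) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  });
  return {
    url: GOOGLE_TOKEN_ENDPOINT,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}
```

The request object returned by `buildRefreshRequest` can be handed to `fetch(url, { method, headers, body })`; the response has the same shape as the original token response and goes through `parseTokenResponse` again. A service account, as the answer notes, replaces this whole dance for data the developer owns, but has no redirect URI at all, which is why one cannot be added to it.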

Intercept a token passed through an URL to a Flutter web app hosted on Firebase

I've developed a website in Flutter that I've deployed on Firebase. What I want to achieve is to redirect the user of an app to this website using a URL that also contains a JWT token, because there will be some authenticated requests to be done on the website, but the website doesn't have any login page.
Is it possible to retrieve that token in order to be used in the code of the website?
If you're using Firebase Hosting, all traffic between the client and server goes over an SSL-encrypted connection, so the data can only be seen by the sender and receiver (unless your certificate chain is compromised).
If you pass the token in the URL, anyone can see it, as the URL is not encrypted. So you'll want to send the token in (for example) a header, such as the pre-defined Authorization header of HTTP. This is actually what the Firebase JavaScript SDKs themselves do to pass authentication information to the Firebase servers.
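As an added example (not code from the question, the answer or the Firebase SDKs), here is the server-side half of what the answer recommends: a handler that accepts the JWT only from the `Authorization: Bearer` header and rejects requests that carry it in the query string, so the token does not end up in browser history, Referer headers or hosting access logs. The request shape `{ url, headers }` and the query-parameter names are assumptions; in a Cloud Function or Express handler the same fields are read from `req`. Signature verification of the JWT is represented by an injected `verify` function so the block runs offline.

```javascript
// Added example (not from the original question or answer): accept a bearer
// token from the Authorization header only, never from the URL.

// Returns the token from "Authorization: Bearer <token>", or null.
function extractBearerToken(headers) {
  const value = headers["authorization"] ?? headers["Authorization"];
  if (typeof value !== "string") return null;
  const m = /^Bearer\s+([A-Za-z0-9._~+/=-]+)$/.exec(value.trim());
  return m ? m[1] : null;
}

// True if the request URL carries a token in a query parameter. Only the query
// is checked: a URL fragment (#...) never reaches the server at all.
const TOKEN_QUERY_NAMES = ["token", "jwt", "access_token", "id_token"]; // assumed names
function tokenInUrl(url) {
  const u = new URL(url, "https://placeholder.invalid"); // base only for relative URLs
  return TOKEN_QUERY_NAMES.some((name) => u.searchParams.has(name));
}

// `verify(token)` must validate signature, issuer, audience and expiry and
// return the claims, or null. It is injected here; a real deployment would use
// a JWT library with the issuing app's public key.
function authorize(req, verify) {
  if (tokenInUrl(req.url)) {
    return { status: 400, body: "send the token in the Authorization header, not in the URL" };
  }
  const token = extractBearerToken(req.headers);
  if (!token) return { status: 401, body: "missing bearer token" };
  const claims = verify(token);
  if (!claims) return { status: 401, body: "invalid token" };
  return { status: 200, claims };
}

// Client side: the fetch options the website's own calls should use once it
// holds the token in memory.
function authenticatedFetchOptions(token) {
  return { headers: { Authorization: `Bearer ${token}` } };
}
```

The Flutter web app itself can keep the token in memory and attach it with the equivalent of `authenticatedFetchOptions` on every call, which is the same pattern the Firebase SDKs use for their ID tokens.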

Firebase with SAML authorization callback URL

Trying to dot some Is and cross some Ts on getting SAML to function correctly with Firebase. I've followed Google's workflow on how to add SAML to a project (https://cloud.google.com/identity-platform/docs/how-to-enable-application-for-saml) but am hitting a wall with the authorization callback URL. When clicking the login to go to the SAML, it takes you to the provider's URL to sign in. But after logging in, you just get redirected back to the firebase site (*.firebaseapp.com/__/auth/handler), not the actual site. I've got the site URL set up as an authorized domain in Firebase/Cloud Identity Platform. I'm not using Firebase hosting for the project, but I thought that as long as the URL is in the authorized domains, I didn't need to set up a redirect.
*3:26pm 2/26 - I think part of it might also be how I entered the SP Entity ID. I had used the same as the Entity ID that was with the SSO URL

FOSOAuthServerBundle + Amazon Alexa: How to manually authenticate user with Access Token?

In short: How can I manually authenticate a user with a given access token?
The long story:
An Amazon Alexa Skill should access user data within a Symfony 3.4 based web service.
The web service uses FOSOAuthServerBundle to handle the OAuth authentication and link the user's Alexa account to the web service's user account.
Once the account is linked, the Alexa API includes the OAuth Access Token in every request. However, the token is not included in the request header but simply within the JSON content. Additionally, all requests, both linked/authorized and not-linked/unauthorized, call the same endpoint / route.
Thus using the Symfony firewall to authenticate the user does not work, does it?
Instead I manually check whether the Alexa request contains an access token to provide the correct response.
If the request contains an access token I would need to manually check and authenticate the user. How can this be done?

Proper OAuth2 authentication flow for a web API using the EWS Managed API

I've been reading through a bunch of documentation for using OAuth with Azure AD, but am still completely confused about how to properly implement things for my situation. Hopefully someone can steer me in the right direction.
I have created an ASP.NET Web API application that uses the EWS Managed API to access Exchange on behalf of different users. My application exposes endpoints such as /Mailbox/Messages and /Appointments with the intent that some front end web application will eventually use them to retrieve a user's emails and appointments. Currently the endpoints are working using basic http authentication, but I'd like to update them to use OAuth. The application has been registered in my Azure AD instance and I've configured it to require the "Access mailboxes as the signed-in user via Exchange Web Services" API permission.
Since the front end hasn't been implemented yet, I've been trying to test by manually calling the authentication endpoint. This prompts me to log in and provide consent. If I consent, I'm redirected to the callback URL that I provided when I registered the app with the authorization code contained in the query parameters. I'm still not quite sure how I'm supposed to be using this callback, but for the sake of testing I currently have the callback redeem the authorization code for an access token. This is done by calling the AcquireTokenByAuthorizationCode method on an instance of the AuthenticationContext class and providing my application's id and secret. Again, just for the sake of testing I return the access token to the browser. I can then call my aforementioned endpoints (after some modifications) with this access token and get the emails for the user. I'm guessing much of this is not the correct way to be doing things.
Some of my points of confusion:
What should the callback that I registered in Azure AD actually be doing when it gets the authorization code? Is this intended for a different type of application? Perhaps one that isn't just playing the role of a middle man.
I'm trying to make my application somewhat RESTful, so I don't want to have to maintain the access tokens on my end between requests. As such, does it make sense for my endpoints to expect that the access token be provided in the authentication header for each request? If so, does that mean the front end application should be responsible for acquiring the access token and passing it to me?
Being completely new to OAuth and Azure, I'm not sure if any other details are pertinent, but I can provide more information as needed.
What you are implementing is this scenario: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#daemon-or-server-application-to-web-api
Here's how it works:
Your client app redirects the user to sign in at the authorization endpoint
Your client app gets back an authorization code (if using the auth code grant flow, there are others)
The client app exchanges the code for an access token for your API app
It will need to provide its client id and secret along with the code and the API's resource URI to get it
The client app calls to your API app, passing the access token in the Authorization header
Your API app then validates the access token, and requests another access token from Azure AD for the Exchange API
It will pass the access token sent by the client app, along with its client id and secret and the Exchange API's resource URI to Azure AD
Your API app receives an access token so you can call to the Exchange API as the user
And to answer your two questions:
Authorization code flow is not used with APIs, only with apps that have a user signing in, thus the redirect URL is basically never used.
Your API can and must expect the access token to be in every request and authenticate it. But the access token it uses to call the Exchange API can and should be cached on the API's side. This is provided out-of-the-box with ADAL, though the tokens are only in memory.
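The API-side half of the flow above (validate the client's token, trade it for an Exchange token, cache that per user) as an added example; this is not code from the question, the answer or ADAL. The token endpoint path and the grant parameters are Azure AD's documented v1 on-behalf-of request, which is what ADAL's `AcquireTokenAsync` with a `UserAssertion` sends; the Exchange resource URI `https://outlook.office365.com` is the commonly used one for EWS and is stated here as an assumption. Tenant, client id, secret and all token values are placeholders constructed for the example. Signature validation of the incoming token is represented by an injected `validate` function (the JWT bearer middleware in ASP.NET), and the HTTP POST by an injected synchronous `requestToken` so the block runs offline.

```javascript
// Added example (not from the original question or answer): on-behalf-of
// token exchange for the Exchange API with a per-user in-memory cache.

const EXCHANGE_RESOURCE = "https://outlook.office365.com"; // assumed EWS resource URI

// Azure AD v1 on-behalf-of request: the client's access token becomes the
// assertion; the API authenticates with its own id and secret.
function buildOnBehalfOfRequest({ tenant, clientId, clientSecret, userAccessToken, resource }) {
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    client_id: clientId,
    client_secret: clientSecret,
    assertion: userAccessToken,
    resource,
    requested_token_use: "on_behalf_of",
  });
  return {
    url: `https://login.microsoftonline.com/${tenant}/oauth2/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Cache of Exchange tokens keyed by tenant + user object id. Entries are
// treated as expired a few minutes early so a token never dies mid-request.
class UserTokenCache {
  constructor() {
    this.entries = new Map();
  }
  get(key, nowMs, marginMs = 300_000) {
    const e = this.entries.get(key);
    if (!e || nowMs + marginMs >= e.expiresAt) {
      this.entries.delete(key);
      return null;
    }
    return e.accessToken;
  }
  set(key, accessToken, expiresInSec, nowMs) {
    this.entries.set(key, { accessToken, expiresAt: nowMs + Number(expiresInSec) * 1000 });
  }
}

// One API request: validate the client's token (audience must be this API),
// then reuse or obtain an Exchange token for that user. `requestToken(req)`
// performs the POST and returns the token endpoint's parsed JSON; a real
// deployment would await fetch() here.
function exchangeTokenForUser({ userAccessToken, validate, cache, requestToken, config, nowMs }) {
  const claims = validate(userAccessToken);
  if (!claims) return { status: 401 };
  const key = `${claims.tid}:${claims.oid}`;
  const cached = cache.get(key, nowMs);
  if (cached) return { status: 200, exchangeToken: cached, fromCache: true };
  const res = requestToken(
    buildOnBehalfOfRequest({ ...config, userAccessToken, resource: EXCHANGE_RESOURCE })
  );
  cache.set(key, res.access_token, res.expires_in, nowMs);
  return { status: 200, exchangeToken: res.access_token, fromCache: false };
}
```

The returned `exchangeToken` is what the EWS Managed API call is made with on the user's behalf; the client's own token is never forwarded to Exchange. Azure AD's v1 token endpoint returns `expires_in` as a string, which is why the cache converts it with `Number()`.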