I am working on a WordPress plugin that requires the use of OAuth 2. So far I've included the necessary OAuth files in an include folder in my plugin, put in the ClientId, ClientSecret I've obtained, and was able to authorize the app. After I authorized the app I received a callback code that I am supposed to use to get the token I assume. I put that code in my plugin, refreshed the page, and saw the information that is supposed to be outputted. When I go to a different page, it tells me that I am not authorized to view the information because the access token may be missing. So essentially it feels like the code that is sent to retrieve the token is only able to be used once. Do I need to store the token somehow? Any suggestions would be greatly appreciated.
In OAuth2 three-pass procedure the auth_code must be used only to obtain the access token
invoking a specific URL of the authentication server. The access token obtained can be used to access the pages later, as long as it is valid.
Related
I have a Next.js website with firebase. It takes care of everything I need with authentication. However, In addition to the signInWithPopup, I am also using signInWithEmailAndPassword function in order to let my users authenticate using email and password.
The problem is that signInWithEmailAndPassword sends a request to:
https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[PUBLIC_KEY]
And it returns a valid response with the authToken. And when I paste the request in Postman, I see that everyone can access this endpoint. How can I protect this route? I want this route to be accessible just from my website.
I saw that there is something called App-Check that can restrict access to API but couldn't find a way to make it work.
Thank you!
I am attempting to use the LinkedIn V2 Profile API to aid in signups for my website.
I have properly implemented the "Sign in with LinkedIn" button on my website, set up the OAuth 2.0 callback, and my server properly swaps the OAuth 2.0 Access Code for the user's Access Token.
To do this, I am using the Python linkedin_v2 library linked here.
I am then attempting to grab the user's profile, and obtain their first name, last name, and email, to store in my database as a method of signup. I have confirmed that my application requests r_emailaddress, r_liteprofile, and r_member_social accesses.
To obtain their profile, I have attempted the following methods:
Using the Python Library linked above to create an application with the users access token and request the profile as follows:
application = linkedin.LinkedInApplication(token=accessToken)
profile = application.get_profile()
Unfortunately, this method only returns the user's first name, last name, and id, even when I include selectors=['email-address'] as a parameter to the get_profile() function, as specified by the library documentation.
Sending a GET request using the Python requests library https://api.linkedin.com/v2/people/(id:{person ID}) with headers that include Authentication: Bearer {user access token}.
Unfortunately, this method results in a 403 (forbidden) error.
I am curious of the following things:
Why do I obtain a 403 when querying the Profile API using the request library, when the same access token works to query the API through the Python linkedin_v2 library?
Does anyone know of how to use the python_linkedin_v2 library to obtain an email address with the profile?
Does anyone know of a better library to use in order to accomplish my goal of obtaining profile information regarding users whom are logging into my product using linkedin?
Do I need any additional permissions in order to access my users' emails from LinkedIn?
Thank you so much for your help, and I look forward to discussing potential solutions with all of you.
-Rob
There is an app that wants to authenticate with my users using oAuth2.
So they open a window, with the authorize URL, and parameters (such as redirect uri)
Like: https://my-website.com/api/authLauncherauthorize?redirect=SOME_URI
Now I have my own firebase-login, and when the user logs in, I get their access token from firebase. Which is what I want to respond with.
However, in oAuth2 guides/explanations like https://aaronparecki.com/oauth-2-simplified/ I see I am supposed to return an authorization code, and I don't understand where can I get that from?
What I can do, is generate a bullshit code, pair it in the DB to the access token, and then in the "token" request, send the correct access token. Is that what I am supposed to do?
Just to be clear, this is my first time writing an oAuth2 service myself.
OAuth is a system that provides authenticated access to resources. This resource can be for example a user page or editing rights to that user page. So your goal is to provide access to permissions to the right people.
When someone logs in, they get a token. Your part is to generate that token however you want, may it be some form of userdata into base64 or completely random. Take this token and link it against permissions, like viewing a page, editing it or even simpler things like viewing the email of a user.
OAuth2 tokens and/or permissions should be revokable without deleting a user. You should not use OAuth2 to identify someone.
If I am understanding your question correctly:
User visits some website
User wants to register or login using your websites OAuth2
You redirect back to the original page and send your generated token
The page can access content on your site with this token
Assuming you are the Host Site, given a User who wants to connect a 3rd party application, then the flow would be like this:
User lands on site - Clicks Login with Github
User is redirected to Github site where they login and click "Authorize"
Github redirects user back to your site /authorize with an auth token.
Your site then passes that token back to the 3rd party API (github in this case) in exchange for an access token and refresh token.
You can then pass that Authorization token to an API endpoint to get details about it. If the token expires, you can use the refresh token to get a new Auth token. Both Tokens should be stored in your database for your user.
However writing that all out I realize you are asking how do you generate the Authorization token, so I'm guessing you're actually the 3rd party API in this example. So you would want to generate an Authorization token using a random generator. Since you are using firebase, you'll probably wanna try out their token generator: https://github.com/firebase/firebase-token-generator-node
There's also some more up-to-date info here I believe: https://firebase.google.com/docs/auth/admin/#create_a_custom_token
And like you said, you would store that in a database associated with the user, and then when the Host Site sends that user's auth token to your server, you exchange it for the Authorization token (and refresh token if requested).
It's also worth reading through how google does it, because you'd be doing something similar: https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken
JWT is another option of generating tokens: https://jwt.io/
I want to create a playlist through the command line, but I appear to need to use the "Authorization Code Flow" method of authentication to be able to do this. The only way I can think to do that, is with a full web app through the browser, but I just want to make a command line tool without any of that hassle.
Is there a way to deal with this?
You do indeed need to use the Authorization Code Flow. However, that doesn't mean you need to build a web app.
Method 1: Prompt from command line, a la Spotipy
Check out the way Spotipy, a 3rd party Python library implements their authentication: https://github.com/plamere/spotipy. It uses the command line to prompt for authentication, then gets users to copy the URL back. This could be an easy workaround if you don't want to fully implement an authorization flow yourself. I recommend going through their quick start to get an idea of a non- web app implementation.
(They even have an example for "Create a playlist", maybe you can just use and build off that? https://github.com/plamere/spotipy/blob/master/examples/create_playlist.py)
Method 2: Get an access token for your account only
The Authorization Guide states the following:
Accessing your data without showing a login form
I want to interact with the web API and show some data on my website.
I see that the endpoints I need authorization, but I don’t need/want a
login window to pop-up, because I want to grant my own app access to
my own playlists once. Is there any way of doing this?
You basically need an access token and a refresh token issued for your
user account. For obtaining a pair of access token / refresh token you
need to follow the Authorization Code Flow (if you need a certain
scope to be approved) or Client Credentials (if you just need to sign
your request, like when fetching a certain playlist). Once you obtain
them, you can use your access token and refresh it when it expires
without having to show any login form.
So, if you only need access for your own account, grab any of the simple tutorials from the internet, follow it, and get an access token. You can then use that access token to make calls.
I'm doing oauth in echo sign and have come across following steps.
App makes a get request to echosign along with the return url.
ex: https://secure.echosign.com/public/oauth?redirect_uri=https://example.com/oauthDemo&
response_type=code&client_id=d4HQNPFIXFD255H&scope=user_login:self+agreement_send:account
Echosign, asks the user to login to echosign and on success it appends code to the return url and sends back.
Taking the code from the return url, another post call is made to get the access token using which , api calls can be further made.
POST call to /oauth/token
On this success, token-access has been generated successfully.
The things here is, how can i bypass the step where user will not have to login to echosign. Is there other easier way to get the access-token, seems like, code needs to be generated each time to get a new access-token.
I'm working on meteor, angularjs. Also i couldnt find any working examples on js, is there any ?
Please correct any of my steps.
I couldn't find a way to bypass the user to login but this needs to be done only once.
At this step you get the access token, refresh token and expiry time in seconds.
Check if your access token has expired and if so then use your refresh token to get a new access token. You can use the refresh token indefinitely until the EchoSign user manually revokes your application's token.
User your access token to make API calls.
PS: I don't know any working examples in JS.