I'm having a problem figuring out to maintain the same session after I get the oauth callback in a servlet. Since th callback come from Twitter and not the clients browser, I get a different session.
Can someone help??
Without knowing about servlets, I offer three pieces of generic advice.
1 - start a new session when you get the OAuth callback.
2 - store a Session Id in a cookie and retrieve later
3 - the OAuth token begins with nnnnnn-XXXXX where nnn is the users twitter Id.
Hope this helps.
You can also provide additional querystring parameters in the callback url and they will be provided when the user returns from authenticating.
I encountered this issue in my development environment, where my callback URL was different from the URL I was accessing my local application from.
So, if the callback URL is http://myapp.apps.com, you should start accessing your application via the same URL (configured via /etc/hosts).
Some further details are available in this post.
Related
I am developing an application that posts comments into Merge Requests on Gitlab. It works by authenticating with a given user, and then after some setup will register a webhook on the relevant project to be informed when a Merge Request update happens. When a new Merge Request is detected I want to post a comment on the Merge Request asking for some specific detail to be sent over.
However, when we post the comment on the Merge Request we can only ever seem to do it as the user that we have the OAuth token for (which of course makes sense). My question is what should we do/could we have done in order to post the note as a 'bot user' without having to register a full user into the repository? Or is this just impossible?
You can create a reporter user and use its access token. The problem my arise when the user doesn't have enough access control.
You can create a project scoped token, a bot user will automatically be created for such a token
Ref: https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html
I'm doing oauth in echo sign and have come across following steps.
App makes a get request to echosign along with the return url.
ex: https://secure.echosign.com/public/oauth?redirect_uri=https://example.com/oauthDemo&
response_type=code&client_id=d4HQNPFIXFD255H&scope=user_login:self+agreement_send:account
Echosign, asks the user to login to echosign and on success it appends code to the return url and sends back.
Taking the code from the return url, another post call is made to get the access token using which , api calls can be further made.
POST call to /oauth/token
On this success, token-access has been generated successfully.
The things here is, how can i bypass the step where user will not have to login to echosign. Is there other easier way to get the access-token, seems like, code needs to be generated each time to get a new access-token.
I'm working on meteor, angularjs. Also i couldnt find any working examples on js, is there any ?
Please correct any of my steps.
I couldn't find a way to bypass the user to login but this needs to be done only once.
At this step you get the access token, refresh token and expiry time in seconds.
Check if your access token has expired and if so then use your refresh token to get a new access token. You can use the refresh token indefinitely until the EchoSign user manually revokes your application's token.
User your access token to make API calls.
PS: I don't know any working examples in JS.
Symphony Version 2.2 (yah, I know).
FOSRestBundle: 1.5.3
Current Scenario
I have a REST Api driving an angular page. Let's say that each user has a token associated w/ their user record. Consider the following Urls.
GET /api/user/{token}/messages
POST /api/user/{token}/messages
GET /api/messages/{messageId}
GET /api/user/{token}/votes
POST /api/user/{token}/votes
So the user can GET and POST messages. The user can make votes and see them.
(I have about 30 diff routes like this - the URLs are all over the place).
Question
How can I verify that the user is allowed to GET/POST data for the token they're providing?
I do realize I could copy/paste some code to check the given user vs the user from the URL. Or I could write a service w/ a checkUser() function on each endpoint.
My hope, though, is that there is some way of doing this that doesn't require me to check the user on each endpoint's entry point.
Don't send the authentication in the Endpoint. An endpoint typically should be Idempotent, and should individually identify a particular resource.
Send your authentication tokens in HTTP headers.
With that said, as a strategy, baking in your security using #wonde is a good idea. I have implemented a custom base controller class in the past, but the filter and event handling built into symphony provides an even sexier solution.
i would create a before filter and add the checkUser() hook in there , that way you don't have to check the user permission on each endpoint
example
I am working on a WordPress plugin that requires the use of OAuth 2. So far I've included the necessary OAuth files in an include folder in my plugin, put in the ClientId, ClientSecret I've obtained, and was able to authorize the app. After I authorized the app I received a callback code that I am supposed to use to get the token I assume. I put that code in my plugin, refreshed the page, and saw the information that is supposed to be outputted. When I go to a different page, it tells me that I am not authorized to view the information because the access token may be missing. So essentially it feels like the code that is sent to retrieve the token is only able to be used once. Do I need to store the token somehow? Any suggestions would be greatly appreciated.
In OAuth2 three-pass procedure the auth_code must be used only to obtain the access token
invoking a specific URL of the authentication server. The access token obtained can be used to access the pages later, as long as it is valid.
In LinkedIn API, the access tokens will be expired after 60 days, I want to refresh them in 60 days before they are expired in a console application. I viewed this document: https://developer.linkedin.com/blog/tips-and-tricks-refreshing-access-token, and I also viewed many posts in this forum, but it looks like the refresh flow is still now clear for me.
Please note that:
I need to refresh access tokens from a console application - it is not a website, it is a tool running in backend, it has no cookies and cannot open web page to ask user to login.
And if there are some sample code (not for website) that should be better, for example: C# or Java code.
You can use curl to accomplish this. For whatever programming language you use, there should be a relevant curl library.
The way this works is as follows:
You send a POST request to https://api.linkedin.com/uas/oauth/requestToken
You receive back a request token. Use that token in place of XXX in the following call: https//www.linkedin.com/uas/oauth/authenticate?oauth_token=XXX
You will receive the response you need, which includes the access token, which you need to save. It will not expire for the next 60 days.
If you could elaborate on the issues you're having, that would certainly help.
I see what you mean now. Linkedin doesn't allow you and will never allow you to do this. The reason access tokens expire is in order to add an extra layer of privacy protection for users. Linkedin would never want you to access user data if the user's aren't actively using your application. Of course, you might have a situation where no action is required on their part, that's the only drawback. Therefore, you would need to give them a reason to visit your application at least once in each token's lifetime.
I hope this helps.