I am trying to authenticate user in firebase with KakaoTalk credentials. For that, I've got accesstoken from KakaoTalk. And then trying to authenticate user with that token. Here is my code :
String token = await kakaoService.getAccessToken();
await firebaseAuth.signInWithCustomToken(
token: token,
);
Got acceess token like this : nmAzFpOF9XrijP-ZoFpQbVluGZ4lLDbZxOCXIAo9c-sAAAFxrID6xA
But getting this error :
The custom token format is incorrect. Please check the documentation. [ Invalid assertion format. 3 dot separated segments required. ]
Whats wrong here? Am I missing something?
Check out the Firebase documentation regarding the use of custom token: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_a_third-party_jwt_library
Firebase needs to successfully decode the auth token your client submits then use its claims to validate access to your Firebase resources. As such, Firebase requires that custom tokens be formatted according to the rules spelled out in their docs. (They describe a very typical JSON Web Token.)
The access token you're getting from KakaoTalk does not follow Firebase's token rules so Firebase doesn't know what to do with it. I suggest you revisit the KakaoTalk docs to see if it can generate a standard RS256 JWT token with which Firebase can work.
It seems that the token returns by kakaoService.getAccessToken() is not a valid custom token for Firebase Authentication. In fact, given the error message, it doesn't even seem to be a JWT.
Custom tokens for Firebase Authentication must have a specific format, that is documented in creating custom tokens. You'll typically want to follow this process to get a valid token for Firebase Authentication:
Sign the user in to the identity provider (KakaoTalk in your case).
Decode the token from the provider, to get the verified information about the user.
Create a custom token for the user with the Firebase Authentication Admin SDK.
Use that token to sign in to Firebase on the client.
Steps 2 and 3 must happen in a trusted environment, such as your development machine, a server you control, or Cloud Functions.
Related
I'm doing a Flutter app for iOS and Android, and I need to use authentification to access to the main content.
For that I used this pubdev package(aad_oauth), and it works very well. I need to get the token provided by Azure to send it to my API to authenticate my user.
I used this method :
var token = await oauth.getAccessToken();
But the token is considered invalid even by my API then by https://jwt.io/ with the error "invalid signature" but works in the Flutter app.
Here is a censored screen of jwt.io :
Did someone knows how to get a valid token to send it after ?
The invalid signature thrown by jwt.io is well known. You will need to manually obtain and set the Azure AD signing certificate content. Follow the steps detailed in USING JWT.IO TO VERIFY THE SIGNATURE OF A JWT TOKEN.
Regarding validation at the API, you may have to fine-tune its token validation routine. This varies depending on the platform or library used for such end. you can find samples for Microsoft backed libraries here.
For more information on recommended validation please take a look to Validate tokens.
I'm currently using Firebase cloud functions as my mobile app's backend and I'm using Auth0 as my authentication provider.
My problem is that I've used Postman to send test login requests to my API and I'm able to get a valid JWT. I then deleted the user account through Auth0's user management panel and used Postman to test the login function again to see the type of response I would receive. Instead of receiving any errors, I receive a new valid JWT which allows me to access protected routes even though the user does not exist.
I've tried setting the response cache control to "no-store" and yet I'm able to receive a valid JWT. What could the reason be?
I'm trying to build JWT Grant flow in authentication using Docusign APIs.
I usually get "invalid_grant" or "invalid_request" errors.
The redirect uri is returned with a code parameter and a jwt token.
What I understood, is I need to create a JWT at my server to further utilise that for authentication, and the structure of this JWT does not utilise that code parameter either.
I need to use the User:lists API to get the GUUID of the user who just gave my server consent using the email address.
And then use that GUUID for creating our JWT, which will now work?
But in all this we are not using the JWT returned in the code parameter.
Why it is there it is confusing?
When using the JWT grant auth method, you will be ignoring the code that is returned in your callback URL after user grants the permissions.
I understand that may be confusing but think of that step as "User granting permission to required scopes". If you were using the auth code grant flow, you'd be using the code returned to your callback URL to complete the auth and get the access token.
However, in the case of JWT grant you will ignore that code and you will create a signed payload to get a token as described here: https://developers.docusign.com/platform/auth/jwt/
I created a single page application (SPA), which relies on GitHub API v4.
The API requires an access token to access, so I created an input element to ask users to store their access token.
I want to persist the entered token so that users don't re-input the token after reloading or re-visiting the site, without building any backend server.
I tried few things to achieve my purpose:
save the token in localStorage
It is very easy, but there are security concerns to store secret information in the storage, so I rejected this approach.
use GitHub OAuth App to fetch tokens
It is not suitable because it requires to store client secret in my app. Since my app is SPA, the stored secret can be read by any user.
use Auth0 to bypass the authentification
At first, it seemed very easy to get GitHub access token, but it requires a backend proxy server to fetch the token as described here
Is it impossible to persist the token without any backend server?
If so, how to persist the token easily? For now, I came up with the below solutions:
use AWS Lambda to encrypt the token and save it into cookie
When users input the token, the app send the token to a Lambda function, which encrypt the token and response it into cookie. When users back to my app, the app send cookie to the Lambda function and decrypt the token and send it back to the app.
use AWS Lambda as a proxy to communicate with Auth0
As described here, Lambda functions can retrieve the GitHub access token via Auth0.
However, I don't want to do this because I don't want to use two external services just to persist the token.
We are having troubles with getting the access token from fiware since 4th August.
We are using this URL to ask for the token: https://orion.lab.fiware.org/token but it seems like it does not work.
Before using that URL we used to ask for this one:
http://cloud.lab.fi-ware.org:4730/v2.0/tokens
Could anyone, please, help us?
Thank you in advance.
It depends on how you want to get the token. The current OAuth2 URL to get the tokens is https://account.lab.fiware.org/oauth2/token. This is the central authority for authentication, if you are accessing any common GE, but you will need to register your application in FIWARE Account and use your application credentials and some OAuth2 grant to get it.
If you want to get the token for the global instance without using a registered application, the URL you have mentioned contains a token service that can give you a valid token for your user and that purpose. You can test it (and see an example) with the following script:
https://raw.githubusercontent.com/fgalan/oauth2-example-orion-client/master/token_script.sh