Does GitHub support the OAuth 2.0 resource owner password credential grant type? - github

Does GitHub support the OAuth 2.0 resource owner password credential grant type? I know you can use basic authentication for the CLI to log in with a GitHub account. Basic authentication can be used to directly request all sorts of user data (like emails, teams, etc.). I am curious to know if the CLI can request an OAuth access_token by using ROPC, then use the access_token (similar to the authorization code grant type) to request user data.

GitHub's OAuth implementation only supports the authorization code grant type. As an alternative (and similar to the CLI), you can retrieve a personal access token via basic auth, then use the token for subsequent resource access.

Related

Personal Access Tokens [PAT] with Keycloak

Can I use Keycloak to support PATs like GitHub does, in addition to the OIDC JWT authentication?
Say, for some specific users, we should be able to support a PAT or an API key.
The expectation is that any SAML user who has to write a script to use our APIs can use a PAT for authentication.

Missing option to configure revoke token URL in Google Actions panel

In the Google Actions panel we can enable account linking. We can also specify Authorization URL (Endpoint for your sign-in web page that supports OAuth2 code or implicit flows) and Token URL (OAuth2 endpoint for token exchange).
I don't see any configuration options for Token revocation endpoint, and this possibility is described in the documentation: https://developers.google.com/identity/account-linking/unlinking#token_revocation_endpoint
If you support an OAuth 2.0 token revocation endpoint, your platform can receive notifications from Google. This lets you inform users of link state changes, invalidate a token, and cleanup security credentials and authorization grants.
Where can I set Token revocation endpoint to receive requests when a user deletes a Google Account link directly in their account?

Get authorization from remote API

I’m using Keycloak (OIDC) for authentication, and I want to add permissions of users to their access token.
My problem is that our permissions are managed by a dedicated application, and that we can recover them by an API.
So: how can I add authorizations to the claims of an access token, by getting these authorizations from a remote API?

Google Cloud storage: Grant permission to OAuth 2.0 client

I am trying to download a file from a Google Cloud Storage bucket via the REST API. But if I use the access_token of the OAuth 2.0 client which I have created, I get "Insufficient Permission" as an error (it works with the access token of my Google account).
So, where in the Cloud Platform can I grant the OAuth 2.0 client access to the bucket from which I want to download the file?
Thx
TL;DR - You're most likely missing the step where you request the right scopes when requesting your OAuth2.0 access token. Please look at the supported scopes with Google Cloud Storage APIs. Access tokens typically expire in 60 minutes and you will need to use a refresh token to get a new access token when it expires.
Please read the Google Cloud Storage Authentication page for detailed information.
Scopes
Authorization is the process of determining what permissions an
authenticated identity has on a set of specified resources. OAuth uses
scopes to determine if an authenticated identity is authorized.
Applications use a credential (obtained from a user-centric or
server-centric authentication flow) together with one or more scopes
to request an access token from a Google authorization server to
access protected resources.
For example, application A with an access
token with read-only scope can only read, while application B with an
access token with read-write scope can read and modify data. Neither
application can read or modify access control lists on objects and
buckets; only an application with full-control scope can do so.
Authentication in Google Cloud
Google Cloud services generally provide 3 main modes of authentication:
End User Account credentials - here you authenticate as the end user directly using their Google account or an OAuth 2.0 access token. When requesting an access token, you will need to provide the scopes which determine which APIs are accessible to the client using that access token.
OAuth2.0 credentials - if granted the right scope, can access the user's private data. In addition, Cloud IAM lets you control fine grained permissions by granting roles to this user account.
Service Accounts - here you create a service account which is associated with a specific GCP project (and billed to that project thereby). These are mainly used for automated use from your code or any of the Google Cloud services like Compute Engine, App Engine, Cloud Functions, etc. You can create service accounts using Google Cloud IAM.
Each service account has an associated email address (you specify when creating the service account) and you will need to grant appropriate roles for this email address for your Cloud Storage buckets/objects. These credentials if granted the right roles can access the user's private data.
API keys - here you get an encrypted string which is associated with a GCP project. It is supported only by very few Google Cloud APIs and it is not possible to restrict the scope of API keys (unlike service accounts or OAuth2.0 access tokens).
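A scope check that follows from the answer above, added here as an example and not part of the original answer. It assumes you have the space-delimited `scope` string returned alongside the access token; the sample strings and the function names are constructed for illustration.

```python
# Added example: decide whether a token's scopes can satisfy a Cloud Storage call.
PREFIX = "https://www.googleapis.com/auth/"

# Scope short names that satisfy each kind of operation (read < write < ACL control).
SATISFIES = {
    "read": {"devstorage.read_only", "devstorage.read_write",
             "devstorage.full_control", "cloud-platform.read-only",
             "cloud-platform"},
    "write": {"devstorage.read_write", "devstorage.full_control",
              "cloud-platform"},
    "acl": {"devstorage.full_control", "cloud-platform"},
}

# Constructed sample scope strings.
PROFILE_ONLY = "openid https://www.googleapis.com/auth/userinfo.email"
READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"
FULL_CONTROL = "https://www.googleapis.com/auth/devstorage.full_control"


def granted_scopes(scope_field):
    """Return the Google API scope short names present in a scope string."""
    return {s[len(PREFIX):] for s in scope_field.split() if s.startswith(PREFIX)}


def is_authorized(scope_field, operation):
    """True if at least one granted scope covers the operation."""
    return bool(granted_scopes(scope_field) & SATISFIES[operation])


def diagnose(scope_field, operation):
    """Explain an 'Insufficient Permission' error in terms of scopes."""
    if is_authorized(scope_field, operation):
        # Scopes are necessary, not sufficient: IAM roles are checked as well.
        return "scopes ok; if the call still fails, check IAM roles on the bucket"
    needed = sorted(PREFIX + s for s in SATISFIES[operation])
    return "token lacks a storage scope; request one of: " + ", ".join(needed)


if __name__ == "__main__":
    for name, scopes in [("profile-only", PROFILE_ONLY), ("read-only", READ_ONLY)]:
        print(name, "->", diagnose(scopes, "read"))
```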

How to post an issue on GitHub with GitHub API

I'm trying to post an issue on GitHub with the GitHub API.
I looked at the API documentation,
https://developer.github.com/v3/issues/#create-an-issue
but I can't figure out where the account information should go in the request body.
How should I authenticate this request?
You can see examples of scripts posting issues in:
"mapserver-trac-importer" (authentication github_post, with user/password)
"simple basic-auth node github api" (authentication here, with user/password)
".bashrc" (authentication in curl, with oauth)
As described in API V3 authentication, you can either use username/password, or an oauth token.
Note that if you have activated the 2FA (2 Form Authentication), you will need an oauth token.
I prefer oauth anyway, because you can revoke the token at any time (token that you can create just for this script), without having the hassle to change your password (which you could use in multiple other instances).
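To show where the credential goes in the create-issue request, here is an added example (not part of the original answer or of the linked scripts). It sends the token in the `Authorization` header and keeps it out of the JSON body; the `GITHUB_TOKEN` variable name, the `OWNER`/`REPO` placeholders and the function names are assumptions.

```python
# Added example: the token travels in a header, never in the request body.
import json
import os
import urllib.request

API = "https://api.github.com"


def build_issue_request(owner, repo, title, body, token):
    """Build (but do not send) the POST /repos/{owner}/{repo}/issues request."""
    if not token:
        raise ValueError("an OAuth or personal access token is required")
    payload = json.dumps({"title": title, "body": body}).encode("utf-8")
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/issues", data=payload, method="POST"
    )
    # Credential goes here; revoking the token invalidates only this script.
    req.add_header("Authorization", f"token {token}")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Content-Type", "application/json")
    return req


def create_issue(owner, repo, title, body, token):
    """Send the request and return the URL of the created issue."""
    req = build_issue_request(owner, repo, title, body, token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["html_url"]


if __name__ == "__main__":
    # Read the token from the environment so it is not stored in the script.
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name
    if token:
        print(create_issue("OWNER", "REPO", "Example title", "Example body", token))
    else:
        print("Set GITHUB_TOKEN to send the request.")
```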