I am new to google oath ,
Referring to the documentation of google
While i Generate the login URL
example
https://accounts.google.com/o/oauth2/auth?
redirect_uri=http://www.mywebapp.com/oauth2callback&
response_type=code&
client_id=104608secret-secret-secret-secret.apps.googleusercontent.com&
scope=https://www.googleapis.com/auth/analytics.readonly+https://www.googleapis.com/auth/userinfo.email&
approval_prompt=force&
access_type=offline
This redirects to an accept page showing google email Id
When the user clicks on “Accept” google will redirect the user to your given redirect_url
when i use chrome and
https://developers.google.com/oauthplayground/
Because it redirects screen to accept.
everything will work fine.
But when i use postman it wont return the "access code" of google
What am i making wrong in the url parameters .
I have to create rest service using the above url.
I have searched So for
How to get dummy google access token to test oauth google api?
How can I verify a Google authentication API access token?
https://developers.google.com/identity/protocols/OAuth2
https://www.themarketingtechnologist.co/google-oauth-2-enable-your-application-to-access-data-from-a-google-user/
But non explained about silent login to get token without accept screen
Your callback url receives a "code".
Then you need to exchange your "code" for an access token.
https://aaronparecki.com/oauth-2-simplified/
https://developers.google.com/oauthplayground/
https://developers.google.com/identity/protocols/oauth2
Related
Have created bot.
Have web site where user has been registered using facebook account.
From facebook manually building login flow :
https://www.facebook.com/v2.8/dialog/oauth?
client_id={app-id}
&redirect_uri={redirect-uri}
In the client_id i am sending my website facebookid.
What parameter should i use for redirect uri to make redirect to bot ?
Is it possible to get this work this way ?
Take a look to the SimpleFacebookAuthBot sample to understand all the pieces.
The RedirectUri must be something in your side that will receive the access code that later will be used to get the access token. Here is the implementation of that callback in the sample above mentioned.
I have been checking this document to find out how to authorize my user but I couldn't see any signup information on the UBER API itself. You can easily login and authorize the existing user but how do you actually sign up using the API? Which API calls to make?
Cheers
Visit this URL to register and manage your Uber client apps:
https://developer.uber.com/apps
It will prompt for your Uber credentials if you're not logged in.
What do you mean by sign up using the API?
Actually Uber can let you login via Uber's login page and you can input the credentials in the form and submit it; once you pass this authentication, you will get a web page saying if you want to allow your third party app to access user's info; then once you allow or deny it, Uber will redirect to the redirect_url you registered earlier on your app dashboard and send an authorization code to it; then you could use this code to exchange for the access_token for further use.
I'm performing the server side oAuth2 flow.
I noticed that google has added a cool feature for their oAuth2 signin API which is redirect_uri=postmessage so we don't show the real redirect_uri on the browser url bar and the authorization code won't be included in the redirect url.
For linkedin, when the users accepts to share his personal data with the app, the response url looks like :
http://dev.localhost.com:8080/auth/linkedin?code=xxxxxxxxxxx&state=yyyyyyyyyyyyy
it's the same for Google unless we replace the real redirect_uri by postmessage.
If the redirect_uri + the response code is set in the url Every malicious script could be able to retrieve the returned code from the url and perform its own authentications.
So, is there any way to hide the return parameters and the redirect_uri for LinkedIn and Facebook ?
LinkedIn and Facebook are not vulnerable to malicious scripts accessing the redirect_uri.
Assuming you use the recommended response_type=code both APIs require you make a request from your server that includes your API secret and the code value in order to get the users token. LinkedIn describes this in Exchange Authorization Code for a Request Token and Facebook describes this in Exchanging code for an access token.
Additional security with Facebook can enabled with requiring that every request be signed with your API secret. Additional protection in general can be had by using a strong Content Security Policy to help prevent malicious scripts from running in the first place. And be sure to host your site exclusively over TLS to prevent your own JavaScript from being modified.
I am trying to use Facebook Rest API in my application . I wanted to generate authentication token and using that generate page access token which can be used to post on page.
When I was going through the authentication process I found that all authentication flow uses redirection to main Facebook application. I want to have an authentication flow in which I don’t have to redirect to generate authentication toke and page token. Is there any way to do this.
We're hoping to create mobile phone applications for (among other features) posting video to a user's FaceBook page. However, using their API, it looks like we would need to open a web viewer and have the user enter their login credentials every time the application is used. We would prefer to store these credentials so the user only has to login once.
We could of course save the http login post and resend it as needed, but this breaks if FaceBook changes their API and I worry about their terms of service and using an unofficial hack such as this.
Maybe someone knows of another application that uses Facebook this way?
You should have been returned an oAuth token to use.
The new Facebook API has a service you can call with the old tokens and it returns you a new oAuth token.
You just have to add offline_access to your permissions. You do this by adding &scope=offline_permissions at the end of your authorization url. Then your oAuth token won't expire.