I have scaffolded a web app which is able to register a user with Passportjs and Google Oauth2. While registering the user in the scopes I am asking for accessing the Google Plus API and retrieving the accessToken and refreshToken to be persisted in the MongoDB.
Later in the application I am trying to make an API call to retrieve Google Plus user profile to test . I am following the following steps in the code
var oAuth2 = googleCredentials.oauthClient(); // Setting a new Oauth2 // Client using Project credentials
then retrieving the access_token and refresh_token for this particular user and setting the credentials like below
oAuth2.setCredentials({
access_tokens: user[0].access_token,
refresh_tokens: user[0].refresh_token
});
then making an API call
plus.people.get({
userId: 'me',
auth: oAuth2
}, function (err, response) {
console.log(err);
res.send(response);
});
but my application errors logging the following error
[Error: No access or refresh token is set.]
Any help would be much appreciated
Apologise for people who have spent time reading my code as it was such as obvious bummer . when setting the credentials I was passing plural words such as access_tokens instead of access_token and refresh_token. I spend an entire night trying to figure out the issue.
I am glad that I am able to proceed further.
Related
I need to create an endpoint that return user (token) data, that token I already have it.
I made a frontend where I logged in and I got the eyToken, the thing is that I dont't know how to validate or how to return that token through the backend using NestJS.
I've seen a lot of videos about JWT tokens but all the videos talk about to create that token. I don't want to create it because I already have it.
I just want to know how to return that token using NestJS.
I have a Web API developed with ASP.Net Core. I also have a client app developed with Next.js and it uses NextAuth.js to handle the authentication.
In the UI, when a user is authenticated, I have access to the access token from Facebook.
My question is how can I use this access token to authenticate the requests sent to the back-end API.
This is the back-end code used to register the Facebook authentication scheme (it is all standard):
builder.Services.AddAuthentication()
.AddFacebook(
facebookOptions =>
{
facebookOptions.AppId = "<my_app_id>";
facebookOptions.AppSecret = "<my_app_secret>";
});
I want to construct a Postman request that can authenticate my user using a specific access token but I do not know where to put this access token and whether this is possible at all.
Just sending the request like this (without any modifications) results in visualizing the Facebook login page.
Your Asp.NetCore project integrates Facebook login. After logging in, the token you get can only access protected resources in the current project, such as: [Authorize].
If you want to access Facebook's resources, you need to write your own code to get the token and then access the resources.
1. How to Get Facebook Access Token in a couple of minutes: 2020 guide
2. How to get current user access token from Facebook SDK in C#? Not the App access token
After you get facebook access_token, then you can access Facebook's resources.
I am using https://rnfirebase.io/ for react native application. I am successfully able to log in the user using Facebook Login.
My question is, once I have logged in the user using facebook, and then I am deleting the app from my facebook profile that gave permissions to firebase, the firebase is still authenticating me.
So, in this way, I will always be authenticated until I signout? Is this correct? or should I request for fresh Access Tokens ?
Here is the code I am using to check if the user is logged in
_bootStrap = () => {
let route = Home;
firebase.auth().onAuthStateChanged(user => {
saveDataInAsyncStorage('userLoginInfo', user);
this._navigate(route, result);
});
}
Once your client app get a valid ID token from Firebase Authentication, it remains valid for one hour after it was issued, even if you do something to disable the user. The user will be able to use that token to gain access to resources in Firebase until it expires. At that point, the client SDK will attempt to refresh the token. If the account is disabled in some way, the refresh will fail, the the previous token will no longer have the access it once had.
So, you will have to wait at least an hour for that user to be rejected by things like Firebase security rules and Firebase Admin token validation.
We have a website where the only way to login and authenticate yourself with the site is with Facebook (this was not my choice). The first time you login with Facebook, an account gets automatically created for you.
We now want to create an iPhone application for our site and also a public API for others to use our service.
This question is about how to authenticate with our website from the app/API and is broken into 2 parts:
What is the correct way to handle REST authentication from an API to a website which only uses Facebook OAuth as an authentication method?
I have read and researched a lot about standard methods of authentication for REST API. We can't use such methods as Basic Auth over HTTPS, as there are no credentials for a user as such. Something like this seems to be only for authenticating applications using the API.
Currently, the best way I can think is you hit an /authorize end-point on our API, it redirects to Facebook OAuth, then redirects back to the site and provides a 'token' which the user of the API can use to authenticate subsequent requests.
For an official application that we create, we wouldn't necessarily need to use the public API in the same way. What would be the best way then to talk to our website and authenticate users?
I understand (I think) how to authenticate 3rd-party applications that are using our API, using API (public) keys and secret (private) keys. However, when it comes to authenticating the user who is using the app, I am getting rather confused about how to go about it when the only way we have to authenticate a user is Facebook.
I feel like I'm missing something very obvious, or don't fully understand how public REST APIs should work, so any advice and help would be greatly appreciated.
UPDATE: see below
I've been thinking hard about this question too. It's not entirely clear to me yet but here's the route I am thinking of going. I am creating a REST API an my users only auth with Facebook connect.
On the CLIENT:
Use the Facebook API to login and get an OAUTH2 code.
Exchange this code for an access token.
In every call to my custom API I'll include the Facebook user id and the access token.
On the API (for every method that requires user authentication):
Make a request to the /me Facebook graph using the access token from above.
Verify that the Facebook user id returned matches the user id passed to my API from above.
If the access token has expired additional communication is required.
I have yet to test this. How does it sound?
--- Update: July 27th, 2014 to answer question ---
I only use the above exchange once upon login. Once I determine which user is logging in, I create my own access token, and that token is used from that point going forward. So the new flow looks like this...
On the CLIENT:
Use the Facebook API to login and get an OAUTH2 code.
Exchange this code for an access token.
Request an access token from my API, including the Facebook token as a parameter
On the API
Receive access token request.
Make a request to the /me Facebook graph using the facebook access token
Verify that the Facebook user exists and match to a user in my database
Create my own access token, save it and return it to the client to be used from this point forward
This is my implementation using JWTs (JSON Web Tokens), basically similar to Chris' updated answer. I have used Facebook JS SDK and JWT.
Here's my implementation.
Client: Use Facebook JS SDK to log in and get the access token.
Client: Request JWT from my API by calling /verify-access-token endpoint.
MyAPI: Receives access token, verify it by calling /me endpoint of Facebook API.
MyAPI: If access token is valid, finds the user from database, logs in the user if exist. Create a JWT with required fields as payload, set an expiry, sign with the secret key and send back to the client.
Client: Stores the JWT in local storage.
Client: Sends the token (the JWT from step 5) along with the request for the next API call.
MyAPI: validate the token with the secret key, if token is valid, exchange the token for a new one, send it back to the client along with the API response. (No external API calls for verification of the token here after) [if the token is invalid/expired request client to authenticate again and repeat from 1]
Client Replaces the stored token with the new one and use it for the next API call. Once the token expiry is met, the token expires revoking access to API.
Every token is used once.
Read more answers about security and JWT
How secure is JWT
If you can decode JWT how are they secure?
JSON Web Tokens (JWT) as user identification and authentication tokens
I am trying to answer the same question and have been going through a lot of reading recently...
I won't have "the" answer but things are getting a little clearer for me. Have you read the comments in the article you mentioned? I found them really interesting and helpful.
As a result, and in the light of how things have evolved since the first article has been written, here's what I think I'll do:
HTTPS everywhere — this allows you to forget about HMAC, signing, nonce, ...
Use OAuth2:
When authentication requests come from my own apps/website, use this 'trick' (or a variation of it) described in a reply to the article mentioned before.
In my case, I have two types of users: those with classic login/password credentials and those who have signed up with Facebook Connect.
So I'd provide a regular login form with a "Login with Facebook" button. If the user logs in with his "classic" credentials, I'd just send these to my OAuth2 endpoint with a grant_type=password.
If he chooses to log in via Facebook, I think that would be a two-steps process:
First, use Facebook iOS SDK to open an FBSession
When that's done and the app is given back control, there should be a way to get a Facebook ID for that user. I'd send this ID alone to my OAuth2 endpoint with an extension grant understood by my server as "using an FB User ID".
Please note that I am still heavily researching on all this stuff, so that might not be a perfect answer... maybe not even a correct one! But I think that would make for a good starting point.
The idea of using an "extension grant" for the Facebook authentication might involve having to register it to do things properly? I'm not quite sure.
Anyway, I hope I was able to help you even a bit, and that at least it can start a discussion to find the best solution to this problem :)
Update
The Facebook login is not a solution as pointed in the comments: anybody could send an arbitrary user ID and log in as this user on the API.
What about doing it like this:
Show a login form with a "Facebook login" button
If this login method is chosen, act kinda like the Facebook SDK: open a web page from your authentication server, which will initiate the Facebook login.
Once the user has logged in, Facebook will use your redirect URL to confirm; make that URL point to another endpoint of your authentication server (possibly with an extra parameter indicating the call came from an app?)
When the authentication endpoint is hit, the authentication can securely identify the user, retain its FB User ID/FB Session and return an access token to your app using a custom URL scheme, just like the Facebook SDK would do
Looks better?
Is it possible to get users extendest tokens via js api?
If it isn't what about getting multiple users token with single query?
I get tokens like this;
https://graph.facebook.com/oauth/access_token?client_id=xxx&client_secret=xxx&grant_type=fb_exchange_token&fb_exchange_token=".$u[token]
You can't issue an ajax request to that url since ajax requests are limited to your domain (cross-domain security policy), but you might be able to use the facebook javascript sdk, though I'm not sure it will work.
Something like:
FB.api("oauth/access_token", "get", {
client_id: xxx,
client_secret: xxx,
grant_type: "fb_exchange_token",
fb_exchange_token: currentToken
}, function(response) {
console.log(response);
});
Even if this works, it's not something that you should use since you have to include the app secret with the request, and since you want to do so from the client side it means that the app secret won't really be a secret no more.
Also, what's the point of doing that? As long as the user is interacting with your app, you can simply use what it states in Handling Invalid and Expired Access Tokens:
Desktop Web and Mobile Web apps which implement authentication with
the Javascript SDK
Calling FB.getLoginStatus() or ensuring status: true is set when you
call FB.init() means that the next time a user lands on your
application and is signed into Facebook, the authResponse object you
are passed as a result of those calls will contain a fresh, valid
access token.
In this case, its simply the act of the user using your application
which implicitly generates a new access token.
As for your other question, the facebook api has what's called Batch Requests, which let you make a few api queries in one request, but I'm not sure that it work for the relative path "oauth/access_token", but you are welcome to try it.