login to github in a scala web application - scala

I am a total noob in Scala; I am just learning. So I am writing a server in Scala and I need to log in to GitHub to access a repository. Are there any libraries that implement an OAuth consumer that I could use? I come from Ruby, where there is Warden, which I used in the past. I am looking for something like that...

There are two versions of OAuth, OAuth 1 and OAuth 2. Github uses OAuth 2. The Play Framework authors, for one, consider OAuth 2 sufficiently simple to implement yourself that they don't provide a helper for it.
However, Google says:
"Given the security implications of getting the implementation correct, we strongly encourage developers to use OAuth 2.0 libraries when interacting with Google's OAuth 2.0 endpoints"
(I know Github isn't a Google endpoint, but this security point is valid for any website protected by OAuth.) And Google provides a generic OAuth 2 client for Java, and because Java code can be called from Scala, you can use that.
However, note that certain Github API calls (I think it's ones that access public repositories) don't require any authentication.
You will, however, need to set the User-Agent header to the name of your application in each HTTP request.

Related

Is facebook using OAuth2 and if so where are the integration docs?

My client is web based with a NodeJS server.
I've recently implemented Google Sign-In for server-side apps using this flow
see https://developers.google.com/identity/sign-in/web/server-side-flow
I'm now trying to implement something similar on Facebook but when I look at the docs there is no reference to oauth2.
https://developers.facebook.com/docs/facebook-login
Should I be using Facebook connect? Where do I get my "one time code" from so that I can send it to my server?
Lots of confusion on the subject. Some direction would be most welcome.
OAuth is, by design, not a very prescriptive standard. It describes various flows for doing the authorization, and each of those is specified broadly enough to afford multiple interpretations and implementations.
Facebook's implementation is broadly similar to Google's, and supports many different flows. The Javascript SDK offers a way of doing it in the browser, whereas the more traditional server-side flow uses a series of redirects and doesn't require any Javascript. Neither Facebook flow really calls itself OAuth, though the latter refers to it implicitly.
You asked about a "one-time code". That's a part of the Authorization Code flow described in section 4.1 of the OAuth2 specification. The server-side Facebook flow described above seems to be quite close to the specification, and the documentation describes how to get this code and exchange it for an access token. You could do it using the redirects, or you could write some Javascript to hit that endpoint in an XHR and then extract the code yourself and pass it to the server.
But you could also use the Javascript SDK to do essentially the same thing. It is based around the Implicit, browser-driven flow described in section 4.2 of the specification. In that case, the client is issued a short-lived access token. However, it can send that token to the server, and the server can then exchange it for a long-lived access token, similar to the use case of the one-time code. That process is described in the Javascript SDK documentation.
All of this is to say that I wouldn't worry too much about what is or isn't "OAuth". Most of these authorization services are based on the same basic OAuth concepts, but because the specification is quite general none of them work exactly the same way. Just figure out which flow works best for your application and use that.
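The Authorization Code flow (OAuth 2 section 4.1) that this answer and the GitHub answer at the top of the page both refer to, as an added example that is not taken from either answer: the one-time code is exchanged on the server, and the callback is bound to the browser session with a random `state`. It uses GitHub's documented OAuth endpoints rather than Facebook's; client_id, redirect_uri and app name are placeholders, and a plain dict stands in for a real server-side session store.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# GitHub's OAuth 2.0 endpoints (from GitHub's documentation, not from this page).
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


def build_authorize_url(client_id, redirect_uri, scope, session):
    """Step 1: the URL the browser is redirected to. A fresh random `state`
    is stored in the user's server-side session so the callback can later be
    tied to the session that started the login."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": session["oauth_state"]}
    return AUTHORIZE_URL + "?" + urlencode(params)


def code_from_callback(callback_url, session):
    """Step 2: the provider redirects back with ?code=...&state=...
    The one-time code is accepted only if `state` matches the stored value
    (constant-time compare); this is what stops login CSRF. The stored state
    is consumed so a callback cannot be replayed against the session."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri, app_name):
    """Step 3: the server, never the browser, exchanges the code for a token,
    so the client secret stays server-side. `Accept: application/json` asks
    GitHub for a JSON body; User-Agent is the header the GitHub answer on
    this page says must be set on every request."""
    headers = {"Accept": "application/json", "User-Agent": app_name}
    body = {"client_id": client_id, "client_secret": client_secret,
            "code": code, "redirect_uri": redirect_uri}
    return TOKEN_URL, headers, body
```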

Understanding OAuth2.0 and REST API Security

In my current work, I have to develop an internal REST API engine.
I have read Roy Fielding's thesis, documented myself, and I finally got something that works great, is easy to use, has high performance, and corresponds to Fielding's REST spec.
There is only one point that I don't really know how to overcome: the security problem.
Again, I documented myself, and I wanted to use OAuth2.0 in my engine.
The problem is that I don't understand at all how to use this protocol.
I don't understand how the consumer can connect and be recognized by the server.
I don't understand if I have to provide an API key to my consumer (like Facebook, Twitter and Google do) or if a token will automatically be generated if I send a login / password to the server.
I don't know if I have to create my own OAuth2.0 server that provides keys, or if OAuth2.0 libraries are sufficient to provide security.
In fact, I don't understand OAuth2.0 at all, and I need to learn. The problem is, every piece of documentation that I try to read is like Chinese; I didn't find an easy one, step by step, that would help me with this.
That's why I post here: can you help me understand a bit more about OAuth2.0 and secured authentication for APIs?
I deliberately didn't speak about the technologies, because I want to understand OAuth2.0 before applying it technically.
Thanks for all
The main problem with OAuth (both versions) is that you'll see a lot of talk about the three-legged version. That is when you have a user, a data-providing service and a consuming service, let's say a service that will create physical copies of your Flickr photos. In this case the OAuth flow allows the user to tell Flickr that the third party can access their data. This is not the scenario you are after; you are interested in 2-legged OAuth, see here for a description.
Of course you could look at other methods too. I've used HAWK in a number of REST/Hypermedia APIs and found it to be great to use in both nodejs and .NET server stacks.
Thank you for your answer. I studied OAuth2 a bit more and tried to implement it with 3 strategies: basic, clientPassword, bearer.
I created a new thread for another problem, if you want to take part in it:
OAuth2 server creation with nodejs

Gaining an OAuth Token from a Web Flow Login on GitHub

I started to integrate GitHub3.py, and from what I have seen it appears to be an excellent library for my use.
However, I'm a little confused on how to go forward and get using the library in my Django project. So far, I have implemented a login method using the GitHub web flow API, this returns me a code which I could send to the API to return an OAuth token.
However, from reading the GitHub3.py docs, I'm not sure how this can be done.
So I'm wondering how I should go forward from here. I have read this past issue https://github.com/sigmavirus24/github3.py/issues/7 - I don't believe this applies to me since an OAuth code has already been achieved.
I'm fairly new to Python and OAuth authentication, so I would appreciate it if somebody could push me in the right direction (if the library has code for OAuth methods or if there is another way that I am not familiar with).
Thanks!
So if I understand you correctly, you have a token for a user who has granted you permission (i.e., they went through the web flow and your application has received and stored the token GitHub returns).
In this case you can do the following:
import github3
g = github3.login(token=TOKEN_RECEIVED_FROM_THE_API)
With that (and assuming you have the proper scopes on the token) you should be able to use most methods that require authentication. If you have the user scope you can use g.user() to get some extra detail about the logged in user.
If you have repos then you can also list a user's private repositories.
In short, when we wrote the library we wanted to make it easy to authenticate in a number of ways and then use the same API that you would if you had authenticated another way.

using OAuth client to access Netflix and Facebook APIs

I coded a small Java program that handles Facebook's API from server to server, it was very simple especially when getting the code parameter from Facebook (on the callback URL). I only had to use HttpClient (I used apache commons).
Now I am trying to develop a client to use Netflix API, but for some reason I need to use some OAuth client (rather than just HttpClient and overloading the parameters such as AppID and secret).
I have to say I am a bit confused and I am not sure why there is such a difference.
I must say that I am not super familiar with OAuth and maybe it is a result of the different protocol versions (1.0a and 2.0) but I would appreciate it if anyone could help me with this.
I ended up creating the signature and oauth calls by hand, using these gems:
require 'cgi'
require "base64"
require "hmac-sha1"
require 'net/http'
for details on constructing the call, see my answer here:
Generating oauth_signature for Netflix
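The OAuth 1.0a HMAC-SHA1 signing that the Netflix client needs (and that the answer above built by hand with the listed gems), as an added example that is not the answer's code, written in Python rather than Ruby. It shows both sides: the consumer signs the request, and the provider recomputes and checks the signature. The sample request reuses the parameter values from Appendix A of the OAuth Core 1.0 specification.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def oauth_encode(value):
    # RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded.
    return quote(str(value), safe="-._~")

def signature_base_string(method, base_url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded base URL & encoded normalised
    parameters (encoded, then sorted); oauth_signature and realm are never part of it."""
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items()
                   if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer secret '&' token secret (token secret is empty for 2-legged calls)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, base_url, params, consumer_secret, token_secret=""):
    """Consumer side: a copy of params with oauth_signature attached."""
    base = signature_base_string(method, base_url, params)
    return {**params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}

def verify_request(method, base_url, params, consumer_secret, token_secret=""):
    """Provider side: recompute from what was received and compare in constant time."""
    received = params.get("oauth_signature")
    if not received:
        return False  # unsigned request
    expected = hmac_sha1_signature(signature_base_string(method, base_url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), received.encode())

# Constructed request, reusing the OAuth Core 1.0 Appendix A example values.
EXAMPLE_URL = "http://photos.example.net/photos"
EXAMPLE_PARAMS = {
    "file": "vacation.jpg", "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}
```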

twitter oauth_verifier not mandatory?

Based on the question I asked here, but I wanted to get feedback from the stackoverflow community on this.
It seems from my tests using the twitter API with oauth that oauth_verifier check that should be done by the service provider (twitter) in step E of http://oauth.net/core/diagram.png is not being done by api.twitter.com; this happens whether the oauth_callback is oob or a regular callback url.
To test this on twitter is simple: just don't send the oauth_verifier parameter as part of step F for acquiring an access token.
This issue should be easy to reproduce, but if necessary I can post my test code.
The oauth_verifier was part of the solution to the session fixation threat, and was only introduced in the OAuth 1.0a specification. Because of this, the Twitter API may still not be forcing application developers to use it, to avoid breaking backwards compatibility.
Is this correct? Or am I misinterpreting the oauth specification?
Does this also happen with other APIs that should be compliant with oauth1.0a? (LinkedIn etc..)
ps - This question is somewhat related but the issue no longer applies because twitter is returning the oauth_verifier for both types of callbacks (oob and regular callbacks).
I got a reply from the official twitter discussions:
Currently the API supports both the OAuth 1.0 and OAuth 1.0a authorization flows. We strongly encourage developers not using OAuth 1.0a to update their code as soon as possible.
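The provider-side check the question says is missing in step F, as an added example that is not part of the question or of Twitter's reply: a toy in-memory provider that mints an oauth_verifier when the user authorizes a request token and refuses the access-token exchange unless that verifier comes back with the matching token. Class and method names are invented for the illustration; the 1.0 flow without a verifier is what the `not verifier` branch rejects.

```python
import hmac
import secrets


class RequestTokenStore:
    """Toy in-memory provider state for steps A to F of the OAuth 1.0a flow."""

    def __init__(self):
        self._tokens = {}

    def issue_request_token(self, consumer_key, callback):
        """Steps A/B: the consumer obtains an unauthorized request token
        bound to its consumer key and to the callback it declared ('oob' or a URL)."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"consumer": consumer_key, "callback": callback,
                               "secret": secrets.token_urlsafe(16), "verifier": None}
        return token, self._tokens[token]["secret"]

    def authorize(self, token):
        """Steps C to E: the resource owner approves; the provider mints a
        verifier and hands it to the user (via the callback, or on screen for oob)."""
        entry = self._tokens[token]
        entry["verifier"] = secrets.token_urlsafe(12)
        return entry["verifier"]

    def exchange_for_access_token(self, consumer_key, token, verifier):
        """Step F, with the 1.0a check. The request token is consumed on the first
        attempt whatever the outcome, so a wrong verifier cannot be retried."""
        entry = self._tokens.pop(token, None)
        if entry is None or entry["consumer"] != consumer_key:
            return None  # unknown token, or presented by a different consumer
        if not entry["verifier"] or not verifier:
            return None  # token never authorized, or a 1.0-style request without a verifier
        if not hmac.compare_digest(entry["verifier"].encode(), verifier.encode()):
            return None  # verifier does not belong to this request token
        return secrets.token_urlsafe(16), secrets.token_urlsafe(16)  # access token, secret
```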