I'm using OAuth2. Since it's a two step verification, shouldn't it give me an error when I try to make the following request? I haven't specified the client secret, but it still is sending back an access token that works to use.
http://localhost/oauth/authorize/?response_type=token&client_id=myclientid&redirect_uri=http%3A%2F%2Flocalhost%2Fmyredirecturi.php
I understand that I first need to ask for a request token, and then trade that in for an access token, but every time I make this request I get back an access token that works..? Although, I get an error message if I specify the wrong client id.
Looks like I forgot to disable the allowed implicit grant type. :) Works now.
Related
I'm very new to auth0 and authenticating and facing a problem for two days with authenticating a user to our api. How i understand to get an access token is:
A user click on a sign in button on our app.
The user will be redirected to the auth0 hosted login screen.
When the user has correctly signed in on any social platform or registered account then the user will be redirected to my call back URL.
When the user is on the callback url then the user will receive an access token.
Please correct me if im wrong. Now i left out with a few questions.
Im using laravel with auth0 and used the example files of the page: Auth0 Laravel quicktart. So the login is working but when i vardump the user, i get all the user's info but my accessToken is null.
But when i save the accessToken in a session on the callback url, the accessToken look like this: tha63vkb0nnbr6vc. Isnt the length way too short for an access token? I don't understand why i get null when i dump the user but on a callback url it show a short length of string.
Maybe i got it totally wrong and this isnt the access token to use it for my api. On the other note, when i try to receive a token with postman i get an error: "error_description": "Invalid authorization code". my postman look like this: Screenshot of my postman. The code value ive sent is Crk_ri8mKcKX7IcX (the red bordered string in the image).
The value is the code parameter i took from the redirect url. And my redirect url look like this: example.com/public/callback?code=Crk_ri8mKcKX7IcX&state=5-ym0uFBxpiiBqcK_ivb2QIYxsIzAEMX#. Is this the right way to do it? i did exactly how it was indicated in the Auth0 Authorization Code API] at the auth0 athorization token api but it still doesnt work.
Maybe i get this error because the user already authorized so i cant do it twice but if so, why is my access token so short and it doenst work?
I'm very new to this so please excuse me if i got it all wrong. Also my post is maybe to long to put my codes in here but my codes is exactly the same as the aformentoined Auth0 Laravel quicktart example
I would really appreciate it if someone can help me ive been struggling for 2 days now.
Thanks alot for taking your time and reading my post!!
I have a webservice with the name http://mywebsite.com/myapp/findname. The parameters it take is name. When i provide the name the return result will be the actual details of that person.
I have a worry about security in this instance. What happens if someone gets the Webservice URL (This can be got easily, by going though a web pages source). Anyone will be able to pass some data and retrieve information using my webservice.
So how am i able to avoid this ?
For security purpose u will ask a valid usertakon(which can be generated at the time of signup with random number), when u receive usertakon(as parameter) then first match this usertoken with your Database for verification that the user is valid or not, if user is valid then u give response otherwise restrict it at first level.
Basically,
U can resolve this problem by the following step.
First there is a login API . In that api you need to provide the some token in the response.
and change it if user request for again login.
Than u can request for token in each request . if token is valid allow him to access the API response. if the token is invalid show the invalid request
I'm integrating FOSOAuthServerBundle to handle login from a mobile app to a Symfony2 backoffice. I've followed the instructions of this answer, but as I've never used OAuth2 before I'm a bit lost sometimes.
I tried logging in using the 'password' grant_type but for some reason it won't work unless I specify the client_secret as a GET parameter. Am I actually supposed to ?
Here's what my request looks like:
http://myserv.local/app_dev.php/oauth/v2/token
?client_id=1_4up4x3hpaask4g0sok0so8sg00gk48c44cc0wkwwsg8048wcog
&grant_type=password
&username=test#test.com
&password=somepassword
It returns this response unless the client_secret parameter is added:
{"error":"invalid_client","error_description":"The client credentials are invalid"}
Yes, you are supposed to include the client secret. Once you make this request, you will get an access_token that can be used with each each future request so that you don't need to use the credentials or client info again until the access_token expires. And when the token expires, even then you won't need to use the user credentials again, you can use the refresh_token, along with the client id and secret to get a new access_token. So your initial request should look like this:
http://localhost/oauth/v2/token?client_id=[CLIENT_ID]&client_secret=[SECRET]&grant_type=password&username=[USERNAME]&password=[PASSWORD]
and in the response, you would get the access_token, which can be used like this:
http://localhost/api/users?access_token=[ACCESS_TOKEN]
hopefully this clarifies a little more for you.
When you create a new client with the only allowed grant type "password", that shouldn't be a security issue that the client secret is public and no one will be able to use it with client_credential grant.
My app is simple, it connects to the Google+ API to authenticate the user, and if successful, it retrieves the user's email and then performs a series of operations on a given database based on the email retrieved.
My main issue is that every hour, my access token expires, and I seem not to know how to "refresh" it. I get the following error, which I imagine is expected:
The OAuth 2.0 access token has expired, and a refresh token is not available.
I am currently storing the access token on a database, and I can therefore retrieve if needed. My only question is how do I use that token to gain a new one?
Whoa, it took me significantly longer to figure this out, and the answers out there seemed quite incomplete to me.
Before we start please keep in mind that this answer assumes you are using the latest Google API PHP Library, as of May 26th of 2014.
1 - Make sure the access type your app requests is offline. A refresh_token is not provided otherwise. From Google: This field is only present if access_type=offline is included in the authorization code request.
$gClient->setAccessType('offline');
2 - Upon the first authorization, persist the provided refresh_token for further access. This can be done via cookies, database, etc. I chose to store in on a database:
$tokens = json_decode($gClient->getAccessToken()); /* Get a JSON object */
setRefreshToken($con, $tokens->refresh_token /* Retrieve form JSON object */);
3 - Check if the AccessToken has expired, and request a refreshed token from Google if such is the case.
if ($gClient->isAccessTokenExpired()) {
$refreshToken = getRefreshToken($con, $email);
$gClient->refreshToken($refreshToken);
}
Where getRefreshToken is retrieving the previously stored refresh_token from our database, and then we pass that value to the Client's refreshToken method.
Quick Note: It's key to remember that if you had previously authorized your app, you probably won't see a refresh_token on the response, since it is only provided the first time we call authenticate. Therefore, you can either go to https://www.google.com/settings/security and Revoke Access to your app or you can add the following line when creating the Client object:
$gClient->setApprovalPrompt('force');
From Google: If the value is force, then the user sees a consent page even if they previously gave consent to your application for a given set of scopes. Which in turn ensures that a refresh_token is provided on each authorization.
Full Sample Here: http://pastebin.com/jA9sBNTk
I want to register users to my webinars after they submit a form in my site, this is common practice but I'm having problems authenticating my application.
The problem is that according to the documentation Citrix doesn't support username-password authentication flow (where you put your user and pass in a request and you get a token):
https://developer.citrixonline.com/content/username-password-flow
Instead users need to be directed to a login page to complete their Citrix account credentials, supposedly this can be done by me just once and then save the token, however I couldn't find a method to do it safely, I tried once to save the token and just the next day it was expired. So how can I make sure I get a fresh access token without
I'm using this PHP library which is supposed to simplify the login process (maybe there is some clue in it):
https://github.com/jakir-hayder/Citrix-GoToWebinar-PHP-Library
First, read this primer on OAuth workflow to ensure you have the terms and concepts down pat. (You can ignore the fact that the example is for SalesForce -- OAuth is all the same.)
Then, you should understand that you're looking for the Citrix Token Request Endpoint, which they happen to call "Direct Login".
That should let you pass the username/password to get the token to use in subsequent requests. That what you need?
I would use Fiddler or Wireshark to collect the API calls that are made to the Citrix API when you log in. Then add some code in your applicaiton to send the same requests, parse the response that has the access token, and dynamically use that token however you've already got it set up in your application.