I'm making a script that gets my latest played song from Spotify. I seem to need authentication. I've registerd my app and am making a curl to Spotify
https://accounts.spotify.com/authorize?client_id=MYCLIENTID&response_type=code&scope=playlist-read-private&show_dialog=true&redirect_uri=http%3A%2F%2Fwww.stevenliemberg.nl%2Fspotify%2F%3Faction%3DrequestAcces
I do get a login screen, but when I try to login with Facebook I get a generic text saying 'the developer has done something wrong' that ends up in a recursive loop. Once you click ok, the error comes back.
When I try to login via the form with my userID (I can't use email addresses to log on, as I get an error on typing #) it says something's "gone wrong".
The return uri is registered to my app. Does anyone have an idea what's going on? Is it my account or my code?
I'm not sure why you are curling the authorize endpoint, it's meant for your application to direct your users there.
I assume that your web server on http://www.stevenliemberg.nl has an endpoint at /spotify/, handling the query parameter action=requestAcces. (typo?) I also assume that this exact redirect URI is registered for your client ID in https://developer.spotify.com/my-applications/. It's of course important that you don't direct them back at the authorization URL after this, as that would create a redirection loop.
It's correct that if you don't use Facebook to log in, you only provide a username. If you originally registered through Facebook, I believe you can find your username by going to https://www.spotify.com/us/account/overview/.
Related
I'm testing proof of concept using php, no frameworks. I want to use Onelogin with the OpenID connect flow to confirm the identity of an existing user (already setup on Onelogin) with Onelogin and then get redirected to my login page to finish the process. I cannot find similar issues answered so here i am.
Using https://developers.onelogin.com/openid-connect/api/authorization-code
i've set up the first api call with the OpenId Connect (OIDC) -> SSO -> Application Type set to Web and Token endpoint set to POST.
With this i am able to go through the flow once successfully back to my test system login. But this doesn't pass back any user identifiable information so i cannot confirm the user on our db system.
As far as I can tell in all examples here i am logging into Onelogin and using the MFA okay. I have Google Auth on my phone. All looks good. I can then confirm i am logged into Onelogin under my test user.
The test user has no Privileges as my end user will be only using Onelogin to confirm identity on my final system.
So i guess this is fine if someone does not care about confirming the user on the initiating system. But i do need that so unless i missed something i can't use that way (Web).
Also i seem to be able to login and get redirected back to my test system login once using this but then if i try again soon after i get UnauthorizedError. Which makes me think of logging the user out of Onelogin first but no, logging user out between has no effect.
So then i tried setting Application Type set to Native hoping that we get redirected back to my redirect URL i've set in the App but I then keep getting UnauthorizedError after MFA and i can't seem to get past this bit even after checking over the Roles, Policies and App settings.
I've tried Token Endpoint to all the options but i still get UnauthorizedError after MFA or I get logged into Onelogin but I don't get redirected to my test login url set in the App settings.
Now at a loss and need help.
edited to add- the user has been added to the app which i can confirm via the app and the user. Also i can see that within the Activity for my user i can see it says 'logged into Openid Connect (OIDC)'. So it seems like i am getting logged in but i am still getting an UnauthorizedError 401.
Authentication is performed first, then authorization. So if you are authenticating to Onelogin OK, and are recieving an "Unauthorized" error, then all things being equal the OIDC app you have configured in Onelogin does not have you user assigned to it, either directly or through a Onelogin role.
So, check your app. Go to the Access tab. See who the app is assigned to. Confirm your test user is assigned to that role. Or go to the Users tab and check there whether your user is assigned.
The comment from #nial_atlasidentity is correct. The most likely answer here is that your user is not assigned to your OIDC app.
Once you have the user assigned you will be able to complete the second part of the Auth Code Flow and gain the user information from the id_token that is returned. You can also use the access_token that is returned to get user details from the User Info Endpoint.
If you want to test the flow and inspect the content of the tokens returned I recommend using the OIDC Inspector tool.
I'm working on an application that is loaded inside iframe within other web page. When user launches application I got request to my app like this one:
www.mypage.com/?user=1234
Then my app redirects user to
https://login.host.com/oauth2?response=code&client_id=my_app_id&scope=&
redirect_url=www.mypage.com/?index/loadApp
Given user id is used to check if there is already token in DB, if not - received code is used to receive new access token.
Question is following:
How do I prevent calls that aren't going from i-frame on www.host.com? Request "www.mypage.com/?user=1234" can be seen in firebug console, so, if someone manually enters this url in browser, he can launch app for random user. Whats more, if there will be found such token in DB, person will see this random user data!
I use request signing for all my requests. But I dont know what to do with this first request (www.mypage.com/?user=1234).
Whats is the best practice in such cases?
Thanks!
Your problem is, in essence, that your site isn't using any authentication for that first request! You need to come up with some scheme for the other web page to sign the request, and verify that signature before performing the redirect.
(Additionally, make sure that the URL that's being redirected to performs appropriate authentication as well...)
I enabled Google Login option in website from where I get UserInfo and Email. I am using Google APIs Client Library for PHP.
I set redirect URL to
$client->setRedirectUri('http://login.example.com/authenticate/redirect_back');
and same in Google Developers Console. So after successful user login Google redirect back to
http://login.example.com/authenticate/redirect_back?code=4/gdtpUtOQ3ThblOTVnhEOtoeoeNRa.AqLKJLKDJxy_bnfDxpKmSx6cjgI
now my question is "What if somebody intentionally create code=4/xzzzz?" because Google openly showing where it is going to redirect (see in screenshot link | sorry i cannot post with < 10 reputation).
Google Auth Screenshot
I tried myself with dummy value and it get authenticated. But throws fatal error with invalid_grant when getting UserInfo. Is there a way to validate code value just after Google redirect back?
I guess you do not need to secure the Google Redirect URL.
Because the flow of authentication clearly says that,
once user grants the basic permission to access their data, user is redirected back to your website with Authentication code. The code is used to obtain Access Token, using Access Token the application can access current user data from Google, which could be used to register and login the user.
So in case a user tries to hit the callback URL with any arbitrary code, Google will not be able to authenticate the user and provide you with an User Info and email . Hence, you will not be able to register/login the user.
So I am trying to let my customers login in with Twitter, and just twitter.
Twitter says "You should never store a password for your users again", but how am I going to reauthenticate my users with twitters API?
If I resend the user to twitter after they have deleted their session, twitter asks the user again if they want to give acces to my application.
Is it at all possible to have seamless intergration with twitter accounts without ever storing local user data?
EDIT
It seems that the question is not extremely clear. What I have experienced using for example http://forum.jquery.com/. They use OpenID. I click "Login with google". I get redirected to google. Google remebers I gave acces to Zoho once and instantly sends me back to forums.jquery.com, this time with an access_token for zoho to authenticate me with. I have no persistent data with Zoho. Yet they can log me in.
What twitter with OAuth does is the following. A user comes to my site, they click "Login with twitter" and get redirected to twitter.
Twitter asks them again whether they want to give the application access to their data. Instead of the immediate redirect google does.
Is it possible for twitter to immediatly redirect the user to me. Is there a setting for me I am overlooking.
Send users to https://api.twitter.com/oauth/authenticate instead of https://api.twitter.com/oauth/authorize. If the user is already signed into Twitter and has previously authenticated with your app they will be redirected without seeing an allow/deny prompt.
What you store from Twitter are the user's TOKEN and user's SECRET. Those values are issued by Twitter (or any oauth provider) when you are in the process of oauth authentication.
You can get the idea using this library in PHP:
https://github.com/abraham/twitteroauth
Or this one in Ruby:
https://github.com/jnunemaker/twitter
The process is quite straightforward once you tried with any real example. It is not difficult at all.
There are also some nice screencasts here:
http://railscasts.com/episodes/241-simple-omniauth
http://railscasts.com/episodes/235-omniauth-part-1
http://railscasts.com/episodes/236-omniauth-part-2
Have you actually read the API?
Read the getting started page, you don't store passwords you store access tokens for the user. And if you want people to log in and register your going to have to store some data ;-)
I had this problem exactly and solved it using setAuthorizedUrl method - for more details see here http://www.evilprofessor.co.uk/359-sign-in-with-twitter-using-zend-framework/
This tutorials might Helpful for you.
Twitter API connect using oAuth
Cristian comment is what I was looking for.
You have to save those values in any persistent storage, if not, your users will always need to go Twitter again.
Shame that twitter doesn't recognize that the users have already allowed my app and redirects automatically
I need to login with my account with php curl in a website that uses facebook connect to login.
I'll take as example site one of my favourite apps: Mousehunt
As you can see, it uses facebook (of course) to login: if you are already connected to facebook, it succeeds in automatic login, otherwise it popups facebook login.
How i can login into it with php curl? I know some about curl & cookie (cookiejar, cookiefile, post etc) but not too much.
Which is the target url to post data? How can i return to that site as user logged in?
Let me explain how this sort of FB login works. There is of course the alternate method used for desktop applications, which would make it possible, but this website doesn't use it.
So heres the deal:
The login button opens a link on facebook servers containing the api key of the website and some arbitrary information. So far so good. You could simulate that easily.
Then after accepting the privacy stuff you get redirected back to the website. You can simulate that as well.
But then comes the burden:
The location you get redirected to contains an facebook token after the hashtag (#).
The website can then read this token by Javascript and use it to query the facebook api to confirm your dientity.
The reason why this is done that way is easy:
Think about it. Everyone could fake a request in the name of the website and read your private data. But everything after the hashtag is never readable by the server the request is directed to. The web browser just does not pass it and it would be violating http standards and cause an error.
The only way to access it is by javascript. And this can only be by the website serving the request (where facebook redirects to). And the domain where facebook redirects to is locked by the application key owner.
You see javascript is an essential part of the security here.
I think it is very insecure indeed because there are many possible explits, but its very easy which is a reason why this form of login is spreading so much in comparision to e.g. openid.
So to sum it up: You need simulate a fully javascript enabled browser. It is partly possible but very complex and there are no out of the box solutions for that.
well, there might be a way.
looks like facebook request don't sign the permission scope in any way.
so this basically means you can grant the application/website more permission than they even asked for.
then you could grant the website permament permission - log in the usual way - and save the cookies.
then you can send those cookies along with curl.
if the website uses servers side login authentication, which is very likely, you will still be logged in, because the access token is permament.
however there is no guarantee for that hack to stay functional.