I enabled Google Login option in website from where I get UserInfo and Email. I am using Google APIs Client Library for PHP.
I set redirect URL to
$client->setRedirectUri('http://login.example.com/authenticate/redirect_back');
and same in Google Developers Console. So after successful user login Google redirect back to
http://login.example.com/authenticate/redirect_back?code=4/gdtpUtOQ3ThblOTVnhEOtoeoeNRa.AqLKJLKDJxy_bnfDxpKmSx6cjgI
now my question is "What if somebody intentionally create code=4/xzzzz?" because Google openly showing where it is going to redirect (see in screenshot link | sorry i cannot post with < 10 reputation).
Google Auth Screenshot
I tried myself with dummy value and it get authenticated. But throws fatal error with invalid_grant when getting UserInfo. Is there a way to validate code value just after Google redirect back?
I guess you do not need to secure the Google Redirect URL.
Because the flow of authentication clearly says that,
once user grants the basic permission to access their data, user is redirected back to your website with Authentication code. The code is used to obtain Access Token, using Access Token the application can access current user data from Google, which could be used to register and login the user.
So in case a user tries to hit the callback URL with any arbitrary code, Google will not be able to authenticate the user and provide you with an User Info and email . Hence, you will not be able to register/login the user.
Related
Good morning all,
I must create a site in PHP where we enter the url of the facebook profile, and then it must retrieve some information from the profile:
The profile picture
The name
If the profile and verify
I wish I could do it without this connection.
What to give me a clue?
(I succeeded with tiktok, instagram, etc.) but with facebook it's been a while that I'm looking for the solution
This is not possible for 2 reasons:
Scraping is not allowed on Facebook, you must use the API for accessing any data
Any user data is unavailable with the API, unless the user authorizes your App to access his data
The correct way to implement verification is to implement login with the Graph API and let the user authorize your App. Btw, this still does not mean you can verify his profile url, because you will not get the real URL, not even with authorization.
I'm testing proof of concept using php, no frameworks. I want to use Onelogin with the OpenID connect flow to confirm the identity of an existing user (already setup on Onelogin) with Onelogin and then get redirected to my login page to finish the process. I cannot find similar issues answered so here i am.
Using https://developers.onelogin.com/openid-connect/api/authorization-code
i've set up the first api call with the OpenId Connect (OIDC) -> SSO -> Application Type set to Web and Token endpoint set to POST.
With this i am able to go through the flow once successfully back to my test system login. But this doesn't pass back any user identifiable information so i cannot confirm the user on our db system.
As far as I can tell in all examples here i am logging into Onelogin and using the MFA okay. I have Google Auth on my phone. All looks good. I can then confirm i am logged into Onelogin under my test user.
The test user has no Privileges as my end user will be only using Onelogin to confirm identity on my final system.
So i guess this is fine if someone does not care about confirming the user on the initiating system. But i do need that so unless i missed something i can't use that way (Web).
Also i seem to be able to login and get redirected back to my test system login once using this but then if i try again soon after i get UnauthorizedError. Which makes me think of logging the user out of Onelogin first but no, logging user out between has no effect.
So then i tried setting Application Type set to Native hoping that we get redirected back to my redirect URL i've set in the App but I then keep getting UnauthorizedError after MFA and i can't seem to get past this bit even after checking over the Roles, Policies and App settings.
I've tried Token Endpoint to all the options but i still get UnauthorizedError after MFA or I get logged into Onelogin but I don't get redirected to my test login url set in the App settings.
Now at a loss and need help.
edited to add- the user has been added to the app which i can confirm via the app and the user. Also i can see that within the Activity for my user i can see it says 'logged into Openid Connect (OIDC)'. So it seems like i am getting logged in but i am still getting an UnauthorizedError 401.
Authentication is performed first, then authorization. So if you are authenticating to Onelogin OK, and are recieving an "Unauthorized" error, then all things being equal the OIDC app you have configured in Onelogin does not have you user assigned to it, either directly or through a Onelogin role.
So, check your app. Go to the Access tab. See who the app is assigned to. Confirm your test user is assigned to that role. Or go to the Users tab and check there whether your user is assigned.
The comment from #nial_atlasidentity is correct. The most likely answer here is that your user is not assigned to your OIDC app.
Once you have the user assigned you will be able to complete the second part of the Auth Code Flow and gain the user information from the id_token that is returned. You can also use the access_token that is returned to get user details from the User Info Endpoint.
If you want to test the flow and inspect the content of the tokens returned I recommend using the OIDC Inspector tool.
I'm making a script that gets my latest played song from Spotify. I seem to need authentication. I've registerd my app and am making a curl to Spotify
https://accounts.spotify.com/authorize?client_id=MYCLIENTID&response_type=code&scope=playlist-read-private&show_dialog=true&redirect_uri=http%3A%2F%2Fwww.stevenliemberg.nl%2Fspotify%2F%3Faction%3DrequestAcces
I do get a login screen, but when I try to login with Facebook I get a generic text saying 'the developer has done something wrong' that ends up in a recursive loop. Once you click ok, the error comes back.
When I try to login via the form with my userID (I can't use email addresses to log on, as I get an error on typing #) it says something's "gone wrong".
The return uri is registered to my app. Does anyone have an idea what's going on? Is it my account or my code?
I'm not sure why you are curling the authorize endpoint, it's meant for your application to direct your users there.
I assume that your web server on http://www.stevenliemberg.nl has an endpoint at /spotify/, handling the query parameter action=requestAcces. (typo?) I also assume that this exact redirect URI is registered for your client ID in https://developer.spotify.com/my-applications/. It's of course important that you don't direct them back at the authorization URL after this, as that would create a redirection loop.
It's correct that if you don't use Facebook to log in, you only provide a username. If you originally registered through Facebook, I believe you can find your username by going to https://www.spotify.com/us/account/overview/.
I am always reading about Facebook and Twitter logins for someones website.
The integration using one of theses services is okay, but my questions is how can I access both API´s for one user.
Example:
User is logged in on my website (active session). Now he somehow has to grant me access to his user details etc. on facebook AND twitter. How do I realize that? I don´t want him/her to type in his facebook or twitter credentials everytime he logs in to get his access token (oAuth).
How do I get my own oAuth user access token after using my websites login, so I can interact with Facebook and Twitter´s API.
Is this correct?
Thank you very much, if you can help me.
Facebook
When someone logs into the Facebook account, they stay logged in until they actively log out.
The way to test for this is:
FB.getLoginStatus(function(response){
if response.status === 'connected'{
// The user is logged in
var access_token = response.authResponse.accessToken;
// Do whatever you need to do
} else {
// Get the user to log in
}
});
See here for more details:
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
Twitter
The process is a little more complex for Twitter, but if you only want to display tweets, consider Web Intents.
Otherwise, follow these steps:
https://dev.twitter.com/docs/auth/3-legged-authorization
Both platforms have the ability to check whether or not the user is logged in first, so you shouldn't have to worry about someone having to log in every time they use your site. However, you cannot use the same oAuth token on both sites - you must get a separate one for each.
Each individual API will need a popup to authenticate, which will redirect to the appropriate api for authorisation, and then once you have the token after the authorisation redirects back to your popup.
You will then end up with a token that you can pass back to the calling page "window.opener" and store the token for that api in a Javascript variable by alling a Javascript funcation on the main page.
window.opener.getInstagramData("self", oauth_token);
Each authentication needs to have its own token and needs to be a button that the user should click on.
I am using this method to get Facebook, Twitter, LinkedIn Foursquare and GooglePlus account info.
Hope this helps.
I am using the oauth method in order to allow a user to sign into my website with Twitter and Facebook. I also plan to add Yahoo! and Google as well such as Stack Overflow does. Once the user logs in with Twitter successfully they have the option of logging out.
I want to make it to where when the 'Log out' button or link is selected, the user is logged out of my site AND TWITTER. I need it to log out of Twitter also in the case that the user is accessing my website and not Twitters. How do I do this?
Demo and example at: develop.f12media.com
The user clicks on 'Login' at the top of the page to log in with their Twitter account.
Redirecting the user to http://twitter.com/logout will probably work.
But don't do it. OAuth isn't meant to behave that way. Just log the user out of YOUR site.
Logging in to your site via OAuth doesn't necessarily log them in at Twitter, so logging out via your site shouldn't log them out either.
In Facebook it can be done easily because facebook provides logout.php and it takes next=sendBackURL as param.
so when user clicks on Logout button of your application, we can just invoke above logout URL, which will log out the user and smart facebook URL next=sendBackURL will send to your application login page.
But the above seems difficult in twitter, but I think if I do the same, then user will be on Twitter site but he will be logged out of both ur application and twitter.
so it can be by sending authorize?force_login=true, it will be called or will get redirection just after your application logs out user from your site, and user will be directed to Twitter again, I have tested it logs out user from twitter, although it will ask twitter credentials again, but no issue, user can just ignore that.
If Twitter can also provide some logout url, which takes next URL, it will be easy.
Whether or not the user is authenticated on the Twitter site is between the user and the Twitter site. You don't have access or control to that. You only have control over your auth token for that user on your site. You could expire the user's auth token when they log out of your site, but that only affects their Twitter authentication through your site. All that would accomplish is making it so they have to authenticate with Twitter again the next time they log into your site.
I think you're trying to accomplish something you don't need to here. This is the expected flow of OAuth and you shouldn't be worrying about logging the person out of a 3rd party site.