We are setting up a website, where users will fill out and submit answers to a surveymonkey survey. After the user submits his survey answers, we will access that data through an API call and generate a report for the user based on that data.
Everything works perfectly, EXCEPT every time I open a new browser and access the website, it takes me to https://api.surveymonkey.net/oauth/authorize?client_id=XXXXXX&redirect_uri=http%3A%2F%2FXXXXXXXXX%2Flogin_with_surveymonkey.php&response_type=code&state=1379358300-12fd31&api_key=XXXXXXXXXX (the X's cover identifying info), where I need to "Authorize user_name to use your SurveyMonkey account" ('user_name' is the SM-developer account login name). Once I input my SM account login and password, the website works perfectly and I can successfully do as many API calls as I want without any issues. However, if I close and reopen the browser window, I need to go through that tedious authorization process again.
Is there any way to permanently grant authorization to my surveymonkey account for my app, so that I don't need to go through this process every time I open a new browser window?
Thanks!
How are you storing the access token for the SurveyMonkey user?
Once you have generated an access token via OAuth for a particular SurveyMonkey user, that token will work until it expires (if it has an expiry time in it) or until the user revokes access. Only when that happens, i.e. you receive an error saying "Client revoked access grant", you should discard the old access token and reauthorize.
The access token is what you get back when you call through to /oauth/token (with the code retrieved from /oauth/authorize).
Related
I am using: https://github.com/thephpleague/oauth2-client and https://github.com/TheNetworg/oauth2-azure to allow users to register/login using their MS accounts.
I have the first bit working: Users click the login with MS button. Request is then sent and received for auth code. Request is then sent and received for token.
I then create a new user in my application and log them in.
What should happen the second time they visit my application? Should they click the button again and somehow be logged in using the token?
If they still have an active session cookie, they probably won't need to re-authenticate. But it depends. If you need a new access token and can't use a refresh token to do so, you will need them to do the authentication again.
To re-authenticate, they will click the button and go through same flow.
The important thing that you need to do on your app's side is:
User logged in
Get the object identifier claim value from the oid claim
Check with the object id if the user exists already
If they don't, create the data for them
The oid claim will be in the ID token that you can ask for when authenticating, and you also get it when you exchange the authorization code for an access token.
Documentation on claims in ID tokens: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims#idtokens
We're building a web application that consists of a separate front and back end:
The front end is built in React. A user can log in to this front end using his Facebook credentials (using the Facebook Login SDK). After the user logs in, the front end receives the facebook_id, user_name and an access token. The user can then do inputs that can be stored in and received from the database.
The front end communicates with the back end through AJAX calls
to different routes in the back end.
The back end is built in Laravel as a REST API. When an AJAX request
is received, the right function is called to modify the database
with the request's parameters.
What is the best way to make sure that the user that logs in to Facebook is the only one that can make request on behalf of that user_id? I was thinking about adding a 'token' column to the users table in the database, then generating a random token on login and sending this to the user. But that way the user could send a fake Facebook id to the server, generating an illegal token.
Laravel already has an authentication implementation called Passport, but I'm not sure how to use this when the user is already logged in to Facebook. Maybe there is a more direct way of using the Facebook authentication in my back end, but I'm afraid that sending around the Facebook access tokens will compromise security. I have no experience with online securtiy, but I want my users to be safe.
I think the main problem lies in ensuring that every user that is logged in through Facebook will receive one user account on the back end. But it should not be possible to receive a user account if someone is not logged in. So I think the server should check in some way if the user is really logged in to Facebook and only then give out a user account and token.
I'm manually writing OAuth2 Server Flow to allow users to login using Google (and other websites, but let's focus on Google).
I have the basic flow working:
user clicks on the login link.
goes to Google and sees consent screen.
accepts.
redirected back to my website.
server takes relevant information and logs user in.
So far so good. Now I want to make sure that the server remembers the user for next time. For that I store the token along with other user data on the server.
Now, how do I check, server-to-server, if the token is still valid? I have it's expiration time, so I know it's invalid after that time passes, but what do I do then? Should I ask for a permanent (offline) token if I only want to allow login?
As a result of authorization success from Google, you should also get refresh_token. If you are not getting then do the following.
when you are redirecting to Authorization endpoint add additional parameter access_type=offline which will make sure that you will get refresh_token
Use refresh token to get additional access tokens.
Now, for validating you can hit the token validation endpoint of Google, if you are not maintaining the state. If you are maintaining the state then you can validate the expiry of token if token is only signed, if encrypted then you have to validate from Google.
You can play with different Google OAuth URLs here
more details on token validation here
I am using the facebook JS sdk to login a user. These are the steps that I follow:-
1) I use the FB.login(...) to get the details of the user.
2) Now, after receiving the details from Facebook, I send a POST request using jQuery's $.post(..) function to a php page say FBUser.php with the parameters - name,uid(Facebook User Id),email and access_token for publish_actions.
3) Now in the FBUser.php page, I do all the stuff like converting the short-lived-token to long-lived and then I check that if the uid received is present in my users table. If it is not, I create a new user, else I log in the old user. Today, I just realized that I was making such a big security compromise because anyone can send a POST request to the FBUser.php page with a uid of an existing user and get access to his account. But, on the other hand I am sure that some big websites also use the JS SDK. So obviously, I am wrong somewhere. What would be the correct procedure to log in the user securely and preventing his account getting hacked?
You should match the app and user id first, then you should check the access token, like this:
graph.facebook.com/debug_token?input_token={token-to-check}&access_token={app-token}
You can get the app token from https://developers.facebook.com/tools/accesstoken/
You can get the uid of the user using the access token that was sent to you, by using this token to access Facebook graph and query "/me".
You shouldn't relay on the uid that is sent by the client. My application only receives the access token and gets the rest of the data from a server-to-server call.
I am trying to develop a simple PHP application that would fetch files via Dropbox API.
Problem is the authorization, which user has to complete every time one tries to run the script (after the session expires).
I was wondering if there was a way of obtaining some permanent access token via which I could login the once-authorized user to my app.
The access token you receive from /oauth/access_token after the user authorizes the app is actually effectively permanent. (That is, they don't expire for a very long period of time.) So, you can store and reuse the access token for future calls for the user without having them re-process the OAuth authorization flow each time.
One thing to note though is that the user can revoke access tokens (e.g., via https://www.dropbox.com/account/applications ) so be careful to catch 401 errors. If you do get one, it means the access token is no longer valid, so you should throw it out and prompt the user to re-process the authorization flow if they want to use the integration again.