oauth

How do I make the AuthorizeEndpointPath work in ASP.NET Oauth 2.0 framework

∥☆過路亽.° submitted on 2021-01-27 06:45:14
Question: I currently have a website where I am trying to implement the OAuth server framework. The website is currently a combination of Web Forms (not MVC) and Web API 2. For the purposes of what I am trying to do, we cannot change the overall architecture of the system. So far, I have OAuth working via the Web API for validating clients, generating access tokens, and handling refresh tokens. The last piece I am trying to implement is the Authorize Code workflow. This will allow us to grant access to

Bad Request when using Google OAuth2.0

狂风中的少年 submitted on 2021-01-27 06:32:10
Question: I am receiving a 400 bad request when using Google OAuth from within Salesforce. The following error is in regards to invalid grant_type, but if you look at the documentation under 'Using Refresh Token' you will see that it is correct. https://developers.google.com/identity/protocols/OAuth2WebServer Error: { "error": "unsupported_grant_type", "error_description": "Invalid grant_type: " } I am attempting to exchange a refresh_token for an access token and can successfully do it using CURL,

How does one securely authenticate a React client via OAuth if everything is client-side?

隐身守侯 submitted on 2021-01-27 05:07:38
Question: I'm trying to use OAuth with a React (frontend) and Meteor (server) project. The service that I'm trying to OAuth to is not one of the popular widely supported ones (i.e. Google, Facebook), so I've been having some trouble figuring out how to go about this. Meteor has support for a secure server-sided 'settings.json' file that stores your app's api keys and secrets, which I would presumably use to authenticate the client. I just don't understand how. I found this package https://www.npmjs.com

How does one securely authenticate a React client via OAuth if everything is client-side?

馋奶兔 submitted on 2021-01-27 05:05:29
Question: I'm trying to use OAuth with a React (frontend) and Meteor (server) project. The service that I'm trying to OAuth to is not one of the popular widely supported ones (i.e. Google, Facebook), so I've been having some trouble figuring out how to go about this. Meteor has support for a secure server-sided 'settings.json' file that stores your app's api keys and secrets, which I would presumably use to authenticate the client. I just don't understand how. I found this package https://www.npmjs.com

How does one securely authenticate a React client via OAuth if everything is client-side?

送分小仙女□ submitted on 2021-01-27 05:01:49
Question: I'm trying to use OAuth with a React (frontend) and Meteor (server) project. The service that I'm trying to OAuth to is not one of the popular widely supported ones (i.e. Google, Facebook), so I've been having some trouble figuring out how to go about this. Meteor has support for a secure server-sided 'settings.json' file that stores your app's api keys and secrets, which I would presumably use to authenticate the client. I just don't understand how. I found this package https://www.npmjs.com

Gmail Add-On: Oauth not being triggered

大憨熊 submitted on 2021-01-27 04:19:32
Question: In the code below, 'Test' button triggers a function which calls an external endpoint to load data. However, nothing happens when the button is clicked and I get a 400 error in the console area saying Invalid Argument. Code.gs function buildAddOn(e) { // Create a section for that contains all user Labels. var section = CardService.newCardSection() var action = CardService.newAction() .setFunctionName("testCall"); var button = CardService.newTextButton().setText('Test').setOnClickAction

How do I retrieve user's email from Google

梦想的初衷 submitted on 2021-01-27 03:51:38
Question: I am using the Google client library in PHP. I am successfully authenticated. Missing a simple thing (I added the right scope). How do I retrieve the user's email after I finish the auth process? Below is what I have: $client = new Google_Client(); $client->setClientId(MYCLIENTID); $client->setClientSecret(MYSECRET); $client->setRedirectUri(SOMEURLINMYSYSTEM); $service = new Google_Service_Oauth2($client); $client->addScope(Google_Service_Oauth2::USERINFO_EMAIL); $client->authenticate($_GET[

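Understanding the Basic Concepts of OAuth2

生来就可爱ヽ(ⅴ<●) submitted on 2021-01-24 05:47:54
Recommended books: OAuth2 in Action (theory); OAuth2 Cookbook (practice). Problem domains OAuth2 addresses: authorization between open systems; social federated login; open API platforms; modern microservice security; single-page browser apps (HTML5/JS/stateless); wireless native apps; server-side web apps; calls between microservices and APIs; authentication and authorization for internal enterprise applications (IAM/SSO). How OAuth2 works: the simplest guide to OAuth2 explains it clearly and concisely (it is under the pdf directory at https://github.com/MissWangLove/Micro-Service ). An application asks the resource server for access to customer data. Without OAuth2, the resource server cannot tell whether the requesting application is a malicious user or some other user, and returns the data either way. With OAuth2, the authorization server issues an Access Token to the client application, the resource server validates the Access Token it receives, and returns the data only after validation succeeds. The overall flow is: the client application requests an Access Token from the authorization server ---> the authorization server asks the user whether to grant the permission to the client application ---> the user agrees ---> the authorization server generates an Access Token and issues it to the client application ---> the client application sends a request to the resource server ---> the resource server validates the client application's Access Token ---> validation succeeds and the data is returned. Three roles are involved: the client application (the party requesting the resource)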

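IdentityServer4 (6): How the Authorization Code Flow Works for SPAs

ε祈祈猫儿з submitted on 2021-01-23 11:34:58
In [One by One series] IdentityServer4 (4): Authorization Code Flow, one sentence was mentioned in passing: "For security, IdentityServer4 uses the authorization code mode with PKCE support." Let's review the authorization code flow. (A) The user visits the client, which redirects the user to the authorization server. (B) The user chooses whether to grant authorization to the client. (C) Assuming the user grants authorization, the authorization server redirects the user to the "redirection URI" the client specified in advance, attaching an authorization code. (D) The client receives the authorization code and, attaching the earlier "redirection URI", requests a token from the authorization server. This step is performed on the client's backend server and is not visible to the user. (E) The authorization server checks the authorization code and the redirection URI and, once they are confirmed correct, sends the client an access token and a refresh token. -- Excerpted from Ruan Yifeng's "Understanding OAuth 2.0"; I think he has already written this part quite clearly, and as the saying goes, "There is a scene before my eyes that I cannot put into words, for Cui Hao's poem is already inscribed above." 1. What is PKCE: PKCE stands for Proof Key for Code Exchange. The previous post covered SPAs, a kind of native client with no backend server, whose code all runs on the user's local device: an SPA running in the user's browser, Win/Mac clients, iOS/Android apps. Expecting these native clients to store a secret (client secret) securely is unrealistic, and the secret is easily cracked. Implicit Flow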

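IdentityServer4 (6): How the Authorization Code Flow Works for SPAs

杀马特。学长 韩版系。学妹 submitted on 2021-01-23 10:52:57
In [One by One series] IdentityServer4 (4): Authorization Code Flow, one sentence was mentioned in passing: "For security, IdentityServer4 uses the authorization code mode with PKCE support." Let's review the authorization code flow. (A) The user visits the client, which redirects the user to the authorization server. (B) The user chooses whether to grant authorization to the client. (C) Assuming the user grants authorization, the authorization server redirects the user to the "redirection URI" the client specified in advance, attaching an authorization code. (D) The client receives the authorization code and, attaching the earlier "redirection URI", requests a token from the authorization server. This step is performed on the client's backend server and is not visible to the user. (E) The authorization server checks the authorization code and the redirection URI and, once they are confirmed correct, sends the client an access token and a refresh token. -- Excerpted from Ruan Yifeng's "Understanding OAuth 2.0"; I think he has already written this part quite clearly, and as the saying goes, "There is a scene before my eyes that I cannot put into words, for Cui Hao's poem is already inscribed above." 1. What is PKCE: PKCE stands for Proof Key for Code Exchange. The previous post covered SPAs, a kind of native client with no backend server, whose code all runs on the user's local device: an SPA running in the user's browser, Win/Mac clients, iOS/Android apps. Expecting these native clients to store a secret (client secret) securely is unrealistic, and the secret is easily cracked. Implicit Flow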