a while back I worked on a program with a friend for which I needed to use the Gmail API. I generated a client_secret JSON and a credentials JSON. Now, neither of us needs to use that program, and I'd like to make sure that I've revoked access correctly so that neither the client_secret nor credentials can be used anymore. I went to the project in console.developers.google.com. I then went to the project, reset the secret, then deleted. Are there any more steps I need to take to make sure that no one has access to my account through client_secret or credentials? Thanks!
Deleting the secret or regenerating it should be more then enough to disable the client.
However if you want to be sure you can just delete the client itself or the full project.
Related
We are using Go server side code to interact with Google Ads REST API.
Namely, we authenticate it with help of "golang.org/x/oauth2" and
"golang.org/x/oauth2"packages.
In May (and recently again) we've got a email from Google regarding deprecation
Out-of-band flow, essentially rewording of this
one.
But additionally to common information, Google email listed account, which we
are using to authenticate, as being used in OOB flow and going to be blocked.
We checked our sources and available sources of mentioned packages but was not
able to find redirect URIs which are said to be used for OOB flow as one of
those:
redirect_uri=urn:ietf:wg:oauth:2.0:oob
urn:ietf:wg:oauth:2.0:oob:auto
oob
We explicitly use http://localhost in our code and long-live refresh token
(which seems never expires).
We also tried to use tcpdump to monitor our API calls, but was not able to
learn much from it, because calls are made via https and, therefore, encrypted.
We considered to use man-in-the-middle kind of proxy like
https://www.charlesproxy.com/, but haven't tried it yet, because it become
non-free and because of complexity of setup.
We tried to log our requests to API endpoint with custom RoundTripper, but
have not spotted anything suspicious. It seems that we're using refresh token
only and exchange of code to refresh token just never happen in the code.
Because of this, we don't think that further logging or monitoring with
decrypting https packages may help (but we open to suggestions how to do it better).
Finally, we decided to create a new OAuth 2 Client in the Google console with
fresh set of client id, client secret and refresh token. We obtained a new
refresh token with oauth2l and replaced
credentials in our configuration. But still, we are not sure that new account
will not be blocked by Google due OOB deprication, because seemingly it looks
the same as old one.
Questions:
Why may Google mark our account as OOB?
How can we ensure that newly created account will not be blocked?
Same here.
I find out an answer, that says "Desktop" type of Credentials uses OOB by default. Probably you need to create new Credentials with type "Web"
Xcode won't let me login to GitHub using my email and password, and is forcing me to use an account and personal access token. Of course, I could just generate a token and log in with that. However, I’d prefer not to have to use tokens - logging in with an email and password is just so much more simple.
Is this normal behavior, and is anyone else experiencing this? Maybe there is a workaround that I'm not aware of?
This is normal behavior. GitHub is deprecating their basic auth with username/password for their API. In fact, when you access them via Xcode with an old account you get an email about it:
Basic authentication using a password to the API is deprecated and
will soon no longer work. Visit
https://developer.github.com/changes/2020-02-14-deprecating-password-auth/
for more information around suggested workarounds and removal dates.
To do this, after you generate the token (recommend the repo token), go to xcode > Preferences > Accounts > GitHub
If SSH is shown: press Enter Password and a new screen appears with a placement for your token. When you enter the token, the protocol will change to HTTPS.
That's it.
I am just starting out trying to connect Xcode to Github. I keep getting this peculiar error, saying "Failed to load owners" whenever I try to create a remote repository from within Xcode under the Source Control Manager. See the error here
If I ignore the warning, the upload then fails with this error.
I cannot seem to find anything online regarding this, and I cannot for the world notice anything being wrong with my GitHub account. The account itself is also accepted by Xcode (successfully added under the Accounts pane in Preferences).
Any help will be greatly appreciated.
In your GitHub account, when you are creating a personal access token to connect your Xcode to GitHub, you have to check off repo, write:packages, and read:packages.
Shown by the image here: https://i.stack.imgur.com/NUiiC.png
Then, you should be able to create the repo without any problems! Hope this helped.
I deleted my GitHub-Profile in the XCode Preferences and setted up again. After that it worked smoothly.
After having had a chat with a kind representative from GitHub Developer Support, it seems like it in my case had to do with my old username and password credentials that was saved on my machine. I quote:
Sometimes applications can use these old credentials, even if you
replace it with the personal access token.
Credentials for git authentication are stored in the Keychain App, and
git passes these onto GitHub when pushing changes to a Repository.
I'd suggest checking in the Keychain App for any records with the name
GitHub.
If they exist, delete those and try the push again.
Git should ask you to enter your username and password and once you
re-enter them, the correct credentials should be stored in your
Keychain app for future use.
So there you have it. This in fact solved my problem. It could also have had something to do with the personal access token that might not be set up with the proper permissions. If you have the same problem as I had you could also check out the scopes on your personal access token to verify it has access to everything you need. Step 7 on the help guide below has a screenshot of what that looks like:
https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
For anyone who's looking for another way. What happened to me is that my personal access token expired, and I needed to generate a new one in Github / setting/ developer/ access token. After I generated a new one, I logged out of Github via Xcode, Logged back in and put in my new access code and cleared the issue!
What someone could do if they have access to the application key of a laravel project?
What could be done?
Basically, they can decrypt and encrypt almost anything and your app will accept it as an input.
For example with your app key, someone can generate cookies that will log them in as any user of your app, without using any password.
If someone stole that key, best is to regenerate it as soon as possible.
However it'll render everything encrypted by your app invalid. So remember me token, cookies, and session will get invalidated and everyone will have to login again.
Also, if you use the Encrypter class in your app, remember that it'll not be able to decrypt successfully any previously encrypted thing anymore, so you'll have to migrate data by decrypting it using the old key, then re-encrypting it with the new one.
Also the most annoying part is that every password created with Hash:make will no longer be valid. But well, if the attacker has access to your APP key, he also has access to your DB credential, and so your full password database isn't safe anymore and you should force users to regenerate all of their passwords.
I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.
An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.