I am making an api that accepts social logins from a few services, namely Google.
So far, the mobile app allows the user to log in to google with the OAuth2 flow, and obtains a JWT token. The first time I was able to get the profile info from the token (first name, family name, profile pic, etc...). Now, I doesn't contain all of the fields I need.
I remember reading somewhere that google will only send all the fields from time to time...
Since I'm in testing, I tend to wipe the user database often and would like to be able to count on the google JWT to re-create the account.
I'd rather use the token than hitting the userInfo API. Especially since the JWT is technically secure.
So, is there any sure way to get all of the user profile info in the id_token from the google API?
Check the 'scopes' that you define when logging in with Google. Each scope has a type of data that it returns back to the user. Be sure that you're using scope: 'profile'" when initializing the Google login. If additional scopes are necessary, use add them to the request as shown in the link below.
https://developers.google.com/identity/sign-in/web/incremental-auth
I was using an older endpoint, changed to https://accounts.google.com/o/oauth2/v2/auth and everything is ok!
Related
My current application access one of the Google APIs using "3-legs" OAuth 2.0. User authorizes the app on Google consent screen, then the app requests API on behalf of the user and shows him some fancy data loaded from API. Everyday my application loads and transforms data from this API, so when the user comes next time, he sees the most relevant and actual data.
Everything works fine on the start, but as time goes, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, that I refer as "token lifetime". After some amount of time, the access token expires, and when user comes back to the app, our app obliged to send him to consent screen again. Moreover, all the time while access token has been in expired state, my app cannot load relevant data for user.
How can I solve this problem? How to continue lifetime of access/refresh tokens? Would Service account help? Would Service account work for Google Search Console API for every user, or should the user be a G Suite user inside my domain or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user-consent, you do not need to prompt the user for consent repeatedly.
[a] If your usecase is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign In library or see this documentation for client-side apps.
[b] If your usecase is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
My IdentityServer application is configured to use Google login. I am using OIDC. This question is about external claims.
At login time, my application has access to all of the claims Google sends back from the auth request. I can access them in my custom implementation of UserServiceBase in the method AuthenticateExternalAsync (via the context). I can even add them to the AuthenticateResult object so when GetProfileDataAsync gets executed after the user has accepted the consent, I can access them via the ProfileDataRequestContext.Subject.Claims list. But this is the last point they will be in memory.
If I do not save these claims in a database, how can I access them once the login process is over? I want to keep my id_token simple so I do not put claims (other than sub) in the token. So I need to call the /userinfo end point to get the claims, but by this point they are no longer in memory.
What is the cleanest way of getting these claims back? To be clear, I want to get the claims from Google when the user calls /userinfo and translate them to the claims naming convention of my application. (I do not want to store them in the id_token at login time if possible... as per OIDC spec)
Note: This question is similar to mine, but that does not address how to do it using IdentityServer3.
Yes, you will need some persistence mechanism for the claims from the external provider. You should already have this, as the subject claim that you are issuing from IdentityServer should be unique to your token service (and not the unique id google gives you).
We have a webapp that integrates with a number of Google APIs (calendars, contacts, drive). We have an integrations panel where the user can selectively check on each integration. When a new integration is enabled we save the new refresh token Google returns and flag the old one as inactive. Great so far.
The problem is when we request a new scope (incremental), Google seems to correctly add the scope to the User (if we check granted scopes from the frontend it shows the correct list), but if we check scopes from the access token it will only list profile and whatever we just requested.
So if someone enables Calendar, that refresh token will have 'profile' and 'calendar', but if they then enable Drive, the new refresh token will have only 'profile' and 'drive', not 'calendar'. This is especially problematic for our Drive worker, as it will generate a lovely slew of errors as it tries to build out a User's Drive with a valid refresh token but invalid scopes.
On the backend, I'm using the setIncludeGrantedScopes(true) method before I cash in the code, and as far as I know the front end is doing what it should (it does seem to have the expected scopes), but the refresh token is not inclusive.
Tips/tricks/gotchas/etc?
So, it turns out that this was a fairly simple solution, but was documented in only one place: when the front-end requests an additional scope, it must also send up all current scopes.
Failing to do this will cause the returned refresh token to represent only the scopes included in the grant request, while the app will incrementally gain scopes as expected.
I would like to access my own facebook news feeds using spring social facebook. I have registered my app and i could able to get app key and secret key. How to generate facebook access token for given app key and secret key using spring social facebook(programmatically)?
Now i'm using the link https://developers.facebook.com/tools/explorer generate the temporary access token which is valid only for 60 minutes.
How to generate the access token in my java application itself without having any login page redirecting to facebook redirecting back, etc.
If you're wanting to use the token to access user-owned resources at Facebook (e.g., the user's timeline, friends, etc) there's no way to get a token without involving the user. That's on purpose so that you aren't allowed to fetch data or write data to Facebook without getting the user's permission to do so.
But if that's what you want, then you must redirect the user to Facebook and back. This is OAuth 2's authorization code grant. Spring Social's ConnectController can help you with this.
You might be able to do it via the JS API, but it's been awhile since I've done it that way and I know a few things have changed at Facebook in that regard. And it probably relies on OAuth 2 Implicit Grant (which involves a redirect).
There is another way to obtain an access token without redirecting: Via OAuth 2's client credentials grant. But I don't think that's what you want. Such a token can only be used to work with non-user resources (such as Facebook's Insights API). But if that's what you want, then you can use OAuth2Template's authenticateClient() method.
Again, to be perfectly clear, it is very much by design that you can't obtain a user access token without involving the user. And with Facebook, that will require redirects.