Unwanted Stacktrace in bad credentials (400) error response by spring-security oauth2 REST server
You could write an ExceptionMapper for that specific Exception and do whatever you want with the request. The ExceptionMapper handles the Response whenever the defined exception is thrown from your endpoint methods.

    import javax.ws.rs.core.Response;
    import javax.ws.rs.ext.ExceptionMapper;
    import javax.ws.rs.ext.Provider;

    import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;

    @Provider
    public class MyExceptionMapper implements ExceptionMapper<InvalidGrantException> {
        @Override
        public Response toResponse(InvalidGrantException exception) {
            // Return a bare 400 so that no stack trace reaches the client.
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
    }

EDIT 18.11.2013: I guess you could always override the EntryPoint class (as seen in this StackOverflow Question). A customized OAuth2ExceptionRenderer (see SO: Customize SpringSecurity OAuth2 Error Output w

Categories : Java

How much dog food should one eat? - Internal and External RestAPI & Oauth2
I have been thinking about this for a while - I'm currently working to build an angular application that accesses a REST API built in node. In keeping with REST, I shouldn't be maintaining a session, and instead should be passing some user/password detail along with each request. Now obviously, a lot of APIs are happy to stick with some sort of basic authorization or api keys, thereby avoiding oauth2, but I wanted to log on with google/facebook, so a certain amount of token wrangling was going to be required. The particular flow I'm using is this - User accesses the angular application. As they are not logged in, they will be given a log in page with a choice to login with google/facebook. Assuming they click to log on with google - the link sends a request to my node server, which starts th

Categories : Django

OAuth2 Client Authentication Spring
Answering my own question: It turns out that the spring app only had 2 viable users:

    <user-service>
        <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="bob" password="bobspassword" authorities="ROLE_USER" />
    </user-service>

My tonr client was not in this user-service, so spring kept rejecting it. I just needed to add the client list to a ClientDetailsUserDetailsService:

    <beans:bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <beans:constructor-arg ref="clientDetails" />
    </beans:bean>

and then add that UserDetailsService implementation to the <authentication-manager/> bean:

    <authentication-manager

Categories : Spring

Spring Oauth2 Provider in Grails - dependency
What happens when you run the release version of the plugin and not the SNAPSHOT? I found that when I work with latest versions of grails, many times they break existing plugins. So what I would do is... Try to use release version of plugin with your 2.2.2 grails. If that does not work, I would step back my grails version and try an older one with the released plugin. If an older version does not work, I might be missing something in my setup, so I would try to figure out what it is. If things work in older versions and it looks like my setup is good based on setting it up, then I would ask on the grails nabble on what is up and/or open a JIRA ticket. Another thing to consider is how young/old the plugin is and how many previous bugs it had. We have many times either decided to de

Categories : Spring

Spring security Oauth2 client ClientAuthenticationProcessingFilter
I thought I might write something. But the version you are using is very old; the recent version of Spring Security OAuth2 is very easy to use and widely applied, with many documents. Let's do some searching :D http://jhasaket.blogspot.com/2014/09/securing-spring-mvc-application-using.html

Categories : Spring

How to specify OAuth2 scope with spring-social-security SocialAuthenticationFilter?
You can pass an additional scope parameter in a connection / signup form. See the example for twitter from the official documentation:

    <form action="<c:url value="/connect/twitter" />" method="POST">
        <input type="hidden" name="scope" value="publish_stream,offline_access" />
        ...
        <button type="submit"><img src="<c:url value="/resources/social/twitter/signin.png" />"/></button>
    </form>

It is the same principle for facebook too, just use appropriate scope values. Be sure that you do not miss this part: Facebook access tokens expire after about 2 hours. So, to avoid having to ask your users to re-authorize every 2 hours, the best way to keep a long-lived access token is to request "offline_access".

Categories : Java

Using Spring Security OAuth2, what's the right way to refresh the stored authentication in the TokenStore?
I resolved this issue in my app by deleting all tokens for a given user when the authentication information is sent. Use a custom AuthenticationProvider bean.

    @Component("authenticationProvider")
    public class AuthenticationProviderImpl implements AuthenticationProvider

Autowire in the token store bean.

    @Autowired
    @Qualifier("tokenStore")
    private TokenStore tokenStore;

Then in the authenticate method, remove all tokens for a given user if the credentials are passed a second time.

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
        try {
            //Do authentication
            //Delete previous tokens
            Collection<

Categories : Java

Angular JS + Node JS + Passport + Spring OAuth2 Authentication/Authorization
I do not know if I have to use passport-Bearer or not and how to use-it.

No. There are other options, such as:

- oauth.io
- httpProvider + express middleware

Here is an example of how to use passport:

    // Express using passport-local
    // This code is an adaptation of examples/express3 from https://github.com/jaredhanson/passport-local

    // configure Express
    app.configure(function() {
      // ...
      app.use(express.session({
        // The domain should start with a dot, as this allows the subdomain.
        domain: '.app.local',
        secret: 'keyboard cat'
      }));

      // Enable cors.
      // Note: echoing back req.headers.origin with credentials enabled accepts
      // any origin; use an allow-list of origins outside of local testing.
      app.use(function(req, res, next) {
        res.header('Access-Control-Allow-Credentials', true);
        res.header('Access-Control-Allow-Origin', req.headers.origin);
        res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
        res.header('Access-Contr

Categories : Angularjs

Why does OAuth2 authentication work on home machine but not on a server?
This is probably the first thing I should have thought of when there's a difference between Nix and Windows environments: Always check the EOL chars! The problem was that when grabbing the username, password, etc. from my credentials file, I was stripping the newline character using string.rstrip('\n'), so in the Unix environment that was leaving a carriage return character behind which was then being passed as part of the POST request. The simple and correct solution which works in both environments is to use string.rstrip() which strips all trailing whitespace and end of line chars.

Categories : Python

How to make 'access_type=offline' / server-only OAuth2 operations on GAE/Python?
Offline access is the default when retrieving tokens; you may have noticed this in the OAuth dialog that comes up: "Perform these operations when I'm not using the application". When your user accepts the OAuth dialog in a method decorated with decorator.oauth_required, the credentials for that user will be stored in the datastore, including the refresh token. Once you have one of these credentials objects, you can use it to authorize an HTTP object for calling APIs:

    import httplib2
    http = credentials.authorize(httplib2.Http())

and once authorized, it will do all the work for you. So if the access_token is expired, the first API response will be a 401 and so the credentials object will use the refresh_token to get a new access_token and make the request again. If you know the user

Categories : Python

Is there any OAuth2 module for Node.js that offer access token validation without an extra server call?
I'm not clear on what you mean by wanting to find a node module (all of which are essentially 3rd party APIs) that provides OAuth2 client capability that will work against facebook and twitter without an extra server call. However, that being said, you might look at these:

- https://github.com/ciaranj/node-oauth
- https://github.com/lexer/node-oauth2
- https://github.com/coolaj86/node-oauth2-examples
- https://github.com/AF83/oauth2_client_node

And since Node.js is javascript, you can wrap up regular javascript written for client-side browsers provided you simulate the necessary browser environment elements expected by the client-side javascript. Your question made me think it might be useful to encapsulate the OAuth library provided here: https://github.com/andreassolberg/jso, and roll it u

Categories : Node Js

OAuth2.0 server to server authentication
I would look into the Client Credentials Grant part of the OAuth 2 spec. This is how twitter does application-only auth, for example (see https://dev.twitter.com/docs/auth/application-only-auth). That said, I personally think there are better ways of doing server-to-server authentication than the one provided by OAuth2 (and I am not alone); I think that your point 2 is a more solid alternative BUT security is something really difficult to implement correctly! I usually advise not to do it (and I avoid it myself, if possible). So, if you find something reliable that implements this schema, good. Otherwise, stick to a solid OAuth2 library.

Categories : Google App Engine

Spring OAuth2 - Manually creating an access token in the token store
Here it is, your use case may differ slightly based on the flow you are using. This is what works for a password grant flow. There are a few custom classes like token store, token enhancer etc. but those are really just extended versions of the spring classes modified for our own needs.

    HashMap<String, String> authorizationParameters = new HashMap<String, String>();
    authorizationParameters.put("scope", "read");
    authorizationParameters.put("username", "mobile_client");
    authorizationParameters.put("client_id", "mobile-client");
    authorizationParameters.put("grant", "password");

    DefaultAuthorizationRequest authorizationRequest = new DefaultAuthorizationRequest(authorizationParameters);
    authorizationRequest.setApproved(true);

Categories : Java

Spring Integration and JMS: receiving message from external client
The difference between InboundChannelAdapter and MessageGateway is just that the Adapter works uni-directionally rather than bidirectionally. I don't really have an insight into what might be wrong, but did you test whether your configuration of the ConnectionFactory for JMS is working as expected?

Categories : Spring

Using OAuth2 in HTML5 Web App
The only way to be fully secure is to not store the access tokens client side. Anyone with (physical) access to your browser could obtain your token.

1) Your assessment of neither being a great solution is accurate.
2) Using expiration times would be your best if you are limited to only client side development. It wouldn't require your users to re-authenticate with Oauth as frequently, and guarantee that the token wouldn't live forever. Still not the most secure.
3) Getting a new token would require performing the Oauth workflow to obtain a fresh token. The client_id is tied to a specific domain for Oauth to function.

The most secure method for retaining Oauth tokens would be a server side implementation.

Categories : Javascript

oauth2 website on GAE
Your application is not an OAuth Consumer. Google is the provider, but your application needs to request access, you as a user need to approve it, and then your application can consume the Google APIs. Sending an OAuth token to your application doesn't get you a session cookie.

Categories : Google App Engine

OAuth2 for custom API
"As far as I know, the user never have to interact with my Auth Server at all using third-party login." That's only partly true. Theoretically, you could use the token of the Third-Party login as your own. So a normal resource request would be:

- Client requests resource - sends token (from 3rd party) and type of login (facebook/google/etc)
- Server validates request by checking the token with the 3rd party Authorization Server and returns data.

The downside with that is, that your API server has to talk with the 3rd party server every time a request gets made (whether data from them is needed or not). Instead when you generate your own token you have more control and it's simpler to validate requests. I would stick with your workflow though. I did something similar once and my steps were

Categories : PHP

IMAP using OAuth2 on App Engine
I have the same problem as you... I've been researching, and I think the session isn't instantiated correctly. I attached a picture that shows the difference. The top of the image shows the contents of the variable "props", which has the same values for the AppEngine project (left image) as for the Normal project (right image). The lower images show the contents of the Session variable and, within it, the contents of the Properties variable. As you can see, in the left case it is null, but in the right case it has values. Here is the image: http://ricorrico.comoj.com/misc/img2.jpg It really is a bug; is there any workaround? Thank you very much in advance. Regards!

Categories : Google App Engine

DotNetOpenAuth OAuth2 for Basecamp API
Change this:

    server.AuthorizationEndpoint = new Uri("https://launchpad.37signals.com/authorization/new");

to this:

    server.AuthorizationEndpoint = new Uri("https://launchpad.37signals.com/authorization/new?type=web_server");

Note: I added type=web_server to the end of the URI. Taken from these official docs.

Categories : C#

Authenticating to Google API with OAuth2
This one works:

    var provider = new AssertionFlowClient(
        GoogleAuthenticationServer.Description,
        new X509Certificate2(privateKeyPath, keyPassword, X509KeyStorageFlags.Exportable))
    {
        ServiceAccountId = serviceAccountEmail,
        Scope = DriveService.Scopes.Drive.GetStringValue(),
        ServiceAccountUser = driveHolderAccountEmail
    };
    var auth = new OAuth2Authenticator<AssertionFlowClient>(provider, AssertionFlowClient.GetState);
    m_service = new DriveService(new BaseClientService.Initializer() { Authenticator = auth });

Categories : C#

PayPal - OAuth2 API Access?
In the same application that you've created on developer.paypal.com, you will see both test and live credentials. If for any reason you need to be verified, it will show you a button to get started with the verification process, which will enable your live credentials.

Categories : Paypal

OAuth2 authentication for Google API with PHP
You need to enable the Analytics API for your project in the Google APIs Console. Open your project, select the Services tab, and then click on the switch under the Status column for the Analytics API. P.S. you might want to avoid publishing your client secrets.

Categories : Google Analytics

Is there a 23andMe oauth2 example for iPhone?
You can try to use this client from 23andme: https://github.com/23andMe/OAuth2Client (forked from https://github.com/nxtbgthng/OAuth2Client). This is an OAuth2 library for Mac OS X & iOS (Cocoa & Cocoa touch). Actually OAuth2.0 is a standard level protocol and most companies' OAuth2.0 service interface is standard too.

Categories : Iphone

Automatic login with oauth2
If they are true instagram users, you shouldn't do that. You run the risk that Instagram will revoke your app. That's the whole point of Oauth: users don't have and should never have to share their credentials with 3rd party applications. Now if these users are more like "virtual" users and you are nearly in a 2-legged scenario (i.e. you own the credentials of these users), nothing prevents you from orchestrating the login yourself, instead of displaying a UIWebView and having the user log in.

Categories : IOS

Using Python and OAuth2 with Twitter streaming API
I think your error is because of using JSON data in

    terms = json.dumps({'track' : 'twitter'})

You should write your code just like this:

    terms = 'track=twitter'

Categories : Python

Google Reader Subscriptions With OAuth2
The library tries to get user's profile, which requires userinfo.profile scope (https://www.googleapis.com/auth/userinfo.profile). Add that scope to your config and it should work.

Categories : PHP

OAuth2 different client authentication methods
If by web application you mean a JavaScript and HTML app that runs in the client browser and needs to make secure requests to your service, that is not a "confidential client". You cannot store secrets in a browser based app, as they will be visible to all. If by web application you mean a server-side application that needs to make server to server requests, that is a "confidential client" because the executing code and secrets are not available to public scrutiny. I interpret the "other authentication methods" to mean any authentication scheme that is customary over http (or https) that can be completed in one request. Client certificate authentication using TLS might also fall into this bucket. I think the main part of the OAuth2 4.4 Client Credentials Grant is that the client app pre

Categories : Authentication

Obtaining an access token in OAuth2
If you have to use this API then you should use the POST version of AQuery and pass the POST parameters properly as below. This API OAuth2ForDevices is meant for resource-constrained devices where the user has another way of authorizing your app.

    params.put("scope", "your scopes");
    params.put("client_id", "your client id");
    AQuery aq = new AQuery(activity);
    aq.ajax("https://accounts.google.com/o/oauth2/device/code", params, JSONObject.class, new AjaxCallback<JSONObject>() {
        @Override
        public void callback(String url, JSONObject traffic_flow, AjaxStatus status) {
            publishProgress(traffic_flow.toString());
        }
    });

However, if your requirement is to use regular OAuth2 with Android on say an Android phone with regular input capabilities th

Categories : Java

Choosing the right OAuth2 grant type for PHP web app
For Public API Access: One method is to skip tokens altogether and just use Basic HTTP Authentication for API access. You could accept Client Credentials for this, and limit what clients can do using client-specific scopes. Github offers HTTP Basic authentication using user credentials for all their API calls.

For Private user API Access: This is an interesting question because it begins to breach the line between Authentication and Authorization. OAuth is used for Authorization, so logging in users becomes dicey. Session management, for example, is something not covered by the OAuth2.0 spec. However, this is a common use of OAuth2.0 anyway. You can use the password grant type, or any other grant type for that matter, to obtain an access token. A major downside is they have to t

Categories : PHP

oauth2.0 how to pass access token
With OAuth, the token is generally passed in the request headers. You may wish to try something similar to the following, for either POST or GET:

POST:

    curl http://api.localhost/write -H 'Authorization: Bearer ACCESS_TOKEN'

GET:

    curl http://api.localhost/read -H 'Authorization: Bearer ACCESS_TOKEN'

The value part of the Authorization key/value pair can vary by REST service provider. With Github, for instance, the header key/value pair looks like this:

    curl -H "Authorization: token your_token" https://api.github.com/repos/user/repo

You may need to consult the webservice provider docs for details.

Categories : Http

OAuth2.0 - How does it protect from client impersonation?
Why do you care that the user gets an access token? With that token, only data belonging to that user is exposed to the app. For the case where the user needs to be identified: now that a backend server is already there, the code flow can be used too. Both user and client are identified. For the case where the user needn't be identified: is a proxy in the client's backend server acceptable? The access token can be held only by the proxy, and you can make sure it is a real client. The only problem is that the proxy needs to check the origin of each HTTP request to make sure it comes from the same domain. The JavaScript application can add some custom headers when it sends requests to the proxy.

Categories : Api

Google OAuth2: When and how to use refresh token
An access token will expire after 1 hour - after that time you will begin to receive "401 Invalid Credentials" errors when you make calls against a Google API. I'm not familiar with the .NET Google API Client library - the Java and Python libraries will automatically make a request for a new access token when this occurs, depending on how you are creating the DriveService object. I would expect the .NET library to have similar semantics.

Categories : C#

Google OAuth2 Remembering User?
I am not familiar with the Objective-C library, but maybe this part of the Google Reference could be useful. It explains how to use the authentication tokens and how to handle the Keychain when the user relaunches the app.

Categories : Iphone

Add scopes to authentified oAuth2 user
HWIOAuthBundle requests only "https://www.googleapis.com/auth/userinfo.profile" scope by default. In order to manage user's Google Calendar, you want to request "https://www.googleapis.com/auth/calendar" scope too. Check this out on how to customize the scope you request: https://github.com/hwi/HWIOAuthBundle/blob/master/Resources/doc/resource_owners/google.md

Categories : Symfony2

google oauth2 C#: no refresh token
In the API, within the OAuth2ProviderForApplications.cs file, in the GetAuthorizationUrl() method, on line 100, if you add &approval_prompt=force to the string:

    return string.Format("{0}?scope={1}&state={2}&redirect_uri={3}&response_type={4}&" +
        "client_id={5}&access_type={6}&approval_prompt=force"

it works. But this is a horrible workaround, plus it might create Apache license issues. How found: in the google oauth2 playground (https://developers.google.com/oauthplayground/) this parameter (approval_prompt=force) is set and if you omit it, it does not give a refresh token.

Categories : C#

Authorizing my Google API app by going through the OAuth2 flow only once
The typical OAuth 2.0 flow goes as follows:

1. Send a request for permission to access the user's data within a certain scope (https://www.googleapis.com/auth/tasks)
2. User gets the authentication screen where they must log in and allow your app to "Manage your tasks"
3. Your app receives an authorization code
4. Your app must exchange the authorization code for an access token and a refresh token.

The access token can be used to make authenticated requests to the user's data, but it will expire after a set amount of time. The refresh token never expires (unless the user revokes your app's privileges in their account settings) and can be used to get a new request token. You can see the whole flow here in the OAuth2.0 Playground. If you follow the flow correctly and save the two tokens (in a da

Categories : Java

oauth2 how to deal with refresh token
Here is my experience when implementing the oAuth library and an api using this library. If you are implementing it as a library, you need to have checkToken and refreshToken separately, so the api (depending on the requirement) can decide whether to refresh the token or not while checking/verifying the token. When doing it in the api, again it depends on the requirement. If the requirement is that the user session should be active for some time (say 4 hours) from his last access, then it is better to refresh the token every time you are checking/validating the token. The same token refresh can be done on the client, but the issue will be that the client has to call refresh token after every api call, which means there will be 2 calls for every single api call. Hope this will clarify.

Categories : PHP

Storing Oauth2 Credentials in golang
I think you want a CacheFile which you pass as the TokenCache. Here is some code ripped from a project which uses google drive with oauth2 which should hopefully get you started!

    import (
        "errors"
        "fmt"
        "os"

        "code.google.com/p/goauth2/oauth"
    )

    // Ask the user for a new auth
    func MakeNewToken(t *oauth.Transport) error {
        if *driveAuthCode == "" {
            // Generate a URL to visit for authorization.
            authUrl := t.Config.AuthCodeURL("state")
            fmt.Fprintf(os.Stderr, "Go to the following link in your browser\n")
            fmt.Fprintf(os.Stderr, "%s\n", authUrl)
            fmt.Fprintf(os.Stderr, "Log in, then re-run this program with the -drive-auth-code parameter\n")
            fmt.Fprintf(os.Stderr, "You only need this parameter once until the drive token file has been created\n")
            return errors.New("

Categories : Go

Android Google Oauth2 ContactService
Before using any of the properties of oauthParameters, check in an if condition whether it is null. Especially before this statement:

    client.setOAuthCredentials(oauthParameters, new OAuthHmacSha1Signer());

and check if client is null for this:

    ContactFeed resultFeed = client.getFeed(feedUrl, ContactFeed.class);

Categories : Android

OAuth2 Login for Google Calendar API
Not sure it is possible. Important note concerning your design: if you log in automatically to the club's account, it means that everyone that uses this website is logged in to Google Calendar on behalf of the club's user name. Hence, everyone can CHANGE the calendar, delete events, etc. Are you sure you want this to happen? (You can set the login params to "read-only", but even then, it means that the club shows ALL of its calendar to everyone. There is no privacy...) I suggest that every user logs in with his own creds, and the club's calendar can invite all registered users to its events....

Categories : Api



© Copyright 2017 w3hello.com Publishing Limited. All rights reserved.