Understanding client_id and client_secret

Both client_id and client_secret are not used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios. Namely: the authorization code flow used in web apps that authenticate users server side. The client_id is used in the initial redirect, the client_secret is used in the last step …

Closing OAuth 2.0 popup window after redirect

I think you can close the popup with parent.close(); And to refresh the main window I used this trick:

    $(function() {
        var win;
        var checkConnect;
        var $connect = $("#some_button");
        var oAuthURL = "http://example.com/account/_oauth?redirect_url=" + redirect_url;
        // Open the OAuth page in a popup when the button is clicked
        $connect.click(function() {
            win = window.open(oAuthURL, 'SomeAuthentication', 'width=972,height=660,modal=yes,alwaysRaised=yes');
        });
        // Poll until the popup has been closed, then reload the main window
        checkConnect = setInterval(function() {
            if (!win || !win.closed) return;
            clearInterval(checkConnect);
            window.location.reload();
        }, 100);
    });

…

OAuth2: What is the difference between the JWT Authorization Grant and Client Credentials Grant with JWT client authentication?

A slightly different perspective on the great answer by Josh C: as it happens both the client authentication and the grant credentials can be expressed as JWTs but the semantics behind them are different. It is about separation of concerns: clients authenticate with a credential that identifies them i.e. they are the so-called subject whereas …

Can I really not ship open source with Client ID? [closed]

On November 5th 2014 Google made some changes to the APIs terms of Service. Like you I had an issue with the following line. Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects. I have several open source projects on GitHub they are basically …

Get started with Office 365 REST API

[Update Aug 20th, 2015]: It looks like there is a new getting started experience, which will help register your app, and even create a starter project in the language of your choice. I would certainly recommend trying that first, rather than going through the manual steps outlined below. To register apps manually (e.g., not through …

Spring OAuth redirect_uri not using https

After digging manually through the configuration classes I was able to find and add the following, which did the trick…

    security.oauth2.client.pre-established-redirect-uri=https://[application_host]/login
    security.oauth2.client.registered-redirect-uri=https://[application_host]/login
    security.oauth2.client.use-current-uri=false

I’m not convinced there isn’t a better way to solve the problem of forcing a HTTPS redirect URL, but this fix worked for me.

OAuth for Desktop apps?

I’ve been puzzled by the same question about the lack of a domain or app url, but it turns out redirection is not the only possible way to complete the OAuth authentication process. I.e., when a webapp requests access it provides a callback url: the one the user will be redirected to when the process is completed. That’s how the webapp knows that …
