userApprovalHandler: if you only have one client in your system, I agree the users should not have to approve it accessing their data. oauthAuthenticationEntryPoint: Normally, if authentication fails, the response type is JSON. Documentation says “If authentication fails and the caller has asked for a specific content type response, this entry point can send one, … Read more
Yes it is possible Authorization: Bearer AccessTokenHere e.g. curl –header “Authorization: Bearer CAAC…ZD” https://graph.facebook.com/me This answer previously recommended using “OAuth” instead of “Bearer” as the token type. Both will work, but “Bearer” is the type that shows up in the standard. Also, on completing Facebook’s OAuth flow, the token_type in their response is bearer. So … Read more
Both client_id and client_secret are not used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios. Namely: the authorization code flow used in web apps that authenticate users server side. The client_id is used in the initial redirect, the client_secret is used in the last step … Read more
I think popup you can close by parent.close(); And to refresh main window I used this trick: $(function() { var win; var checkConnect; var $connect = $(“#some_button”); var oAuthURL = “http://example.com/account/_oauth?redirect_url=” + redirect_url; $connect.click(function() { win = window.open(oAuthURL, ‘SomeAuthentication’, ‘width=972,height=660,modal=yes,alwaysRaised=yes’); }); checkConnect = setInterval(function() { if (!win || !win.closed) return; clearInterval(checkConnect); window.location.reload(); }, 100); }); … Read more
I solved this issue by creating a dedicated OAuth application on Github for my local development environment. So I have the following 2 OAuth applications: My official OAuth application for production Client ID: ABC Client Secret: 123 Authorization callback URL: https://example.com/api/v1/security/oauth/github/callback My private OAuth application for development Client ID: XYZ Client Secret: 456 Authorization callback … Read more
The issuance of a refresh token with the client credential grant has no benefit. That is why the RFC6749 section 4.4.3 indicates A refresh token SHOULD NOT be included. Thus its issuance is at the discretion of the authorization server. From my point of view an authorization server should never issue a refresh token with … Read more
The client should always be prepared to handle an error returned from the API that indicates that the access_token validation failed. Depending on the implementation the access token may have been revoked or declared invalid otherwise. The client may then use a refresh_token to get a new access token and try again. So you can … Read more
If you look at the API endpoints provided by all popular OAuth providers (Google, Facebook, Pocket, Git etc), you’d see that they all have HTTPS endpoints. The ways in which you can pass an access token to the provider are – i) As Query Parameter – https://yourwebsite.com/api/endpoint?access_token=YOUR_ACCESS_TOKEN ii) In the request header – GET /api/users/123/profile … Read more