Spring-security context setup for 2-legged (client credentials) OAuth2 server

userApprovalHandler: if you only have one client in your system, I agree the users should not have to approve it accessing their data. oauthAuthenticationEntryPoint: Normally, if authentication fails, the response type is JSON. Documentation says "If authentication fails and the caller has asked for a specific content type response, this entry point can send one, …"

Is it possible to pass Facebook Graph API access token through request header?

Yes, it is possible: Authorization: Bearer AccessTokenHere, e.g. curl --header "Authorization: Bearer CAAC…ZD" https://graph.facebook.com/me. This answer previously recommended using "OAuth" instead of "Bearer" as the token type. Both will work, but "Bearer" is the type that shows up in the standard. Also, on completing Facebook's OAuth flow, the token_type in their response is bearer. So …

Understanding client_id and client_secret

Both client_id and client_secret are not used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios. Namely: the authorization code flow, used in web apps that authenticate users server side. The client_id is used in the initial redirect, the client_secret is used in the last step …

Closing OAuth 2.0 popup window after redirect

I think you can close the popup with parent.close(); and to refresh the main window I used this trick (redirect_url is assumed to be defined elsewhere in the page):

$(function() {
  var win;
  var checkConnect;
  var $connect = $("#some_button");
  var oAuthURL = "http://example.com/account/_oauth?redirect_url=" + redirect_url;
  // open the OAuth provider in a popup window
  $connect.click(function() {
    win = window.open(oAuthURL, 'SomeAuthentication', 'width=972,height=660,modal=yes,alwaysRaised=yes');
  });
  // poll until the popup has been closed, then reload the main window
  checkConnect = setInterval(function() {
    if (!win || !win.closed) return;
    clearInterval(checkConnect);
    window.location.reload();
  }, 100);
});
…

Github oauth multiple authorization callback URL

I solved this issue by creating a dedicated OAuth application on Github for my local development environment. So I have the following 2 OAuth applications: My official OAuth application for production: Client ID: ABC, Client Secret: 123, Authorization callback URL: https://example.com/api/v1/security/oauth/github/callback. My private OAuth application for development: Client ID: XYZ, Client Secret: 456, Authorization callback …

How should a client pass a facebook access token to the server?

If you look at the API endpoints provided by all popular OAuth providers (Google, Facebook, Pocket, Git etc.), you'd see that they all have HTTPS endpoints. The ways in which you can pass an access token to the provider are: i) As Query Parameter: https://yourwebsite.com/api/endpoint?access_token=YOUR_ACCESS_TOKEN ii) In the request header: GET /api/users/123/profile …
