OAuth 2.0 vs Auth0
OAuth 2.0 is a standardized authorization protocol; Auth0 is a company that sells an identity management platform with authentication and authorization services that implements the OAuth2 protocol (among others).
I’m answering my own question as I have discovered that some of the assumptions behind my question were wrong, so it is easier to clarify here, rather than rewrite the question. An ID token is meant for proving to a Client that the user has authenticated, and who they are as a result. When a Client receives an …
As hinted at by this post, "Error in chrome: Content-Type is not allowed by Access-Control-Allow-Headers", just add the additional header to your web.config like so:
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
      </customHeaders>
    </httpProtocol>
I found a base implementation of a Json Web Token and expanded on it with the Google flavor. I still haven’t gotten it completely worked out but it’s 97% there. This project lost its steam, so hopefully this will help someone else get a good head-start: Note: Changes I made to the base implementation (Can’t …
OAuth is a specification for authorization
OAuth 2.0 is a specification for authorization, but NOT for authentication. RFC 6749, 3.1. Authorization Endpoint explicitly says as follows: The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The …
Replace:
    $authorization = "Bearer 080042cad6356ad5dc0a720c18b53b8e53d4c274"
with:
    $authorization = "Authorization: Bearer 080042cad6356ad5dc0a720c18b53b8e53d4c274";
to make it a valid and working Authorization header.
State and nonce seem to be similar. But if you dig deep, you will find that they serve different purposes. State is there to protect the end user from cross-site request forgery (CSRF) attacks. It was introduced in the OAuth 2.0 protocol, RFC 6749. The protocol states that: Once authorization has been obtained from the end-user, the authorization …
What you are looking for is the Google APIs Discovery Service. A few other interesting resources: An excellent blog by Nicolas Garnier which describes the important things behind this service. The Google OAuth2 playground is another good source of info. Finally, if you’re interested in tracking changes to the discovery documents or don’t want to …
There is a brilliant blog post from Taiseer Joudeh with a detailed step-by-step description.
Part 1: Token Based Authentication using ASP.NET Web API 2, Owin, and Identity
Part 2: AngularJS Token Authentication using ASP.NET Web API 2, Owin, and Identity
Part 3: Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, …
token_type is a parameter in the Access Token generate call to the Authorization server, which essentially represents how an access_token will be generated and presented for resource access calls. You provide token_type in the access token generation call to an authorization server. If you choose Bearer (default on most implementations), an access_token is generated and sent back …