How to obtain Signing certificate fingerprint (SHA1) for OAuth 2.0 on Android?
Start an export process to create an apk for your app and use your production key. The very last page displays both your SHA1 and MD5 certificate fingerprints
The spec says seconds: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-22#section-4.2.2 expires_in OPTIONAL. The lifetime in seconds of the access token. For example, the value “3600” denotes that the access token will expire in one hour from the time the response was generated. I agree with OP that it’s careless for Google to not document this.
As it turns out, my suspicions were right. The audience aud claim in a JWT is meant to refer to the Resource Servers that should accept the token. As this post simply puts it: The audience of a token is the intended recipient of the token. The audience value is a string — typically, the … Read more
The access_token is what you need to call a protected resource (an API). In the Authorization Code flow there are 2 steps to get it: User must authenticate and returns a code to the API consumer (called the “Client”). The “client” of the API (usually your web server) exchanges the code obtained in #1 for … Read more
Read this: http://www.quora.com/OAuth-2-0/How-does-OAuth-2-0-work or an even simpler but quick explanation: http://agileanswer.blogspot.se/2012/08/oauth-20-for-my-ninth-grader.html The redirect URI is the callback entry point of the app. Think about how OAuth for Facebook works – after end user accepts permissions, “something” has to be called by Facebook to get back to the app, and that “something” is the redirect URI. … Read more
Google way
Google Oauth2 Token Validation
Request: https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
Response:
{
  "audience": "8819981768.apps.googleusercontent.com",
  "user_id": "123456789",
  "scope": "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "expires_in": 436
}
Microsoft way
Microsoft – Oauth2 check an authorization
Github way
Github – Oauth2 check an authorization
Request: GET /applications/:client_id/tokens/:access_token
Response:
{
  "id": 1,
  "url": "https://api.github.com/authorizations/1",
  "scopes": [ "public_repo" ],
  "token": "abc123",
  "app": {
    "url": "http://my-github-app.com",
    "name": "my github app",
    … Read more
Example fetch with authorization header:
fetch('URL_GOES_HERE', {
  method: 'post',
  headers: new Headers({
    'Authorization': 'Basic ' + btoa('username:password'),
    'Content-Type': 'application/x-www-form-urlencoded'
  }),
  body: 'A=1&B=2'
});
Please do not use Interceptors to deal with authentication. Currently, the best approach to handle authentication is to use the new Authenticator API, designed specifically for this purpose. OkHttp will automatically ask the Authenticator for credentials when a response is 401 Not Authorised retrying last failed request with them. public class TokenAuthenticator implements Authenticator { … Read more
This is very much implementation specific, but the general idea is to allow providers to issue short term access tokens with long term refresh tokens. Why? Many providers support bearer tokens which are very weak security-wise. By making them short-lived and requiring refresh, they limit the time an attacker can abuse a stolen token. Large … Read more
Basically, refresh tokens are used to get new access token. To clearly differentiate these two tokens and avoid getting mixed up, here are their functions given in The OAuth 2.0 Authorization Framework: Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access … Read more