Getting Server Rejected error when upload using Google Picker, Oauth2
Give us a little more code, or check the call to gapi.auth.authorize(). Check that you are using the correct scope to obtain the OAuth token. The scope should be https://www.googleapis.com/auth/drive. Double-check the scope declaration: https://developers.google.com/accounts/docs/OAuth2Login#sendauthrequest. Check the call to gapi.auth.authorize(): window.gapi.auth.authorize({ 'client_id': clientId, 'scope': scope, 'immediate': false }, handleAuthResult); from: https://developers.google.com/picker/docs/#hiworld Without an actual code … Read more
Possible to test Google social login locally?
You can set "Authorized redirect URI" to a local IP (like http://127.0.0.1/callback); it's working fine for me. What is really agonizing is that Google doesn't allow a user to configure an external IP (let's say your server IP, like 99.99.99.99) as an "Authorized redirect URI"; Google wants the "Authorized redirect URI" to end with a public top-level domain (such … Read more
The App keeps asking for permission to “Have offline access”, why?
This prompt could come because of two parameters: access_type (if it is 'offline') and approval_prompt (if it is 'force'). Make sure you have set access_type to 'online' and approval_prompt to 'auto': $client->setAccessType('online'); $client->setApprovalPrompt('auto');
Google APIs Console – missing client secret
It seems that Google finally ditched the unnecessary client_secret for installable applications and is not yet up-to-date with their documentation. You should check if you already get an access_token in the initial OAuth request like it’s handled on Facebook. Another possibility would be to fall back to using a Simple API Access key. Update: First … Read more
Do OAuth2 access tokens for a mobile app have to expire?
The difference between a refresh token and a non-expiring access token in terms of security is one additional call to the authorization server. If an attacker gains access to your non-expiring access token, he can directly call your resource server and get confidential data as the response. Now if he steals your refresh token, he first … Read more
OAuth 2 access_token vs OpenId Connect id_token
Originally, OAuth and OpenId were designed for different purposes: OpenId for authentication and OAuth for authorization. OpenId Connect is a unification of the two and serves for both, but does not change their original functionalities. Keeping that in mind, you should be able to find out yourself. 😉 The id_token is used to identify the … Read more
Spring security. How to log out user (revoke oauth2 token)
Here's my implementation (Spring OAuth2): @Controller public class OAuthController { @Autowired private TokenStore tokenStore; @RequestMapping(value = "/oauth/revoke-token", method = RequestMethod.GET) @ResponseStatus(HttpStatus.OK) public void logout(HttpServletRequest request) { String authHeader = request.getHeader("Authorization"); if (authHeader != null) { String tokenValue = authHeader.replace("Bearer", "").trim(); OAuth2AccessToken accessToken = tokenStore.readAccessToken(tokenValue); tokenStore.removeAccessToken(accessToken); } } } For testing: curl -X GET -H "Authorization: … Read more
What’s the purpose of the client secret in OAuth2?
Client Secret was used in OAuth 1.0 to sign the request, so it was required. Some OAuth2 servers (such as Google Web Server API) required the client secret to be sent to receive the access token (either from request token or refresh token). OAuth 2.0 has reduced the role of the client secret significantly, but … Read more
oauth2 error AADSTS90014: The request body must contain the following parameter: 'grant_type'
You shouldn't send grant_type in query params or in headers. It should be sent as a body param; only then will it work. URL: https://login.microsoftonline.com/common/oauth2/v2.0/token client_id, scope and redirect_uri can be sent as query params, whereas grant_type, code and client_secret should be sent as body params: grant_type: authorization_code, code: {code you got from the authorization step}, … Read more