oauth-2.0
In OAuth2, is expires_in in seconds or milliseconds?
The expires_in value is in seconds. See this section of the specification.
Can you get a public Facebook page’s feed using Graph API without asking a user to allow?
If you’re anything like me your clients won’t want a standard Facebook likebox plugin, they’ll want it all styled and customised their own way. You don’t need to spend all day going round the official documentation wondering if any of it applies to you for something simple like this, it’s quite easy. The confusion arises …
How to persist an OAuth2 token (or use a refresh token) in Postman collections?
OK, first enter your OAuth token URL, click on the Body tab, and fill out these POST parameters: client_id, grant_type, username, password, override. Then, click on the Test tab, enter this text and then press Send: var data = JSON.parse(responseBody); postman.setGlobalVariable("access_token", data.access_token); postman.setGlobalVariable("refresh_token", data.refresh_token); Then enter one of your application URLs, click on the Headers …
How do client-side JS libraries for OAuth2 maintain secure authentication?
There’re flows in OAuth2 that don’t require a secret (e.g. implicit flow is typically used for JS based clients, SPAs, etc). Not all providers support this flow though, so in those situations you need a server side component that negotiates that for you and then handles the interactions with your front-end/device. In any case, you …
How can I redirect after OAUTH2 with SameSite=Strict and still get my cookies?
I don’t think that this can be done for security reasons. SameSite=Strict means that if the user has been redirected or just clicked on a link to your site (from another host), the cookie shouldn’t be sent. And redirecting is like ‘chaining’ requests. So if your server redirects to another and this server redirects back immediately with 3xx …
Laravel Passport Scopes
Or are scopes not the same as roles? The biggest difference between the two is the context they apply to. Role-based Access Control (RBAC) governs the access control of a user when using the web application directly, while OAuth2 scope governs the access to the API resources for an external client on behalf of a …
How do you consume extra parameters in OAuth2 Token request within .net WebApi2 application
As it often is the case, I found the answer immediately after submitting the question… ApplicationOAuthProvider.cs contains the following code out-of-the-box: public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { using (UserManager<IdentityUser> userManager = _userManagerFactory()) { IdentityUser user = await userManager.FindAsync(context.UserName, context.Password); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } …
Testing Google OAuth 2.0 with localhost?
localhost is not a valid top-level domain, and it won’t let you generate credentials without setting up a consent screen. You can add more than one authorized domain if you’d like, but you can’t leave it empty. But you CAN delete the field if you have no domains / would not like to add domains …
DotNetOpenAuth not working with MVC 5 RC
Fix available. Install the NuGet package DotNetOpenAuth.Mvc5 and change all uses of AsActionResult() to AsActionResultMvc5().