Facebook login message: “URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings.”

As the questioner writes, "In the advanced tab, Valid OAuth redirect URIs is set to: …", and I had the same problem (writing the redirect URL into the wrong input field), I would like to highlight that it's NOT Settings -> Advanced -> Share Redirect Whitelist but Facebook Login -> Settings -> Valid OAuth redirect … Read more

Google OAuth 2.0 redirect_uri with several parameters

You cannot add anything to the redirect URI; the redirect URI is constant, as set in the app settings of OAuth, e.g. http://www.example.com/redirect.html. To pass several parameters to your redirect URI, have them stored in the state parameter before calling the OAuth URL; the URL after authorization will send the same parameters to your redirect URI as state=THE_STATE_PARAMETERS … Read more

How can I verify a Google authentication API access token?

For a user check, just get the access token as accessToken, post it and get the response from https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=accessToken. You can try it in the browser address bar too; use HttpPost and read the response in Java as well. The response will be like { "issued_to": "xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com", "audience": "xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com", "user_id": "xxxxxxxxxxxxxxxxxxxxxxx", "scope": "https://www.googleapis.com/auth/userinfo.profile https://gdata.youtube.com", "expires_in": 3340, "access_type": "offline" } The … Read more

What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?

The access_token is what you need to call a protected resource (an API). In the Authorization Code flow there are 2 steps to get it: 1. The user must authenticate, and a code is returned to the API consumer (called the "Client"). 2. The "client" of the API (usually your web server) exchanges the code obtained in #1 for … Read more

Creating an API for mobile applications – Authentication and Authorization

The way I'm thinking about doing the login part of this in my projects is: Before login, the user requests a login_token from the server. These are generated and stored on the server on request, and probably have a limited lifetime. To log in, the application calculates the hash of the user's password, then hashes the … Read more

How to validate an OAuth 2.0 access token for a resource server?

Google way: Google OAuth2 Token Validation. Request: https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg Response: { "audience":"8819981768.apps.googleusercontent.com", "user_id":"123456789", "scope":"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email", "expires_in":436 } Microsoft way: Microsoft – OAuth2 check an authorization. GitHub way: GitHub – OAuth2 check an authorization. Request: GET /applications/:client_id/tokens/:access_token Response: { "id": 1, "url": "https://api.github.com/authorizations/1", "scopes": [ "public_repo" ], "token": "abc123", "app": { "url": "http://my-github-app.com", "name": "my github app", … Read more

SSO with CAS or OAuth?

OpenID is not a 'successor' or 'substitute' for CAS; they're different, in intent and in implementation. CAS centralizes authentication. Use it if you want all your (probably internal) applications to ask users to log in to a single server (all applications are configured to point to a single CAS server). OpenID decentralizes authentication. Use it if … Read more

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)