I am writing a service that will access a Google Nest Thermostat, and need a Google Oauth2 token in order to do so. All of the documentation I can find references a browser-driven login to identify, authenticate, and then store a token as a cookie.
All of my OAuth experience has involved receiving a secret and/or API key, and then using that against a token service to get a security token. I then use that token for subsequent API endpoints. All of the Google docs / samples tell me I have to get my "headless" service to log in via browser and get a token via a redirect, the same way I'd log in to any other service using my Google credentials. Is there a way to do this without a live browser session, i.e. just a Google endpoint that I trigger with my secret data, to get a token to use with the Google Smart Home APIs?
Related
My quarkus backend is calling a rest web service which requires an access token. The access token is generated using client id, client secret and grant type client credentials. The token is valid for a couple of days.
This quarkus backend then propagates the data to an angular frontend.
I have a couple of questions:
Is there an out of the box implementation from Quarkus framework?
If not, please guide me if I should use httpclient or any other library for getting the access token.
How to check for refresh token?
How to save the access token, so that it can be used for other requests by other users?
Otherwise I end up generating an access token every time a user calls the rest service.
Since there is no answer, I will write here how I implemented this:
I use a java.net.http.httpclient to call the oauth server for getting the token with the client id and secret.
I cache the token using quarkus-cache and when the token expires, the quarkus-cache is invalidated and rebuilt with the new token.
Suggestions or better solutions are welcome.
From my application I have to invoke external http service which uses google authentication. It works when I invoke it from browser. I found out that it happens because I have cookie which contains
GCP_IAAP_AUTH_TOKEN_<random_string>
GCP_IAP_UID
So my cookie look like this:
cookie: GCP_IAP_UID=111111111111; GCP_IAAP_AUTH_TOKEN_1234567891234567890B=verylongstringhere"
I tried to set this cookie directly in my restTemplate and it works properly but I expect that I have to get token based on some kind of credentials.
webClient.post()
.uri(uploadUrl)
.header("cookie", "GCP_IAP_UID=12345678901234567890; GCP_IAAP_AUTH_TOKEN_12345678907645456546B=verylongstringhere")
Could you please provide example of correct usage GCP auth ? How to update token? Based on what?
Google APIs use the OAuth 2.0 protocol for authentication and authorization
You can obtain OAuth 2.0 client credentials from the Google API Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.
Before your application can access private data using a Google API, it must obtain an access token that grants access to that API.
There are several ways to make this request, and they vary based on the type of application you are building. For example, a JavaScript application might request an access token using a browser redirect to Google, while an application installed on a device that has no browser uses web service requests.
I recommend you to go trough OAuth 2.0 to Access Google APIs article to choose the best method for your application, there are a couple of documented scenarios to explain how GCP uses application authentication
I've an angular app which calls a java rest api to get the data. We need to secure these apps by azure AD.
I'm using ADAL.js library for angular app and trying to find any library which can be used for rest api but haven't found any on the internet. All the samples are provided for webAPi which is using Microsoft's OWIN framework.
Currently my understanding is that, our angular app will call to Azure AD to get the access token and will send that to java rest api.
Its a JWT token signed by RSA private key.
I can get the public key from JWKs uri and validate whether the JWT token and its signature is valid or not. If it's valid, the rest api will send the response back to angular app
- Is it enough on rest api side? Don't we need any communication between Rest api and Azure AD ? What if someone steals the access token and use that (within its expiration period ?)
I was under impression that resource server ( java rest api) also needs to talk to Authorization server (Azure AD) but not sure if it's really required for JWT tokens.
#Deb,I found your reqirement matched this scenarios----Web application to Web API.I recommend you refer to this document(
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/#web-application-to-web-api). If your front-end used the Angular App, you could use passportjs to pass Azure AD authorization. Please refer to documnet(
https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-webapi-nodejs/#6-install-passportjs-in-to-your-web-api).
Its a JWT token signed by RSA private key. I can get the public key
from JWKs uri and validate whether the JWT token and its signature is
valid or not. If it's valid, the rest api will send the response back
to angular app - Is it enough on rest api side? Don't we need any
communication between Rest api and Azure AD ?
If you got the access_token,you could call your REST API with this token in your request. You need not any communication between REST API and AAD. But please note, you need make your API application trust another application
What if someone steals the access token and use that (within its
expiration period ?) I was under impression that resource server (
java rest api) also needs to talk to Authorization server (Azure AD)
but not sure if it's really required for JWT tokens.
You also can set the expiration time in your application for the tokens. See the part 'Token Expiration' in this document(https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/#application-types-and-scenarios)
I'm working on a Java app that uses JavaMail. Currently, I'm trying to connect to a mail provider that uses OAuth2. The provider returns an access token and a refresh token. After sometime, my app doesn't work because the access token has expired. I now need to use my refresh token to get a new access token. However, I'm not sure how to do that in JavaMail.
Is there a way to use the refresh token to get a new access token in JavaMail? If so, how?
Thank you
You don't use JavaMail to do this, since OAuth can be used with other protocols and services. Depending on the OAuth provider, you should be able to issue an HTTP request of the proper form to get a new access token based on the refresh token.
There's some pointers on the JavaMail wiki that might help.
Is it possible to obtain a OAuth2 token to use with Google APIs, using the android AccountManager? The only other way I know of would be to have a webView and make the user log in to obtain the OAuth2 token, but it would seem to be a lot of work for that many people would want to do, so if I could just obtain it using AccountManager that would be much better. Is there any functionality like this?
AccountManager is not for generating tokens at all - its only for storing credentials related to an Account. These classes are not specific to Google server accounts - you can use them for any type of account. For example, I use them to store OAuth2 tokens for Facebook, Twitter, etc.
You will need to use the Google APIs to generate an OAuth2 token, which you store in an Account using the AccountManager. You need to use the Google APIs, because part of the OAuth2 token generation occurs on the server itself - Google will store a record of the tokens it has given out, and the server accounts that they are related to. If you didn't call the Google APIs to generate the token, Google wouldn't know how to match the token to a Google server account.
Your approach of using a WebView to obtain the OAuth2 token is the correct way to do this.
Once you have the OAuth2 token stored for the Account, you just retrieve it from the AccountManager whenever you want to use it to make a query. So, you only need to generate the OAuth2 token once (unless it expires), and then you keep using it over and over again.