Is it possible to obtain a OAuth2 token to use with Google APIs, using the android AccountManager? The only other way I know of would be to have a webView and make the user log in to obtain the OAuth2 token, but it would seem to be a lot of work for that many people would want to do, so if I could just obtain it using AccountManager that would be much better. Is there any functionality like this?
AccountManager is not for generating tokens at all - its only for storing credentials related to an Account. These classes are not specific to Google server accounts - you can use them for any type of account. For example, I use them to store OAuth2 tokens for Facebook, Twitter, etc.
You will need to use the Google APIs to generate an OAuth2 token, which you store in an Account using the AccountManager. You need to use the Google APIs, because part of the OAuth2 token generation occurs on the server itself - Google will store a record of the tokens it has given out, and the server accounts that they are related to. If you didn't call the Google APIs to generate the token, Google wouldn't know how to match the token to a Google server account.
Your approach of using a WebView to obtain the OAuth2 token is the correct way to do this.
Once you have the OAuth2 token stored for the Account, you just retrieve it from the AccountManager whenever you want to use it to make a query. So, you only need to generate the OAuth2 token once (unless it expires), and then you keep using it over and over again.
Related
I am writing a service that will access a Google Nest Thermostat, and need a Google Oauth2 token in order to do so. All of the documentation I can find references a browser-driven login to identify, authenticate, and then store a token as a cookie.
All of my OAuth experience has involved receiving a secret and/or API key, and then using that against a token service to get a security token. I then use that token for subsequent API endpoints. All of the Google docs / samples tell me I have to get my "headless" service to log in via browser and get a token via a redirect, the same way I'd log in to any other service using my Google credentials. Is there a way to do this without a live browser session, i.e. just a Google endpoint that I trigger with my secret data, to get a token to use with the Google Smart Home APIs?
I'm trying to build a Spring Boot REST API that will implement social login(Spotify). After successful login with Spotify, I would like to store the Spotify access_token in my JWT token that I'm generating to be able to access my backend. I need a Spotify access token to be able to make API calls to Spotify(almost every request to my app will need to call Spotify API). Is it a good practice to store access tokens to external services in JWT? Or should I store the access token in my DB and read it when I need it? Maybe do you have any guides on how to implement stateless REST API that will call external services?
usually, I store access token in Redis, it's faster then DB. if you use DB, every quest will link DB twice,one for get user infomation(like username and password),one for read the access token. When the frequency of quest is very small,it's ok. but when the frequency of quest more and more, store in DB, will very waste of performance. Use Redis have another advantage,it has expire time. So, most of my project, I use Redis store token.
I would like to authenticate against KeyCloak using "Direct Access Grant": https://www.keycloak.org/docs/latest/server_admin/index.html#resource-owner-password-credentials-grant-direct-access-grants
I works like a charm when keycloak manages users and passwords on its own.
But, my scenario is different:
I would like keycloak to act a Broker to some external IDP. KeyCloak has identity brokering feature - but in only works in "Authorization Code flow" - redirecting user to external IDP login form.
I have mobile app and would like ot use "direct access grant" - so that app comunicates with keycloak to authenticate user - and keycloak, as a broker, authenticates this user (using openid-connect) in external IDP
How to achieve such scenario ? I know that it is not possible out of the box - but maybe somebody could advice how write an extension to keycloak do make this scenario possible ?
Whatever it is you are trying to achieve this way, it goes directly against what OAuth and OpenID Connect were designed for. The whole idea of using access tokens is to allow some relying party (such as a mobile app) to interact with a service on behalf of the user without ever getting to see the user's credentials (like a password).
Think of it like this. Let's say you have some app on your mobile phone. It can make use of certain services by Google. In order to do so it offers you to log in with Google and grant the app access. Now, would you want to do so by putting your Google email and password directly into the app? Of course not. That could give it complete control over your Google account, other apps and sites using your Google identity, possibly services that allow you to pay through your Google wallet... It would be insane to simply hand some phone app your Google login.
So instead with OAuth2 or OpenID Connect you can use the authorization code flow or implicit flow to have the user redirected to the identity provider (Google in our example) where they will complete their login process, and then the identity provider redirects back to the app or a site with an authorization code that can be exchanged for tokens or, for the implicit flow, the tokens themselves.
Now, when it's your own app and your own identity provider (like Keycloak) which are under your control it doesn't really matter. You can use a direct grant to simply have the user input their username and password into the app because you know it's not trying to steal user credentials to maliciously use your service. They're both under your control. In that case OAuth or OIDC are a bit overkill, but you could have separate clients for direct grants (your own app) and authorization code flows (third-party apps using your service). When you want to use Keycloak identity brokering, however, an external identity provider like Google or Facebook is not going to offer a direct grant and invite apps to steal their user's credentials. So you won't be able to interact with them this way.
Depending on what you're trying to achieve you may find some use in the token exchange process. If however the idea is that you want your user to log in with their external identity provider credentials, in your app, without a redirect... Don't.
This is a real use case, unfortunately Keycloak doesn't have a direct way of solving this issue. AWS's "IAM Roles for Service Account" feature works based on token exchange with direct access grant using external IDP. I found this discussion on how to workaround this lack of support in Keycloak but not sure if it solves all the usecases - https://lists.jboss.org/pipermail/keycloak-user/2017-January/009272.html
Do you stick with Direct Access Grant as a method of user authentication in your mobile app? In my opinion, you need to use Authorization Code Flow when the IDP is a third party service as it won't provide an API to authenticate users, and even with your own (first party) IDP, it'd be better to use Authorization Code Flow as stated in OAuth 2.0 Security Best Current Practice section 2.4.
To implement Authorization Code Flow in mobile apps, you will need to use in-app browser tab to show login screen provided by the IDP. Please refer to RFC 8252: OAuth 2.0 for Mobile and Native Apps for details.
I want get my Google Analytics data. I do not want to see others Google Analytics data, so I don't want to use oAuth2.
In detail I just need have the Analytics Object: ManagementApiReferenceSample.java
I just want to use my google account to get my Google Analytics Data. I don't understand how to use use google-api-java-client to get access with out Oauth2.
For starters you should look into using a service account. By using a service account you can set it up and give it permissions to access your Google Analytics account it will act like any other user but will only have access to your account and you will not need to request access like you do with Oauth2.
Note: Make sure that you grant the Service account access to use the Google Analytics account at the account level. It wont work at the web property or view level. Its the service account email address you use.
There are several examples for using the Google Analytics api with Java client lib. The main one I can find is called hello analyitcs
I have a Java web application that uses Google OAuth for authentication (with this API : http://goo.gl/6wWyT3) and it works fine. However, I need a way to allow only users from a certain Google Apps for Education domain e.g mike#wdu.edu.ng to be able to gain access to the app using Google's OAuth. How do I go about this ??
send users off to Google with a parameter hd=<domain.com> in the authorization request (by modifying buildLoginUrl) to skip the account chooser screen and upon return, check that the claims returned from Google contain the hd claim with a value <domain.com> in getUserInfoJson to enforce the access requirement