I am currently developing a GWT/AppEngine application that uses the Java Dropbox API.
To pair with my user's Dropbox account I basically recover a URL to the Dropbox website that I need to forward my user to in order to authorize my app; the Dropbox website then redirects my user to a callback URL of my choice.
So I have my GWT app opening this website in a new window/iframe. However I want to be able to check when the user has authorized my app. So I was thinking of starting a GWT request that would only terminate when the callback URL is visited (that can be handled by a specific servlet).
Does that make sense? What is the "good way" of doing it?
On App Engine front end request are subject to a 60s deadline, so that wouldn't be the preferred solution.
If you really want to do the authorization flow in a new window/frame, you can consider communicating between the servlet handling the callback URL and your main application using JavaScript.
Alternatively you can redirect the user to the Dropbox authorization url, and set the callback url to your main application window.
Related
I'm writing a simple desktop application that sometimes needs to upload a compressed archive to OneDrive.
It's the first time I'm messing up with OAuth and I'm trying to understand how to show the user the login page and obtain back the access token.
I understand that the login page is called via this url:
https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}&response_type=token&redirect_uri={redirect_uri}
Which is the best way to "show" the login page to the user and wait the redirect with the access code using java?
I'm writing a simple desktop application that sometimes needs to upload a compressed archive to OneDrive
You may try to use the device authorization grant flow.
The service will return a signin URL and a code. Your application then
opens a browser to the returned URL
reguralry polls for a token, which is returned if the user signs in and enters the code
There are ways to embed a web page in the java app, but then you will have to handle the redirect urls, etc.. So for the desktop apps, I find the device grant flow the simplest to implement.
I have an application that has both a backend and a frontend (in java). I need to have user authentication but I would prefer not to handle most of it myself. So I thought I could have users authenticate with their google accounts.
The backend part is mostly implemented, and it works fine from the browser:
I try to navigate to a URL of my server, and the browser is redirected to the google login page.
I login, and the browser is redirected back to my server, this time with auth info (some kind of token?) and I get a response.
But I'm having trouble figuring out how to set this up from a desktop app. I would like for the app to have a login button that when pressed, opens the google login page in the system browser for the user to login. If the login is successful, the desktop client can use the info from their google account (e.g. the email address) to identify itself with my server.
It's the first time I'm working on something like this, so I don't know if I'm looking in the right place. My research online leads me to OAuth2.0, but that seems more like authorization than authentication.
I looked at google's OpenID guide and it directed me to using OAuth2 for installed applications, is that the right solution for my use case? Or is that for applications that only have a frontend and all data is kept in the desktop app?
I am not completely sure whether it is secure, and whether it aligns with best practices, but I found a solution. I used the idea of the loopback redirect uri in my own way.
I start an http listener on the desktop app on a random available port, let's say it's port 54321.
I want to contact a url to my server. In that url I add the loopback port as a query argument. So the url would be something like https://myserver.org:8443/signin?loopback_port=54321
I start the system browser with this url. The server requires authentication, so the browser is redirected to google to login and provide authorization for the application to access my google account data.
Once the login in google is done, the browser is redirected back to the url of my server that it was first trying to reach. Now since the authentication is done, the request goes through.
I updated the /signin endpoint on my server to return redirects to /signin2 (again with the loopback_port param). The redirect from /signin will set the JSESSIONID in a cookie in the browser, and when we get the request in /signin2, we can read that JSESSIONID.
When we get the request in /signin2, we use the loopback port and the jsessionid to build a redirect url to the http listener on the desktop app. The jsessionid will be included as a query argument. So the browser is redirected to http://localhost:54321/?JSESSIONID=....
The http listener on the desktop app parses the request to get the JSESSIONID from the cookie, and it can use that in subsequent requests it sends to the server. Having this cookie, the server associates the desktop app's request with the authentication done earlier.
I have a web application that when user click on the a link it will generate security information and log on to an external application if the security information is authenticated.
At this point from security concern I don't want to expose the URL and request information on the web page, so instead I am seeking solutions to handle the process behind the scene
I know Apache Components can easily send post request within POJO, jersey client can do as well through web service. However the requirement here is also including to let browser automatically redirect to the 3rd app's front page if the login process succeeded.
My question is what could be the proper solution to handle the login process and go to the external application from web as well.
Say you have:
publicapp.com
secretapp.com
Set up an API in publicapp.com to POST the initial request to itself. When the user submits the initial login form it goes to say publicapp.com/login. This endpoint will pre-process the information then send a server to server request to secretapp.com/login.
If secretapp.com/login accepts the information it responds to publicapp.com with a success and publicapp.com redirects the client to secretapp.com/home, with a short term auth token encoded in a JWT. secretapp.com, swaps the short term token for a full auth token.
In the above scenario, the actual login endpoint is never made public. secretapp.com should also have IP whitelisting to only accepts login attempts from publicapp.com. You can also do a lot of filtering on publicapp.com to eliminate malicious requests without bothering secretapp.com.
I am working on a desktop project that requires Google Authorization for Google Calendar API using OAuth2.0. The language used is java.
Currently to authorize the project, I have to open the browser using java.swt.Desktop.getDesktop().browse(url), click the "accept" button, copy the authorization code in the redirected page and paste it in my application. And the user has to close the webpage manually. Quite troublesome.
Is there a better, more user-friendly approach to achieve this authorization procedure? The ultimate procedure I want to achieve is only that the application opens the authorization page, the user clicks "accept", the page closes itself automatically and the software is authorized. I have seen this kind of procedure in other applications. It's just that I don't know how to achieve this.
Thanks in advance.
You need to provide a callbackURL. I would recommend using a java library like Scribe to accomplish this - there is a good getting started page and plenty of examples.
EDIT 1
Here is a sample for setting up a callback url
String apiKey = "your_app_id";
String apiSecret = "your_api_secret";
OAuthService service = new ServiceBuilder()
.provider(FacebookApi.class)
.apiKey(apiKey)
.apiSecret(apiSecret)
.callback("myApp://oauthcallback")
.build();
You would need to open an embedded browser in your desktop app, and go to the oauth url as given by OAuthService. Once the user has approved your app, the embedded browser will be redirected to your callback URI. You'll need to detect this and then extract the oauth info included in the callback.
I've never done this through a desktop application (it was always within a servlet/jsp - web app). But if you search for how to detect redirect on a URI in windows, hopefully you will find some examples.
I'm working on a Java REST server serving an iPhone app. Now we have to integrate with third party service exposed by oauth2 protocol. This is new to me so I've been reading and writing some "proof of concept" code but I have a big problem or I fundamentally don't understand something...
I made a simple web page with "log in with XXX" button that the user sees in a web view. When he clicks it, login page of the third party service opens and he can approve my app, at what time they will redirect the user to an URL I've specified with the authorization code as a parameter. This URL points to a REST service on my server.
The problem is that this URL must be absolutely the same as the one I've set up when applying my app for their service. Since I'm running a REST server I have no way of knowing about which user are we talking about when the redirection to my server happens (there is no session). I wanted to do this identification with some query or path param but they are not allowing it.
Does any of this makes sense to you or am I implementing this in a wrong way? The only possible solution I can imagine now will be with the help of cookies but I'm not really fond of that...
Yes, that does make sense. You got a few different options, try one of these:
Store a cookie with some user id and read it out after redirection
Use the state parameter of the authorization request for transmitting some user id. The provider is required to return it back to you in his redirect.