Hey all, i want to integrate my Blackberry App with Twitter, and found that the way to do it is with OAuth. The problem I have is that i would like to do the verification of this from my server as to put less strain on the device, but I have no idea how to get the OAuth PIN from the server to be displayed on the device so the user can enter it, any ideas as to how i can do this? or an alternative ?
You can't. OAuth was designed such that only the service provider can provide authentication (so that the developers don't have to store their client passwords on their database servers and if the client changes their passwords, then it would have to be managed also on the developers side too). There is only one source of authentication and that's from the service provider (Twitter, in this case). Sharing of passwords is therefore eliminated.
OAuth doesn't work on PINs but rather using Request/Access Token. Follow the Beginners' Guide to OAuth and Twitter Developer's Auth Page to see how you can incorporate OAuth to Twitter. Just to give you an heads up, you will have to register your application to Twitter.
Update For Mobile and Desktop applications, rather go through Twitter's xAuth. Here's a documentation on how to register and use your application to use xAuth.
Twitter OAuth FAQ.
Related
I am going to write a java backend application that once a day should download data using google ads api.
I did something similar for google search console and I was using a service account in order to authenticate. I would like to use the same mechanism but I don't know how to link the service account to the google ads account.
I found this link but I don't have clear how to:
Request the domain administrator to delegate domain-wide authority to
your service account.
Can someone explain (it would be great with some code example) how to authenticate and use google ads api from a backend java application? Which is the easiest authentication mechanism to setup?
Thanks a lot
I am making a desktop application for Reddit in Java. I want to let users log in to their Reddit account via my application so that they can do things on Reddit. I know that I need to get access tokens and whatnot but I don't know how to go through the process of doing that. Whenever I have accessed the API previously, it has been in Python using PRAW, so I would manually enter in the client id and client secret - obviously I can't be doing this for a professional application. I'd appreciate it if anyone would guide me through the process of authenticating the user and how to receive and use the access token.
You have to use oauth apis. There is a sample integration for reddit. https://www.e4developer.com/2018/11/04/reddit-api-authentication-with-java-spring/
also there are developer guide for oauth in reddit page
https://reddit.com/dev/api/oauth
Reddit github page have good documentation
https://github.com/reddit-archive/reddit/wiki/OAuth2
I would like to authenticate against KeyCloak using "Direct Access Grant": https://www.keycloak.org/docs/latest/server_admin/index.html#resource-owner-password-credentials-grant-direct-access-grants
I works like a charm when keycloak manages users and passwords on its own.
But, my scenario is different:
I would like keycloak to act a Broker to some external IDP. KeyCloak has identity brokering feature - but in only works in "Authorization Code flow" - redirecting user to external IDP login form.
I have mobile app and would like ot use "direct access grant" - so that app comunicates with keycloak to authenticate user - and keycloak, as a broker, authenticates this user (using openid-connect) in external IDP
How to achieve such scenario ? I know that it is not possible out of the box - but maybe somebody could advice how write an extension to keycloak do make this scenario possible ?
Whatever it is you are trying to achieve this way, it goes directly against what OAuth and OpenID Connect were designed for. The whole idea of using access tokens is to allow some relying party (such as a mobile app) to interact with a service on behalf of the user without ever getting to see the user's credentials (like a password).
Think of it like this. Let's say you have some app on your mobile phone. It can make use of certain services by Google. In order to do so it offers you to log in with Google and grant the app access. Now, would you want to do so by putting your Google email and password directly into the app? Of course not. That could give it complete control over your Google account, other apps and sites using your Google identity, possibly services that allow you to pay through your Google wallet... It would be insane to simply hand some phone app your Google login.
So instead with OAuth2 or OpenID Connect you can use the authorization code flow or implicit flow to have the user redirected to the identity provider (Google in our example) where they will complete their login process, and then the identity provider redirects back to the app or a site with an authorization code that can be exchanged for tokens or, for the implicit flow, the tokens themselves.
Now, when it's your own app and your own identity provider (like Keycloak) which are under your control it doesn't really matter. You can use a direct grant to simply have the user input their username and password into the app because you know it's not trying to steal user credentials to maliciously use your service. They're both under your control. In that case OAuth or OIDC are a bit overkill, but you could have separate clients for direct grants (your own app) and authorization code flows (third-party apps using your service). When you want to use Keycloak identity brokering, however, an external identity provider like Google or Facebook is not going to offer a direct grant and invite apps to steal their user's credentials. So you won't be able to interact with them this way.
Depending on what you're trying to achieve you may find some use in the token exchange process. If however the idea is that you want your user to log in with their external identity provider credentials, in your app, without a redirect... Don't.
This is a real use case, unfortunately Keycloak doesn't have a direct way of solving this issue. AWS's "IAM Roles for Service Account" feature works based on token exchange with direct access grant using external IDP. I found this discussion on how to workaround this lack of support in Keycloak but not sure if it solves all the usecases - https://lists.jboss.org/pipermail/keycloak-user/2017-January/009272.html
Do you stick with Direct Access Grant as a method of user authentication in your mobile app? In my opinion, you need to use Authorization Code Flow when the IDP is a third party service as it won't provide an API to authenticate users, and even with your own (first party) IDP, it'd be better to use Authorization Code Flow as stated in OAuth 2.0 Security Best Current Practice section 2.4.
To implement Authorization Code Flow in mobile apps, you will need to use in-app browser tab to show login screen provided by the IDP. Please refer to RFC 8252: OAuth 2.0 for Mobile and Native Apps for details.
Background
I believe the recommended way to access Google services from Android is to use the Google APIs Client Library for Java (for some services play services is recommeneded too).
If you want to access your user's account, you use oauth2 to authenticate the user, but things seem less clear if you want to access your own services (eg. I want to access Google Cloud Storage belonging to my app engine project).
The problem with service accounts
What I see a lot of here is using service accounts, and I've used them server-side and found them to be a comparatively simple solution, but this requires you to deploy your private key so I don't think this could be right for public Android apps.
The solution: Public API access
If you go to the 'credentials' page of the cloud console:
https://console.developers.google.com/project/[your_project]/apiui/credential
it seems pretty clear that they expect you to use a 'public API access key' for the situation I'm describing. It appears that this is not OAUTH based.
I assume that I will still use the type 'GoogleCredential' for this, but in the documentation for the credential builder I don't see how to do this. The set client functions appear to relate to the oauth2 access (which uses client ID/secret).
The Question
How do I use the 'public API access' key to access Google services from an Android app.
Or, if I'm wrong about service accounts - and they really are the recommended solution, then please show me some evidence of this because it certainly apppears to me that they are not the right solution for publicly distributed apps.
The good news is that it's very much easier. You can either use a Service Account (ie. a brand new account dedicated to your app) or a regular account.
For a service account you embed the key in your app, for a regular account you embed a refresh token in your app. In both cases, be aware of the security risk and use the minimal scope necessary.
You can get a refresh token without writing any code by following the steps in How do I authorise an app (web or installed) without user intervention? (canonical ?)
Hi I am developing an Android App where I require a user to authenticate his session before using the app. One way is to store a user name and password by asking him to register on the app and then use that to authenticate him. But i was looking to do something else, maybe use an OpenId account to authenticate or Opensoial or something like Facebook Connect. Any Suggestions and comments? thanks for you help.
First, please do not whine about not getting answers after only an hour, particularly when it's Sunday in much of the world. If you want responses in less than an hour on a weekend, hire an expensive consultant.
Hi I am developing an Android App
where I require a user to authenticate
his session before using the app.
Why?
Any Suggestions and comments?
Most Android applications do not require authentication for local use. They may require authentication for access to online content (e.g., Web service), in which case the authentication is handled by the Web service and uses technology dictated by the Web service.
Bear in mind that any online authentication process (e.g., OAuth, Facebook Connect) means your application cannot be used in offline mode.
If your goal is to use authentication as some means of helping to combat piracy, you might consider using the new LVL system that Google released this week.