I'm building a Java web app that needs access to a user's Google Calendar data - therefore I thought the OAuth/OpenID hybrid is the best way to go.
What's the best library to handle the job - and reduce the amount of code on my end?
I tried openid4java & Spring Security OpenID (both don't support hybrid) as well as dyuproject (couldn't get it integrated).
PS: GAE is not an option
Any ideas?
I don't know any integrated library but I do it with an OpenID library (openid4java), an OAuth library (net.oauth Java implementation [Edit: or Scribe]) and my bare hands as follows:
My OAuth consumer key is like www.example.com so I use http://*.example.com as OpenID realm.
I add following parameters (to redirect url or form) when redirecting user to Google OpenID endpoint:
openid.ns.ext2=http://specs.openid.net/extensions/oauth/1.0
openid.ext2.consumer=<my oauth consumer key>
openid.ext2.scope=<oauth scope to be authorized>
In return in addition to plain OpenID response I receive:
openid.ext2.request_token=<request-token>
I exchange received request-token with access-token and access-secret which are what is needed to make OAuth-authorized calls. That's all!
Note that in plain OAuth along with request-token you have to use a request-secret and verifier but here you don't need them.
To have a better view you may read Google OAuth, Google OpenID and OpenID OAuth Extension.
Edit: Here (comment 8) is the OAuth extension for openid4java that does above for you.
It does not support OpenID but, Scribe is a very good OAuth Java library that supports Google.
Related
From my application I have to invoke external http service which uses google authentication. It works when I invoke it from browser. I found out that it happens because I have cookie which contains
GCP_IAAP_AUTH_TOKEN_<random_string>
GCP_IAP_UID
So my cookie look like this:
cookie: GCP_IAP_UID=111111111111; GCP_IAAP_AUTH_TOKEN_1234567891234567890B=verylongstringhere"
I tried to set this cookie directly in my restTemplate and it works properly but I expect that I have to get token based on some kind of credentials.
webClient.post()
.uri(uploadUrl)
.header("cookie", "GCP_IAP_UID=12345678901234567890; GCP_IAAP_AUTH_TOKEN_12345678907645456546B=verylongstringhere")
Could you please provide example of correct usage GCP auth ? How to update token? Based on what?
Google APIs use the OAuth 2.0 protocol for authentication and authorization
You can obtain OAuth 2.0 client credentials from the Google API Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.
Before your application can access private data using a Google API, it must obtain an access token that grants access to that API.
There are several ways to make this request, and they vary based on the type of application you are building. For example, a JavaScript application might request an access token using a browser redirect to Google, while an application installed on a device that has no browser uses web service requests.
I recommend you to go trough OAuth 2.0 to Access Google APIs article to choose the best method for your application, there are a couple of documented scenarios to explain how GCP uses application authentication
I am searching for the best approach of authenticating users of mobile clients when accessing my RESTful API. For example, how approximately AirBnb uses it's auth module.
Should the authentication be different for RESTful and basic session-based resource, working with the same data?
I am not a mobile developer therefore, I am interested in what is the best way to provide authentication from server-side, so the mobile-platform developers could use it simply.
I googled for few approaches using OAuth, OAuth2, HTTPBasic authentication and still wonder how the mobile developers can use such API, how they will store this token (cookie is stored by browser in browser-oriented apps).
Could you please suggest me some links/code samples/techiques that you used in production or pet-projects or something?
An easy and manageable alternative to OAuth(2) for authentication is JWT.
You don't need additional infrastructure, the workflow and use is straightforward and there are ready to use libraries for all major languages already available.
Compared to HTTP Basic Authentication JWT is more flexible by transmitting additional information not just credentials, you can store the JWT token as JSON or you can use cookies, you don't need to store the credentials on client side and you don't transmit the credentials on every request.
Also based on JWT you can realize very easy a single sign on function. So if you need more than just a simple system user then you should definitely try JWT.
I would like to write a custom authenticator for Android. I found this nice tutorial to do it, but instead of using Parse as authentication server, I want to use Google App Engine:
http://udinic.wordpress.com/2013/04/24/write-your-own-android-authenticator/
The problem is that I couldn’t find the way to do it. Do you know if that is possible?
All I can find is how to implement authentication using a Google account, but I’d rather prefer to allow users to use any email account.
Thanks.
You have plenty of choices, the first ones that come to mind:
You can use 3rd party OAuth providers which not all email providers are.
Implemment and use your own Authenticator.
(Recommended) Since you are not accessing user data through OAuth just implement a standard user/password authentication method using endpoints and secure the API using your android's app SHA fingersprint, as explained here
I'm reading the Google Cloud Endpoints docs related to OAuth2 Security.
I assume this kind of security is against Google accounts.
Is there any support to have a custom User schema to authenticate against?
What I would like is to have client JS application which uses Google Cloud Endpoints but authenticate against local storage (App Engine) of users.
Is Google Clound Endpoints suitable for this or do I need to write my own Security mechanism?
My understanding of OAuth is:
An end point is implemented by a provider, so when an application such as yourself, authenticates a user such as myself, it returns a result.
Now the problem is if google's end points can return custom schema.
What you could do is, implement the functions, and change your DNS (/etc/conf) so that google's endpoints hit your localhost. In principal this will work, however in practice I am not sure I would do this myself, but perhaps you have your reasons.
So with AppEngine, I imagine there might be a class which overrides/implements this stuff. With the DNS rewrite trick, you should be able to get it to work.
If you do, please write about it, so it can help others.
The OAuth for Cloud Endpoints is Google accounts only. You would have to write your own.
Honestly, just use Google Accounts, user can even sign up for Google accounts with their own email address. In the future they will probably support Open ID with Endpoints as well.
Hey all, i want to integrate my Blackberry App with Twitter, and found that the way to do it is with OAuth. The problem I have is that i would like to do the verification of this from my server as to put less strain on the device, but I have no idea how to get the OAuth PIN from the server to be displayed on the device so the user can enter it, any ideas as to how i can do this? or an alternative ?
You can't. OAuth was designed such that only the service provider can provide authentication (so that the developers don't have to store their client passwords on their database servers and if the client changes their passwords, then it would have to be managed also on the developers side too). There is only one source of authentication and that's from the service provider (Twitter, in this case). Sharing of passwords is therefore eliminated.
OAuth doesn't work on PINs but rather using Request/Access Token. Follow the Beginners' Guide to OAuth and Twitter Developer's Auth Page to see how you can incorporate OAuth to Twitter. Just to give you an heads up, you will have to register your application to Twitter.
Update For Mobile and Desktop applications, rather go through Twitter's xAuth. Here's a documentation on how to register and use your application to use xAuth.
Twitter OAuth FAQ.