I believe that callback URLs are similar to a callback function which, when provided to an API, will be called by the API when a certain event occurs or after certain requests. I went through the documentation but was unable to find when the callback URL in imgur will be called. Could you please let me know the scenarios in which the callback URL will be called and, if I do not need it, how to opt out of it?
If you are referring to the callback URL entered during app registration, that is used when authenticating a user. If someone uses your OAuth2 link, they will be redirected to your callback URL after they sign in, and that URL contains the access token, which is what you need to use the API as a logged-in user. This contains information about authorization.
My goal is to tell if a user is authenticated, and get their name and email. So far, I can only do the first.
My server app is a NodeJS/Express router. The OIDC server is provided by my company, I believe is compliant, but not under my control. I can do an "Authorization code flow": response_type="code". My Node app eventually responds to the callback route and I can get the "code" and "grant_id" query string values. Other than knowing they exist and presuming that means the user is authorized, I have no idea what I can do with those values. It appears that the only scope that works is "openid".
If I can get the access_code, I can call the UserInfo service and get these values.
My other choice is to do an implicit call. Unfortunately, the OIDC service provides the "access_code" and other values after a hash mark on the callback. I believe the flow to be like this:
User makes call to Node app. Detects a lack of authentication, issues redirect to SSO service implicit authorization
User's browser follows redirect to SSO service implicit authorization. User fills it out and is successfully authenticated.
W3 returns a redirect to the provided callback URL.
User needs to cooperate with the app, somehow parse the query string parameters to get the access token and pass this back to the Node application.
The browser calls the provided Node callback application, but without the necessary access token.
I think I could make a proxy server to force OIDC to give my node server the request, just so I can get the access_token. It seems like a very convoluted way to do this, so I have to think there's some simpler way.
Again, all I want is to know the user is authorized to use the app, and what their name and email is. It should not be this hard.
You can use the ID token to get the details about the user.
It is also important that your identity provider is all about authentication. Final authorization checks should be done in the client, by examining the scopes/claims in the token.
http://**XYZ.com**/login/oauth/authorize?response_type=code&redirect_uri=http%3A%2F%2F**XYZIP**%3A3000%2Fauth%2Fgithub%2Fcallback&scope=user%3Aemail&client_id=34940ae24cfd171d449a4
When I try to use a domain name instead of an IP in the GitHub OAuth app callback URL, it's giving me an error...
If I change it to:
http://github.com/login/oauth/authorize?response_type=code&redirect_uri=http%3A%2F%2F**XYZIP**%3A3000%2Fauth%2Fgithub%2Fcallback&scope=user%3Aemail&client_id=34940ae24cfd171d449a4
Then it will work but because of different callback URL in oauth it will show me mismatch callback URL.
Basically I am calling from react app front end and node JS back end and passport-git-hub that is in back-end
What am I doing wrong?
This is expected behaviour. When you log in through a third-party auth service, they will call THEIR service and redirect to your service with a session key.
So, what happens is.
There is a Login button, user clicks it
It redirects to google/github/facebook login page where user puts the username and password and presses login.
If the user is authenticated, it generates a session key and sends that session key with additional info (for example, profile) to your callback page.
Your callback deserializes the request and generates the user session and profile object and such.
When you open your route, the passport middleware checks if the session is there; if it's there, it goes to next(), otherwise it sends some error as the response.
Maybe I got the question completely wrong but this is some generalised flow.
I'm getting started with Google Cloud Platform.
I'm developing an Android App that will collect information and store it in a Firebase App. The idea is that a Google Assistant function can query this information and read it back, e.g.
OK Google, Talk To Simons App, Tell me the last time XYZ was done
The problem I've got however, is to get this being multi user.
I've got the Android App collecting data and putting it into the cloud. I'm using the FirebaseUser and using getUid() in the Android app to get a unique id, which is a 28-character string like uVHkia8RRgWD8GGPVvW4AUDUK2.
I've setup Actions on Google, got it hooked into API.AI with Web Fulfilment and got Node.js working in firebase functions.
Unfortunately, the UserID I get back looks more like: HTge48H0CF2FC5jJQCigFBc-UCQ
The problem is that this UserID is not the same as the UserUID I got from FirebaseUser.
I'm using
let ApiAiApp = require('actions-on-google').ApiAiApp;
const app = new ApiAiApp({request: request, response: response});
and
const userId = app.getUser().userId;
What am I missing? I see references to OAuth2, Account Linking etc. I'm not entirely sure what to do at this point. All I need to do at the moment, is get the User UID like I get from FirebaseUser.getUID() in order to look the data up in the Firebase Database.
I think the rest should be straight forward.
There's loads of documentation on linking to Firebase from the Assistant, but very little on actually authenticating. So far I've not set up any flows, like Authorization Code Flows or Implicit Flows, or set a username/password against API.AI and the Fulfilment option. Quite frankly I'm not sure what needs to go where at this point.
The user provided by app.getUser().userId is designed as a persistent anonymous identifier. It is roughly the equivalent of a cookie that one sets in a web server: you can use it to determine if you've seen this user before, and what else they've done in your Action, but it does not inherently relate to any outside account.
Unfortunately, the best solution you have at this point is to use Account Linking which requires you to setup an OAuth2 server. As part of this setup, you will need to create three components:
A login web page for your service. You'll provide the URL for this page to Google as part of Account Linking. When the user accesses your Action, and your action indicates they need to log in, they'll be redirected to this URL on their mobile device. On this page the user will log in - once logged in, you now know their Firebase ID and will create an auth code for this user. You'll then redirect them back to a different URL and pass this auth code (along with some other info) as a parameter.
A token exchange endpoint. Google will call this URL with the auth code above. You'll verify this code, determine who the user is, and send back a unique access token. (You'll also send back a refresh token that Google will use in the same way to get an updated access token.)
An auth token handler in your webhook. When API.AI calls your webhook, it will include the access token as one of the fields in the request. You can use this access token to get the Firebase ID for the user.
One thing to note for the auth code, the access token, and the refresh token is that you'll need to have some way to map from these codes/tokens to the Firebase ID. There are two good ways to do this:
The code/token can be a JSON Web Token (JWT). This takes the Firebase ID, and other information you wish to retain about the user, and puts it in a standard format. It then creates a cryptographic signature, to make sure it hasn't been tampered with, and encodes it in a standard format. When you need to determine the ID from the JWT, you can decode it, verify the signature is valid, and read the value.
Generate a random string and store this in your database against the Firebase ID. When you get the token, you can then look up in your database the ID that this string was assigned to.
There are many additional details about an OAuth implementation and about each of these steps. See https://developers.google.com/actions/identity/oauth2-code-flow for more details.
I'm using Facebook Authentication for my Azure Function App; it works fine if I navigate to a function within the browser. I would like to invoke my functions from within an app but am unsure how to perform the authentication.
At current I am attempting to use the Facebook Client, this returns me an access_token that I am then forwarding to the ".auth/login/facebook/callback" function within my function app. Unfortunately that's as far as I can get, doing this via a GET returns HTML with JavaScript in, and doing it via a POST redirects back to Facebook.
What I really need is the cookie created by the azure function, AppServiceAuthSession, I believe I can then use this to call the functions.
Edit: I don't think I can just use the cookie, like I said above, so I need to authenticate properly.
Nick.
I was able to get the tokens passed along to the function app while using the Facebook Javascript SDK (I wasn't having any luck with the C# one) -- maybe this will get you moving in the right direction.
The client:
Performs the login to Facebook, which returns an accessToken.
Client needs to exchange this accessToken for an 'App Service Token'. It does this by making a POST to https://{app}.azurewebsites.net/.auth/login/facebook with the content { "access_token" : "{token from Facebook}" }. This will return back an authenticationToken.
Use that authenticationToken in a header named x-zumo-auth. Make all requests to your function app using that header.
From within your function app, you should then have the current Principal set to that logged in user.
According to the reference link https://developers.trello.com/authorize, I chose the first way, Using the Authorize Route, to implement OAuth on Trello.
The involved url request is https://trello.com/1/authorize?return_url=http://xxx/union/callback/trello&namae=xxx&key=xxx&callback_method=xxx&scope=read&expiration=30days
Finally, the program stops with url http://xxx/union/callback/trello#token=a1418eb97b298edc9a7a83fb85107bad4d2861cf46ac897037002aff778c3927 on the browser location.
In my opinion, the token should be returned after "?" instead of "#", because the string after "#" will not be sent to the server.
For this issue, is it a bug in Trello's OAuth, or can I do anything to proceed?