I am working on a web extension that displays a badge as a 'page action' when you are logged in using HTTP Basic auth.
When clicked, I would to automatically log the user out. I can't seem to find an API that allows me to clear the HTTP Basic auth cache. Does such an API exist?
There is no cross browser client-side method for "logging out" of an authorized resource. To do it securely, you really need to delete the auth/session info on the server side so the server no longer recognizes it.
This isn't something you can do inside the browser.
Related
I'm tasked with making a server using Node.js which will read emails from a Google account and parse the content from those emails into data we can store in a database. I'm using Google's googleapis package (v103.0.0) in NPM to authenticate/authorize with whichever account we'd like to use.
The issue comes when we try to switch accounts and have the user re-auth. During development on a local machine, the Auth process works as expected:
The client requests an Auth URL.
The server generates a new Auth URL and sends it back to the client.
The client redirects to that URL and the Google Consent Screen is shown.
The client is asked to choose between logged-in Google accounts.
The client authorizes the application and is redirected back to the server with a code.
The server uses the code to generate/save a token, which allows it to use the Gmail API.
However, after deploying to Heroku, the Google Consent Screen no longer allows the user to select an account. Instead, at step 3, it shows this message. In just about every other question related to this error, there's always additional information below the error code/message, but nothing's there for me. I made sure: (1) the domain I'm using in Heroku is verified on the Google Cloud Console, and (2) the redirect_uri within the Node.js application is passing the correct domain to the Auth URL, even while in production.
I can't provide the URL for privacy reasons, but let me know if there's any source code or Cloud Console info I should include.
It didn't take long after posting this question, but I realized I was using an incorrect OAuth 2.0 Client ID type. I was attempting to use "Desktop" when I should've been using "Web application" instead. Take a look at this image to see the difference.
When you select "Web application", you're given some new options: Authorized JavaScript origins, and Authorized redirect URIs. This is where you need to fill out the allowed URIs. Here's a sample of what that should look like.
So I work on a project where I have a Website that calls an API (both hosted on IIS), nothing special for now.
The website is configured with windows authentication allowing access to users within a group.
The API is configured with windows authentication only allowing access to the user defined as identity in the website's application pool.
I'm expecting that any user in the group calling the website would be able to see data on the website, and they won't be able to directly call the API.
However, what I get is that when calling a page of the website, the website receives a 401 error when it calls the API.
Am I missing something in the configuration ?
I hope this is clear for you.
Thank you for your upcoming help ! :)
Elyan
If you're using HTTP as a transport between your website and your API then you cannot restrict access to API from Postman or any other tool, including simple GET requests in browser. Any technically skilled enough user can open "Network" tab in Chrome debugger and see all requests that your site sended to the API.
So, I think you should do API request on server-side, on HTML page render step.
AS IS:
(browser or any client) -> WebSite AND (browser or any client) -> API
TO BE:
(browser or any client) -> WebSite -> API
Then you can restirct access to the API, e.g. allow request only from localhost
I am trying to build an app in node.js that connects to Pinterest via its API. I can get an access token via Postman and test my app in single-user mode, but I am unable to incorporate OAuth2 to test my app for a second user. Every configuration of my code and settings at developer.pinterest.com yields the error "The provided redirect_uri ... does not match any of my registered redirect URIs."
I registered what I believe are correct callback URLs at developers.pinterest.com--many variants, with and without trailing slashes. My callback is hosted via https.
I tried calling Pinterest's auth URLs OAuth2 in my server code (node.js), and via browser address bar.
https://api.pinterest.com/oauth/?response_type=code&redirect_uri=https://www.outfinterest.com/auth/pinterest/callback/&client_id=5042375080944909391&scope=read_public&state=true
I attempted the auth from a browser logged into Pinterest as me, and from a browser logged in as a registered tester of my app.
What must I do to get Pinterest to accept my callback URL?
Do I need to submit my app for approval before I can authorize via OAuth2?
I resolved the problem by reducing the set URLs registered at developer.pinterest.com to just the one I need, then reloaded the page with the app settings.
I have a website hosted on azure. The website is expected to get opened only from the UWP application and should be prevented to get open from browser directly. I was checking deep linking Web-to-App approach. Are there any other options to do this?
The only way you could do this would be to setup some kind of client authorization mechanism in a way that the app would add some additional request headers to with authentication information that the server would check to verify that the client is indeed the app.
You should look into IdentityServer4 documentation, as they show how such functionality can be implemented. You could implement this yourself or use IdentityServer4 or some other tool in the respective language you use on your backend.
I am using multiple authentication providers and protocols(Oauth2, Open ID 2, SAML) for authentication which need client to be redirected to providers authentication URL. After successful authentication server will redirect client back to application server URL with user information/code/token in header.
This is already working fine in web browser, node webkit app and cordova as I can use window.open and then see the changes in the url or close the popup window after getting the access token.
Since this is not an extension I will not be able to use chrome.tabs. I tried chrome.window also and it also doesn't allow redirection.
Even webview allows to open an external url, but doesn't allow redirect.
I can't use chrome.identity as its just specific to Oauth 2. Sandbox also doesn't work.
Can someone please tell me if they have ever used Oauth, OpenID, SAML, redirections in chrome packaged apps without using the chrome.identity