I just recently building an plugin in which I need to integrate Google Login. I searched and found chrome.identity to authenticate user using google account but that does not work well.
So I came across a solution by using this code below
var manifest = chrome.runtime.getManifest();
var clientId = encodeURIComponent(manifest.oauth2.client_id);
var scopes = encodeURIComponent(manifest.oauth2.scopes.join(' '));
var redirectUri = encodeURIComponent('urn:ietf:wg:oauth:2.0:oob:auto');
var url = 'https://accounts.google.com/o/oauth2/v2/auth' +
'?client_id=' + clientId +
'&response_type=code' +
'&redirect_uri=' + redirectUri +
'&scope=' + scopes;
var RESULT_PREFIX = ['Success', 'Denied', 'Error'];
chrome.tabs.create({'url': 'about:blank'}, function(authenticationTab) {
chrome.tabs.onUpdated.addListener(function googleAuthorizationHook(tabId, changeInfo, tab) {
if (tabId === authenticationTab.id) {
var titleParts = tab.title.split(' ', 2);
var result = titleParts[0];
if (titleParts.length == 2 && RESULT_PREFIX.indexOf(result) >= 0) {
chrome.tabs.onUpdated.removeListener(googleAuthorizationHook);
chrome.tabs.remove(tabId);
var response = titleParts[1];
switch (result) {
case 'Success':
// Example: id_token=<YOUR_BELOVED_ID_TOKEN>&authuser=0&hd=<SOME.DOMAIN.PL>&session_state=<SESSION_SATE>&prompt=<PROMPT>
console.log("suc:"+response);
break;
case 'Denied':
// Example: error_subtype=access_denied&error=immediate_failed
console.log("denied:"+response);
break;
case 'Error':
// Example: 400 (OAuth2 Error)!!1
console.log("error:"+response);
break;
}
}
}
});
chrome.tabs.update(authenticationTab.id, {'url': url});
});
In which if I remove v2 from the url variable then it always gives error in the turn with id_token but if I add v2 then its success and return code.
So now I read google documentation which said that now create a post request using client_id and client_secret but I chrome app create credential on google console which does not have client_secret
Now what should I do ? Is there anything that I missed or do wrong here and I also came across one of the chrome extension Screencastify use google login.
Can anyone explain how they do it ?
There's an official OAuth tutorial here for Chrome extensions/apps which you can refer to.
There's another blog tutorial here:
Step 1: Copy library
You will need to copy the oauth2 library into your chrome extension root into a directory called oauth2.
Step 2: Inject content script
Then you need to modify your manifest.json file to include a content script at the redirect URL used by the Google adapter. The "matches" redirect URI can be looked up in the table above:
"content_scripts": [
{
"matches": ["http://www.google.com/robots.txt*"],
"js": ["oauth2/oauth2_inject.js"],
"run_at": "document_start"
}
],
Step 3: Allow access token URL
Also, you will need to add a permission to Google's access token granting URL, since the library will do an XHR against it. The access token URI can be looked up in the table above as well.
"permissions": [
"https://accounts.google.com/o/oauth2/token"
]
Step 4: Include the OAuth 2.0 library
Next, in your extension's code, you should include the OAuth 2.0 library:
<script src="/oauth2/oauth2.js"></script>
Step 5: Configure the OAuth 2.0 endpoint
And configure your OAuth 2 connection by providing clientId, clientSecret and apiScopes from the registration page. The authorize() method may create a new popup window for the user to grant your extension access to the OAuth2 endpoint.
var googleAuth = new OAuth2('google', {
client_id: '17755888930840',
client_secret: 'b4a5741bd3d6de6ac591c7b0e279c9f',
api_scope: 'https://www.googleapis.com/auth/tasks'
});
googleAuth.authorize(function() {
// Ready for action
});
Step 6: Use the access token
Now that your user has an access token via auth.getAccessToken(), you can request protected data by adding the accessToken as a request header
xhr.setRequestHeader('Authorization', 'OAuth ' + myAuth.getAccessToken())
or by passing it as part of the URL (depending on the server implementation):
myUrl + '?oauth_token=' + myAuth.getAccessToken();
Note: if you have multiple OAuth 2.0 endpoints that you would like to authorize with, you can do that too! Just inject content scripts and add permissions for all of the providers you would like to authorize with.
And here's the actual github sample using those concepts.
Related
I'm working on auth between a Chrome Extension, Google Cloud Platform, and trying to send the id_token JWT to an AWS server to retrieve user data (and/or establish a session?).
My question is this -- how can I prevent chrome extensions with tabs permissions from reading the GET request or the redirected URI which has the fully-validated user JWT?
The JWT confirms that a user is who they are, but how do I know my Chrome Extension is the one making the request to my backend?
I have a few ideas:
Maybe I can make a private window that only my extension can control
Maybe I can somehow use the nonce or get the nonce from my server first
Maybe my chrome extension has a private key or some way to verify itself with my backend, which has the public key
Any help would be appreciated, it's difficult to research this specific scenario.
var url = 'https://accounts.google.com/o/oauth2/v2/auth' +
'?client_id=' + encodeURIComponent(chrome.runtime.getManifest().oauth2.client_id) +
'&response_type=id_token' +
'&redirect_uri=' + encodeURIComponent(chrome.identity.getRedirectURL()) +
'&scope=' + encodeURIComponent(chrome.runtime.getManifest().oauth2.scopes.join(' ')) +
'&nonce=' + Math.floor(Math.random() * 10000000);
chrome.windows.create({ url: 'about:blank' }, function ({ tabs }) {
chrome.tabs.onUpdated.addListener(
function googleAuthorizationHook(tabId, changeInfo, tab) {
if (tab.id === tabs[0].id) {
if (tab.title !== 'about:blank') {
console.log(url);
if (tab.title.startsWith(chrome.identity.getRedirectURL())) {
const id_token = tab.title.split('#')[1];
console.log(id_token);
} else {
console.error(tab.title)
}
chrome.tabs.onUpdated.removeListener(googleAuthorizationHook);
chrome.tabs.remove(tab.id);
}
}
}
);
chrome.tabs.update(tabs[0].id, { 'url': url });
});
I have a test user ID as test#gollahalliauth.onmicrosoft.com (without global admin rights) and I am trying to access Graph API for Azure AD.
Try 1 (Success)
I used Azure AD Graph Explorer, logged in with test#gollahalliauth.onmicrosoft.com and using the API https://graph.windows.net/gollahalliauth.onmicrosoft.com/users/test#gollahalliauth.onmicrosoft.com to get the contents. I was able to do this without any issue.
Try 2 (Fail)
I wrote a Go program with profile edit policy
import (
"crypto/rand"
"encoding/base64"
"fmt"
"golang.org/x/oauth2"
"os"
)
const AuthDomainName string = "https://gollahalliauth.b2clogin.com/gollahalliauth.onmicrosoft.com/oauth2/v2.0"
func main() {
conf := &oauth2.Config{
ClientID: os.Getenv("clientID"),
ClientSecret: os.Getenv("clientSecret"),
RedirectURL: "http://localhost:8080/callback",
Scopes: append([]string{"openid", "profile"}),
Endpoint: oauth2.Endpoint{
AuthURL: AuthDomainName + "/authorize?p=b2c_1_gollahalli_edit",
TokenURL: AuthDomainName + "/token?p=b2c_1_gollahalli_edit",
},
}
// Generate random state
b := make([]byte, 32)
rand.Read(b)
state := base64.StdEncoding.EncodeToString(b)
parms := oauth2.SetAuthURLParam("response_type", "id_token")
url := conf.AuthCodeURL(state, parms)
fmt.Println("AUth URL:",url)
}
This creates an auth URL to get the token. I used the id_token to access the graph API using Authorization: Barer id_token and I get an error as
{
"odata.error": {
"code": "Authentication_ExpiredToken",
"message": {
"lang": "en",
"value": "Your access token has expired. Please renew it before submitting the request."
}
}
}
Try 3 (Fail)
I tried adding User.Read in Azure AD B2C > Applications >
<application name> > Published scopes and used the full scope URL and now I get an error as Error: AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
I am not sure what the problem is here. Any idea as to how to get over this?
The AAD B2C is a specialized instance of AAD. You may consider it as a AAD tenant with some B2C extensions. Note: this is a separate tenant from your organization's main AAD tenant in which you've already created the B2C directory/feature!
You can access the B2C records through the AAD Graph API, in 2 steps:
acquire an AAD Graph token by providing the ClientID and ClientSecret to the AAD endpoint (e.g. https://login.microsoftonline.com/yourtenant.onmicrosoft.com).
connect to the AAD Graph REST endpoint (e.g. https://graph.windows.net/yourtenant.onmicrosoft.com/users?api-version=1.6) with the desired method (GET/POST/PATCH/DELETE), passing it the token obtained in step 1 in the Authentication header of the request.
The best example is probably the user migration tool provided by MS. The AAD B2C configuration is covered here and the sample code can be downloaded from the documentation page or directly from the Github project.
You should take a look to the SendGraphPostRequest method and its friends in B2CGraphClient.cs. The code uses ADAL to get the AAD Graph token, but you can also obtain it directly with REST requests. A simplified version in C# (you'll have to translate it yourself to GO, and maybe replace ADAL if it's not available in GO):
// NOTE: This client uses ADAL v2, not ADAL v4
AuthenticationResult result = aadAuthContext.AcquireToken(Globals.aadGraphResourceId, aadCredential);
HttpClient http = new HttpClient();
string url = Globals.aadGraphEndpoint + tenant + api + "?" + Globals.aadGraphVersion;
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
request.Content = new StringContent(json, Encoding.UTF8, "application/json");
HttpResponseMessage response = await http.SendAsync(request);
if (!response.IsSuccessStatusCode)
{
string error = await response.Content.ReadAsStringAsync();
object formatted = JsonConvert.DeserializeObject(error);
throw new WebException("Error Calling the Graph API: \n" + JsonConvert.SerializeObject(formatted, Formatting.Indented));
}
Clearly by the negative score, I haven't provided enough information - sorry about that. However, perhaps add comments to explain why rather than just marking it down?
2nd attempt at a description:
I would like to be able to connect to Spotify's web API interface (https://developer.spotify.com/web-api/) on a headless embedded platform (Arm based simple MCU with WiFi). The username and password would be hardcoded into the system, probably added at setup time with the help of a mobile device (providing a temporary user interface).
I want to be able to add tracks to a playlist, which requires an authentication token. Spotify's usual flow requires the embedded platform to host their webpage login, as described here (https://developer.spotify.com/web-api/authorization-guide/).
Is this possible to authenticate without the webpage?
I have seen here (https://developer.spotify.com/technologies/spotify-ios-sdk/token-swap-refresh/) that Spotify recommend mobile apps use a remote server to handle refreshing of tokens - perhaps that's a route?
Any pointers would be appreciated.
I don't think it is bad question. I am also working on a headless player that runs on a local network which makes the authorization flow a bit awkward. So this is not much of an answer, but let me explain how it can be done.
Your headless system needs to have a web interface that can redirect to the spotify authorization url and handle the callback. The problem is that you have to register the callback url on your spotify app. Say you register http://server1/spotify/auth/callback. Now the server1 needs to be accessible from the device doing the authorization, f.ex by adding it to /etc/hosts.
The good news is that refresh can be done without user intervention, so if you store the access token the user will only need to do this one time after installing.
I know that this is really late, but for anyone having the same issue...
I am working on something similar was mentioned above so I'll share what I know. I am creating a music player that could act as another device on my Spotify (using: https://developer.spotify.com/documentation/web-playback-sdk/) account as well be controlled by my custom webpage.
I have 3 parts to this: backend server, the SDK player webpage (for me: http://localhost:8080/#/pup/player), the frontend UI webpage
(all the code snippets are a part of a class)
The only way I was able to get it running was like so:
Start the backend server and initialize puppeteer
async initPup(){
this.browser = await puppeteer.launch({
headless: false, // This is important, because spotify SDK doesn't create the device when using headless
devtools: true,
executablePath: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", //I also have to use Chrome and not Chromium, because Chromium is missing support for EME keySystems (yes, I've tried bruteforcing chromium versions or getting Firefox to work using createBrowserFetcher())
ignoreDefaultArgs: ['--mute-audio'],
args: ['--autoplay-policy=no-user-gesture-required']
});
this.page = (await this.browser.pages())[0]; // create one page
if(this.page == undefined){
this.page = await this.browser.newPage();
}
this.pup_ready = true;
console.log(await this.page.browser().version())
}
Open your SDK player page with puppeteer and pass the ClientID and ClientSecret of your Spotify project (https://developer.spotify.com/dashboard/):
async openPlayer(){
// const player_page = "http://localhost:8080/#/pup/player"
if(this.pup_ready){
await this.page.goto(player_page + "/?&cid=" + this.client_id + "&csec=" + this.client_secret);
}
}
On the SDK player webpage save the cid and csec URL params to LocalStorage. This should be done when no ULR parameter named "code" has been given, because that's the authorizations code which will be generated in the next step.
Something like:
var auth_code = url_params_array.find(x=>x.param.includes("code")); // try to get the auth code
var c_id = url_params_array.find(x=>x.param.includes("cid")); //get cid
var c_sec = url_params_array.find(x=>x.param.includes("csec")); //get csec
var token = undefined;
if(auth_code == undefined){ // the auth code is not defined yet and it has to be created
//SAVING CLIENT ID and CLIENT SECRET
c_id = c_id.value;
c_sec = c_sec.value;
window.localStorage.setItem("__cid", c_id)
window.localStorage.setItem("__csec", c_sec)
//GETTING THE AUTH CODE
var scope = "streaming \
user-read-email \
user-read-private"
var state = "";
var auth_query_parameters = new URLSearchParams({
response_type: "code",
client_id: c_id,
scope: scope,
redirect_uri: "http://localhost:8080/#/pup/player/",
state: state
})
window.open('https://accounts.spotify.com/authorize/?' + auth_query_parameters.toString()); // tak the puppeteer to the spotify login page
}
Login on the spotify page using your credential to create the auth token. I had to use https://www.npmjs.com/package/puppeteer-extra-plugin-stealth to bypass CAPTCHAS
async spotifyLogin(mail="<YOUR_SPOTIFY_MAIL>", pass = "<YOUR_SPOTIFY_PASSWORD") {
var p = this.page = (await this.browser.pages())[1] // get the newly opened page with the spotify
//await p.waitForNavigation({waitUntil: 'networkidle2'})
await p.focus("#login-username"); // put in the credentials
await p.keyboard.type(mail);
await p.focus("#login-password");
await p.keyboard.type(pass);
await p.$eval("#login-button", el => el.click());
(await this.browser.pages())[0].close(); // close the old SDK page
await sleep(1000) // wait to be redirected back to your SDK page
//
this.page = (await this.browser.pages())[0];
this.auth_code = await this.page.evaluate( (varName) => window.localStorage.getItem(varName), ["__auth"] ) // here is ave the auth token as a property of the class instance as well
}
Once you're redirected to SDK page again you already have cid and csec and now also the auth token.
if(auth_code == undefined)
//... (this is already in step 3)
}else{
// GETTING CID and C SECRET AGAIN
c_id = window.localStorage.getItem("__cid")
c_sec = window.localStorage.getItem("__csec")
// SAVING THE AUTH CODE
auth_code = auth_code.value;
window.localStorage.setItem("__auth", auth_code)
}
Generate a token on the backend.
async genToken():Promise<void>{
//Pretty much coppied from: https://developer.spotify.com/documentation/web-playback-sdk/guide/
var authOptions = {
url: 'https://accounts.spotify.com/api/token',
headers: {
'Authorization': 'Basic ' + (Buffer.from(this.client_id + ':' + this.client_secret).toString("base64"))
},
form: {
code: this.auth_code,
redirect_uri: "http://localhost:8080/#/pup/player/",
grant_type: 'authorization_code'
},
json: true
};
var token;
var refresh_token;
await request.post(authOptions, function(error, response, body) { // also get the refresh token
if (!error && response.statusCode === 200) {
token = body.access_token;
refresh_token = body.refresh_token;
}
});
while (!token && !refresh_token){ // wait for both of them
await sleep(100)
}
this.token = token; // save them in the class instance properties
this.refresh_token = refresh_token;
}
Lastly the puppeteer fills in a html field with the token generated in step 6 on the SDK site and presses a button to start the SDK player.
// this function gets called after the button gets pressed
async function main(){
console.log(window.localStorage.getItem("__cid")) // print out all the data
console.log(window.localStorage.getItem("__csec"))
console.log(window.localStorage.getItem("__auth"))
console.log(getToken())
const player = new Spotify.Player({ // start the sporify player
name: 'Home Spotify Player',
getOAuthToken: cb => cb(getToken())
});
player.connect().then(()=>{ // connect the player
console.log(player)
});
window.player = player;
}
function getToken(){
return document.getElementById("token_input").value;
}
You are done. Next step for me at least was communicating using another UI page to the backend puppeteer to control the SDK page (play/pause/skip etc.) This process is pretty "hacky" and not pretty at all but if you just have a little personal project it should do the job fine.
If anyone would be interested in the whole code I might even upload it somewhere, but I think this read is long-enough and overly detailed anyway.
The proper way for this would be to use the device authorization grant flow - Spotify does this already for its TV applications, but they seem to block other applications from using it. It is possible to find clientIds online that are working with this, but it is not supported by Spotify.
I explained how this works and requested that they enable it in a supported way for custom applications in this feature request - please upvote the idea there if you find it useful.
That said, it is also possible to implement your own device authorization grant flow by hosting an extra server between your device and Spotify. That server should
host an authorize and a token API endpoint
host a user-facing page where the user can enter the user code
a callback page for Spotify to redirect the user after login
I believe this is how https://github.com/antscode/MacAuth implements it:
When the device calls the authorize, the server should generate a record containing the device_code and user_code and send them back in the response. The server should keep the record for later.
When the user enters the user_code in the user-facing page, the server should redirect the user to Spotify to login, and after login the user should be redirected to the server's callback page. At that moment the server can fetch credentials from Spotify's token endpoint using the data it received in the callback. The server should store the credentials it received in the record of the user_code.
The device can poll the server using the device_code for the availability of the tokens using the token endpoint.
I am doing external login (Facebook, Twitter, Microsoft) using MVC 5 OWIN Identity 2, which works great, but I need to access a mobile services with this credential, I have read that to this I need a access token, so I get the access token and try to pass it to the mobile services, but always has this error:
Facebook: Error:
The Facebook Graph API access token authorization request failed with HTTP status code 400
Microsoft: Error:
Invalid token format. Expected Envelope.Claims.Signature.
The method that I am trying to use with mobile services is:
await mobileservi.LoginAsync(MobileServiceAuthenticationProvider.[ProviderName], token);
I read on this link:
http://msdn.microsoft.com/en-us/library/dn296411.aspx
So I am using a JObject() to pass the access token
The format of the token that I most pass:
For Microsoft is:
token.Add("authenticationToken", _accessToken);
{"authenticationToken":"<authentication_token>"}
For Facebook is:
token.Add("access_token", _accessToken);
{"access_token":"<access_token>"}
But I do not have the format for Twitter.
Now according to Azure Mobile Services documentation, I most use the azure mobile services URL on my apps for any of this providers, but if I do this, I receive an error of incorrect URL when redirecting to the provider log in page.
I read this post with OAuth:
http://blogs.msdn.com/b/carlosfigueira/archive/2013/06/25/exposing-authenticated-data-from-azure-mobile-services-via-an-asp-net-mvc-application.aspx
It has to be something like this for MVC 5 OWIN Identity 2.
On the Startuo.Auth.cs file, I have this configure to get the access token for each provider:
Microsoft:
var MicrosoftOption = new MicrosoftAccountAuthenticationOptions()
{
ClientId = "0000000048124A22",
ClientSecret = "c-gTye48WE2ozcfN-bFMVlL3y3bVY8g0",
Provider = new MicrosoftAccountAuthenticationProvider()
{
OnAuthenticated = (context) =>
{
context.Identity.AddClaim(new Claim(("urn:microsoftaccount:access_token", context.AccessToken, XmlSchemaString, "Microsoft"));
return Task.FromResult(0);
}
}
};
Twitter:
var twitterOption = new TwitterAuthenticationOptions()
{
ConsumerKey = "ConsumerKey",
ConsumerSecret = "ConsumerSecret",
Provider = new TwitterAuthenticationProvider()
{
OnAuthenticated = (context) =>
{
context.Identity.AddClaim(new Claim("urn:tokens:twitter:accesstoken", context.AccessToken));
context.Identity.AddClaim(new Claim("urn:tokens:twitter:accesstokensecret", context.AccessTokenSecret));
return Task.FromResult(0);
}
}
};
Facebook:
var facebookOption = new FacebookAuthenticationOptions()
{
AppId = "AppId",
AppSecret = "AppSecret",
Provider = new FacebookAuthenticationProvider()
{
OnAuthenticated = (context) =>
{
context.Identity.AddClaim(new Claim("urn:facebook:access_token", context.AccessToken, XmlSchemaString, "Facebook"));
return Task.FromResult(0);
}
}
};
On the externalLoginCallback, this is how a retrieve the access token
string email = null;
string accessToken = null;
ClaimsIdentity ext = await AuthenticationManager.GetExternalIdentityAsync(DefaultAuthenticationTypes.ExternalCookie);
switch (login.LoginProvider)
{
case "Facebook":
accessToken = ext.Claims.First(x => x.Type.Contains("access_token")).Value;
break;
case "Twitter":
accessToken = ext.Claims.First(x => x.Type.Contains("accesstoken")).Value;
break;
case "Microsoft":
accessToken = ext.Claims.First(x => x.Type.Contains("access_token")).Value;
break;
}
Later I store this value on a session variable, this value is the one that I use to pass as the access token.
So I have no idea what to do, can anyone please help me?
OK, I found what I was doing wrong, in order to respect the authorization flow, I must have APP ID and APP Secret that I register on my app (Google, Facebook, Microsoft, Twitter), on my mobile service. This is the important part, the register URL in the app must be the URL of the web site, after doing this, everything work fine
I want to include facebook login functionality in my chrome extension. I have included
connect.facebook.net/en_US/all.js file in popup.html. But not working.
i m using code
window.fbAsyncInit = function() {
// init the FB JS SDK
FB.init({
appId: 'APP_ID', // App ID from the App Dashboard
//channelUrl : '//www.example.com/', // Channel File for x-domain communication
status: true, // check the login status upon init?
cookie: true, // set sessions cookies to allow your server to access the session?
xfbml: true // parse XFBML tags on this page?
});
// Additional initialization code such as adding Event Listeners goes here
console.log(FB);
};
// Load the SDK's source Asynchronously
(function(d, debug) {
var js, id = 'facebook-jssdk', ref = d.getElementsByTagName('script')[0];
if (d.getElementById(id)) {
return;
}
js = d.createElement('script');
js.id = id;
js.async = true;
js.src = "http://connect.facebook.net/en_US/all" + (debug ? "/debug" : "") + ".js";
ref.parentNode.insertBefore(js, ref);
}(document, /*debug*/false));
but getting error
Refused to load the script 'http://connect.facebook.net/en_US/all.js' because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:".
I use the following code and it works, without damaging the CSP
function loginfacebook()
{
chrome.windows.create(
{
'url': "https://www.facebook.com/dialog/oauth?client_id=yourclientid&redirect_uri=https://www.facebook.com/connect/login_success.html&scope=email&response_type=token"
}, null);
chrome.tabs.query({active:true}, function(tabs){
tabid = tabs[0].id;
chrome.tabs.onUpdated.addListener(function(tabid, tab)
{
var cadena = tab.url;
if (cadena != null)
{
var resultado = cadena.match(/[\\?&#]access_token=([^&#])*/i);
}
if (resultado != null)
{
token = resultado[0];
token = token.substring(14);
storagetoken(token);
};
});
As the error message says, the Facebook script isn't CSP-compliant. I haven't looked at that script, but if you can't modify it and fix the CSP issues, you have a couple options in general for dealing with such scripts:
Put it in a sandboxed iframe.
Put the script in a <webview>.
Unfortunately, the point of that Facebook script is likely to set a cookie after FB authentication, and that cookie would stay in either the iframe or the webview, so neither of these approaches will end up with the required cookie in your main app. You'll have to figure out a way to transmit the product (cookie) of the FB login operation to your app, likely through postMessage. If you do that legwork and succeed, please post your results somewhere, such as in a sample app on GitHub.