I've created a web application using Node.js that relies on a google API (specifically the DCM/DFA reporting API). It redirects the user to login to their gmail account, and after a successful login redirects back to the web application.
Suddenly my company has told me that this web application needs to be restricted to internal use only, and that they won't host it on a public domain for security reasons.
Is there any way to get Oauth to redirect to the internal domain? When I try to set the redirect domain in the google developers console I get an error message that it is not valid. Is there anyway around this?
The sample redirect url you can add at Console and Code is:
http://localhost:8080/authcallback
(Remember to not add trailing / in url)
Related
So I work on a project where I have a Website that calls an API (both hosted on IIS), nothing special for now.
The website is configured with windows authentication allowing access to users within a group.
The API is configured with windows authentication only allowing access to the user defined as identity in the website's application pool.
I'm expecting that any user in the group calling the website would be able to see data on the website, and they won't be able to directly call the API.
However, what I get is that when calling a page of the website, the website receives a 401 error when it calls the API.
Am I missing something in the configuration ?
I hope this is clear for you.
Thank you for your upcoming help ! :)
Elyan
If you're using HTTP as a transport between your website and your API then you cannot restrict access to API from Postman or any other tool, including simple GET requests in browser. Any technically skilled enough user can open "Network" tab in Chrome debugger and see all requests that your site sended to the API.
So, I think you should do API request on server-side, on HTML page render step.
AS IS:
(browser or any client) -> WebSite AND (browser or any client) -> API
TO BE:
(browser or any client) -> WebSite -> API
Then you can restirct access to the API, e.g. allow request only from localhost
I am trying to build an app in node.js that connects to Pinterest via its API. I can get an access token via Postman and test my app in single-user mode, but I am unable to incorporate OAuth2 to test my app for a second user. Every configuration of my code and settings at developer.pinterest.com yields the error "The provided redirect_uri ... does not match any of my registered redirect URIs."
I registered what I believe are correct callback URLs at developers.pinterest.com--many variants, with and without trailing slashes. My callback is hosted via https.
I tried calling Pinterest's auth URLs OAuth2 in my server code (node.js), and via browser address bar.
https://api.pinterest.com/oauth/?response_type=code&redirect_uri=https://www.outfinterest.com/auth/pinterest/callback/&client_id=5042375080944909391&scope=read_public&state=true
I attempted the auth from a browser logged into Pinterest as me, and from a browser logged in as a registered tester of my app.
What must I do to get Pinterest to accept my callback URL?
Do I need to submit my app for approval before I can authorize via OAuth2?
I resolved the problem by reducing the set URLs registered at developer.pinterest.com to just the one I need, then reloaded the page with the app settings.
I have project with login function via google's account. To do this, I had to created Credentials for my application. After that, I add new Authorized JavaScript origins is my domain name, and authorized redirect uris is my url to function login with google, all of them is in Client ID for Web application tab.
When I setup my application in new domain, I have to type new domain and new uri into google console.
Now, I make my application setup in a new domain automatically, everything is ok. But I can't use login function via google, because I don't register new domain in google console. So I want to add new 'authorized redirect uris' and 'Authorized JavaScript origins' automatically when I setup my application.
My application is written by PHP. Anyone, who can help me? THANKS?
I've set up my SharePoint 2013 on prem site to accept authentication from Google and Windows Live. Windows Live login works for the most part. I've set up an ACS in Azure where I've specified the return URL after the user signs in. I have entered the same return URL in the Google Developers console.
However, after the user logs in to their Google account, they get the following error:
Error: redirect_uri_mismatch
Application: Test
You can email the developer of this application at: myemailaddress#copmany.com
The redirect URI in the request: https://mysite.accesscontrol.windows.net:443/v2/openid did not match a registered redirect URI.
Can anyone tell me what I am doing wrong here, especially since the return URLs are the same in Google Developer Console > Credentials, as well as Azure ACS > Relying party applications.
Edit: The redirect URL is https://subdomain.mydomain.com/_trust in both Google Developers Console and Azure ACS.
Thanks!
You'll note the page is being served by Google (with it's little broken robot thingy). So the problem is at their end.
Though it's not actually a problem but rather a security measure in that you have to explicitly enable the redirect url. Otherwise some level of hijinks may ensue, at your expense.
So you need to log into your Google developer console and add the redirect url of your Azure ACS account (not your web app / relying party) to the permitted redirect URLs.
So the image above is obviously after I had already entered the redirect Url.
Click the edit button and add it on a separate line.
And you're done.
Otherwise judging by your edit, it looks as though you have simply used the wrong url. You use the ACS callback URL not your website URL as the flow goes back through ACS which reissues the token in it's own format.
Is it possible to use SSL one one of the servlet-mappings in web.xml?
I have a site using GWT for browser access and mobile phones accessing the gae via simple HttpServletRequest in servlets.
The setup:
Browser GWT Access
For the site, the user log in via Google Account or Facebook. Then the user interacts with the site - no SSL setup here as I am using Google App Domain.
I guess the communication regarding user and password is safe in this senario with tokens etc. right?
Mobile Access
The user interacts with the Google App Engine(Java) from Mobile phones - the user and password is passed along each call. This I need to be SSL and safe.
I have seen thinks like this: using https sparingly in my GAEJ app
But I am not using RPC from the mobile access.
Any thoughts on this - Thanks in advance
Regards
Therefore I am thinking SSL on the Google Ap Engine, but is it posible in my scenario
Yes, it is possible to use ssl with appengine but you have to use the *.appspot.com domain, not your own domain name.
See the following link for information about securing specific urls in appengine in web.xml
http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs
hth