oauth2 | OAuth2 provider library for Go HTTP servers | OAuth library
kandi X-RAY | oauth2 Summary
kandi X-RAY | oauth2 Summary
Implements OAuth2 HTTP dancing in a somewhat strict manner. For instance:.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- authCodeGrant1 handles the authorization code grant1 .
- authCodeGrant2 handles the grant request
- AuthzHandler is the middleware handler for authz provider
- CreateGrant handles requests to create a grant .
- refreshToken fetches the token from the provider .
- RevokeToken revokes a token .
- Handler returns an http . Handler that handles OAuth2 requests .
- resource owner access token
- HTML renders a HTML template
- clientCredentialsGrant renders a client credentials grant .
oauth2 Key Features
oauth2 Examples and Code Snippets
public HttpServletRequest refreshToken(HttpServletRequest request, HttpServletResponse response, Cookie
refreshCookie) {
//check if non-remember-me session has expired
if (cookieHelper.isSessionExpired(refreshCookie)) {
public HttpServletRequest refreshTokensIfExpiring(HttpServletRequest httpServletRequest, HttpServletResponse
httpServletResponse) {
HttpServletRequest newHttpServletRequest = httpServletRequest;
//get access token from cookie
private boolean tryCreateSignatureVerifier() {
long t = System.currentTimeMillis();
if (t - lastKeyFetchTimestamp < oAuth2Properties.getSignatureVerification().getPublicKeyRefreshRateLimit()) {
return false;
}
Community Discussions
Trending Discussions on oauth2
QUESTION
I currently work on an legacy app which somewhat loosely implements an OAuth2 flow. In short, when the user logs in with username/password, he receives an access/refresh token pair. The access token expires after 20 minutes whereas the refresh token has a lifetime of 180 days.
Now when the client gets a HTTP 401 Unauthorized due to an expired access token, it will use the refresh token to obtain a new access/refresh token pair. At the same time, we invalidate the old token pair in our backends database (we simply delete the entry).
This has some major issues since our clients are mobile apps and it sometimes can happen that a response from our server is not received by the client. So after our backend saves the new token pair, which the client doesn't receive due to for example network problems, the client no longer can get a new token pair because he still only knows about the old - now invalid - refresh token.
I was wondering if what we are doing is correct or whether we actually should never remove old refresh tokens from the DB as long as they are not expired. Or should we for example remember the last 1 or 2 refresh tokens for a user so even if a new one was created, if the client doesn't receive the response from our server, he can still try one or two times again with the old refresh token.
Or should we simply never send out new refresh tokens when obtaining a new access token and always use the same refresh token?
Is there any best practice to follow or is this all personal taste? I mean we can't be the first ones to run into this issue of mobile clients loosing responses due to network issues, right? :)
...ANSWER
Answered 2022-Mar-11 at 09:08MEASURING MOBILE CONNECTIVITY OCCURRENCES
When there are mobile connectivity problems, I would expect the refresh token grant request
to fail. For the request to succeed and the response
to fail to reach the client (in such a small time window, eg 200ms) feels very much like an edge case.
I would aim to ensure good production logging around what is happening server side, so that you can be clearer about exact causes. It is easy to jump to the wrong conclusions otherwise.
ROTATING REFRESH TOKENS
The preferred behaviour from a security viewpoint is to revoke all tokens for the user when an old one is reused. However, the OIDC Specs indicate that this can cause usability problems in some setups, in which case other measures
may be appropriate.
Exact behavior is provider specific - some Authorization Servers store and flag old refresh tokens and may allow them to be reused for a time period configured against the client application.
SECURITY v USABILITY
If dealing with high worth data I would use the more secure option, but if mobile consumption data is not especially sensitive, using non-rotating refresh tokens might be an appropriate measure.
RELIABLE APPS
In some cases OAuth clients will get a 401 when using a refresh token, and in addition to the case you mention, there are other possible causes:
- Token signing or cookie encryption key renewal (in some setups)
- Infrastructure changes such as a load balancing failover to alternate site (in some setups)
Apps should always be coded reliably to deal with this, eg:
- When an API call fails with a 401, try to refresh the access token
- When a token refresh fails, eg with a 401 or an
invalid_grant
value in theerror
response field, the user must re-authenticate
Note that re-authentication is sometimes a single sign on event. To see how this looks, you can run my Demo Single Page App and click Expire Refresh Token
, then Reload Data
.
SUMMARY
You cannot always guarantee no re-logins for 180 days in a distributed systems world. In terms of next steps, my preference would be to properly identify the cause and frequency of failures, and to see if reliability could be improved in the client application's code.
QUESTION
We have some apps (or maybe we should call them a handful of scripts) that use Google APIs to facilitate some administrative tasks. Recently, after making another client_id in the same project, I started getting an error message similar to the one described in localhost redirect_uri does not work for Google Oauth2 (results in 400: invalid_request error). I.e.,
Error 400: invalid_request
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.
You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Request details:
The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.
If you’re the app developer, make sure that these request details comply with Google policies.
redirect_uri: urn:ietf:wg:oauth:2.0:oob
How do I get through this error? It is important to note that:
- The OAuth consent screen for this project is marked as "Internal". Therefore any mentions of Google review of the project, or publishing status are irrelevant
- I do have "Trust internal, domain-owned apps" enabled for the domain
- Another client id in the same project works and there are no obvious differences between the client IDs - they are both "Desktop" type which only gives me a Client ID and Client secret that are different
- This is a command line script, so I use the "copy/paste" verification method as documented here hence the
urn:ietf:wg:oauth:2.0:oob
redirect URI (copy/paste is the only friendly way to run this on a headless machine which has no browser). - I was able to reproduce the same problem in a dev domain. I have three client ids. The oldest one is from January 2021, another one from December 2021, and one I created today - March 2022. Of those, only the December 2021 works and lets me choose which account to authenticate with before it either accepts it or rejects it with "Error 403: org_internal" (this is expected). The other two give me an "Error 400: invalid_request" and do not even let me choose the "internal" account. Here are the URLs generated by my app (I use the ruby google client APIs) and the only difference between them is the client_id - January 2021, December 2021, March 2022.
Here is the part of the code around the authorization flow, and the URLs for the different client IDs are what was produced on the $stderr.puts url
line. It is pretty much the same thing as documented in the official example here (version as of this writing).
ANSWER
Answered 2022-Mar-02 at 07:56steps.oauth.v2.invalid_request 400 This error name is used for multiple different kinds of errors, typically for missing or incorrect parameters sent in the request. If is set to false, use fault variables (described below) to retrieve details about the error, such as the fault name and cause.
- GenerateAccessToken GenerateAuthorizationCode
- GenerateAccessTokenImplicitGrant
- RefreshAccessToken
QUESTION
I implemented a rest authorization server that returns the public-key for a given keyId in the JWK format using the com.nimbusds:nimbus-jose-jwt:9.13
package. The code looks something like this:
ANSWER
Answered 2021-Sep-01 at 16:35The answer is to use String
for (de)serialization for those facing this problem. Why, you ask? According to the RFC, JWK is a string in the JSON format. While nimbusds:nimbus-jose-jwt
defines a JWK object, any APIs that return valid JWK (or JWKSet
) can assume that it's a string.
I also raised this issue with the developers of this package, and they recommended using String
or Map
for (de)serialization.
QUESTION
I am trying to write a function that will validate a Google id token.
The oauth2 package requires me to pass in the context when creating a new service, like this:
...ANSWER
Answered 2022-Mar-08 at 10:53try this : c.Ctx.Request.Context()
also don't use pointer in arg ctx
in function ValidateToken
because context.Context in stdlib is interface
QUESTION
I am using Spring Security along with Spring Authorization Server and experimenting with creating an auth server.
I have a basic flow allowing me to login with the pre-built login page (from a baledung guide - this is the code I'm working off ). I'm assuming this login page form comes from formLogin()
like so:
ANSWER
Answered 2021-Oct-07 at 20:54Re your comnent: "I'm attempting to build an Authorization Server":
Coding your own Authorization Server (AS) or having to build its code yourself is highly inadvisable, since it is easy to get bogged down in plumbing or to make security mistakes.
By all means use Spring OAuth Security in your apps though. It is hard enough to get these working as desired, without taking on extra work.
SUGGESTED APPROACH
Choose a free AS and run it as a Docker Container, then connect to its endpoints from your apps.
If you need to customize logins, use a plugin model, write a small amount of code, then deploy a JAR file or two to the Docker container.
This will get you up and running very quickly. Also, since Spring Security is standards based, you are free to change your mind about providers, and defer decisions on the final one.
EXAMPLE IMPLEMENTATION
Curity, along with other good choices like Keycloak or Ory Hydra are Java based and support plugins:
QUESTION
I searched a lot how to authenticate/authorize Google's client libraries and it seems no one agrees how to do it.
Some people states that I should create a service account, create a key out from it and give that key to each developer that wants to act as this service account. I hate this solution because it leaks the identity of the service account to multiple person.
Others mentioned that you simply log in with the Cloud SDK and ADC (Application Default Credentials) by doing:
...ANSWER
Answered 2021-Oct-02 at 14:00You can use a new gcloud feature and impersonate your local credential like that:
QUESTION
I am working on a simple web app for learning purposes using Angular for the frontend and Java Spring for the backend. I don't have a particular problem that I want you guys to help me out with, instead I have a question about OAuth2 authentication.
I have registered my Angular SPA in Azure AD (Authorization Code Flow + PKCE), I set up roles and everything is working okay. My question is what do I do when authenticated users ping my backend? My backend has no information about the users.
I thought of a solution to make a web filter, and every time an authenticated user pings any endpoint requiring the user to be authenticated, to check the database if the user exists (through the username), and save him if he does not exist. I'm pretty sure this will work, but I don't think this is the best solution, considering my web filter will have to read from the databases for every single HTTP request that comes in, and write to the database occasionally (if the user logs in for the first time).
I shouldn't be worried about performance issues because I'm building this strictly for learning purposes, but nevertheless I want to do this the right way. I tried googling this in multiple ways, but I guess I'm not using the right keywords to find what I'm looking for. Any opinion or advice would be much appreciated! Thanks!
EDIT: I followed this article to achieve the OAuth2 + OIDC authentication and authorization, my security config in the backend is the same: https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html
...ANSWER
Answered 2022-Feb-10 at 15:47Post the discussion with clarity on the requirements. If you want to use have the following:
- Accept an Azure AD logged in user to consumer your web service
- You would want to check if the user exists in your application database with minimal network latency.
With the requirement of not always hitting your Database, one option is to use a cache.
The ideal solution for this cache to work is:
- Ensure the cache is checked for every HTTP Request using Web Filter
- Make sure the cache is always updated with the latest users being logged in via Azure AD
Example:
Implement a CacheService.java
QUESTION
I have some trouble configuring my Windows to work with az
command line tools. I have tested multiple configuration. One on locally installed system and one with windows based docker container. I get the same error on both system.
In case I issue the following command:
...ANSWER
Answered 2022-Jan-31 at 15:27Finally I was able to resolve the issue as follows:
I've found the following documentation:
Setting up certificates for Azure CLI on Azure Stack Development Kit
The basic idea is to find the python installation used for Azure CLI and update the related certificate file.
In my case the Azure CLI was installed with python on the following location:
C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe
And using the command, that was suggested, returned as follows:
QUESTION
I'm trying to figure out how to setup a login via Discord Oauth2 while using Dapper as my ORM.
Microsoft has a guide here that I have followed to setup all of my stores. I infact can call CreateAsync()
method and a user gets created in my database, so I believe that side of things is completely setup.
My issues lie within external login. Below you will find what I have tried.
Program.cs:
...ANSWER
Answered 2022-Jan-29 at 17:34Firstly... We need to take a look at the implementation of the internal method GetExternalLoginInfoAsync inside SignInManager.cs and take note of all the conditions that could possibly lead to null being returned.
I will provide my answer as comments within the code below:
QUESTION
I have the following handler
...ANSWER
Answered 2022-Jan-27 at 18:41When you use the swagger:parameters
annotation, go-swagger treats that structure as the description of all the parameters to an API endpoint, that includes headers, query params, and the body. So you need a structure that defines all these types of parameters, and another structure to define the actual body structure. Thus, as far as I know, there is no way to get rid of the second struct that includes the body, because a body is not the only parameter to an API.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install oauth2
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page