I have a custom Node.js server using Express and PassportJS (for Google OAuth2.0 authentication). I want to build a Chrome extension that will authenticate through my Node.js server, but is still Google OAuth2.0. Additionally, if a user has signed into the website, the Chrome extension should also be signed in. What are steps I should take to accomplish this? I've taken a look at User Authentication docs but this is what confused me. My auth identity is Google since (client ID, secret are the same), but I'm authenticating through another server.
Related
The API is a backend to a Web app and mobile app. I don't need user authentication. I simply need a way to secure access to this API.
I just need to ensure only web app and mobile app can talk to this backend and no one else.
If you are indeed using Google Cloud Endpoints, what you want is easy to do.
You need to log into the developer console and go under API Manager -> Credentials. There you can generate access keys for each of your clients. Then you add those tokens to your endpoints using the provided annotations. You cloud endpoints will only serve requests that come from one of the clients you have specified.
I am developing applications on Google App Engine, and am looking into the OAuth2.0 details. My question is the following: if a hacker intercepts an OAuth2.0 access token, can he fake requests from one of the "Authorized JavaScript Origins" defined in the Google Cloud Console?
A bit more details if it is unclear: in the Google Cloud console, you can define a OAuth2.0 client id which you send with your javascript using Google's JS api (complete flow here). Part of the process is that you get an access token, which you then use to authenticate subsequent requests. As an extra layer of security, all requests need to come from a specific origin that you define in your cloud console (see image). So only requests from that domain are accepted.
But I am wondering, if a hacker did know to get hold of an access token from one of my users, the request would still need to come from the authorized origin.
Can that hacker then go to https://myapp.appspot.com, tweaks the javascript with for example chrome Javascript Console, and use the access token from the user to make malicious calls as if he was the user he stole the token from?
As I see it, then the request is coming from an authorized JS origin, and with a valid OAuth2.0 access token. What am I missing?
In the case of OAuth2.0 in appengine, the user is just giving the consent to the application to use the services oh his behalf only. But the real communication is between the JavaScript app which is running on the AppEngine and the Service Provider. User is not included in making the calls it is the app which makes call to the API on behalf of the user.
Please going through the below link to grab the whole concept
https://developers.google.com/api-client-library/python/guide/aaa_oauth
I need to implement authentication and authorization mechanism for my REST API. This is rest api is accessed from a mobile application and web application.
Mechanism I would like to implement:
So as per my understanding, I am using password based authentication. Mobile application or javascript web application sends username and password over HTTPS post request to obtain access token for limited time.
Problem
As access token expires every 1hr or so. End user is again requested to enter username and password. This is not acceptable.
If we increase the time of the token for longer period, then if someone gets handle on token they can have access to Rest API for more time. As the web application is javascript application, its easily available in plan text.
So I am trying to understand how are applications like facebook and twitter implement authorization for their native mobile applications. Do they remember access token for ever by storing in local storage. So that if some malicious application have root access to android phone can access the tokens.
What are the improvements to above mechanism to make it work for both for both standalone web application which is developed in javascript and android application?
Access tokens are indeed meant to be short lived. To maintain authorization for a long period of time, OAuth2 has something called "refresh tokens".
If the provider supports it (and both Google and Facebook do), the OAuth2 consumer can request a refresh token in addition to the access token during the initial flow (Google calls that "offline access" I believe). The access token is used normally but when it expires, the consumer can request a new access token using its credentials and the refresh token.
See Google's doc for more info: https://developers.google.com/accounts/docs/OAuth2WebServer#offline.
My java/javascript web application is in development, and I hava a javascript application that communicates with my database (where I maintain my own userids) using ajax POST commands to a servlet container running on localhost, within a vmware machine. I want to be able to login using Google, Yahoo, and Facebook authentication, on this development setup, but in studying Facebook's OAuth 2.0 method, it looks like your web application has to hava a link to the facebook site, and provide a redirect link back to your own site when authentication is finished. This method won't work because facebook can't redirect to a localhost address and reach my machine, which doesn't have a web presence.
Do I have the same issues with OpenID and Google/Yahoo authentication?
Andy
Facebook OAuth works with localhost apps. This is because Facebook redirects the browser to the redirect_uri you supply in oauth, your browser knows where http://localhost is (I actually used a virtual host in apache & windows vhosts, don't know if you can enter localhost as website url in your app settings). Works perfectly
Google Oauth however, in my experience, doesn't work on local version. Somehow the site needed to be accessible from Google itself (not just the browser) for this to work, and it didn't, so it doesn't (I don't remember the exact details, sorry)
Don't know about the others
You could add DNS entries on your local machine so that mysite.com resolves to your local computer.
By doing this, you will be able to login from your local machine to do your tests.
In Windows, you can do this by editing the file:
C:\Windows\System32\drivers\etc\hosts
Add a new line:
127.0.0.1 mysite.com
Regarding OpenID, I am not sure if would accept logins from localhost URLs, but it will surely work after adding the entry in the hosts file and having a proper domain (even though it RESOLVES only on your computer).
The trick is that after login, Facebook or Google responds to your application with something like this: redirect the user to mysite.com as authenticated. Your browser then will resolve mysite.com as your machine and it is all working.
I am building a JavaScript SDK for our API. The API currently requires (2-legged) OAuth authentication. Obviously this isn't suitable for a JS SDK since the key and secret are in plain site (in the JS code).
Facebook only requires your app id when you init their JS SDK, so I would like to implement something similar (or of similar simplicity). When a developer requests a key we require their app's domain. I was thinking of detecting the IP address of the submitted domain (for example myclientapp.com has 192.168.0.0 IP). And then authenticating JavaScript requests by confirming the remote hosts IP address matches.
Is this the best/easiest way of doing this?
UPDATE: As Rup pointed out the remote IP will be the client and thus not match the apps URL's IP. So that's out. So to reiterate I'm looking for a solution that will allow me to enforce some form of authentication in my JavaScript sdk for my API that can't be spoofed by someone else (trying to be someone elses app).
Thanks,
Gavin
Authenticate the user instead.
Have the (claimed, but untrustworthy) app id passed into your init(), jsonp out to your domain, then either:
Return a code valid for making API requests with, if the user is logged in* and has already authorized the app.
Pop up a window to your site (or redirect, or whatever) to have the user login (if needed) and authorize the app.
You'll have control of the user experience during authentication, and can do some human verification of the app id (show the claimed logo, name, etc.).
This does assume that you even have a notion of users, like Facebook does.
*Check cookies, not all browsers accept them in response to ajax requests; but all browsers will send them.