I am building a frontend client for Jira and am running into some conflicting authentication methods I think.
I have setup the OAuth2 authentication method for logging in and hitting the Jira API. I have a button on a login page that redirects to Jira, you log in, hit "allow" and are redirected to my app. This step completes fine, I have a token and a secret and can make api calls just fine.
Next, I make an api call to get the user data, which returns fine. One of the pieces of data is a set of avatar urls. I put one of the urls into my site's markup. Here is where the problem begins.
If my browser session that I used to login is still active, I get an avatar. BUT if not, I get an "anonymous" avatar from Jira.
All the while, my OAuth token/api calls all seem to return fine.
This makes sense as Jira is using cookie based auth and I am not. So if that cookie dies in my browser, the call to the image will fail.
My ultimate question is how to handle this? Is this my responsibility to put an expiration on the token? What happens if they select "Stay logged in"? I don't think I get that knowledge on the OAuth side.
I kind of feel like I am missing something but I cannot figure out what. This seems like a problem that has been fixed or isn't even really a problem.
One solution would be just to switch to a cookie based authentication but OAuth seems more secure.
I've also tried directly hitting it from my server but that also yields an anon avatar. As does a curl with the access token. Maybe I didn't provide it in the correct way?
Any thoughts or ideas on this would be greatly appreciated. Thanks in advance.
Related
I'm experiencing the same issue as the one mentioned here, for which there was no conclusive answer: Asp.Net Owin authorized request works in Incognito mode but not "normal" Chrome
I am unable to comment on that question as I do not have the reputation to allow but was going to ask whether it is something to do with the fact that my project includes both Web Forms and Web API and there is a conflict going on with the authorization cookie.
Has anyone else come across this issue?
Thanks
For the benefit of anyone else with the same issue:
It was indeed due to forms authentication being enabled at the same time as OWIN bearer tokens.
If you are logged in via forms authentication, then try to call a web api end-point in the same browser, it uses the cookie information which gets recognized by Web Api authorization.
In incognito, there is no such cookie so behaves as expected.
How can I setup PAW to work with Facebook locally for development? Or even at all for that matter?
I have a node.js backend that I'm setting up with Facebook Auth. Every one of my routes needs the user to be logged in. I have two endpoints related to FB Auth. localhost:3000/api/v1/loginFB and localhost:3000/api/v1/callbackFB. Both of these work great in a web browser.
loginFB simply returns this string... https://www.facebook.com/dialog/oauth?client_id=523534457345&redirect_uri=https://localhost:3000/api/v1/callbackFB&scope=email,public_profile,user_friends.
When I call that URI in a browser, it returns a code=blahblah which my callbackFB endpoint uses to fire off another request to get the access token. All good.
So now in PAW I'm confused by the difference between the request URI and the Authorization URL text field? Should I use the loginFB URI for my request URI? And then https://www.facebook.com/dialog/oauth in the Authorization URL textfield?
Basically what's happening is that when I click Get Access Token, it returns the code but my callbackFB endpoint 500's by saying "This authorization code has been used." The code that it's getting returned is definitely different each time I Get Access Token.
This is where I'm at with this thing (Client ID and Client Secret are actually my App ID and App Secret from fb's dev management site, and the Access Token URL is actually set to https://graph.facebook.com/v2.3/oauth/access_token which I'm 99% sure is the correct URI):
This is the error I get when I click Get Access Token button:
It would be awesome to get some advice from anyone with experience with this issue. Thanks.
Re: #MichaMazaheri
tl;dr Fixed in version 2.2.2
Sorry for the super late follow-up. We actually fix this exact issue in Paw 2.2.2, which is already released on our website, and pending review for the Mac App Store. (It was some JSON vs. Form URL-Encoded parsing issue). Thanks for reporting.
I'm using Django Rest Framework and Token Authentication. Everything works great so far.
http://www.django-rest-framework.org/api-guide/authentication#tokenauthentication
But I'm realizing that anyone could create a third party app that hooks into my API. There'd be no way for me to detect it or stop it.
Am I missing something? I followed the directions, and I:
Send "username=blah&password=blah" to https://example.com/api/auth/, and receive a Token in return. Anyone could do this from a third party app.
That token is passed in the authentication header to retrieve data from the API. Anyone could do this if they have their user token.
Even if a user knows their own Token, I only want them to be able to access the API through the official native app.
1. How do I secure my API (using Token authentication) and make sure that only MY apps can connect to it?
2. Could I include some kind of secret key in a header? I'm using HTTPS in production, are headers as well as form data (username/password) interceptable/readable? (By the person running the app).
Still learning, thank you.
Perhaps I don't understand you question fully, but:
yes, everyone with a username and a password in your application can create tokens, if you added obtain_auth_token to your urlconfig (what you don't have to).
So you can:
only give your apps username and password
or deactivate the obtain_auth_token view and create the tokens in the admin or manually.
To answer your HTTPS question:
HTTPS encryption is between the client and the server and lies between TCP and HTTP. So everyone in between (a man in the middle) can't see any headers, data, or even the path. When using SNI the hostname (Host header) is visible, but nothing else.
Hope this helps a little.
I am trying to integrate SAML with ColdFusion 9 Enterprise. The problem I am facing is related to the SAML request I am doing. I am using CFLOCATION to make the request. When I am making the request the request to the server is made as GET request, and I SAML server expects it to be a POST request, which eventually ends up no matching the tokens sent from my server to SAML server.
I am not sure what is causing this. I also tried make the request using the CFHTTP making redirect = "yes" in this case it would not redirect to the url and would not give any error in firebug or in SAML tracer.
Can any one please help me?
eagerly waiting for a response.
Thank you :)
If the server receiving the SAML requires a POST, then a GET will not suffice, obviously. Since you are doing a <cflocation>, I'm assuming you're trying to redirect the user (and their browser) after building the SAML assertion to the screen.
You either have to:
a) Build your SAML as a form, and include Javascript to force the form to "post" (submit) after it shows on the page.... or
b) You can leave the form on the screen, typically with the SAML assertion embedded in a hidden field, probably named "samlResponse", and let the user click a Submit button to actually go.
YOU (the CF server) can't push the SAML for them. The user has to do it, either with an automated form post via Javascript or by allowing the user to submit the form manually.
Start there, report back.
I am using Facebook login integration on my asp.net site. What I want is that when a user logs off the site, I want him to also log off the FB application, but not Facebook itself. If I call FB.logout(), it logs off FB as well as the app.
I guess what I want is to lose the acess_token cookie for the app, but I can't figure it out.
FB.api({ method: 'Auth.revokeAuthorization' });
I dont think that is possible as the login for both the application and FB is done using FB credentials..
In case you want to de-authorize the user from your application you can issue an HTTP DELETE request to /PROFILE_ID/permissions to revoke authorization for an app.
I'm not sure this is a good idea. Even if you removed the session for your website, if they are still logged into facebook, they may as well still be logged into your website. They are essentially the same thing. You need to log them out of facebook to ensure their security on your site, otherwise it just takes someone sharing the pc or cookie sniffing, to get access to their account on your site
edit: also, if you just want to delete the cookie, you can simply do this with javascript.