Clarification: Mobile App = Native App As stated in other comments and a few sources online, implicit seems like a natural fit for mobile apps, however the best solution is not always clear cut (and in fact implicit is not recommended for reasons discussed below). Native App OAuth2 Best Practises Whatever approach you choose (there … Read more
Basically, refresh tokens are used to get new access token. To clearly differentiate these two tokens and avoid getting mixed up, here are their functions given in The OAuth 2.0 Authorization Framework: Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access … Read more
This is very much implementation specific, but the general idea is to allow providers to issue short term access tokens with long term refresh tokens. Why? Many providers support bearer tokens which are very weak security-wise. By making them short-lived and requiring refresh, they limit the time an attacker can abuse a stolen token. Large … Read more
How OAuth 2.0 works in real life: I was driving by Olaf’s bakery on my way to work when I saw the most delicious donut in the window — I mean, the thing was dripping chocolatey goodness. So I went inside and demanded “I must have that donut!”. He said “sure that will be $30.” … Read more
So I’ve got an answer for you. In the OAuth request you can add hd=example.com and it will restrict authentication to users from that domain (I don’t know if you can do multiple domains). You can find hd parameter documented here I’m using the Google API libraries from here: http://code.google.com/p/google-api-php-client/wiki/OAuth2 so I had to manually … Read more
As hinted at by this post Error in chrome: Content-Type is not allowed by Access-Control-Allow-Headers just add the additional header to your web.config like so… <httpProtocol> <customHeaders> <add name=”Access-Control-Allow-Origin” value=”*” /> <add name=”Access-Control-Allow-Headers” value=”Origin, X-Requested-With, Content-Type, Accept” /> </customHeaders> </httpProtocol>
The access_token is what you need to call a protected resource (an API). In the Authorization Code flow there are 2 steps to get it: User must authenticate and returns a code to the API consumer (called the “Client”). The “client” of the API (usually your web server) exchanges the code obtained in #1 for … Read more
The current way to authenticate a user through their Google account is to use Google Sign-In for Assistant. Once they log in to your Action, you’ll get an id token which you can decode to get their Google ID, which you can use to look up their account in your datastore to get their access/refresh … Read more
At first, you shall detach all connections out of database. By default you use the development environment. Then try to reset database with the following: rake db:reset The rake db:reset task will drop the database and set it up again. This is functionally equivalent to rake db:drop db:setup. This is not the same as running … Read more
tl;dr: This is all because of security reasons. OAuth 2.0 wanted to meet these two criteria: You want to allow developers to use non-HTTPS redirect URI because not all developers have an SSL enabled server and if they do it’s not always properly configured (non-self signed, trusted SSL certificates, synchronised server clock…). You don’t want … Read more