Using OAuth tickets across several services?

After talking with Brock Allen in the comments to the original post, I can’t really guarantee this is a good/safe solution, but this is the code I ended up using. (Note: a version of this code is available as a NuGet package.) I created an IDataProtector implementation that uses AES: internal class AesDataProtectorProvider : IDataProtector …

Google APIs Console – missing client secret

It seems that Google finally ditched the unnecessary client_secret for installable applications and is not yet up-to-date with their documentation. You should check if you already get an access_token in the initial OAuth request like it’s handled on Facebook. Another possibility would be to fall back to using a Simple API Access key. Update: First …

How to specify refresh tokens lifespan in Keycloak

As pointed out in the comments by @Kuba Šimonovský the accepted answer is missing other important factors: Actually, it is much much much more complicated. TL;DR One can infer that the refresh token lifespan will be equal to the smallest value among (SSO Session Idle, Client Session Idle, SSO Session Max, and Client Session Max). …

How to bypass entering authentication code to authorize my code every time I use the YouTube Data API v3

Indeed there’s the possibility to save your credentials object the first time running successfully an OAuth authorization/authentication flow; then to load the credentials object from that file each time running the program for the n-th time, where n >= 2. Here is how I recommend to structure your code: import os, pickle from google_auth_oauthlib.flow import …

“This app would like to: Have offline access” when access_type=online

I think G does this when your app requests a token and there is still a valid access or refresh token for the user for the scopes in question. The solution is to revoke tokens when you’re done with them (either on user logout or immediately after authenticating the user) by issuing this request: https://accounts.google.com/o/oauth2/revoke?token={token} …

Error: invalid_request device_id and device_name are required for private IP

An alternative to editing a hosts file is to use the “Magic DNS” service http://xip.io/ or http://nip.io/ (see edit) xip.io is a magic domain name that provides wildcard DNS for any IP address. Say your LAN IP address is 10.0.0.1. Using xip.io, 10.0.0.1.xip.io resolves to 10.0.0.1 www.10.0.0.1.xip.io resolves to 10.0.0.1 mysite.10.0.0.1.xip.io resolves to 10.0.0.1 foo.bar.10.0.0.1.xip.io resolves …

Does OpenID Connect support the Resource Owner Password Credentials grant?

Yes, OpenID Connect supports all OAuth 2.0 grant types including Resource Owner Password Credentials Grant and Client Credentials Grant. As we know, Authorization Code Grant and Implicit Grant are typical 3-legged flows including interaction between a client, an authorization server and a user. While the Resource Owner Password Credential Grant and Client Credential Grant are …