following this tutorial I tried to receive Access Token from my company's site but,
I also had to add headers to the POST method and since the author of the tutorial didnt, I had to do this on my own, but im super new to these things and dont know if i did it the right way. And because of that (possibly?) all i get is a 401 response here are all the files from my project : click me!
If anyone could help me, Id be greatful
I would suggest to use AppAuth-Android, and not implementing the authorization flow by yourself, which can be complicated.
AppAuth for Android is a client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
AppAuth handles the authorization flow (i.e. The performActionWithFreshTokens() method handles the token refreshing automatically).
You can follow Google's AppAuth-Android codelab, which demonstrates how to implement this library.
Hope it helps!
Related
I need to send post request to get token from here https://developers.google.com/android-publisher/authorization
But on step 4 I don't have client_secret
I have code / client_id / redirect_uri the JSON does not have it
The most recommended mobile solution is to use AppAuth libraries, which involves these 2 steps:
Use Authorization Code Flow (PKCE)
Login via System Browser (Chrome Custom Tabs)
In this case the request to get a token uses a runtime code_verifier rather than a client_secret. My blog posts and code sample may give you something to compare against, but mobile OAuth can be quite intricate.
Google Mobile OAuth
Google generally recommend AppAuth for mobile logins. The playmarket API is just a scope value, so I see no reason why it wouldn't work.
References to client secrets in the Playmarket page may just be incomplete documentation. I haven't used this particular API but have used similar Google resources.
Quick Next Steps I'd Recommend
Try running the Google AppAuth sample - this blog post of mine makes this very easy.
Then repoint the sample to your Google Auth Server and add the Playmarket scope. You should then get a token and be able to successfully access Playmarket resources.
If there are no problems, integrate the solution into your own app. If you run into usability problems, have a read of my blog posts.
Coding Aspects
Not sure what language you're using, but my Kotlin sample code uses the libraries with a modern async await syntax.
I'm creating an Android application for my employee that will require the sales people to login using Okta authentication (I plan on using their authentication api). My question is on how to secure the WEB API my code will be calling from the android app. Should I use Okta's OAuth implementation to do this?
What I was thinking was if I use Okta's authentication (to have them login), I can also call the OAuth API to retrieve a token and then an access token. I could then lock down the API by checking the access token I received from Okta.
Do you think this is the best way to do this using Okta?
Thanks!
08/18/2016 update: we now have a Xamarin code sample available at https://github.com/raphaellondner-okta/okta-oauth-xamarin-android-customtabs
As of 08/18/2016, you will need a slightly modified version of IdentityModel.OidcClient (https://github.com/raphaellondner-okta/IdentityModel.OidcClient/tree/rl-pkce-secretless) to make it work with Okta and PKCE. Hopefully these proposed changes will make it to the master branch soon.
Original answer:
I suggest you take a look at our OAuth Android sample available at https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android (we leverage AppAuth to achieve both the authentication with Okta and the authorization using OAuth and our OAuth features).
We do not yet have a Xamarin sample available yet, but the general idea is to leverage the OAuth authorization code flow using an embedded browser to call the Okta /authorize endpoint, grab the code that's returned from Okta in the browser response url (as a fragment) and pass it on to your mobile app to exchange the code for an access token.
Our OAuth features are still in beta so if need access to them, please contact us at developers at okta dot com.
I am following this link to validate the token. It is mentioned in the link that for more than 100 requests we should follow below approach.
Using one of the Google API Client Libraries is the recommended way to validate Google ID tokens in a production environment.
The link provides code sample in Java. However I am trying to implement the same in Node.js. But did not find any help on this.
Can anybody help me in this?
I'm trying to setup a private oauth2-server for usage with Android. I don't want any 3rd party-server to authorize, so my question is how to do this?
I had a look at Apache Oltu, but I haven't been able to find any HowTo to setup the server. Are there any instructions available or could someone who already did this help me?
Furthermore, is there a better solution? I don't want to just provide user/pwd-authorization (or even digest), because it's about getting an user-specific file, which should be automatically synced once in a while without asking for a password again.
The Apache Oltu documentation contains some example code, which should help you understanding the basics. Then you should have a look at the integration tests, which contain code for nearly all use cases.
But you have to understand that Apache Oltu isn't a standalone solution. It's only a framework, which handles the network communication for OAuth authorization and resource requests. That means, you have to implement
your own persistence layer for storing tokens.
your own security interceptor which actually checks if the received token is valid. Oltu isn't integrated into the webserver, so you have to take care that requests don't bypass OAuth authorization.
your own user registration process.
I have an Android / GAE application. We need to validate the Android user against GAE using OAuth.
We're currently using the Signpost library for this.
We've run through lots of the samples out there and we do seem to get a correct token.
Our problem is once we go to use that token to on our site - we get a 401 - Authorization Failed. The trace from GAE is below:
##TRACE## APIBase:: authenticate() InvalidOAuthParametersError!
The client provided OAuth parameters with the request, but they are invalid.
We've tripple checked our consumer keys, and the other information and we don't know really where to do from here.
Does anyone have any Android to GAE examples that they've used successfully?
Thanks
I learned a lot from the Android2Cloud guys
You can see how they do it at http://code.google.com/p/android2cloud/