OAuth Authorization vs Authentication

OAuth is a specification for authorization. OAuth 2.0 is a specification for authorization, but NOT for authentication. RFC 6749, section 3.1 (Authorization Endpoint), explicitly says as follows: The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The … Read more

Difference between the OAuth 2.0 “state” and OpenID “nonce” parameters? Why can state not be reused?

State and nonce seem to be similar. But if you dig deep, you will find that they serve different purposes. State is there to protect the end user from cross-site request forgery (CSRF) attacks. It was introduced in the OAuth 2.0 protocol, RFC 6749. The protocol states that: Once authorization has been obtained from the end-user, the authorization … Read more

Spring Boot 2.0.0 + OAuth2

Spring Security 5 uses a modernized password storage, see OAuth2 Autoconfig: If you use your own authorization server configuration to configure the list of valid clients through an instance of ClientDetailsServiceConfigurer as shown below, take note that the passwords you configure here are subject to the modernized password storage that came with Spring Security 5. … Read more

CORS issue with Google OAuth2 for server-side web apps

When you use the Authorization Code grant (OAuth2 for backend apps – &response_type=code), you must redirect the browser to the /auth endpoint – you cannot use XHR for that. The user will be redirected back after authentication. After redirecting to the /auth endpoint, the user needs to see in the address bar that the page is … Read more

Google JWT Authentication with AspNet Core 2.0

Posting my ultimate approach for posterity. As Tratcher pointed out, the AddGoogle middleware is not actually for a JWT authentication flow. After doing more research, I realized that what I ultimately wanted is what is described here: https://developers.google.com/identity/sign-in/web/backend-auth So my next problems were that I could not rely on the standard dotnet core Jwt auth middleware … Read more

How to send emails with Google using nodemailer after Google disabled the Less Secure Apps option?

At the time of writing, Less Secure Apps is no longer supported by Google, and you can’t use your Google account password. You’re gonna have to generate a new app password. App passwords only work if 2-step verification is turned on. Follow these steps to get the app password: go to https://myaccount.google.com/security, enable 2FA, create … Read more

Does OpenID Connect support the Resource Owner Password Credentials grant?

Yes, OpenID Connect supports all OAuth 2.0 grant types, including the Resource Owner Password Credentials Grant and the Client Credentials Grant. As we know, the Authorization Code Grant and Implicit Grant are typical 3-legged flows involving interaction between a client, an authorization server and a user, while the Resource Owner Password Credentials Grant and Client Credentials Grant are … Read more

Android Google+ integration – repeated UserRecoverableAuthException

I’ve had this issue for a while and came up with a proper solution. String token = GoogleAuthUtil.getToken(this, accountName, scopeString, appActivities); This line will either return the one-time token or will trigger the UserRecoverableAuthException. The Google Plus Sign-In guide says to open the proper recovery activity: startActivityForResult(e.getIntent(), RECOVERABLE_REQUEST_CODE); When the activity … Read more