Codeless OAuth API and Email API Attachments

The OAuth API gives you the full benefits of third-party OAuth login, and with a new Codeless block your application can include login with the likes of Facebook, Twitter, Google, Amazon, LinkedIn, Discord, GitHub, Spotify, and more.

In addition to the OAuth API, Backendless has also added new functionality for adding email attachments via API, which is also now available in Codeless. Email attachments – PDFs, images, videos, etc. – can even be added to email templates using Codeless. Read on to learn more.

Token-Based Security Part 6: Setting Up Identity-Server UI

Introduction

We have been discussing different parts of various authentication/authorization requirement scenarios. We also covered some theory and saw some demo code regarding OAuth, OIDC, Identity Server, etc.

In the previous post, we learned how to configure IdentityServer, AllowedScope of a client application, and how to make a PasswordTokenRequest for the scopes to UserInfo Endpoint.

OAuth 2.0 and OIDC Fundamentals for Authentication and Authorization

OAuth 2.0 is an industry standard for “delegated authorization” which is the ability to provide an application or client access to data or features offered by another app or service. OAuth 2.0 focuses on authorization and is not prescriptive about authentication. OpenID Connect (OIDC) adds a standards-based authentication layer on top of OAuth 2.0.

In this post, we will cover the fundamentals of OAuth 2.0 and OIDC for authentication and authorization. I will discuss two common flows, namely the Implicit Flow and the Authorization Code Flow.

Implementing Google OAuth to Use Google API in Cloudflare Workers

Recently I had the opportunity to build a small application that needed to authenticate and authorize a user using Google’s sign-in mechanism, and request data from a Google API on their behalf.

I chose to implement this as a Cloudflare Worker, a serverless compute service, leveraging Cloudflare key-value storage (KV) for session storage. The tooling from Cloudflare (wrangler) has evolved nicely since my first attempt at Cloudflare Workers, so I thought it was high time that I gave it another try.

Extracting Reddit Data to Airtable Using Byteline’s No-Code Platform

Introduction

In the world of information exchange, nerds and nitwits alike love Reddit. The popularity of Reddit is not only because it is an infinite source of user-generated content for pretty much every field of human knowledge, but also because Reddit manages spam unlike any other social media channel.

The prominence of Reddit is apparent from its sheer number of users, who not only access informative content by visiting the site but also extract that info to be used with another source. To do so, Reddit offers an API that can be used to pull subreddit data on posts, comments, media, and votes. Though it sounds like a great idea, there are often challenges in turning the API skeleton into a full-fledged data churning machine. This is usually because using the Reddit API requires decent technical development skills before you can actually start using it for data extraction.

What Is Keycloak and What Does It Offer?

Application security is becoming a more and more important topic on a day-to-day basis. Unauthorized access to protected data can potentially cost millions of dollars in the form of various financial penalties. Almost every application needs some reliable tool to manage its users’ identities and access. There are a bunch of solutions on the market — both free and paid — that promise to provide such features. In today’s article, I will try to present to you one of these tools, which, as you have probably guessed from the title, will be Keycloak. I hope that this article will give you a better understanding of its basics and why it may be profitable for you to get more familiar with it. As usual, I will start with a short description of what Keycloak exactly is.

Before we start — a quick disclaimer

OAuth 2: Pattern to Keep access_tokens Inside a Secured Zone at All Times

OAuth 2 has become a popular protocol to follow for authorizing users to access protected resources. A typical OAuth 2 scenario:

  1. A user requests access to a protected resource managed by a resource server via a User Agent, typically the user's browser.
  2. The resource server redirects the user via an HTTP redirect to an Authorization Endpoint managed by an Authorization Server that has an account for that user. The location of the redirect response has a field typically called redirect_uri.
  3. The authorization server prompts the user for credentials to verify the user's identity. It might also confirm that the user is OK with allowing the user agent access to the resource held at the resource server.
  4. The user enters credentials and confirms allowing access if required.
  5. The authorization server verifies the user's credentials and sends an authorization_code value to the redirect_uri.
  6. A service running at the redirect_uri sends a POST request containing the authorization_code to a Token Endpoint managed by the authorization server.
  7. The token endpoint validates the authorization_code, generates an access_token, and sends it back to the redirect_uri in the response.
  8. The service at the redirect_uri retries the initial HTTP request, adding the access_token as a query string parameter.
  9. The resource server validates the access_token and allows access to the protected resource.

Problem

Often in a single page application (SPA), we see that the UX layer is responsible for both the GET call to the authorization code endpoint and the POST call to the access token endpoint that exchanges the authorization code for the access token. The SPA then uses this token to make back-end calls, typically REST calls, to the resource server.

Mulesoft and Slack Integration Using OAuth

The Mulesoft Slack Connector enables organizations to connect directly with the Slack API, permitting users access to Slack functionality with seamless integration.

The lack of documentation on configuring OAuth authentication for the Slack connector makes it difficult for developers to use the connector with this security configuration. This article will guide developers through a seamless integration with OAuth security.

OAuth2 Bearer Token Usage

I have immersed myself in the digital identity space for the past few years. A good chunk of this work involves reading (and sometimes creating) specifications, as you can imagine. It is critical that they be written in such a way that two independent parties can build interoperable implementations without relying on each other’s code. With this in mind, let’s have a brief chat about OAuth2 Bearer Token Usage with a focus on the token’s encoding.

But first, let’s have a brief talk about what OAuth2 is.

API Authentication Methods: An Overview

Authentication can be complex, and developers are forced to work within the framework of the APIs they’re integrating with.

If you’re building internal integrations, you’ll likely encounter easier-to-manage tokens, if they’re even necessary at all. But for productized integrations, you’ll have to manage your users’ credentials and tokens for third-party systems, which adds complexity and means more time and effort on your plate.

Introduction To OAuth Framework

You must have heard the word OAuth if you are from a development background. It is popular because, in the past few years, technology has evolved a lot, and so has security. With increasing security concerns, a lot of frameworks and patterns came into the picture, and OAuth was one of them. When developers started using OAuth, they found it very secure and useful, and with its increasing popularity, many organizations started using it.

Now, you will notice that millions of applications are powered by the OAuth authorization framework. It's important that you know what it is all about, and I think that's why you are reading this article.

Azure Resource Owner Password Credentials Flow

Introduction

Azure provides the ROPC (Resource Owner Password Credentials) flow, where the application exchanges user credentials for an access token and a refresh token. There are a few important points to consider when planning to use the ROPC flow.

1. This flow doesn't work with federated IdPs like Facebook, GitHub, Microsoft, etc., and works with local accounts only.

User Authentication With Amazon Cognito

Introduction

In this article, I will walk you through what the Amazon Cognito service is and how you can use it for your user management, authentication, and authorization. I will create a simple web application using AngularJS with login/sign-up functionality, and I will showcase how easy it is to make it a full-fledged application with all user management functions handled by Amazon Cognito.

Prerequisites

This article assumes that you have a basic understanding of web application development. It doesn’t require you to have advanced skills in Angular or AWS, but familiarity with these technologies will help you get the most out of it. Here is a list of the tools and technologies I have used in this article.

How to Use Apache Shiro and OAuth 2.0 to Build a Secure Application

For those unfamiliar, Apache Shiro—a Java Security framework—performs authorization, authentication, and session management (along with many other functions) to help build more secure applications.

This post will show you how to use JAX-RS to build a simple Java REST application. JAX-RS is a set of interfaces, so you’ll need to pick your implementation. In this post, we’ll be using Jersey—but you can use whatever implementation you prefer, and none of these APIs are Jersey specific.

OAuth 2.0 vs Session Management

There seems to be a lot of misinformation on when OAuth 2.0 (henceforth referred to as OAuth) is appropriate for use. A lot of developers confuse OAuth with web session management and hence end up using the wrong protocol/set of technologies. This, in turn, leads to security issues. This article will clarify when to use regular session management solutions and when to use any one of the OAuth flows.

The Most Important Difference

Ideally, we would like all authenticated communication to be long-lived (to provide the best user experience). The difference between user session management and OAuth is the level of trust between the communicating parties.

Securing Legacy Apps With OAuth 2.0 and Spring Cloud Gateway

Do you find it painful to modernize your old, form-based logins? It doesn’t have to be that way. The lack of support in the underlying framework can make adding OAuth 2.0 support to legacy applications tough, but this blog post will show you a low-code way to use Spring Cloud Gateway and Okta to secure your legacy apps.

Learn how to set up Spring Cloud Gateway as a standalone application that proxies HTTP requests and handles OAuth before sending the request to your app.

Mule OAuth 2.0 Provider in Mule 4

First of all, thanks to MuleSoft for reducing and simplifying the steps to configure the Mule OAuth 2.0 policy by using Mule 4 components.

To apply the OAuth 2.0 policy, the configuration below needs to be applied.