Questions tagged [oauth-2.0]
OAuth (Open Authorization) is an open protocol framework to allow secure API authorization in a simple and standardized way for desktop, mobile and web applications. OAuth 2.0 is the second version of the OAuth protocol.
24,380 questions
836 votes, 22 answers, 304k views
Why Does OAuth v2 Have Both Access and Refresh Tokens?
Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, ...
669 votes, 10 answers, 285k views
How is OAuth 2 different from OAuth 1?
In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1?
Is OAuth 1 obsolete now? Should we be implementing OAuth 2? I don't see many implementations of OAuth 2; most are ...
638 votes, 48 answers, 1.1m views
Google OAuth 2 authorization - Error: redirect_uri_mismatch
On the website https://code.google.com/apis/console I have registered my application, set up the generated Client ID and Client Secret in my app and tried to log in with Google.
Unfortunately, I got the ...
601 votes, 9 answers, 508k views
What are the main differences between JWT and OAuth authentication?
I have a new SPA with a stateless authentication model using JWT. I am often asked to refer OAuth for authentication flows like asking me to send 'Bearer tokens' for every request instead of a simple ...
589 votes, 10 answers, 252k views
How does OAuth 2 protect against things like replay attacks using the Security Token?
As I understand it, the following chain of events occurs in OAuth 2 in order for Site-A to access User's information from Site-B.
Site-A registers on Site-B, and obtains a Secret and an ID.
When User ...
360 votes, 8 answers, 87k views
Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?
With the "Implicit" flow the client (likely a browser) will get an access token, after the Resource Owner (i.e. the user) gave access.
With the "Authorization Code" flow however, ...
310 votes, 5 answers, 254k views
JWT refresh token flow
I'm building a mobile app and am using JWT for authentication.
It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as ...
297 votes, 3 answers, 110k views
OAuth 2.0: Benefits and use cases — why?
Could anyone explain what's good about OAuth2 and why we should implement it? I ask because I'm a bit confused about it — here's my current thoughts:
OAuth1 (more precisely HMAC) requests seem ...
289 votes, 13 answers, 87k views
What is the purpose of the implicit grant authorization type in OAuth 2?
I don't know if I just have some kind of blind spot or what, but I've read the OAuth 2 spec many times over and perused the mailing list archives, and I have yet to find a good explanation of why the ...
289 votes, 10 answers, 141k views
What is the purpose of a "Refresh Token"?
I have a program that integrates with the YouTube Live Streaming API. It runs on timers, so it's been relatively easy for me to program it to fetch a new Access Token every 50 minutes with a Refresh ...
227 votes, 5 answers, 620k views
Using an authorization header with Fetch in React Native
I'm trying to use fetch in React Native to grab information from the Product Hunt API. I've obtained the proper Access Token and have saved it to State, but don't seem to be able to pass it along ...
224 votes, 5 answers, 119k views
Why do access tokens expire?
I am just getting started working with Google API and OAuth2. When the client authorizes my app I am given a "refresh token" and a short lived "access token". Now every time the access token expires, ...
219 votes, 11 answers, 115k views
Refreshing OAuth token using Retrofit without modifying all calls
We are using Retrofit in our Android app, to communicate with an OAuth2 secured server. Everything works great, we use the RequestInterceptor to include the access token with each call.
However there ...
210 votes, 9 answers, 75k views
What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?
OAuth 2.0 has multiple workflows. I have a few questions regarding the two.
Authorization code flow - User logs in from client app, authorization server returns an authorization code to the app. The ...
209 votes, 6 answers, 212k views
How to validate an OAuth 2.0 access token for a resource server?
When a client asks a resource server to get a protected resource with an OAuth 2.0 access token, how does this server validate the token? The OAuth 2.0 refresh token protocol?
203 votes, 4 answers, 261k views
JWT (Json Web Token) Audience "aud" versus Client_Id - What's the difference?
I'm working on implementing OAuth 2.0 JWT access_token in my authentication server. But, I'm not clear on what the differences are between the JWT aud claim and the client_id HTTP header value. Are ...
199 votes, 4 answers, 235k views
What's a redirect URI? How does it apply to an iOS app for OAuth 2.0?
Beginner programmer here, please pardon ignorance & explanations will be really nice :)
I've tried to read the tutorials for a certain OAuth 2.0 service, but I don't understand this redirect URI.....
170 votes, 4 answers, 120k views
Google access token expiration time
When I obtain an access_token from the Google API, it comes with an expires_in value. According to the documentation, this value indicates "The remaining lifetime of the access token".
What are the ...
159 votes, 29 answers, 323k views
How to obtain the signing certificate fingerprint (SHA1) for OAuth 2.0 on Android?
I'm trying to register my android app following the steps in https://developers.google.com/console/help/#installed_applications which leads me to follow
http://developer.android.com/tools/publishing/...
157 votes, 3 answers, 261k views
What are Bearer Tokens and token_type in OAuth 2?
I'm trying to implement the Resource Owner & Password Credentials flow from the OAuth 2 spec. I'm having trouble understanding the token_type value that gets sent back with a valid response. In ...
146 votes, 5 answers, 84k views
OAuth 2.0 vs Auth0
What is the difference between OAuth 2.0 and Auth0? Which one should I use to develop the authentication system?
143 votes, 9 answers, 102k views
Difference between the OAuth 2.0 "state" and OpenID "nonce" parameters? Why can't state be reused?
OAuth 2.0 defines the "state" parameter to be sent in the request by the client to prevent cross-site request attacks. The same is mentioned in the OpenID spec for "nonce". Apart from the fact that "nonce" is returned in ...
142 votes, 6 answers, 136k views
Where to store the refresh token on the Client?
My SPA application uses the following architecture (source):
This assumes that my client application knows about the refresh token, because I need it to request a new access token if no user ...
138 votes, 6 answers, 163k views
Do Keycloak Clients have a Client Secret?
Does a Keycloak client ID have a client secret? I tried to create a client in the Keycloak admin UI but I was not able to spot the client secret.
Is it auto generated? Where can I get the secret?
137 votes, 4 answers, 172k views
How to implement oauth2 server in ASP.NET MVC 5 and WEB API 2 [closed]
First I'll sketch my project:
For my internship I need to add functionality to an existing system. A 3rd party client must be able to access data from AX Webservices once he is authorised by the user ...
132 votes, 8 answers, 123k views
Where can I find a list of scopes for Google's OAuth 2.0 API? [closed]
The example I'm working with specifies the scope in the OAuth request as:
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile
...
130 votes, 7 answers, 339k views
Correct way to set Bearer token with cURL
I get my bearer token from an API end point and set the following:
$authorization = "Bearer 080042cad6356ad5dc0a720c18b53b8e53d4c274"
Next, I want to use cURL to access the secure endpoint ...
128 votes, 2 answers, 57k views
OAuth Authorization vs Authentication
OAuth terminology has been bothering me a long time now. Is OAuth Authorization as some would suggest or is it Authentication?
Correct me if I'm wrong but I have always read Authorization as being ...
122 votes, 5 answers, 227k views
Error: Request header field Content-Type is not allowed by Access-Control-Allow-Headers
I created an MVC4 Web API project using VS2012. I used the following tutorial to solve the Cross-Origin Resource Sharing, "http://blogs.msdn.com/b/carlosfigueira/archive/2012/07/02/cors-support-in-asp-net-...
122 votes, 8 answers, 68k views
What is the intent of the ID Token expiry time in OpenID Connect?
In OpenID Connect an access token has an expiry time. For the authorization code flow, this is typically short (e.g. 20 minutes), after which you use the refresh token to request a new access token.
The ID ...
119 votes, 9 answers, 96k views
How can I revoke a JWT token?
I am using Spring Security OAuth2 and JWT tokens. My question is: How can I revoke a JWT token?
As mentioned here
http://projects.spring.io/spring-security-oauth/docs/oauth2.html, revocation is done ...
116 votes, 7 answers, 171k views
Is there any JSON Web Token (JWT) example in C#?
I feel like I'm taking crazy pills here. Usually there's always a million library and samples floating around the web for any given task. I'm trying to implement authentication with a Google "Service ...
115 votes, 10 answers, 318k views
How do I get an OAuth 2.0 authentication token in C#?
I have these settings:
Auth URL (which happens to be a "https://login.microsoftonline.com/...") if that helps.
Access Token URL "https://service.endpoint.com/api/oauth2/token"
ClientId "abc"
...
113 votes, 5 answers, 82k views
What's the right OAuth 2.0 flow for a mobile app?
I am trying to implement delegated authorization in a Web API for mobile apps using OAuth 2.0. According to the specification, the implicit grant flow does not support refresh tokens, which means once an ...
111 votes, 25 answers, 129k views
PG undefinedtable error relation users does not exist
I saw this question up before, but only for rspec. I haven't created tests yet because it's too advanced for me, but one day soon I will! :P
I get this error when I try to sign-up/login into my app. I ...
109 votes, 12 answers, 157k views
How to Logout of an Application Where I Used OAuth2 To Login With Google?
In my application, I implemented Google signout using jsapi.
I used the url https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxxxxx to connect to Google and then https://www.googleapis.com/...
107 votes, 8 answers, 236k views
Using Postman to access OAuth 2.0 Google APIs
I am trying to access the Proximity Google API using the Postman Chrome app. I have followed tutorials on the Postman and Google dev websites but I'm still getting a 401 error message.
What am I doing?
Step 1 - ...
106 votes, 4 answers, 50k views
Is a Refresh Token really necessary when using JWT token authentication?
I'm referencing another SO post that discusses using refresh tokens with JWT.
JWT (JSON Web Token) automatic prolongation of expiration
I have an application with a very common architecture where my ...
106 votes, 3 answers, 31k views
Client secret in OAuth 2.0
To use the Google Drive API, I have to play with the authentication using OAuth 2.0. And I have a few questions about this.
Client id and client secret are used to identify what my app is. But they must be ...
104 votes, 3 answers, 220k views
OAuth 2.0 Authorization Header
I want to develop an SDK that encapsulates the OAuth 2.0 functions. I have checked the differences between OAuth 1.0 & 2.0, and I have some confusion on the Authorization Header (1.0 and 2.0), OAuth 1.0 ...
104 votes, 6 answers, 83k views
Restrict Login Email with Google OAuth2.0 to Specific Domain Name
I can't seem to find any documentation on how to restrict the login to my web application (which uses OAuth2.0 and Google APIs) to only accept authentication requests from users with an email on a ...
102 votes, 5 answers, 20k views
What's the point of a refresh token?
I have to confess I've had this question for a very long time and never really understood.
Say an auth token is like a key to a safe; when it expires it's not usable anymore. Now we're given a magic ...
99 votes, 18 answers, 154k views
How to refresh a token with the Google API client?
I've been playing around with the Google Analytics API (V3) and have run into some errors. Firstly, everything is set up correctly and worked with my testing account. But when I want to grab data from ...
95 votes, 4 answers, 85k views
How to specify the refresh token lifespan in Keycloak
The Keycloak refresh token lifetime is 1800 seconds:
"refresh_expires_in": 1800
How do I specify a different expiration time? In the Keycloak admin UI, only the access token lifespan can be specified:
90 votes, 10 answers, 219k views
Getting "error": "unsupported_grant_type" when trying to get a JWT by calling an OWIN OAuth secured Web Api via Postman
I have followed this article to implement an OAuth Authorization server. However, when I use Postman to get a token, I get an error in the response:
"error": "unsupported_grant_type"
I read ...
90 votes, 3 answers, 178k views
How to identify if the OAuth token has expired?
My iOS mobile app consumes services that are implemented with the OAuth2.0 protocol. The OAuth access token comes along with a refresh token and an expires_in field. I saved the refresh token and ...
89 votes, 3 answers, 49k views
What is the difference between OAuth based and Token based authentication?
I thought that OAuth is basically a token based authentication specification but most of the time frameworks act as if there is a difference between them. For example, as shown in the picture below ...
89 votes, 3 answers, 68k views
Where is Devise's implementation of the "authenticate_user!" method?
Where is Devise's implementation of the authenticate_user! method?
I have been looking for it and have not found it so far.
89 votes, 2 answers, 15k views
OAuth v2 communication between authentication and resource server
I'm having some troubles understanding how OAuth v2 works.
The OAuth version 2 spec reads:
"Accessing Protected Resources: The client accesses protected resources by presenting the access token to the ..."
88 votes, 14 answers, 100k views
Salesforce Authentication Failing
I am trying to use OAuth authentication to get the Salesforce Authentication Token, so I referred to the wiki docs, but after getting the authorization code, when I make a POST request with the 5 required parameters, ...