Please Let me Know how to accomplish my task, connecting to Oauth without any interaction of the user and also the Oauth should not be expire or any way to prevent it from expire.
it would be great if you can provide me detailed code in c#.
You can't accomplish what you're trying to accomplish. It's impossible.
Intuit requires that the user be involved in the OAuth process. They must click the [Connect to QuickBooks] button at least ONCE to go through the OAuth process and get the OAuth tokens.
Additionally, Intuit forces OAuth token expiration after 180 days. You can refresh/renew the token within 30 days of the expiration.
Please go read the documentation, where this is all very clearly explained:
https://developer.intuit.com
Related
I've spent a past couple weeks or so scouring through .Net Core docs and tutorials and now I'm building my first .Net Core web app. So the app basically consists of pulling data from an online API based on search parameters. Nothing spectacular. Now, my problem lies within OAuth2 the API uses to limit access to its data. It's my first time encountering OAuth2 and working with remote APIs in general, so as you might figure I've spent the last couple days going through OAuth documentation and learning about API consumption. The API I use to fetch data is Amadeus API and the duration of the access token I am granted is 30 minutes. So after banging my head for a couple days and trying to refresh my Access Token by all different kinds of means, I figured Amadeus doesn't even provide Refresh Token and I should basically use ClientId and ClientSecret to renew the access token when it expires or when it's close to expiring. My app doesn't have any user authentication and just serves to get data from the API.
So my questions are:
1) What is the best practice to renew Access Token if you are just granted ClientId and ClientSecret?
2) Is there a way to automate this process by using some in memory data and not relying on 401 response to check if my token has expired?
My guess was trying to use Outgoing request middleware to try and access request specific data or data stored in memory like, let's say, the time last Access token was generated and then deciding if I should renew it or not, before sending the request. My problem is I'm not very adept at this and I'm not sure if I can access my HttpClient instance inside this middleware and renew its token with HttpClient.SetBearerToken() method. I've tried using HttpContext as well but I'm not really sure how it works behind the scenes and Microsoft documentation that I've found for it is rather scarce. Thus another question would be:
3) Can I pass HttpContext to a custom middleware like in this case but use it to override a method like SendAsync() and then in conjunction with that, based on the intel I gather, use HttpClient.SetBearerToken() within that same middleware to update my transient HttpClient instance which is generated by HttpClientFactory?
Any help or advice is much appreciated !
1) What is the best practice to renew Access Token if you are just
granted ClientId and ClientSecret?
You cannot renew an Access Token without a Refresh Token. Your only option is to create a new Access Token which means going back thru the OAuth Authorization Flow.
2) Is there a way to automate this process by using some in memory
data and not relying on 401 response to check if my token has expired?
If you can hack the memory of a machine, maybe. However, using supported methods that will continue to work today and tomorrow, the answer is no.
3) Can I pass HttpContext to a custom middleware like in this case but
use it to override a method like SendAsync() and then in conjunction
with that, based on the intel I gather, use
HttpClient.SetBearerToken() within that same middleware to update my
transient HttpClient instance which is generated by HttpClientFactory?
I have no idea. Since the answer to #1 is no, you probably cannot. Note that setting a Bearer token does you no good if the token is expired. Tokens have a signature that you will not be able to defeat unless you have the Private Key or a million CPUs for a million years or a vulnerability/weakness is discovered.
Ok so this request is a little convoluted. Apologies ahead of time.
Firstly this is what I need:
Google signin (using: .AddGoogle() and this is working)
After signing in initially push user to another page where they must enter a PIN.
Verify that PIN against the database on the back-end. If it does not match return user to enter PIN again.
Once PIN is verified allow full access to the site (excluding enter PIN page).
After X minutes of inactivity (or if the browser is closed) log the user out immediately.
Next, this is what I think I need to do:
Use services.AddAuthentication(...).AddCookie(...).AddGoogle().
So I know that the cookie will have the expiration time embedded into it's contents, but I need some way of also making it expire when the session expires, and keep track of whether or not the PIN has been verified, hence:
Create my own middleware that creates a session cookie (if one does not exist) with a random string or number in it.
Modify whatever is happening in AddAuthentication with the following behaviour:
Have ASP.NET write out it's auth cookie with the session cookie's random value encrypted into it.
Only accept an ASP.NET auth cookie if the cookie's embedded expiration time has not passed AND the auth cookie's embedded session random string matches the session cookie.
Have ASP.NET auth redirect to the PIN page if no PIN is recorded in the cookie and then forward the request to the appropriate page once the PIN is accepted and recorded back into the auth cookie.
My question is am I right about needing to write my own middleware? Will I need to entirely replace AddAuthentication with my own middleware or can I get what I need by making my own middleware to supplement what AddAuthentication is doing already?
In experimenting one of the things I've had trouble with is if I logout a user in the middleware before authentication (when I detect the session cookie is missing) I can't signal to the authentication mechanism to redirect back to google sign-in, and the user just gets an error and has to refresh.
Additionally, if I am on the right track: How can I create a middleware that will inject a value into the auth ticket before it's created; verify that value; and remove the auth ticket cookie and/or signal to the auth middleware that it should not process the cookie stored in the context's request, and should instead redirect to the google sign-in?
EDIT: So I tried to do some reading on my own. I'm looking at OAuthHandlers and claims, maybe there is some way to utilize this? I'm still investigating but any direction is welcome.
As it is generally said: you should not be writing your own authentication.
Since you didn't mention Identity, I'll assume you are not using it. I would recommend using .Net's Identity as it easily covers the problems you have. As of Identity 2.0, external login(Facebook, Twitter, Google) and 2FA functionality are included as a part of this library. This is the defacto authentication system for .Net, and adding it is not too difficult.
The actual implementation of Identity goes beyond the scope of the question so here's a link to help you get started: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-2.1&tabs=visual-studio%2Caspnetcore2x
Google API OAuth 2.0 servcie Account C# ( drive api)
I am only targeting ONE Service Account.
I am looking in authenticating to a service account.
following this example:
Google example
As far I can understand, the token is permanent not 1h like other authentication type. Yet there is no mention of the token in the code.
Do I have to store this token? or do I have to request it every time I want to create the service, using the certificate?
Is the "service" creation code the same as described every time I need it. Or is this just for the very first time I request access to this account?
As I've commented, the article "Using Google Drive API with C#" part 1 and part 2, shows how to store the refresh token and use it to authenticate in the name of app.
It's also warning about the limitations of the service account, in many cases "useless" as you said.
Here's another one implementation of IDataStore.
Hope that help you! =)
Google offers a few options for authenticating users. One of them is Service Accounts which provides more secure communication between your app and Google server while authenticating users.
Normally, if you use Google oAuth library in server side, a shared key is used to authenticate user and to get a token which includes access_token, toke type, refresh_token, expire time. In this case, user should give you permissions.
However, when you use Service account, user is not involved and service account is used for authentication. In this case, in first time, you should use Service Account to get a token and store it in your DB. That way, you will be able to use it next time while sending API calls. And of course, for security reasons, this access token will expire. In this case, you will use refresh_token which returns when you get token for the first time. With using refresh token, you will be able get a new access token.
I cannot find the information on this question in an accurate manner, and is becoming a bit problematic to me. Hopefully someone can help guide me to the right direction. Do I have to use OAuth authentication to hit the analytic's API for all of our accounts, or can I just use a shared key? every example, and only finding examples for java script, but none for .NET, show it using a autho type authentication for authenticating the user. We are not allowing any public users to hit our accounts though, only our development team. So what do I need to go about this?
Each member of your dev team is gong to have to accept the Oauth in order to login. Oauth is based on the User that logs in. Not the google analytics account itself.
I am running a workflow service which automatically posts messages from some blogs on a facebook page. But now facebook deprecate the offline_access permission and I need to find a solution if my application does not run for example 60 days and the access token expired.
I need to find a way to get a new access token with given username and password without user intervention...
Maybe someone of you have a good idea
If your service make timed requests to the Facebook API, you won't need to worry about the token expiration. So, if you request some status or a specific FQL on a timed interval, your token will be extended and will let you post anytime you want.
This solution is a workaround. Even you try to do that, you won't cover all the scenarios. The better way is to mantain the user connected to your app, verifying some constant content day-by-day. With this behavior, you will have an access token for every entrance of the user.
Hope it works.