oauth - Exchanging a google idToken for local openId token c#
I am using the GitHub project https://github.com/openiddict/openiddict-core, which is great. I am stuck on what the procedure should be, or how to implement it, when a user signs in with an external identity provider, for example Google.

I have an Angular2 app running against an ASP.NET Core WebAPI. Local logins work perfectly: I call connect/token with a username and password, and an access token is returned.

Now I need to implement Google as an external identity provider. I have followed the steps here to implement the Google login button. It opens a popup when the user logs in. This is the code I have created for the Google button:
```typescript
// Angular hook that allows interaction with elements inserted by the
// rendering of the view.
ngAfterViewInit() {
    // Check if the Google client id is present in the page's meta tags.
    if (document.querySelector("meta[name='google-signin-client_id']")) {
        // Converts the Google login button stub into the actual button.
        // Note: the callback is passed unbound; bind it if it needs `this`.
        gapi.signin2.render('google-login-button', {
            "onsuccess": this.onGoogleLoginSuccess,
            "scope": "profile",
            "theme": "dark"
        });
    }
}

onGoogleLoginSuccess(loggedInUser) {
    let idToken = loggedInUser.getAuthResponse().id_token;
    // Here we can pass the idToken to the server and validate it.
}
```
Now I have the idToken from Google. The next step on the Google pages found here says I need to validate the Google access token, which I can do, but how do I exchange the access token I have from Google and create a local access token that can be used on the application?
The flow you're trying to implement is known as the assertion grant. You can read this other post for more information about it.

OpenIddict supports custom grants, so you can implement it in the token endpoint action:
```csharp
// Namespaces for the OpenIddict 1.x/2.x-era packages this answer targets.
using System.Security.Claims;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

[HttpPost("~/connect/token")]
[Produces("application/json")]
public IActionResult Exchange(OpenIdConnectRequest request)
{
    if (request.IsPasswordGrantType())
    {
        // ...
    }
    else if (request.GrantType == "urn:ietf:params:oauth:grant-type:google_identity_token")
    {
        // Reject the request if the "assertion" parameter is missing.
        if (string.IsNullOrEmpty(request.Assertion))
        {
            return BadRequest(new OpenIdConnectResponse
            {
                Error = OpenIdConnectConstants.Errors.InvalidRequest,
                ErrorDescription = "The mandatory 'assertion' parameter was missing."
            });
        }

        // Create a new ClaimsIdentity containing the claims that
        // will be used to create an id_token and/or an access token.
        var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);

        // Manually validate the identity token issued by Google,
        // including the issuer, the signature and the audience.
        // Then, copy the claims you need to the "identity" instance.

        // Create a new authentication ticket holding the user identity.
        var ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            OpenIdConnectServerDefaults.AuthenticationScheme);

        ticket.SetScopes(
            OpenIdConnectConstants.Scopes.OpenId,
            OpenIdConnectConstants.Scopes.OfflineAccess);

        return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
    }

    return BadRequest(new OpenIdConnectResponse
    {
        Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
        ErrorDescription = "The specified grant type is not supported."
    });
}
```
Note that you'll have to enable it in the OpenIddict options:
```csharp
// Register the OpenIddict services, including the default Entity Framework stores.
services.AddOpenIddict()
    // Register the Entity Framework stores.
    .AddEntityFrameworkCoreStores<ApplicationDbContext>()

    // Register the ASP.NET Core MVC binder used by OpenIddict.
    // Note: if you don't call this method, you won't be able to
    // bind OpenIdConnectRequest or OpenIdConnectResponse parameters.
    .AddMvcBinders()

    // Enable the token endpoint.
    .EnableTokenEndpoint("/connect/token")

    // Enable the password flow, the refresh
    // token flow and the custom grant type.
    .AllowPasswordFlow()
    .AllowRefreshTokenFlow()
    .AllowCustomFlow("urn:ietf:params:oauth:grant-type:google_identity_token")

    // During development, you can disable the HTTPS requirement.
    .DisableHttpsRequirement();
```
When sending the token request, make sure you use the right grant_type and send the id_token as the assertion parameter, and it should work. Here's an example with Postman (for Facebook access tokens, but it works the same way):

That said, you have to be extremely careful when implementing the token validation routine, as this step is particularly error-prone. It's important to validate everything, including the audience (otherwise, your server is vulnerable to confused deputy attacks).
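The validation routine the answer leaves as a comment, as an added example that is not part of the original answer or of OpenIddict. It uses the System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens packages, which are assumed to be installed. The client ID, the account id and the e-mail address are placeholders, and the RSA key is generated in the program to stand in for Google's published signing keys so the example runs offline; in a real deployment the keys come from https://www.googleapis.com/oauth2/v3/certs. The demo also mints a token for a different audience to show the confused-deputy case being rejected, and shows which claims are safe to copy into the local identity.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class GoogleIdTokenValidator
{
    // Google id_tokens carry either issuer form.
    private static readonly string[] ValidIssuers =
        { "https://accounts.google.com", "accounts.google.com" };

    // Validates issuer, audience, lifetime, algorithm and signature in one call.
    // signingKeys: in production, the keys parsed from Google's JWKS endpoint.
    public static ClaimsPrincipal Validate(string idToken, IEnumerable<SecurityKey> signingKeys, string clientId)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuers = ValidIssuers,
            ValidAudience = clientId,                 // a token minted for another app must be rejected
            IssuerSigningKeys = signingKeys,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            RequireExpirationTime = true,
            RequireSignedTokens = true,               // unsigned tokens are never acceptable
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // Google signs with RS256; blocks "none"/HS256
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear();          // keep raw claim names ("sub", "email", ...)
        return handler.ValidateToken(idToken, parameters, out _);
    }

    // Copies only the claims the local token needs. The e-mail is trusted only when
    // Google asserts it is verified; "sub" is the stable account identifier.
    public static ClaimsIdentity ToLocalIdentity(ClaimsPrincipal google, string scheme)
    {
        var identity = new ClaimsIdentity(scheme);
        identity.AddClaim(new Claim("sub", google.FindFirst("sub").Value));
        var verified = google.FindFirst("email_verified")?.Value;
        if (string.Equals(verified, "true", StringComparison.OrdinalIgnoreCase))
            identity.AddClaim(new Claim("email", google.FindFirst("email").Value));
        return identity;
    }
}

public static class Demo
{
    public static void Main()
    {
        const string clientId = "123456-example.apps.googleusercontent.com"; // assumed placeholder

        // Constructed test key standing in for Google's published certs.
        using var rsa = RSA.Create(2048);
        var key = new RsaSecurityKey(rsa) { KeyId = "constructed-kid-1" };
        var creds = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
        var handler = new JwtSecurityTokenHandler();

        // Mints a Google-shaped id_token for the given audience (constructed data).
        string Mint(string audience) => handler.WriteToken(handler.CreateJwtSecurityToken(
            issuer: "https://accounts.google.com",
            audience: audience,
            subject: new ClaimsIdentity(new[]
            {
                new Claim("sub", "110169484474386276334"),
                new Claim("email", "user@example.com"),
                new Claim("email_verified", "true"),
            }),
            notBefore: DateTime.UtcNow.AddMinutes(-1),
            expires: DateTime.UtcNow.AddMinutes(5),
            issuedAt: DateTime.UtcNow,
            signingCredentials: creds));

        var principal = GoogleIdTokenValidator.Validate(Mint(clientId), new[] { key }, clientId);
        var local = GoogleIdTokenValidator.ToLocalIdentity(principal, "OpenIddict");
        Console.WriteLine($"accepted: sub={local.FindFirst("sub")?.Value} email={local.FindFirst("email")?.Value}");

        try
        {
            // Same issuer, same key, valid signature, but issued to a different client:
            // accepting it would let that client log in as this user on our server.
            GoogleIdTokenValidator.Validate(Mint("other-app.apps.googleusercontent.com"), new[] { key }, clientId);
            Console.WriteLine("BUG: token for another audience was accepted");
        }
        catch (SecurityTokenInvalidAudienceException)
        {
            Console.WriteLine("rejected: audience mismatch (confused deputy prevented)");
        }
    }
}
```

In the token endpoint, `Validate(request.Assertion, keys, clientId)` replaces the "manually validate" comment and `ToLocalIdentity` produces the identity the ticket is built from. Google rotates its keys, so cache the JWKS by `kid` and refetch on a miss; the Google.Apis.Auth package's GoogleJsonWebSignature.ValidateAsync performs the same issuer, audience, lifetime and signature checks with the key fetching built in.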