Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Just reached 100+!!
Anyhow. I started coding prettymuch 365 days ago. My mate decided to launch his company and figured it was a good idea to start it with good friends who knew fuck all at coding.
Fyi, the dude can code 15 hours straight everyday for about a year (no shit thats what i saw).
Since he taught me html css javascript(even if i still suck abit at js). He made me remake the whole bootstrap in react by adding this new lib styled-components and test everything(95% coverage :)).
He also taught me webpack and rollup. Json schma forms,http requests redux, redux logic, and all the routing shit...he obliged me to i plement RR4 on release and is now making me overlook the merge requests of my other collegue (yes he made me a git pro,almost).
And now i have to work long distance by studying java, spring, oauth2 and start working on our api.
O yeah,and i went from microsoft to full on linux!!!
To be honest i thought i was gonna die this year. (Also have a kid on the way :)).
Devrant has been like going to the psychologist :) everytime shit hit the fan i realized every one has the same problems :)
Thanks to the community i can also now even give out nerd jokes :)
(L)Devrant11 -
Just solved a bug I was trying to solve for hours.
Oh, the pleasure of closing 12 tabs at once without wanting to recover them for the next session.
Just priceless!
Gonna have a good night's sleep.3 -
Marketing coworker: We MUST integrate with XYZ
Me: sure, they have a REST API and OAuth2. What part of our system do you want to integrate with XYZ?
coworker: Emmm... I don't know. Everything
Me: ...okay. What does XYZ even do?
coworker: Emmm... our customers use it, so we have to integrate with them.
Me: fine. I'm reading that XYZ has function ABC and PQR. Which one do our customers use?
coworker: ABC, definitely ABC
...
coworker: Our customers say nothing is working!
*looks into the problem*
Me: That's because they're using PQR and not ABC.
This kind of research is NOT my job, it's YOURS5 -
Oauth2 examples.
Seriously all examples I found use library that use library that use library to just build url encoded parameters like this
client_secret=foo&code=bar
Got me 5 hours to dig going trough couple of github repos with implementation to see that shit at the end.
Seriously people !!!
Start thinking before you write single line.
I don’t want to download 10 dependencies and 100MB+ just to send 2 requests with url encoded parameters.
It’s in every - literally every language.
I know you’re stupid but please just try to understand how things work instead of copy paste another stackoverflow and medium snippet.4 -
That moment when you work the whole day to write a discord bot from scratch. No discord.py and other wrappers. Pure websockets, oauth2, https, json loads here and there. Understanding how the discord API works was a real challenge, but I did it :).
Most of my time was spent on discord's gateway connection and identification system.
The bot can renew its token, get all the guilds it is part of, all the channels and users of these guilds, send message and communicate with the gateway.
Tomorrow I will start connecting it to a voice channel and let it "speak". Thinking of combining text-to-speech with it, but I am not sure how well they are going to harmonize together.5 -
I'm convinced no one really understands OAuth2, probably not even the creators.
Every blog, articles and tutorial, you have people saying don't do this, don't do that. Basically, no one agrees on a single implementation.
Want to use passwords for auth in a first party system you fully own? Apparently, that's unsafe.
Hmmm, what about magic links for passwordless auth? Also not safe you say?
Okay, I believe Okta just wants people to use their services, nothing else.15 -
> Startup: ok listen up, we got this super cool thing we want to do with Twilio. Doesn't get any easier: some calls to book a restaurant, you ask for booking data and save that on some db.
> iHateForALiving: I'm on it. We got a couple weeks of development, never worked with Twilio, but should be easy enough
> Startup: Hold it big guy, we can't just write code like this. There's this OTHER developer with a super cool framework he wrote himself, it supports OAuth2 and multitenancy, written in Huskell, microservices to authenticate several apps all working concurrently in our environment, some orchestrator, cloud computing on AWS, you're going to love it. There's this Postman project with 200-something calls (the ones I need for my project, one and only consumer for those APIs, are 5 including the login)
> iHateForALiving: You are aware you'll have approximately six clients and they'll pay some 30 bucks each per month, aren't you?
> Startup: You don't understand, this infrastructure is CRITICAL for the future of our company
> ffwd 6 months
> iHateForALiving: guys we had this 2 weeks project and it's taking months, I'm ready, what is going on there?
> Startup: someone killed our DB, the OTHER developer pushed on git the access credentials :(
THE FULL MOON IS DRAWING NEAR AND THE FUCKING WERECODERS STRIKE AGAIN! -
fuck it, i'm going to write a personal oauth2 service
pretty soon on websites you'll see a sign in with google button, and sign in with github button, and a sign in with danny button5 -
The Instagram API sucks a Lot.
Why the fuck I've to login with my account using OAuth2 to get posts of a PUBLIC account, it's so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?
Fucking piece of shit5 -
FYI. Copied from my FB stalked list.
Web developer roadmap 2018
Common: Git, HTTP, SSH, Data structures & Algorithms, Encoding
------
Front-end: HTML, CSS, JavaScript > ES6, NPM, React, Webpack, Responsive Web, Bootstrap
------
Back-end: PHP, Composer, Laravel > Nginx, REST, JWT, OAuth2, Docker > MariaDB, MemCached, Redis > Design Patterns, PSRs
------
DevOps: Linux, AWS, Travis-CI, Puppet/Chef, New Relic > Docker, Kubernetes > Apache, Nginx > CLI, Vim > Proxy, Firewall, LoadBalancer
------
https://github.com/kamranahmedse/...2 -
I've been using the Square REST API and I spent one hour thinking there was something wrong in my code until I f** found that THEY were not following OAuth 2 guidelines, which made their workflow incompatible with the OAuth lib I was using, so I had to mark an exception for Square's OAuth from the rest of my OAuths. Specifically, RFC 6749 Section 4.2.2 and 5.1.
However, after reading OAuth 2 guidelines, I became angry at THEM instead. The parameter `expires_in` should be the "lifetime in seconds" after the response. This will always be innevitably inaccurate, since we are not taking into account the latency of the response. This is, however, not a huge problem, since the shortest token lifetimes are of an hour (like f** Microsoft Active Directory, who my cron jobs have to check every ten minutes for new access tokens). Many workflows (like Microsoft, Square, and Python's oauthlib) have opted to add the `expires_at` parameter to be more precise, which marks the time in UTC. However, there's no convention about this. oauthlib and Microsoft send the time in Unix seconds, but Square does this in ISO 8601. At this point, ISO 8601 is less ambigious. Sending a raw integer seems ambiguous. For example, JavaScript interprets integer time as Unix _milliseconds_, but Python's time library interprets it as _seconds_. It's just a matter of convention, a convention that is not there yet.
Hope this all gets solved in OAuth 2.1 pleeeaasseee
1 -
Good morning to everyone, except that one Twitter dev who one day woke up and was like "YOU KNOW WHAT, MY APPLICATION WILL FEATURE BOTH OAUTH1 AND OAUTH2 ENDPOINTS, BUT SOME FEATURES WILL BE EXCLUSIVE TO EITHER OF THE TWO -NOT NECESSARILY THE MOST RECENT, JUST A RANDOM ONE-, AND ALSO THE OFFICIAL TWITTER LIBRARY WON'T COVER ALL THE ENDPOINTS SO PEOPLE WILL HAVE TO RESORT TO RAW HTTP REQUESTS INSTEAD OF USING MY SDK AND ALSO I'MMA MAKE DEVELOPERS FILL 2 VERY DETAILED FORMS, REQUIRING PERSONAL DATA AND ACTUAL REAL PHONE CALLS, JUST TO START DEVELOPMENT WITH 7 DIFFERENT AUTHENTICATION TOKENS, BECAUSE SOME REQUESTS WILL REQUIRE A DIFFERENT AUTHENTICATION METHOD THAN THE OTHER REQUESTS DESPITE ALL OF THEM PERTAINING TO THE SAME FUCKING ENTITY"
3 -
Why are these SAMPLES NOT WORKING!?
It's supposed to just be reading and writing OAuth2 tokens from session.
I'm THIS CLOSE |__| to getting things working and I had to leave work. The fucking worst.
On the bright side, I think I finally understand how OAuth2 works. I need to write an article that actually explains it properly because I've had to read dozens to get a good grasp on it.2 -
Hello everyone! 👋
Work on Chaaat is going rapid so far. We got our own js.org domain – https://chaaat.js.org
We now need a designer help! All we need is to create a simple SVG icon we just can’t draw ourselves.
We are always open for contributors! If you’re intern or junior developer and you want a real world experience with NodeJS/Express, REST API, OAuth2, MongoDB and React/Redux stack with detailed code reviews from senior developer, we’re open for your contributions. No experience required.
Cheers!11 -
User: If we use Oauth2, can we audit exactly where this data is going and who sends it there, and in addition cam we audit who grabs that data from the Authenticating app and make sure it doesn't violate our requirements?
Me: No
User: Why not?
Me: Because thats like asking us to audit whether or not a user accessed files and then uploaded them to their personal drive instead of corporate. We don't mandate that application owners take responsibility for their data outside of their application, why would we require that in this case???
User: Uhhhhh
FFS the lack of understanding of application accounts here boggles my mind. I understand that the security concerns are real but throwing out all permissible contexts based on a mandate that we dont even apply to extremely permissive accounts (i.e. users compared to apps) is folly1 -
i wrote a website, a server in go, a small os in c, a game in js, a game and server and web scraper and other desktop apps in java, mobile apps with flutter, a website with php also, implemented aes in go, wrote a parser in java. done sysadmin stuff on my vps and pihole/openvpn/nextcloud on my rpi. learn about c vulnerabilities and used metasploit. attempted to write an interpreted language. did some led displays with arduino. currently learning tensorflow.
i have never...
- written a driver
- made a game with a game engine
- created a file encoding
- implemented an oauth2 server
- made an api
- worked with vr
what am i missing? i want to be a very well rounded dev.13 -
I really wanna get into making Reddit bots but man, OAauth2 is really turning my head into a pretzel :(
anyone know a good tutorial?4 -
Part 1: https://devrant.com/rants/4298172/...
So we get this guy in a meeting and he is now saying "we can't have application accounts because that violates our standard of knowing who accessed what data - the application account anonamizes the user behind the app account data transaction and authorization"
And so i remind him that since it's an application account, no one is going to see the data in transit (for reference this account is for CI/CD), so the identity that accessed that data really is only the app account and no one else.
This man has the audacity to come back with "oh well then thats fine, i cant think of a bunch of other app account ideas where the data is then shown to non-approved individuals"
We have controls in place to make sure this doesnt happen, and his grand example that he illustrates is "Well what if someone created an app account to pull github repo data and then display that in a web interface to unauthorized users"
...
M******* why wouldnt you JUST USE GITHUB??? WHO WOULD BUILD A SEPARATE APPLICATION FOR THAT???
I swear I have sunk more time into this than it would have costed me to mop up from a whole data breach. I know there are situations where you could potentially expose data to the wrong users, but that's the same issue with User Accounts (see my first rant with the GDrive example). In addition, the proposed alternative is "just dont use CI/CD"!!!
I'm getting pretty pissed off at this whole "My compliance is worth more than real security" bullshit. -
Wanna know about hacks? I'll tell you. There is a peace of software called SugarCRM. It has OAuth2 provider implementation. I was assigned to write OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on standard Authentication header. They use custom.
* Hack on "scope". They send null which is standard violation. So it is replaced to empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store user's credentials in memory to be able to reauthenticate user transparently.2 -
Introducing the cheat.sh discord bot!
Brought to you by @TheMiper and myself, this guy delivers the latest and greatest cheat sheets from @chubin's cheat.sh straight to your discord server.
We've been messing around with it for a while now, so we think it's time to share it with the world.
We're hosting the bot on heroku, so feel free to try it out, find bugs, give feedback, contribute etc.
We also need an avatar.
Invite link: https://discordapp.com/api/oauth2/...
repo: https://github.com/PaperBag42/...
Enjoy!6 -
Fuck oauth2. Is it a framework or a specification? It fails at both. If it's a framework I want implementations that I can use. If it's a spec I want clear documentation with examples. Fails at both.6
-
Trying to use a coworker's new API endpoint and I keep getting an "OAuth2 Bearer Token missing" error, despite triple-checking that I set the Authorization header correctly... finally dig into the source code and I find out that all their endpoints require that the bearer token be put into the request body. The fuck?6
-
Dude GoogleAuth is pure nonsense magic. On one line you get your auth-instance from gapi.auth2.init..
But then you render the auth-button with a static method aka gapi.signin2.render (which has some kind of success and error handlers, but don't worry, they fire randomly, they won't help you debug this api mess)
SOME-FUCKING-HOW this static signin2.rendershit knows of your auth2 instance and it works. But actually it makes no sense and is just a big mess of api-calls. Google, get your shit together, this ain't pretty.
Oh and forget your informative console.log.. this shit will get erased everytime you try something because of "Navigated to https://accounts.google.com/o/...". why ever the fuck this clears the console even tho it doesn't affect the top window. So preserve that fucking log and drown in a mass of bullshit.
In the end, as it is with everything, it somehow works. But FFS that's some weird api design Google has going on..4 -
Urgh.. the amount of things you have to know as a developer.. it can get stressful and frustrating sometimes when (in-depth) technology knowledge is demanded from you (for instance, for a job position)..
It's like being a doctor, being a lifelong student.
A few examples of what I had to know during my career:
Java, .NET, Python, PHP, JavaScript/HTML5/CSS3, Sass/Less, Node.js, ReactJS, AngularJS, Vue.js, Cordova, Ionic, Android, design patterns, SOLID, databases (design, implementation, administration, both NoSQL and relational,..), deployment tools (Octopus, Jenkins,..), VCS, CI/CD, HTTP, networking, security (OAuth2, CORS, XSS, CSRF,..), algebra, algorithms, software testing, profiling, Linux, Unix, Windows, MS Office (advanced mail filtering,..), ITIL, IT Law (licensing and its implications when choosing a product, distribution right,..), server architecture,..
Sure yeah, I know, I've studied all that at university but.. it's been too long (almost a decade now). I have to revisit that knowledge.5 -
#OAuth logic: Lets make OAuth1.0 simpler for clients.. TADA.. OAuth2.0.. OAuth1.0 looks simpler now??!!
-
Why can't I wrap my head around laravel enough to build an authentication system I've built before 😖😡😠
External Login Service and my app would be an OAuth2 client receiving an id token...and no there isn't a third party integration for this login service5 -
Back again to the horrow show.
We start with the integration. It’s a new project, let’s see how it works. First step: authentication. From the documentation it claims to be an oAuth2. Wait..why just 2 steps to authenticate?! Nevermind, we’ll contact them later. Let’s go on for now.
They need a timestamp with microseconds precision. Here you are!
Nope. Come on! Take the damned timestamp! Nope. Let’s take a look at theirs. If it’s with milliseconds precision, WHY 7 digits after comma?!!!! We decided to contact them. And then.........their answer: we don’t know of any exact number of digits to represent milliseconds.
I see...so it’s arbitrary!!! What are you going to tell us next? One hour can be 3.14159265 minutes then?!!2 -
So I am redeveloping a website I made for work when I first started all this a year and a half ago. Part of the project was integrating with a marketing automation suite through an OAuth2 authenticated API - compounded by the fact that no one has heard of the thing, so there aren't plugins (wordpress last time, Drupal this time) or the ones that are there are woefully out of date/have no functionality.
Anyway, I've been dreading doing it. Last time it took me over a week (maybe two), and the solution was a total cludge fest - I had to do a load of stuff manually and it constantly broke anyway.
This time? Took me half a day, maybe less. All the user has to do is click a button and give the webpage permission in the automation suite (as you'd expect) and everything else is automated. It doesn't break, it doesn't fall over and it works very nicely.
It's the first time, apples to apples, I can see how far I have come, and I love it.
Now if only the API itself i am connecting to wasn't shite!2 -
Doing the Full Stack Nanodegree from Udacity
Using Google's oAuth Sign in in my Flask App, I realized that no matter what browser I use, I was unable to logout, Google always threw an error my way. I figured something must be wrong with my code..
Searched on Google, couldn't find anything relevant, gave up on first 4 results(not pages, yeah I'm that lazy!)
Spent 3 hours Debugging at different points, removing all the abstraction I've put in using various libraries (Bad move)
Finally it dawned on to me to check Udacity forum as well. It's a frickin cache/cookie thing. Tried the app in an incognito window, worked like a charm. Reverted code back with all the libraries, worked like a charm again!
FUCK YOU GOOGLE! In your attempts to track users, you're even making our work difficult!
(in hindsight, I should probably be better at asking/looking for help)1 -
Was working on OAuth2 in unity (first time oauth attempt)
Could not get my token for like a month... Then a friend was line per lining my code, ; =\= :
It worked after that :'(2 -
Anyone here implemented an oauth2 server in python?
I've been researching it for a fair bit, and it just seems like a giant swamp that I'd rather stay away from (ex: https://hueniverse.com/oauth-2-0-an...)
It also feels needlessly work intensive and (at least on the server side), underdocumented.
I'll probably be making my own custom solution.
Thoughts? -
I've been planning a startup project for months now. Then, what was a supposedly simple quest of finding out whether session-based or token-based authentication is better, has become a question of whether I should setup my own OpenID Connect (IODC) auth server or stick to simpler methods.
I've already spent almost a week learning OAuth2 and OIDC, and I can't tell whether this route is an overkill for my usecase. (Or that I just don't want to admit I'm falling into the shiny tech trap.)
How about you guys, how would you approach authentication? JWT/JWE? Sessions?6 -
Hey guys, perhaps some of you might be able to help me out.
My current task in my job is to implement an OAuth2 client in Android. I know there are a lot of out-of-the-box solutions for like Twitter, Facebook, Google etc. but I need to make it work with a generic OAuth2 server.
So I tried several frameworks for Android like AppAuth, Scribejava, etc. and most of them are buggy/outdated or aren't working with the Android version I have to use (API 24, Nougat).
I already asked for help in the android-dev IRC channel, but to no avail. Also looked up dozens of repositories on Github.
I'm rather desperate right now, because I'm running out of time :(
Any help/pointers are appreciated!
Thanks!1 -
Yo guys...i know it's been a long time since i made a rant or something like that.....but i was working on my discord bot......i am giving the link below....if u guys want to help me verify it then please invite it to your server.....thanks(advance ;))
https://discord.com/api/oauth2/... -
!rant
I'm currently working on a little side project in Go and I want to create a web page with an OAuth2 based login. So far the OAuth2 login works, but I need something to track a session afterwards.
Any suggestions? I'm pretty new to web development, especially in Go :)1 -
I've got this... thing. I built it when I first started with PHP. It's an OAuth2 system to pull form data from a service into a plugin, to make the rest of marketing's lives easier. It requires manually taking the initial received token and putting it into a database when doing the first auth. Occasionally it breaks and I have to try and remember the steps to get a replacement token to start the cycle over.
Someday I'll fix it, but for now... Let's fuck about with my browser for a few minutes to get the new token. -
I don't get keycloak. Anyone who has experience with it, please help.
We have what I would think is a common setup: a kubernetes cluster with a Spring boot api-gateway and keycloak as oauth2-provider.
The api-gateway needs an issuer-uri to keycloak for endpoint discovery, i.e. to configure a bunch of endpoints to keykloak for different purposes.
The two main purposes are: 1. to redirect the user to keycloak (must be an url reachable from outside the cluster, i.e. ingress) 2. to authenticate tokens directly with keycloak from within the cluster.
Keycloak can be configured to set some of these discovery endpoints to different values. Specifically it makes a separation between backfacing (system calls in cluster) and frontfacing (user call from browser) urls All seems good.
However, when using this setup, each time spring security authenticates a token against keycloak it says the "issuer" is invalid. This is because the issuer is the host on which the token was generated. This host was the one in the url which the user was redirected to i.e. the ingress.
It feels like there is no way around this except running keycloak outside the Kubernetes cluster, but surely there must be a way to run keycloak in the same cluster. What else is the purpose of keycloak having the concept of back- and frontfacing urls?1 -
I think I am too stupid for OAuth2. How do I handle this scenario: User deletes his account at the OAuth Provider. Lets say my own, Google, Microsoft, whaever. How do I handle data associated with the user then? I have some data which can be deleted then as it is not needed anymore.
Or is this not possible by design? If yes, this a perfect example on how to waste resources...8
Top Tags
Weekly Rant
View