Search - "oauth2"
Just reached 100+!!
Anyhow. I started coding pretty much 365 days ago. My mate decided to launch his company and figured it was a good idea to start it with good friends who knew fuck all at coding.
Fyi, the dude can code 15 hours straight everyday for about a year (no shit, that's what I saw).
He also taught me webpack and rollup. JSON schema forms, http requests, redux, redux logic, and all the routing shit... he obliged me to implement RR4 on release and is now making me overlook the merge requests of my other colleague (yes, he made me a git pro, almost).
And now I have to work long distance by studying Java, Spring, OAuth2 and start working on our API.
Oh yeah, and I went from Microsoft to full-on Linux!!!
To be honest i thought i was gonna die this year. (Also have a kid on the way :)).
Devrant has been like going to the psychologist :) every time shit hit the fan I realized everyone has the same problems :)
Thanks to the community i can also now even give out nerd jokes :)
Just solved a bug I was trying to solve for hours.
Oh, the pleasure of closing 12 tabs at once without wanting to recover them for the next session.
Gonna have a good night's sleep.
Marketing coworker: We MUST integrate with XYZ
Me: sure, they have a REST API and OAuth2. What part of our system do you want to integrate with XYZ?
coworker: Emmm... I don't know. Everything
Me: ...okay. What does XYZ even do?
coworker: Emmm... our customers use it, so we have to integrate with them.
Me: fine. I'm reading that XYZ has function ABC and PQR. Which one do our customers use?
coworker: ABC, definitely ABC
coworker: Our customers say nothing is working!
*looks into the problem*
Me: That's because they're using PQR and not ABC.
This kind of research is NOT my job, it's YOURS
Seriously all examples I found use library that use library that use library to just build url encoded parameters like this
Took me 5 hours of digging through a couple of github repos with implementations to see that shit at the end.
Seriously people !!!
Start thinking before you write single line.
I don’t want to download 10 dependencies and 100MB+ just to send 2 requests with url encoded parameters.
It’s in every - literally every language.
I know you're stupid but please just try to understand how things work instead of copy-pasting another stackoverflow and medium snippet.
That moment when you work the whole day to write a discord bot from scratch. No discord.py and other wrappers. Pure websockets, oauth2, https, json loads here and there. Understanding how the discord API works was a real challenge, but I did it :).
Most of my time was spent on discord's gateway connection and identification system.
The bot can renew its token, get all the guilds it is part of, all the channels and users of these guilds, send message and communicate with the gateway.
Tomorrow I will start connecting it to a voice channel and let it "speak". Thinking of combining text-to-speech with it, but I am not sure how well they are going to harmonize together.
fuck it, i'm going to write a personal oauth2 service
pretty soon on websites you'll see a sign in with google button, and sign in with github button, and a sign in with danny button
FYI. Copied from my FB stalked list.
Web developer roadmap 2018
Common: Git, HTTP, SSH, Data structures & Algorithms, Encoding
Back-end: PHP, Composer, Laravel > Nginx, REST, JWT, OAuth2, Docker > MariaDB, MemCached, Redis > Design Patterns, PSRs
DevOps: Linux, AWS, Travis-CI, Puppet/Chef, New Relic > Docker, Kubernetes > Apache, Nginx > CLI, Vim > Proxy, Firewall, LoadBalancer
The Instagram API sucks a Lot.
Why the fuck do I have to log in with my account using OAuth2 to get posts of a PUBLIC account? Is it so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?
Fucking piece of shit
I've been using the Square REST API and I spent one hour thinking there was something wrong in my code until I f** found that THEY were not following OAuth 2 guidelines, which made their workflow incompatible with the OAuth lib I was using, so I had to mark an exception for Square's OAuth from the rest of my OAuths. Specifically, RFC 6749 Section 4.2.2 and 5.1.
Hope this all gets solved in OAuth 2.1 pleeeaasseee
Why are these SAMPLES NOT WORKING!?
It's supposed to just be reading and writing OAuth2 tokens from session.
I'm THIS CLOSE |__| to getting things working and I had to leave work. The fucking worst.
On the bright side, I think I finally understand how OAuth2 works. I need to write an article that actually explains it properly because I've had to read dozens to get a good grasp on it.
Hello everyone! 👋
Work on Chaaat is going rapid so far. We got our own js.org domain – https://chaaat.js.org
We now need a designer's help! All we need is to create a simple SVG icon we just can't draw ourselves.
We are always open for contributors! If you're an intern or junior developer and you want real-world experience with the NodeJS/Express, REST API, OAuth2, MongoDB and React/Redux stack with detailed code reviews from a senior developer, we're open for your contributions. No experience required.
Part 1: https://devrant.com/rants/4298172/...
So we get this guy in a meeting and he is now saying "we can't have application accounts because that violates our standard of knowing who accessed what data - the application account anonymizes the user behind the app account data transaction and authorization"
And so I remind him that since it's an application account, no one is going to see the data in transit (for reference this account is for CI/CD), so the identity that accessed that data really is only the app account and no one else.
This man has the audacity to come back with "oh well then that's fine, I can think of a bunch of other app account ideas where the data is then shown to non-approved individuals"
We have controls in place to make sure this doesn't happen, and his grand example that he illustrates is "Well what if someone created an app account to pull github repo data and then display that in a web interface to unauthorized users"
M******* why wouldn't you JUST USE GITHUB??? WHO WOULD BUILD A SEPARATE APPLICATION FOR THAT???
I swear I have sunk more time into this than it would have cost me to mop up from a whole data breach. I know there are situations where you could potentially expose data to the wrong users, but that's the same issue with User Accounts (see my first rant with the GDrive example). In addition, the proposed alternative is "just don't use CI/CD"!!!
I'm getting pretty pissed off at this whole "My compliance is worth more than real security" bullshit.
i wrote a website, a server in go, a small os in c, a game in js, a game and server and web scraper and other desktop apps in java, mobile apps with flutter, a website with php also, implemented aes in go, wrote a parser in java. done sysadmin stuff on my vps and pihole/openvpn/nextcloud on my rpi. learned about c vulnerabilities and used metasploit. attempted to write an interpreted language. did some led displays with arduino. currently learning tensorflow.
i have never...
- written a driver
- made a game with a game engine
- created a file encoding
- implemented an oauth2 server
- made an api
- worked with vr
what am i missing? i want to be a very well rounded dev.
User: If we use OAuth2, can we audit exactly where this data is going and who sends it there, and in addition can we audit who grabs that data from the authenticating app and make sure it doesn't violate our requirements?
User: Why not?
Me: Because that's like asking us to audit whether or not a user accessed files and then uploaded them to their personal drive instead of corporate. We don't mandate that application owners take responsibility for their data outside of their application, why would we require that in this case???
FFS the lack of understanding of application accounts here boggles my mind. I understand that the security concerns are real but throwing out all permissible contexts based on a mandate that we don't even apply to extremely permissive accounts (i.e. users compared to apps) is folly
Wanna know about hacks? I'll tell you. There is a piece of software called SugarCRM. It has an OAuth2 provider implementation. I was assigned to write an OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on the standard Authentication header. They use a custom one.
* Hack on "scope". They send null, which is a standard violation. So it is replaced with an empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store the user's credentials in memory to be able to reauthenticate the user transparently.
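The null-scope workaround in the list above, and the RFC 6749 sections cited in the Square rant earlier on this page, both come down to checking the token response against section 5.1 before trusting it. The following is an added example (not code from any poster, from SugarCRM or from Square): a Python validator that rejects non-compliant responses in strict mode and, only when explicitly allowed, tolerates a JSON null scope while recording the deviation. The sample response bodies are constructed.

```python
import json


class TokenResponseError(ValueError):
    """The response does not satisfy RFC 6749 section 5.1 (or is a 5.2 error)."""


def parse_token_response(body: str, strict: bool = True) -> dict:
    """Validate a JSON access-token response; strict=False tolerates a null scope."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenResponseError(f"token response is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("token response must be a JSON object")
    if "error" in data:  # section 5.2 error body; never treat it as a token
        raise TokenResponseError(f"server returned error {data['error']!r}")
    for field in ("access_token", "token_type"):  # mandatory per section 5.1
        if not isinstance(data.get(field), str) or not data[field]:
            raise TokenResponseError(f"missing or invalid required field {field!r}")

    result = {
        "access_token": data["access_token"],
        "token_type": data["token_type"].lower(),  # case-insensitive per 5.1
        "refresh_token": data.get("refresh_token"),
        "expires_in": None,
        "scope": None,
        "deviations": [],
    }
    expires_in = data.get("expires_in")
    if expires_in is not None:  # recommended; a lifetime in seconds when present
        if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in < 0:
            raise TokenResponseError("expires_in must be a non-negative integer")
        result["expires_in"] = expires_in

    scope = data.get("scope")
    if isinstance(scope, str):
        result["scope"] = scope.split()  # space-delimited list of granted scopes
    elif "scope" in data:  # present but not a string: JSON null or wrong type
        if strict or scope is not None:
            raise TokenResponseError("scope must be a space-delimited string")
        result["deviations"].append("scope sent as null; treated as omitted")
    # An absent scope means: identical to the scope the client requested.
    return result


def token_response_problem(body: str, strict: bool = True):
    """Return None if the response is acceptable, else the reason it was rejected."""
    try:
        parse_token_response(body, strict)
    except TokenResponseError as exc:
        return str(exc)
    return None


# Constructed sample responses (not captured from any real provider).
GOOD = '{"access_token": "tok-constructed-123", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "rt-constructed-456", "scope": "read write"}'
NULL_SCOPE = '{"access_token": "tok-constructed-123", "token_type": "bearer", "scope": null}'
```

Running `parse_token_response(NULL_SCOPE, strict=False)` logs the deviation instead of silently rewriting the body, so the non-compliant provider stays visible in the client's own records.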
I really wanna get into making Reddit bots but man, OAuth2 is really turning my head into a pretzel :(
anyone know a good tutorial?
Introducing the cheat.sh discord bot!
Brought to you by @TheMiper and myself, this guy delivers the latest and greatest cheat sheets from @chubin's cheat.sh straight to your discord server.
We've been messing around with it for a while now, so we think it's time to share it with the world.
We're hosting the bot on heroku, so feel free to try it out, find bugs, give feedback, contribute etc.
We also need an avatar.
Invite link: https://discordapp.com/api/oauth2/...
Dude GoogleAuth is pure nonsense magic. On one line you get your auth-instance from gapi.auth2.init..
But then you render the auth-button with a static method aka gapi.signin2.render (which has some kind of success and error handlers, but don't worry, they fire randomly, they won't help you debug this api mess)
SOME-FUCKING-HOW this static signin2.rendershit knows of your auth2 instance and it works. But actually it makes no sense and is just a big mess of api-calls. Google, get your shit together, this ain't pretty.
Oh and forget your informative console.log.. this shit will get erased every time you try something because of "Navigated to https://accounts.google.com/o/...". why ever the fuck this clears the console even tho it doesn't affect the top window. So preserve that fucking log and drown in a mass of bullshit.
In the end, as it is with everything, it somehow works. But FFS that's some weird api design Google has going on..
Trying to use a coworker's new API endpoint and I keep getting an "OAuth2 Bearer Token missing" error, despite triple-checking that I set the Authorization header correctly... finally dig into the source code and I find out that all their endpoints require that the bearer token be put into the request body. The fuck?
Fuck oauth2. Is it a framework or a specification? It fails at both. If it's a framework I want implementations that I can use. If it's a spec I want clear documentation with examples. Fails at both.
#OAuth logic: Lets make OAuth1.0 simpler for clients.. TADA.. OAuth2.0.. OAuth1.0 looks simpler now??!!
To be a Java (or other business popular language) developer
* Java 6, 8 and features up to 14
* SQL + nosql
* Logging eg log4j2,
* Searching eg elastic stack
* Framework (at least 1, but hey, knowing 1 is lame..)
* Networking or at least base http knowledge
* Tomcat, jboss or other shit
* Aws, heroku, GCE or other SAAS/paas
* Rest, RPC, soap
* Business Hello World example
* Hexagonal Architecture
* 12 factor app
* Security, oauth2
* Eureka or consul as service Discovery
* Config server
* Hazelcast
* Endless story ...
Then we can start the hello world app
Back again to the horror show.
We start with the integration. It's a new project, let's see how it works. First step: authentication. From the documentation it claims to be OAuth2. Wait.. why just 2 steps to authenticate?! Nevermind, we'll contact them later. Let's go on for now.
They need a timestamp with microseconds precision. Here you are!
Nope. Come on! Take the damned timestamp! Nope. Let's take a look at theirs. If it's with milliseconds precision, WHY 7 digits after the comma?!!!! We decided to contact them. And then......... their answer: we don't know of any exact number of digits to represent milliseconds.
I see... so it's arbitrary!!! What are you going to tell us next? One hour can be 3.14159265 minutes then?!!
Why can't I wrap my head around laravel enough to build an authentication system I've built before 😖😡😠
External Login Service and my app would be an OAuth2 client receiving an id token... and no there isn't a third party integration for this login service
Doing the Full Stack Nanodegree from Udacity
Using Google's OAuth sign-in in my Flask app, I realized that no matter what browser I used, I was unable to log out, Google always threw an error my way. I figured something must be wrong with my code..
Searched on Google, couldn't find anything relevant, gave up on the first 4 results (not pages, yeah I'm that lazy!)
Spent 3 hours debugging at different points, removing all the abstraction I'd put in using various libraries (bad move)
Finally it dawned on me to check the Udacity forum as well. It's a frickin cache/cookie thing. Tried the app in an incognito window, worked like a charm. Reverted code back with all the libraries, worked like a charm again!
FUCK YOU GOOGLE! In your attempts to track users, you're even making our work difficult!
(in hindsight, I should probably be better at asking/looking for help)
So I am redeveloping a website I made for work when I first started all this a year and a half ago. Part of the project was integrating with a marketing automation suite through an OAuth2 authenticated API - compounded by the fact that no one has heard of the thing, so there aren't plugins (wordpress last time, Drupal this time) or the ones that are there are woefully out of date/have no functionality.
Anyway, I've been dreading doing it. Last time it took me over a week (maybe two), and the solution was a total kludge fest - I had to do a load of stuff manually and it constantly broke anyway.
This time? Took me half a day, maybe less. All the user has to do is click a button and give the webpage permission in the automation suite (as you'd expect) and everything else is automated. It doesn't break, it doesn't fall over and it works very nicely.
It's the first time, apples to apples, I can see how far I have come, and I love it.
Now if only the API itself I am connecting to wasn't shite!
Anyone here implemented an oauth2 server in python?
I've been researching it for a fair bit, and it just seems like a giant swamp that I'd rather stay away from (ex: https://hueniverse.com/oauth-2-0-an...)
It also feels needlessly work intensive and (at least on the server side), underdocumented.
I'll probably be making my own custom solution.
Was working on OAuth2 in Unity (first time OAuth attempt)
Could not get my token for like a month... Then a friend was going line by line through my code, ; =\= :
It worked after that :'(
I've been planning a startup project for months now. Then, what was supposedly a simple quest of finding out whether session-based or token-based authentication is better, has become a question of whether I should set up my own OpenID Connect (OIDC) auth server or stick to simpler methods.
I've already spent almost a week learning OAuth2 and OIDC, and I can't tell whether this route is overkill for my use case. (Or that I just don't want to admit I'm falling into the shiny tech trap.)
How about you guys, how would you approach authentication? JWT/JWE? Sessions?
Hey guys, perhaps some of you might be able to help me out.
My current task in my job is to implement an OAuth2 client in Android. I know there are a lot of out-of-the-box solutions for like Twitter, Facebook, Google etc. but I need to make it work with a generic OAuth2 server.
So I tried several frameworks for Android like AppAuth, Scribejava, etc. and most of them are buggy/outdated or aren't working with the Android version I have to use (API 24, Nougat).
I already asked for help in the android-dev IRC channel, but to no avail. Also looked up dozens of repositories on Github.
I'm rather desperate right now, because I'm running out of time :(
Any help/pointers are appreciated!
Yo guys... I know it's been a long time since I made a rant or something like that..... but I was working on my discord bot...... I am giving the link below.... if you guys want to help me verify it then please invite it to your server..... thanks (in advance ;))
I'm currently working on a little side project in Go and I want to create a web page with an OAuth2 based login. So far the OAuth2 login works, but I need something to track a session afterwards.
Any suggestions? I'm pretty new to web development, especially in Go :)
I've got this... thing. I built it when I first started with PHP. It's an OAuth2 system to pull form data from a service into a plugin, to make the rest of marketing's lives easier. It requires manually taking the initial received token and putting it into a database when doing the first auth. Occasionally it breaks and I have to try and remember the steps to get a replacement token to start the cycle over.
Someday I'll fix it, but for now... Let's fuck about with my browser for a few minutes to get the new token.
I think I am too stupid for OAuth2. How do I handle this scenario: User deletes his account at the OAuth provider. Let's say my own, Google, Microsoft, whatever. How do I handle data associated with the user then? I have some data which can be deleted then as it is not needed anymore.
Or is this not possible by design? If yes, this is a perfect example of how to waste resources...