4

Is browser redirection necessary to get autorization and access token ? Is there a way how to get autorization programatically ? I am a bit suprised i found this in the OAuth2 google documentation :

https://developers.google.com/accounts/docs/OAuth2#scenarios > Chapter Installed Application

sequence begins by redirecting a browser (either a browser embedded in the application or the system browser) to a Google URL with a set of query parameters that indicate the type of Google API access the application requires...

We run small java utility app which contains username and password in config file to our google account. i would expect there will be way to get autorization and access token without any browser interaction (it`s a bit hard to do when we run it as a cron job on virtual server)...

Yusubov
  • 5,815
  • 9
  • 32
  • 69
Martin V.
  • 3,560
  • 6
  • 31
  • 47
  • Under no circumstance should you store a username and password in a config file. That is leaking credentials. For a cron job you may want to consider [client_credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/) grant flow, which will trust your cron job as a known trusted, confidential client and will never prompt for passwords. – jrh Dec 13 '21 at 13:39

1 Answers1

1

It's about trusted path between credentials holder (user), and authentication entity (it can by google app's server, or openID or facebook...). Someone who uses OAuth, provides his credentials to server he trusts, and in turn this server not revealing any secret data about him, provides identity assurance for your app.

So you have to provide trusted path to Oauth porvider. This can be done by opening a simple http server within your app, and opening user browser pointing to it, and then authentication would be done using, browser, and after auth is finished your server would recvive OAuth response and your app could authenticate user.

That's the idea, I would not input my "global" credentials to some app, and trust it that it will not, copy and use them later on. You've registered within specific OAuth provider and only he should know, and recive your credentials.

damiankolasa
  • 1,508
  • 9
  • 8
  • How do popular android apps authenticate with their backends without going through a browser? Aren't they being less secure? – 11m0 Oct 24 '19 at 02:08