Is oauth.js available as an Angular Factory, directive, etc?
It needs to be.

Hello,
I would like to show a spinner when a user attempts logging in, and hide it when they cancel by closing the provider's popup window. Is there an event that triggers when the popup is closed?

has anyone tried adding website to homescreen on android (chrome) and ios and than trying to login with facebook through this plugin? It fails while executing this function OAuth.popup

Is there an example of how to make a request using an oauth 1 provider, say, with twitter?

If I understand correctly, I need to sign each request with the consumer secret which I can't expose to the browser, so it looks like I still need to build a server side app. It seems oauth.io doesn't solve this problem, or am I missing something?

oauth.min.js works, but oauth.js seems broken?

I 'm trying to get access_token by code in php script:

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://oauth.io/auth/access_token');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HEADER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, ['Content-type: application/json']);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, "code=$code&key=$public_key&secret=$secret_key");
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($curl); // << always is empty
curl_close($curl);

Maybe I misunderstood the documentation...

When using "for...in" loops with Javascript libraries which extends the Array.prototype, prototype properties are passed as keys and breaks Oauth.js.

For example:

On line 765...

for (k in extended_methods) {
    v = extended_methods[k];
    name_array = v.name.split('.');
    ...
}

and line 456...

for (k in client_states) {
    v = client_states[k];
    client_states[k] = v.replace(/\s+/g, "");
}

In these cases "v" is sometimes an extended Array.prototype property.

See explanation/solution:
http://stackoverflow.com/a/500531

Found while using oauth-js with ember-js.

using Oauth in a chrome extension requires executing it from the background page

in a background page, these lines do not work: https://github.com/oauth-io/oauth-js/blob/master/coffee/lib/oauth.coffee#L167-L174

if I could override the calculated wnd_settings via opts.wnd_settings (or whatever you think a good name for it would be), it would allow me to do the calculation elsewhere and pass along the correct values to OAuth.popup

I got it working by adding a few simple lines (between line 174 and 175)

if opts.wnd_settings
  wnd_settings = opts.wnd_settings
  delete opts.wnd_settings

If you'd like a pull request, I'd be happy to send one.

Thanks

I see that there is an option cache.expires_in that appears to accepted from the oauth callback. Is there a way to set that on the client side? Or is this something that the provider must pass back along with the callback?

result.post('/1.1/statuses/update.json', {
      data: {
        status: '!'
      }
    }).done(function(json){
    });

This code results "Could not authenticate you" error (code=32)
It's probably because Twitter API 1.1 requires escaping characters :! ( ) ' *

So I replaced encodeURIComponent() with fixedEncodeURIComponent() in oauth.js

function fixedfixedEncodeURIComponent (str) {
  return fixedEncodeURIComponent(str).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
}

But the result is same. Is this server-side problem?

Hello guys, have a problem with popup auth and IE

OAuth.popup('facebook', function(err, res) {
   .... <<  seems that it never comes here with IE10, IE9
}

'on-message' event not fired, no errors, no warnings etc.

Setup:

• auth server: oauth.io
• provider: Facebook
• response type: server-side (code)
• auth method: popup

Authentication leads to js error:

TypeError: request is undefined
oauth.js:116
 if (request.required)

Example:
http://jsfiddle.net/kj84e/2/
Just try to login via Facebook

Hi !

Thanks for oauth-js ! It is very convenient 👍

However, I see this in my call stacks:
/Users/antoine/projects/oauth-js/node_modules/browserify/node_modules/insert-module-globals/node_modules/process/browser.js. A bit weird, isn't it ?

Signin in with Facebook on the demo app at http://oauth-io.github.io/oauth-js/ returns this error:

This app is in sandbox mode. Edit the app configuration at
http://developers.facebook.com/apps to make the app publicly visible.

Is it possible to log the user out of Facebook using the access_token returned from oauth-js?

oauth-js/dist contains both an expanded and a minified version of the js source. When minifying the expanded version with other unrelated packages, the lack of a semicolon prevents a comma break from being placed properly. if using the minified version - which contains the semicolon - all proceeds as expected.

The odd require statements found in oauth.js are breaking browserify, as it sees them as modules to include and they don't actually exist. Lines 66-74:

config = require('../config');

Url = require("../tools/url");

Location = require('../tools/location_operations');

cookies = require("../tools/cookies");

cache = require("../tools/cache");

the error in the non compressed oauth.js file

the line 5067 : throw new Error();

cause my application to crash when lunching debug mode.

Jobber solution

comment the following lines of code 5066 to 5070

try {
    throw new Error();
} catch (e) {
    hasStacks = !!e.stack;
}

Everything seems to work just fine, I can call facebook and get my token back.
Only tested this solution in Ripple emulator for now.

I am using

• visual studio 2013
• cordova project type
• ionic framework
• fresh oauth.io for browser
• I press F5 ( build and debug ) to lunch the app in the Ripple Emulator Nexus S

Scripts includes in index.html

<script src="scripts/ionic.bundle.js"></script>
<script src="scripts/oauth-browser.js"></script>
<script src="cordova.js"></script>
<script src="scripts/platformOverrides.js"></script>
<script src="scripts/index.js"></script>

When I open a Facebook oauth window FB gives me this message.

Is there a way of avoiding this without opening a giant window for the user?

Hey guys,

Sent you a contact message, but realized this may be a better place to mention this.

With the LinkedIn OAuth2 provider, API calls are rejected and return errors in IE9 only. Authorization via the popup still worked fine in IE9, but I seem to be unable to make any API calls. A complicated API get request like this failed:

result.get("/v1/people/~:(id,first-name,last-name,location,summary,specialties,positions,picture-url,public-profile-url,interests,skills,three-current-positions)?format=json")

Even the basic result.me() call failed too. Again, this worked fine in Chrome and even IE10. The error, whatever it is, appears to be limited to IE9.

And my apologies for the lack of an error description. IE9, as you guys probably now, is a pain in the ass to debug in. The error was generic though ("Your call was rejected", or something like that) and just triggered the fail callback.

Cheers,
Jamie

Hi,
I couldn't make OAuth to work with require, and then checked - it is adding OAuth and location_operations objects to global scope! and it's not possible to do something like

var OAuth = require('OAuth');

It would be cool if OAuth wouldn't polute global scope.

On url mismatch it should probably throw an more descriptive error instead of silently failing.

When using OAuth.popup() I get Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://oauth.io') does not match the recipient window's origin ('http://localhost:3000').

Browser info:

Google Chrome: 33.0.1750.152 (Official Build 256984) 
OS: Linux 
Blink: 537.36 (@169182)
JavaScript: V8 3.23.17.23

Appery.io is an online development framework for creating mobile apps. It's based on javascript/html. You can implement oauth.js by creating a server library and pasting in js code. There's a Test function that compiles the js code. The Test function reports the following error:

Script OAuth.io: ReferenceError: document is not defined ( @ 37 : 47 ) -> var results = /[#&]oauthio=([^&]*)/.exec(document.location.hash);

I'm a newbie. What is the issue? Is this an issue with Appery.io compiling standalone and not with a browser's context?

I've just found this bug while trying Oauth.io. The quickfix was simply to typecast the value with String() in the /dist JS code but you'll probably want to port it to your CoffeeScript source.

The issue is at https://github.com/oauth-io/oauth-js/blob/master/dist/oauth.js#L767

I fixed it locally changing it from:

client_states[k] = v.replace(/\s+/g, "");

to:

client_states[k] = String(v).replace(/\s+/g, "");

We go to great lengths to avoid using bloated libraries like jquery, because 99% of it's code ends up being delivered without being used, which is a huge waste.

Oauth.js currently requires that an entire jquery library be loaded, just to make a single ajax call.

Please remove jquery, as it is an unnecessary dependency.

I'm having a bit of trouble using OAuth.create with Twitter. When I call OAuth.create('twitter') when my tokens are cached, I'm able to use the result to make requests. However, when my tokens aren't cached, I grab the appropriate tokens from the server and call OAuth.create in the following way:

var twitterClient = OAuth.create('twitter', {oauth_token:twitterAuthData['oauth_token'],
oauth_token_secret:twitterAuthData['oauth_token_secret']}, true);

When I use the result to make a request, I get the following error:

ReferenceError: providers_api is not defined
at Object.http (http://localhost:9000/bower_components/oauth-js/dist/oauth.min.js:1:8869)
at Object.get (http://localhost:9000/bower_components/oauth-js/dist/oauth.min.js:1:10574)

Am I doing something wrong? Would appreciate any help... thanks!

Plzzz add ';' at the end of dist files, coz there is conflict with other libs:

...]},{},[8])

(function() {...

I am trying to make the following call to Paypal's REST API. I am getting HTTP Status code 415 in response. This happens when making the api call to the url '/v1/payments/payment'. It seems like the HTTP header is incorrectly sent? I am not entirely sure. I did not see any documentation that the result object allows setting HTTP headers. Please help. Thanks.

OAuth.initialize('myoauthiotoken');

OAuth.popup('paypal').done((function(_this) {
  return function(result) {
    console.log('result', result);
    return result.post({
      url: '/v1/payments/payment',
      data: {
        intent: 'sale',
        payer: {
          payment_method: 'paypal'
        },
        transactions: [
          {
            amount: {
              currency: 'USD',
              total: '5.69'
            }
          }
        ],
        redirect_urls: {
          return_url: 'https://oauth.io/auth',
          cancel_url: 'https://oauth.io/auth'
        }
      }
    }).done(function(response) {
      return console.log('payment response', response);
    });
  };
})(this));

I get a 500 server error when calling the .me() method with a result object obtained from Oauth.create. It works fine logging in directly with Oauth.popup.

Code:

result = OAuth.create('github', { access_token: 'TOKEN'});
result.me()
    .done(function(user) {
        console.log(user);
    })
    .fail(function(error) {
      console.error(error);
    });

The fail callback is triggered but error is undefined so there's not much I can do to diagnose the problem.

I´m trying to use oauth client to upload media to Twitter using 1.1 API but I´m receiving 404 if I use the result.post method:

r.post('/1.1/media/upload.json', {
      data: {
        media: imgBase64
      }
    })

I receive:

Failed to load resource: the server responded with a status of 404 (Not Found)
https://oauth.io/request/twitter/%2F1.1%2Fmedia%2Fupload.json

I know that media/upload.json uses diferent domain as endpoint:
upload.twitter.com

more details here: https://dev.twitter.com/rest/reference/post/media/upload

Seeing twitter avatar images returned with http, which throws a Chrome security warning in the console when using https. Twitter serves these images over https, just need to update the response to use it.

i'm testing this out in chrome and safari on an iphone but it's not working. in chrome the popup opens in another tab but once you authenticate it redirects to the following url and it doesn't load the users info. this works perfectly fine in chrome on a desktop. nothing happens when clicking login in safari.

https://andrew.easypparking.com/apps/mobile/oauth/test.php (only worry about the Get My Info ... buttons. the other ones don't do anything)

https://andrew.easypparking.com:6284/?state=bu__RValV6RLCOYV2i0kyhyh6tA&scope=openid+phone&code=hhossDe8oSlBvNjVLLspXuxlQNJxXewggkQqIhZryEv2exYUFs-gWpkDH5aqavEnuMoLyNl81qOZcAFn3VvLW6Svd5v4d-6Gz4VNSUCLIYrYidjK-UbTGagvgd5bjnTv489myYxzwmHsW5BFh6MYzSvY0KfFINv1j0UzdnP-PoeaNBP4

i can see in the log when it makes that request that it's talking to the redis server. it inserts all of the normal stuff that the desktop version does such as the access tokens. it makes the following log when i request that page: "hgetall" "st:bu__RValV6RLCOYV2i0kyhyh6tA"

also after about five minutes the same request returns the following:

Invalid format
state: invalid or expired

these are the last redis logs that happen with the desktop request but not the mobile request at the end after hgetall:

1407333812.111335 "hget" "a:keys" "lWulcF7hOR6M74ojZCKk5sle6RQ"
1407333812.111710 "get" "a:1:secret"
1407333812.112169 "del" "st:TrbK5FaRQkmyojEsqpUNU17cD-Y"
1407333812.122992 "hget" "a:keys" "lWulcF7hOR6M74ojZCKk5sle6RQ"
1407333812.123476 "hget" "a:keys" "lWulcF7hOR6M74ojZCKk5sle6RQ"
1407333812.123957 "smembers" "a:1:domains"
1407333812.124229 "mget" "a:1:k:twitter" "a:1:ktype:twitter"

Once i restart the server I get the first on or two attempts "Bad parameters format" as response from OAuth.popup()

The URL is the popup looks something like this:

https://oauth.io/auth?code=80a534965e81a5746e563ed57f4683e9&state=ZJYHVAvt%20DXFlsXcql2MDAEGj9Y

thx for help

I assume the method should be "isLogged()" not "isLoggued()"

Hi,
I got this error when I forgot to initialize the OAuth object and didn't specified a callback function
Uncaught TypeError: undefined is not a function: file :oauth.js:183

I thought this solution, but I do not know if it's the best:
viniciusdacal@a1a469f

When using pop up mode, the window displayed is blank.

In IE8 this is the error

It's been available for a while now

http://developer.linkedin.com/documents/authentication

I am trying to get access tokens for any Google based provider however whenever I authenticate I get an access_token but no refresh_token. I have chosen offline for the access_type but still no joy.

Am I being a moron? I have tried looking through the documentation for a solution but it barely covers anything related to the refresh token.

https://github.com/bower/bower.json-spec requests main property files to be non-minified. Please update bower.json to use dist/oauth.js instead of dist/oauth.min.js for the main property.

As a temporary work-around, for people who have grunt-wiredep, you can add an overrides object to your package's bower.json file. An example would be:

// bower.json
"overrides": {
  "oauth-js": {
    "main": ["dist/oauth.js"]
  }
}

I am using server side flow from the oath.io/documentation.
I am using angularjs
I do not have jQuery (but looks like your script loads it)
I refresh the sessionId cookie upon login
The call to success.get('/me') fails because get is undefined

OAuth.popup(provider, {'state': $scope.csrf}, function(err, success) {
  if (err) {
    console.error('Error from provider' + err);
    return;
  }

  console.log(success);

  //Success Code
  userFactory.verifyAuth(success.code).then(function(verified){
    console.log(verified);
    //if we succeeded load the content
    success.get('/me').done(function(data) {
      console.log(data);
    });
  }, function(error){
    console.error('Error verifying auth response' + error);
    return;
  })

get is undefined because sendCallback returns on line 141

    if ( ! request)
        return opts.callback(null, res);

Should i be doing this request on the server?
If so what should I be talking to and what headers/content should I be sending?

Hi,

oauthio is working fine in my app in production mode. after all the js files are concatted and minimized in to single file (DesktopInit.min.js). I get the following error:

Uncaught TypeError: undefined is not a function DesktopInit.min.js:1./lib/oauth DesktopInit.min.js:1i DesktopInit.min.js:1e DesktopInit.min.js:1(anonymous function) DesktopInit.min.js:1(anonymous function) DesktopInit.min.js:1(anonymous function) DesktopInit.min.js:1

Any ideas?

Hi - I think your app rocks, I'm playing around with it some and was trying to get authenticated with a dropbox app...

I followed the steps, threw together a dummy page on my localhost to test it out but after hitting the "allow" button it forward me to a success page and never redirects to my app url.

What am I doing wrong? I've tried both the pop up and redirect methods and see the same behavior both ways.. Anyone else experiencing this behavior?

Dummy code in my test page is (Using the popover method):

<!DOCTYPE html>
<html>
<head>
    <title>Testing!</title>
    <meta charset="utf-8" />
</head>
<body>
  <div>
    <input id="auth" type="button" value="Authenticate">
  </div>

    <script src="./assets/js/oauth.min.js" type="text/javascript" charset="utf-8"></script>
    <script type="text/javascript" charset="utf-8">

      OAuth.initialize('f4rnzE6DeHWQ4P_mmH_5Nfxqro8');
      var button = document.getElementById('auth');
      button.onclick = function(){

        OAuth.popup('dropbox', function(error, result) {
          if (err) {
            console.log(err); // do something with error
            return;
          }
          console.log("result");
          console.log(result); // do something with result
        });

      }

    </script>
</body>
</html>

Hey, maintainer(s) of oauth-io/oauth-js!

We at VersionEye are working hard to keep up the quality of the bower's registry.

We just finished our initial analysis of the quality of the Bower.io registry:

7530 - registered packages, 224 of them doesnt exists anymore;

We analysed 7306 existing packages and 1070 of them don't have bower.json on the master branch ( that's where a Bower client pulls a data ).

Sadly, your library oauth-io/oauth-js is one of them.

Can you spare 15 minutes to help us to make Bower better?

Just add a new file bower.json and change attributes.

{
  "name": "oauth-io/oauth-js",
  "version": "1.0.0",
  "main": "path/to/main.css",
  "description": "please add it",
  "license": "Eclipse",
  "ignore": [
    ".jshintrc",
    "**/*.txt"
  ],
  "dependencies": {
    "<dependency_name>": "<semantic_version>",
    "<dependency_name>": "<Local_folder>",
    "<dependency_name>": "<package>"
  },
  "devDependencies": {
    "<test-framework-name>": "<version>"
  }
}

Read more about bower.json on the official spefication and nodejs semver library has great examples of proper versioning.

NB! Please validate your bower.json with jsonlint before commiting your updates.

Thank you!

Timo,
twitter: @versioneye
email: [email protected]
VersionEye - no more legacy software!

(sorry about the reiteration between here and email)

It would be fantastic to get an example of the full flow: from unauthenticated to authenticated to actually using an api - that is, making a request. There's a big question mark of what to do once you have the proper tokens, and I've found no information or examples of what that is.

How do I get Facebook App Public key??

Help would be greatly appreciated

How can I include additional query string parameters using the Oauth.popup() function?

I would like to include additional scopes not listed in the Oauth.io project dashboard and also an included_grant_scope option.

I see where you can pass an options object to the popup window, but I would like to include custom parameters to the request itself.

Thank you

I wanted to use callback instead of popup but I'm getting this error is this intentional?

Is it possible to set the secure flag (https://www.owasp.org/index.php/SecureFlag) on the oauthio_provider_* cookie when the site is served over https? Maybe have this be an option, if you don't want to automatically detect if https or not.