For those looking for an example of how to pass the OAuth2 authorization (access token) in the header (as opposed to using a request or body parameter), here is how it&#39;s done:

    Authorization: Bearer 0b79bab50daca910b000d4f1a2b675d604257e42

You can still use the Authorization header with OAuth 2.0.  There is a Bearer type specified in the Authorization header for use with OAuth bearer tokens (meaning the client app simply has to present (&quot;bear&quot;) the token).  The value of the header is the access token the client received from the Authorization Server.

It&#39;s documented in this spec: https://www.rfc-editor.org/rfc/rfc6750#section-2.1

E.g.:

       GET /resource HTTP/1.1
       Host: server.example.com
       Authorization: Bearer mF_9.B5f-4.1JqM

Where **mF_9.B5f-4.1JqM** is your OAuth access token.

I was designing a database for a site where I need to use a boolean datetype to store only 2 states, true or false. I am using MySQL.  
While designing the database using phpMyAdmin, I found that I have both the BOOLEAN datatype and the TINYINT datatype.  
I went through different articles, some said TINYINT is the same as BOOLEAN, no difference. Some say BOOLEAN is converted into TINYINT in MySQL.

MY question is, if they both are same why do there exist two? There should be only one of them.

Here is the reference to the articles I read:  
http://www.careerride.com/MySQL-BOOL-TINYINT-BIT.aspx  
http://dev.mysql.com/doc/refman/5.5/en/numeric-type-overview.html

BOOLEAN or TINYINT confusion

I am done with the project which connects to database (MySQL). Now I want to export the project as jar. But I don&#39;t know how to include its external dependencies? Is there any way of doing it in Eclipse or should I use any scripts for that?.

How to create a jar with external libraries included in Eclipse?

I want to develop a SDK that encapsules the OAuth 2.0 functions. I have checked the differences  between OAuth 1.0 &amp; 2.0, and I have some confusion on Authorization Header ([1.0][1] and 
[2.0][2]), OAuth 1.0 protocol parameters can be transmitted using the HTTP &quot;Authorization&quot; header, but I can&#39;t find this described in current OAuth 2.0 draft.

Does OAuth 2.0 supports authorization headers?

In OAuth 1.0 your header would look like:

    Authorization: OAuth realm=&quot;Example&quot;,
        oauth_consumer_key=&quot;0685bd9184jfhq22&quot;,
        oauth_token=&quot;ad180jjd733klru7&quot;,
        oauth_signature_method=&quot;HMAC-SHA1&quot;,
        oauth_signature=&quot;wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D&quot;,
        oauth_timestamp=&quot;137131200&quot;,
        oauth_nonce=&quot;4572616e48616d6d65724c61686176&quot;,
        oauth_version=&quot;1.0&quot;


  [1]: https://www.rfc-editor.org/rfc/rfc5849#section-3.5.1
  [2]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-27#page-8

OAuth 2.0 Authorization Header

I want to develop a SDK that encapsules the OAuth 2.0 functions. I have checked the differences between OAuth 1.0 &#x26; 2.0, and I have some confusion on Authorization Header (<a href="https://www.rfc-editor.org/rfc/rfc5849#section-3.5.1" target="_blank" rel="noopener noreferrer">1.0</a> and
<a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-27#page-8" target="_blank" rel="noopener noreferrer">2.0</a>), OAuth 1.0 protocol parameters can be transmitted using the HTTP "Authorization" header, but I can't find this described in current OAuth 2.0 draft.
Does OAuth 2.0 supports authorization headers?
In OAuth 1.0 your header would look like:
<pre><code class="hljs language-ini">Authorization: OAuth realm="Example",
 oauth_consumer_key="0685bd9184jfhq22",
 oauth_token="ad180jjd733klru7",
 oauth_signature_method="HMAC-SHA1",
 oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
 oauth_timestamp="137131200",
 oauth_nonce="4572616e48616d6d65724c61686176",
 oauth_version="1.0"
</code></pre>

I am building a registration form (passport-local as authentication, forms as form helper).

Because the registration only knows GET and POST I would like to do the whole handling in one function.

With other words I am searching after something like:

    exports.register = function(req, res){
        if (req.isPost) {
           // do form handling
        }
        res.render(&#39;user/registration.html.swig&#39;, { form: form.toHTML() });
    };

Express.js get http method in controller

I want to write a C program to generate a Get Request without using any external libraries. Is this possible using only C libraries, using sockets ? I&#39;m thinking of crafting a http packet(using proper formatting) and sending it to the server. Is this the only possible way or is there a better way ? 



How to make an HTTP get request in C without libcurl?

In the application I&#39;m trying to write, the main page (http://localhost:8675) has the following form:

    &lt;form action=&#39;/?joinnew&#39; method=&#39;post&#39;&gt;
      &lt;button&gt;Start&lt;/button&gt;
    &lt;/form&gt;

Here is the code in server.js:

    http.createServer(function(request, response) {
      var root = url.parse(request.url).pathname.split(&#39;/&#39;)[1];
      if (root == &#39;&#39;) {
        var query = url.parse(request.url).search:
        if (query == &#39;?joinnew&#39;) {
          var newRoom = getAvaliableRoomId(); // &#39;8dn1u&#39;, &#39;idjh1&#39;, &#39;8jm84&#39;, etc.
          // redirect the user&#39;s web browser to a new url
          // ??? How to do.  Need to redirect to &#39;http://whateverhostthiswillbe:8675/&#39;+newRoom
    ...
    }}}

I would love if there were a way to do it where I didn&#39;t have to know the host address, since that could be changing.

The &#39;http&#39; object is a regular require(&#39;http&#39;), NOT require(&#39;express&#39;).

How to redirect user&#39;s browser URL to a different page in Nodejs?

What is the difference between `Expires: 0` and `Expires: -1` in the HTTP response header? [RFC 2616][1] defines *invalid date formats, especially including the value &quot;0&quot;* as *already expired*. However, some servers (e.g. www.google.de) reply with `Expires: -1`.

Is there an advantage over using `-1` over `0` or is this even required for some broken HTTP clients?


  [1]: https://www.rfc-editor.org/rfc/rfc2616#section-14.21

HTTP Expires header values &quot;0&quot; and &quot;-1&quot;

I&#39;ve seen articles and posts all over (including SO) on this topic, and the prevailing commentary is that same-origin policy prevents a form POST across domains.  The only place I&#39;ve seen someone suggest that same-origin policy does not apply to form posts, [is here][1].

I&#39;d like to have an answer from a more &quot;official&quot; or formal source.  For example, does anyone know the RFC that addresses how same-origin does or does not affect a form POST?

**clarification**: I am not asking if a GET or POST can be constructed and sent to any domain.  I am asking:

1. if Chrome, IE, or Firefox will allow content from domain &#39;Y&#39; to send a POST to domain &#39;X&#39;
1. if the server receiving the POST will actually see any form values at all.  I say this because the majority of online discussion records testers saying the server received the post, but the form values were all empty / stripped out.
1. What official document (i.e. RFC) explains what the expected behavior is (regardless of what the browsers have currently implemented).

Incidentally, if same-origin does not affect form POSTs - then it makes it somewhat more obvious of why anti-forgery tokens are necessary.  I say &quot;somewhat&quot; because it seems too easy to believe that an attacker could simply issue an HTTP GET to retrieve a form containing the anti-forgery token, and then make an illicit POST which contains that same token.  Comments?

  [1]: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Cross Domain Form POSTing

On the website [https://code.google.com/apis/console][1] I have registered my application, set up generated **Client ID:** and **Client Secret** to my app and tried to log in with Google.
Unfortunately, I got the error message:

    Error: redirect_uri_mismatch
    The redirect URI in the request: http://127.0.0.1:3000/auth/google_oauth2/callback did not match a registered redirect URI
    
    scope=https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
    response_type=code
    redirect_uri=http://127.0.0.1:3000/auth/google_oauth2/callback
    access_type=offline
    approval_prompt=force
    client_id=generated_id

What does mean this message, and how can I fix it?
I use the gem **omniauth-google-oauth2**.

  [1]: https://code.google.com/apis/console

Google OAuth 2 authorization - Error: redirect_uri_mismatch

I&#39;m developing a website that is primarily accessed via an app, and I want to use OAuth2 for user registration and authentication. Since it is an Android app I will start using Google&#39;s OAuth2 stuff, since it provides a decent UI on Android.

Google states that [&quot;You can choose to use Google&#39;s authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store.&quot;](https://developers.google.com/accounts/docs/OAuth2Login) which is what I want to do. *However* when I go through all their examples and whatnot, I can only find stuff about having a website *or* an app authenticate a user against Google&#39;s services.

And indeed, when I go to register my app (&quot;client&quot;) with Google&#39;s OAuth2 there are options for website clients and &quot;installed&quot; clients (i.e. a mobile app) but not both. I can create two separate clients but I read the OAuth2 draft and I think there will be a problem, which I will now explain.

Here&#39;s how I did envisage it working:

![OAuth2 flow diagram][1]

1. User asks MyApp to access his private data.
2. App uses Android&#39;s `AccountManager` class to request an access token for Google&#39;s APIs.
3. Android says to user &quot;The app &#39;MyApp&#39; wants access to your Basic Information on Google. Is this ok?&quot;
4. User says yes.
5. `AccountManager` connects to Google&#39;s OAuth2 server using the credentials stored on the phone, and asks for an access token.
6. Access token (which follows the green lines) is returned.
7. `AccountManager` returns the access token to MyApp.
8. MyApp sends a request to MySite for the user&#39;s private data, including the access token.
9. MySite needs to verify the user, using the access token. It validates the token [as described here](https://developers.google.com/accounts/docs/OAuth2Login#validatingtoken), with Google - &quot;Google, is this token valid?&quot;.
10. Now, what I *want* to happen is that Google says &quot;Yes, whoever gave it to you is indeed that user.&quot;, but what I think will actually happen (based on the OAuth2 draft and Google&#39;s documentation) is that it will say &quot;No way! That token is only valid for MyApp, and you&#39;re MySite. GTFO!&quot;.

So how should I do this? And PLEASE don&#39;t say &quot;Use OpenID&quot; or &quot;Don&#39;t use OAuth2&quot; or other similarly unhelpful answers. Oh and I would really like to keep using the nice `AccountManager` UI rather than crappy popup `WebView`s

  [1]: http://i.stack.imgur.com/3oDJt.png

# Edit

Provisional answer (I will report back if it works!) from Nikolay is that it should actually work, and Google&#39;s servers won&#39;t care where the access token came from. Seems a bit insecure to me, but I will see if it works!

# Update

I implemented this pattern with Facebook instead of Google and it totally works. The OAuth2 server doesn&#39;t care where the access token comes from. At least Facebook&#39;s doesn&#39;t, so I assume Google&#39;s doesn&#39;t either.

In light of that it is a very very bad idea to store access tokens! But we also don&#39;t want to have to hit Facebook/Google&#39;s servers to check authentication for *every* request since it will slow everything down. Probably the best thing is to add an additional authentication cookie for your site that you hand out when their access token is validated, but a simpler way is just to treat the access token like a password and store a hash of it. You don&#39;t need to salt it either since access tokens are really really long. So the steps above become something like:

9\. MySite needs to verify the user, using the access token. First it checks its cache of hashed valid access tokens. If the hash of the token is found there it knows the user is authenticated. Otherwise it checks with Google [as described here](https://developers.google.com/accounts/docs/OAuth2Login#validatingtoken), with Google - &quot;Google, is this token valid?&quot;.

10\. If Google says the access token is invalid, we tell the user to GTFO. Otherwise Google says &quot;Yes that is a valid user&quot; and we then check our registered user database. If that Google username (or Facebook id if using Facebook) is not found we can create a new user. Then we cache the hashed value of the access token.


Authenticating with OAuth2 for an app *and* a website

I&#39;m trying to register my android app following the steps in  https://developers.google.com/console/help/#installed_applications which leads me to follow 
http://developer.android.com/tools/publishing/app-signing.html.

However, I&#39;m not sure how to get the signing certificate fingerprint (SHA1). 

I first used the Eclipse ADT plugin to export and create the keystore/key.
Then, I tried doing `keytool -list keystore mykeystore.keystore` and it gives me a MD5 Certificate fingerprint.  Do I need to redo the signing (meaning I can&#39;t use the eclipse export wizard)? 

Can I use a debug certificate first?

How to obtain Signing certificate fingerprint (SHA1) for OAuth 2.0 on Android?

When a client asks a resource server to get a protected resource with an OAuth 2.0 access token, how does this server validate the token? The OAuth 2.0 refresh token protocol?

How to validate an OAuth 2.0 access token for a resource server?

I created an mvc4 web api project using vS2012. I used following tutorial to solve the Cross-Origin Resource Sharing, &quot;http://blogs.msdn.com/b/carlosfigueira/archive/2012/07/02/cors-support-in-asp-net-web-api-rc-version.aspx&quot;. It is working successfully, and i post data  from client side to server successfully.

After that for implementing Autherization in my project, I used the following tutorial to implement OAuth2, &quot;http://community.codesmithtools.com/CodeSmith_Community/b/tdupont/archive/2011/03/18/oauth-2-0-for-mvc-two-legged-implementation.aspx&quot;. This is help me for getting RequestToken on client side.

But when i post data from client side, i got the error,
     **&quot;XMLHttpRequest cannot load http://. Request header field Content-Type is not allowed by Access-Control-Allow-Headers.&quot;**

My **client side** code look like,


     function PostLogin() {
		var Emp = {};            
		Emp.UserName = $(&quot;#txtUserName&quot;).val();				
		var pass = $(&quot;#txtPassword&quot;).val();
		var hash = $.sha1(RequestToken + pass);
                $(&#39;#txtPassword&#39;).val(hash);
		Emp.Password= hash;
        Emp.RequestToken=RequestToken;
		var createurl = &quot;http://localhost:54/api/Login&quot;;
		$.ajax({
			type: &quot;POST&quot;,
			url: createurl,
			contentType: &quot;application/json; charset=utf-8&quot;,
			data: JSON.stringify(Emp),
			statusCode: {
					200: function () {
					$(&quot;#txtmsg&quot;).val(&quot;done&quot;);						
					toastr.success(&#39;Success.&#39;, &#39;&#39;);							
					}
					},
			error:
				function (res) {						
					toastr.error(&#39;Error.&#39;, &#39;sorry either your username of password was incorrect.&#39;);			
					}
			});
		};

My **api controller** look like,

        [AllowAnonymous]
        [HttpPost]
        public LoginModelOAuth PostLogin([FromBody]LoginModelOAuth model)
        {
            var accessResponse = OAuthServiceBase.Instance.AccessToken(model.RequestToken, &quot;User&quot;, model.Username, model.Password, model.RememberMe);

            if (!accessResponse.Success)
            {
                OAuthServiceBase.Instance.UnauthorizeToken(model.RequestToken);
                var requestResponse = OAuthServiceBase.Instance.RequestToken();

                model.ErrorMessage = &quot;Invalid Credentials&quot;;

                return model;
            }
            else
            {
                // to do return accessResponse

                return model;
            }

        } 

My **webconfig** file look like,

     &lt;configuration&gt;
       &lt;configSections&gt;   
       &lt;section name=&quot;entityFramework&quot;    type=&quot;System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=4.4.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089&quot; requirePermission=&quot;false&quot; /&gt;
      &lt;section name=&quot;oauth&quot; type=&quot;MillionNodes.Configuration.OAuthSection, MillionNodes, Version=1.0.0.0, Culture=neutral&quot;/&gt;
      &lt;sectionGroup name=&quot;dotNetOpenAuth&quot; type=&quot;DotNetOpenAuth.Configuration.DotNetOpenAuthSection, DotNetOpenAuth.Core&quot;&gt;
      &lt;section name=&quot;messaging&quot; type=&quot;DotNetOpenAuth.Configuration.MessagingElement, DotNetOpenAuth.Core&quot; requirePermission=&quot;false&quot; allowLocation=&quot;true&quot; /&gt;
      &lt;section name=&quot;reporting&quot; type=&quot;DotNetOpenAuth.Configuration.ReportingElement, DotNetOpenAuth.Core&quot; requirePermission=&quot;false&quot; allowLocation=&quot;true&quot; /&gt;
    &lt;/sectionGroup&gt;
    &lt;/configSections&gt;
    &lt;oauth defaultProvider=&quot;DemoProvider&quot; defaultService=&quot;DemoService&quot;&gt;
    &lt;providers&gt;
      &lt;add name=&quot;DemoProvider&quot; type=&quot;MillionNodes.OAuth.DemoProvider, MillionNodes&quot; /&gt;
    &lt;/providers&gt;
    &lt;services&gt;
      &lt;add name=&quot;DemoService&quot; type=&quot;MillionNodes.OAuth.DemoService, MillionNodes&quot; /&gt;
    &lt;/services&gt;
    &lt;/oauth&gt;
    &lt;system.web&gt;
     &lt;httpModules&gt;
       &lt;add name=&quot;OAuthAuthentication&quot; type=&quot;MillionNodes.Module.OAuthAuthenticationModule, MillionNodes, Version=1.0.0.0, Culture=neutral&quot;/&gt;
      &lt;/httpModules&gt;
     &lt;compilation debug=&quot;true&quot; targetFramework=&quot;4.0&quot; /&gt;
    &lt;authentication mode=&quot;Forms&quot;&gt;
      &lt;forms loginUrl=&quot;~/Account/Login&quot; timeout=&quot;2880&quot; /&gt;
    &lt;/authentication&gt;
    &lt;pages&gt;
      &lt;namespaces&gt;
        &lt;add namespace=&quot;System.Web.Helpers&quot; /&gt;
        &lt;add namespace=&quot;System.Web.Mvc&quot; /&gt;
        &lt;add namespace=&quot;System.Web.Mvc.Ajax&quot; /&gt;
        &lt;add namespace=&quot;System.Web.Mvc.Html&quot; /&gt;
        &lt;add namespace=&quot;System.Web.Optimization&quot; /&gt;
        &lt;add namespace=&quot;System.Web.Routing&quot; /&gt;
        &lt;add namespace=&quot;System.Web.WebPages&quot; /&gt;
      &lt;/namespaces&gt;
    &lt;/pages&gt;
	&lt;/system.web&gt;
	&lt;system.webServer&gt;
     &lt;validation validateIntegratedModeConfiguration=&quot;false&quot; /&gt;      
      &lt;modules&gt;
          &lt;add name=&quot;OAuthAuthentication&quot;     type=&quot;MillionNodes.Module.OAuthAuthenticationModule, MillionNodes, Version=1.0.0.0, Culture=neutral&quot; preCondition=&quot;&quot; /&gt;
     &lt;/modules&gt;
     &lt;httpProtocol&gt;
      &lt;customHeaders&gt;
        &lt;add name=&quot;Access-Control-Allow-Origin&quot; value=&quot;*&quot; /&gt;
        &lt;/customHeaders&gt;
      &lt;/httpProtocol&gt;
    &lt;/system.webServer&gt;
	&lt;dotNetOpenAuth&gt;
    &lt;messaging&gt;
      &lt;untrustedWebRequest&gt;
        &lt;whitelistHosts&gt;
          &lt;!-- Uncomment to enable communication with localhost (should generally not activate in production!) --&gt;
          &lt;!--&lt;add name=&quot;localhost&quot; /&gt;--&gt;
        &lt;/whitelistHosts&gt;
      &lt;/untrustedWebRequest&gt;
    &lt;/messaging&gt;
    &lt;!-- Allow DotNetOpenAuth to publish usage statistics to library authors to improve the library. --&gt;
    &lt;reporting enabled=&quot;true&quot; /&gt;
  &lt;/dotNetOpenAuth&gt;
&lt;/configuration&gt;
  
  

Content Type	Original Author	Original Content on Stackoverflow
Question	JKhuang	View Question on Stackoverflow
Solution 1 - Http	Jonathan	View Answer on Stackoverflow
Solution 2 - Http	Scott T.	View Answer on Stackoverflow

OAuth 2.0 Authorization Header

Http Problem Overview

Http Solutions

Solution 1 - Http

Solution 2 - Http

How to create a jar with external libraries included in Eclipse?

BOOLEAN or TINYINT confusion

Attributions