id_token is a JSON Web Token (JWT). If you decode it, you&#39;ll see it contains multiple assertions, including the ID of the user. See [this answer][1] for more details.


  [1]: https://stackoverflow.com/a/13016081/1678199

The *id_token* is used in OpenID Connect protocol, where the user is authenticated as well as authorized. (There&#39;s an important [distinction 
between authentication and authorization](http://www.differencebetween.net/technology/difference-between-authentication-and-authorization/).) You will get *id_token* and *access_token*. 

The *id_token* value contains the information about the user&#39;s authentication. The ID token resembles the concept of an identity card, in a standard JWT format, signed by the OpenID Provider (OIDP). To obtain one, the client needs to send the user to their OIDP with an authentication request.

Features of the ID token:

1. Asserts the identity of the user, called subject in OpenID (sub).
2. Specifies the issuing authority (iss).
3. Is generated for a particular audience, i.e. client (aud).
4. May contain a nonce (nonce).
5. May specify when (auth_time) and how, in terms of strength (acr), the user was authenticated.
6. Has an issue (iat) and expiration time (exp).
7. May include additional requested details about the subject, such as name and email address.
8. Is digitally signed, so it can be verified by the intended
    recipients. May optionally be encrypted for confidentiality.

The ID token statements, or claims, are packaged in a simple JSON object:

    {
      &quot;sub&quot;       : &quot;alice&quot;,
      &quot;iss&quot;       : &quot;https://openid.c2id.com&quot;,
      &quot;aud&quot;       : &quot;client-12345&quot;,
      &quot;nonce&quot;     : &quot;n-0S6_WzA2Mj&quot;,
      &quot;auth_time&quot; : 1311280969,
      &quot;acr&quot;       : &quot;c2id.loa.hisec&quot;,
      &quot;iat&quot;       : 1311280970,
      &quot;exp&quot;       : 1311281970
    }


When I generate JAXB classes from an XSD, the elements with `maxOccurs=&quot;unbounded&quot;` gets a getter method generated for them, but no setter method, as follows:

    /**
     * Gets the value of the element3 property.
     * 
     * &lt;p&gt;
     * This accessor method returns a reference to the live list,
     * not a snapshot. Therefore any modification you make to the
     * returned list will be present inside the JAXB object.
     * This is why there is not a &lt;CODE&gt;set&lt;/CODE&gt; method for the element3 property.
     * 
     * &lt;p&gt;
     * For example, to add a new item, do as follows:
     * &lt;pre&gt;
     *    getElement3().add(newItem);
     * &lt;/pre&gt;
     * 
     * 
     * &lt;p&gt;
     * Objects of the following type(s) are allowed in the list
     * {@link Type }
     * 
     * 
     */
    public List&lt;Type&gt; getElement3() {
        if (element3 == null) {
            element3 = new ArrayList&lt;Type&gt;();
        }
        return this.element3;
    }

The method comment makes it crystal clear on how can I use it, but my question is as follows: &lt;br&gt;**Why doesn&#39;t JAXB just generate a setter, following the Java Beans rules?** I know I can write the setter method myself, but is there any advantage to the approach suggested in the generated getter method?

This is my XSD:

    &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
    &lt;schema xmlns=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:tns=&quot;http://www.example.org/DoTransfer/&quot; targetNamespace=&quot;http://www.example.org/DoTransfer/&quot;&gt;
    
        &lt;element name=&quot;CollectionTest&quot; type=&quot;tns:CollectionTest&quot;&gt;&lt;/element&gt;
        
        &lt;complexType name=&quot;CollectionTest&quot;&gt;
        	&lt;sequence&gt;
        		&lt;element name=&quot;element1&quot; type=&quot;string&quot; maxOccurs=&quot;1&quot; minOccurs=&quot;1&quot;&gt;&lt;/element&gt;
        		&lt;element name=&quot;element2&quot; type=&quot;boolean&quot; maxOccurs=&quot;1&quot; minOccurs=&quot;1&quot;&gt;&lt;/element&gt;
        		&lt;element name=&quot;element3&quot; type=&quot;tns:type&quot; maxOccurs=&quot;unbounded&quot; minOccurs=&quot;1&quot; nillable=&quot;true&quot;&gt;&lt;/element&gt;
        	&lt;/sequence&gt;
        &lt;/complexType&gt;
    
    
        &lt;complexType name=&quot;type&quot;&gt;
        	&lt;sequence&gt;
        		&lt;element name=&quot;subelement1&quot; type=&quot;string&quot; maxOccurs=&quot;1&quot; minOccurs=&quot;1&quot;&gt;&lt;/element&gt;
        		&lt;element name=&quot;subelement2&quot; type=&quot;string&quot; maxOccurs=&quot;1&quot; minOccurs=&quot;0&quot;&gt;&lt;/element&gt;
        	&lt;/sequence&gt;
        &lt;/complexType&gt;
    &lt;/schema&gt;

Why doesn&#39;t JAXB generate setters for Lists

I have a very basic `R` question but I am having a hard time trying to get the right answer. I have a data frame that looks like this:

``` species&lt;-&quot;ABC&quot;
 ind&lt;-rep(1:4,each=24)
 hour&lt;-rep(seq(0,23,by=1),4)
 depth&lt;-runif(length(ind),1,50)

 df&lt;-data.frame(cbind(species,ind,hour,depth))
 df$depth&lt;-as.numeric(df$depth)
```

What I would like it to select AND replace all the rows where `depth &lt; 10` (for example) with zero, but I want to keep all the information associated to those rows and the original dimensions of the data frame.

I have try the following but this does not work.

``` df[df$depth&lt;10]&lt;-0 ```

Any suggestions?

Replacing values from a column using a condition in R

I just got the following result when I tried to do oauth2 to googleapi. Only one thing: I couldn&#39;t find what is id_token used for in [documentation][1].

    {
      &quot;access_token&quot;: &quot;xxxx&quot;,
      &quot;token_type&quot;: &quot;Bearer&quot;,
      &quot;expires_in&quot;: 3600,
      &quot;id_token&quot;: &quot;veryverylongstring&quot;,
      &quot;refresh_token&quot;: &quot;abcdefg&quot;
    }

  [1]: https://developers.google.com/accounts/docs/OAuth2WebServer#handlingtheresponse

what is id_token google oauth

I just got the following result when I tried to do oauth2 to googleapi. Only one thing: I couldn't find what is id_token used for in <a href="https://developers.google.com/accounts/docs/OAuth2WebServer#handlingtheresponse" target="_blank" rel="noopener noreferrer">documentation</a>.
<pre><code class="hljs language-json">{
 "access_token": "xxxx",
 "token_type": "Bearer",
 "expires_in": 3600,
 "id_token": "veryverylongstring",
 "refresh_token": "abcdefg"
}
</code></pre>

In OAuth 1.0, 2-legged is pretty easily: Simply send the request as usual and omit the `access_token` header.

Things seems to have changed in OAuth 2.0 (drastically, as I found out today :)). In OAuth 2.0, the request no longer has headers such as the nonce, consumer key, timestamp etc. This is just replaced by:

    Authorization: OAuth ya29.4fgasdfafasdfdsaf3waffghfhfgh

I understand how 3 legged authorizations work in OAuth 2.0 and the application flows. But how does 2-legged work in 2.0? Is it possible to design an API that can support both 2-legged and 3-legged OAuth 2.0?

I have been searching for information regarding this, but I have been finding a lot of stuff on 2-legged for 1.0 and almost nothing for 2.0.

How does 2-legged oauth work in OAuth 2.0?

OAuth 2.0 has multiple workflows. I have a few questions regarding the two.

 1. **Authorization code flow** - User logs in from client app, authorization server returns an authorization code to the app. The app then exchanges the authorization code for access token.
 1. **Implicit grant flow** - User logs in from client app, authorization server issues an access token to the client app directly.

What is the difference between the two approaches in terms of security? Which one is more secure and why? 

I don&#39;t see a reason why an extra step (exchange authorization code for token) is added in one work flow when the server can directly issue an Access token.

Different websites say that Authorization code flow is used when client app can keep the credentials secure. Why?

What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?

I am trying to implement delegated authorization in a Web API for mobile apps using OAuth 2.0. According to specification, the implicit grant flow does not support refresh tokens, which means once an access token is granted for an specific period of time, the user must grant permissions to the app again once the token expires or it is revoked. 

I guess this is a good scenario for some javascript code running on a browser as it is mentioned in the specification. I am trying to minimize the times the user must grant permissions to the app to obtain a token, so it looks like the Authorization Code flow is a good option as it supports refresh tokens. 

However, this flow seems to rely heavily on a web browser for performing the redirections. I am wondering if this flow is still a good option for a mobile app if a embedded web browser is used. Or should I go with the implicit flow ?  



What&#39;s the right OAuth 2.0 flow for a mobile app

I saw this question up before, but only for rspec. I haven&#39;t created test yet because it&#39;s too advanced for me but one day soon i will! :P

I get this error when I try to sign-up/login into my app. I used devise to create user and also *omniauth2* to sign-in with *google*.

**this is the error**

    ActiveRecord::StatementInvalid at /users/auth/google_oauth2/callback
    PG::UndefinedTable: ERROR:  relation &quot;users&quot; does not exist
    LINE 5:              WHERE a.attrelid = &#39;&quot;users&quot;&#39;::regclass
                                            ^
    :             SELECT a.attname, format_type(a.atttypid, a.atttypmod),
                         pg_get_expr(d.adbin, d.adrelid), a.attnotnull, a.atttypid, a.atttypmod
                  FROM pg_attribute a LEFT JOIN pg_attrdef d
                    ON a.attrelid = d.adrelid AND a.attnum = d.adnum
                 WHERE a.attrelid = &#39;&quot;users&quot;&#39;::regclass
                   AND a.attnum &gt; 0 AND NOT a.attisdropped
                 ORDER BY a.attnum

I tried `rake db:migrate`, but it already is created: in schema table users exist. Has anyone got this error before?

**database.yml**

config=/opt/local/lib/postgresql84/bin/pg_config

    development:
      adapter: postgresql
      encoding: unicode
      database: tt_intraweb_development
      pool: 5
      username: my_username
      password:

    test:
      adapter: postgresql
      encoding: unicode
      database: tt_intraweb_test
      pool: 5
      username: my_username
      password:
    
    production:
      adapter: postgresql
      encoding: unicode
      database: tt_intraweb_production
      pool: 5
      username: my_username
      password:

PG undefinedtable error relation users does not exist

To use google drive api, I have to play with the authentication using OAuth2.0. And I got a few question about this.

 1. Client id and  client secret are used to identify what my app is. But they must be hardcoded if it is a client application. So, everyone can decompile my app and extract them from source code. **Does it mean that a bad app can pretend to be a good app by using the good app&#39;s client id and secret?** So user would be showing a screen that asking for granting permission to a good app even though it is actually asked by a bad app? If yes, what should I do?  Or actually I should not worry about this?

 2. 
In mobile application, we can embedded a webview to our app. And it is easy to extract the password field in the webview because the app that asking for permission is actually a &quot;browser&quot;. **So, OAuth in mobile application does not have the benefit that client application has not access to the user credential of service provider?** 


client secret in OAuth 2.0

I&#39;m trying to set a web service that needs the user&#39;s Google Latitude info, so I&#39;m using Google OAuth to get the user authorization stuff.

However, when trying to set the redirection URI in the Google APIs Console for a web application client ID I get a message error if I try to set it to &#39;http://PUBLIC_IP/&#39;.

I need to test it with non local users (thus localhost can&#39;t be used), so I would like to know if having a web domain is mandatory in order to use Google&#39;s OAuth. If not, how can I solve this issue?

Can a public IP address be used as Google OAuth redirect URI?

Is there is a way I can force the **google account chooser** to appear even if the user is logged in just with one account.

I have tried by redirecting to this URL:

    https://accounts.google.com/AccountChooser?service=lso&amp;continue=[authorizeurl]

and it seems to work, but I don&#39;t know if there are any other conditions in which it might fail.


![enter image description here][1]


  [1]: http://i.stack.imgur.com/GWLSa.png

Force google account chooser

I try to make a web page for youtube video upload, therefore I try to get the client id from google api console, and in the api console it shows something like this:

    Client ID: 533832195920.apps.googleusercontent.com
    Redirect URIs: http://bobyouku.ap01.aws.af.cm/testyoutube.php
    https://developers.google.com/oauthplayground


However when I try to test my account using the following URL:

https://accounts.google.com/o/oauth2/auth?client_id=533832195920.apps.googleusercontent.com&amp;redirect_uri=http%3A%2F%2Fbobyouku.ap01.aws.af.cm%2Ftestyoutube.php&amp;scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube&amp;response_type=code&amp;access_type=offline


It gives out the result of invalid_client. Even when I try it on oauth2 playground, same fail occurs

So anyone knows what&#39;s happen?

invalid_client in google oauth2

Let&#39;s say that I have a web app (&quot;mydriveapp&quot;) that needs to access Drive files in a background service. It will either own the files it is accessing, or be run in a Google Account with which the owner has shared the documents. 

I understand that my app needs a refresh token, but **I don&#39;t want to write the code to obtain that** since I&#39;ll only ever do it once.

**NB. This is NOT using a Service Account.** The app will be run under a conventional Google account. Service Account is a valid approach in some situations. However the technique of using Oauth Playground to simulate the app can save a bunch of redundant effort, and applies to any APIs for which sharing to a Service Account is unsupported.



How do I authorise an app (web or installed) without user intervention?

I try to implement google oauth, following the [Google OAuth2ForDevices](https://developers.google.com/accounts/docs/OAuth2ForDevices). 

My App is registered on Google Cloud Console, as native App. When I try to follow the OAuth2ForDevices using Google Chromes - Advanced Rest Client Application, I get the json response with the user_code and verfication_url. Opening the verfication_url and enterering the user_code, leads to the follwoing Error: 

&gt; invalid_client: no support email
&gt; Error 400

I tried this with 2 registred Apps on Google Cloud Console. Both leading to the same error. 

**Anys hints, how to solve this? Do I have to register a `support email` somewhere in google cloud services?**

Content Type	Original Author	Original Content on Stackoverflow
Question	kitokid	View Question on Stackoverflow
Solution 1 - Oauth 2.0	vlatko	View Answer on Stackoverflow
Solution 2 - Oauth 2.0	Nouman Dilshad	View Answer on Stackoverflow

what is id_token google oauth

Oauth 2.0 Problem Overview

Oauth 2.0 Solutions

Solution 1 - Oauth 2.0

Solution 2 - Oauth 2.0

Replacing values from a column using a condition in R

Why doesn't JAXB generate setters for Lists

Attributions