Browser Authentication via HttpURLConnection

I am currently working on implementing the TMDb API. There is a method called User Authentication. I successfully completed Step 1.

Step 1: Create Request Token

Start by calling the API on the new token method. This will return a new request token, which will be valid for 60 minutes. The request token is not authorized by the user at this stage. The request token is what identifies the relationship between your application and the user in step 2.

For step 1, I have the following code:

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.io.StringWriter;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.util.List;
    import java.util.Map;

    // Step 1: ask for a new request token; the token itself comes back in the JSON body
    URL url = new URL("http://api.themoviedb.org/3/authentication/token/new?api_key=the_key");
    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
    StringWriter writer = new StringWriter();
    String line;
    while ((line = reader.readLine()) != null) {
        writer.write(line);
    }
    reader.close();

    // The URL the user must be sent to arrives in the Authentication-Callback response header
    Map<String, List<String>> headerFields = connection.getHeaderFields();
    String callBackUrl = null;
    for (Map.Entry<String, List<String>> entry : headerFields.entrySet()) {
        // header names are case-insensitive, so don't rely on the exact capitalisation
        if (entry.getKey() != null && entry.getKey().equalsIgnoreCase("Authentication-Callback")) {
            callBackUrl = entry.getValue().get(0);
        }
    }

It prints the callback URL in the console along with the request token (if I convert writer.toString() to a JSON object).

But the second part is user authentication by username and password. The callback URL redirects the user to the TMDb login page. I tested it by copying the callback URL from the console to the browser.

Step 2 states:

Step 2: Request authorization from the user

Once you have a valid request token, your application needs to open a web browser and send them to TMDb. The HTTP response when creating a new token will include an authentication-callback header, which you can easily use for redirection.

If the user is not logged in to TMDb, they will be redirected to log in before being asked to grant your application permission to use their account. Once the user has granted your application permission to use their account, the browser-based part is complete and you can return them to your application.

Like the request for a new token, the approval response will include an authentication-callback header, which again is a convenient way to redirect the application back to the API and generate a real session identifier.

Now my question is: if I have a username and password, can I authenticate this user via HttpURLConnection or in any other way?

I tried this:

    import java.nio.charset.StandardCharsets;
    import java.util.Base64;   // standard replacement for the non-public sun.misc.BASE64Encoder used originally

    url = new URL(callBackUrl);
    connection = (HttpURLConnection) url.openConnection();
    connection.setRequestMethod("POST");
    // HTTP Basic credentials: base64("username:password") in the Authorization header
    String usernamepassword = "myusername" + ":" + "mypassword";
    String encodedAuthorization = Base64.getEncoder().encodeToString(usernamepassword.getBytes(StandardCharsets.UTF_8));
    connection.setRequestProperty("Authorization", "Basic " + encodedAuthorization);
    headerFields = connection.getHeaderFields();   // sends the request and reads the response headers
    for (Map.Entry<String, List<String>> entry : headerFields.entrySet()) {
        System.out.println(entry.getKey() + " : " + entry.getValue());
    }

But in the console, I got:

    null : [HTTP/1.1 404 Not Found]
    Status : [404 Not Found]
    X-Frame-Options : [sameorigin]
    Date : [Tue, 28 Feb 2012 08:30:17 GMT]
    Vary : [Accept-Encoding]
    X-Cascade : [pass]
    Content-Length : [7835]
    X-XSS-Protection : [1; mode=block]
    Set-Cookie : [tmdb.session=BAh7CUkiD3Nlc3Npb25faWQGOgZFRiJFNGRkMjc5ODYwMjJmYWYwZDlmOGE5%0AOTVjY2E0NWFjMzhhYTRiOGFjOGJiYjQ5ZGFhNzExNDdkMGM4MWNhZGUyMEki%0ADWxhbmd1YWdlBjsARkkiB2VuBjsARkkiC2xvY2FsZQY7AEZJIgd1cwY7AEZJ%0AIg5sb2dnZWRfaW4GOwBGRg%3D%3D%0A; path=/; expires=Thu, 29-Mar-2012 08:30:17 GMT; HttpOnly]
    Content-Type : [text/html;charset=utf-8]
    Connection : [keep-alive]
    Server : [nginx]

As you can see:

    Status : [404 Not Found]

So the last attempt was not fruitful.

Am I implementing authentication incorrectly?

I really appreciate your suggestions.

Thanks in advance.

1 answer

I am not familiar with TMDb, but I read the page on the user authentication process, and I think you misunderstood it.

They specifically state that they do not want third-party applications to store usernames or passwords or pass them in a request ("The advantage of this system is that we never pass a user's username or password through, or require local storage from, a third-party application"). The page at callbackUrl is not something that you, the third-party application, should send anything to; it is for a human. The user sees this page, which asks: "Do you want to grant access to [the name of the third-party application]? If so, log in here." Your application cannot control this process; it is intentionally separate from you, so user credentials can never be intercepted or stored by you. Once the user approves you, you will be able to get an opaque token (session identifier), which you use instead of credentials.

This is basically the same idea as three-legged OAuth; the main difference is that OAuth requires additional fields and signature calculations, so this is easier. But it has nothing to do with HTTP Basic auth.

I believe you want to do this:

  • Do step 1 just as you are doing. But don't just grab the authentication-callback header; also parse the JSON response and get the value of "request_token".

  • Check whether the user has already authorized you by calling the new session API, passing the API key again along with the previously acquired "request_token". If you get a successful response containing a "session_id", you are already logged in and can skip the rest of the steps.

  • Otherwise, redirect the user (or open a browser if you are not already in one) to the URL given in Authentication-Callback.

  • Now, since the login / approval process is separate from your application, how do you know when it has finished? The documentation is unclear on this and does not describe any way to get notified about it (or any way for TMDb to redirect back to your application). Perhaps you just need to poll for the result (i.e. go back to step 2) for a certain period of time.
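Putting the answer's steps together in Java, as an added example that is neither the asker's code nor TMDb's own client: it assumes https transport, the v3 endpoint paths /token/new and /session/new with the API key and request_token as query parameters, and that session/new answers 401 until the user has approved the token in the browser. The credentials never pass through this code; it holds only the request token and, once approved, the opaque session_id.

```java
import java.io.*;
import java.net.*;
import java.util.*;
import java.util.regex.*;

// Added example, not the poster's code: the answer's steps over HttpURLConnection. Assumed: https
// transport, the v3 paths below, and that session/new answers 401 until the user has approved.
public class TmdbAuthFlow {
    private static final String BASE = "https://api.themoviedb.org/3/authentication";
    public static final class RequestToken {
        public final String token, callbackUrl;
        RequestToken(String t, String c) { token = t; callbackUrl = c; }
    }
    // Step 1: create an unauthorized request token (valid for 60 minutes per the docs).
    public static RequestToken newRequestToken(String apiKey) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(BASE + "/token/new?api_key=" + apiKey).openConnection();
        String body = readBody(c), callback = null;
        for (Map.Entry<String, List<String>> e : c.getHeaderFields().entrySet())   // header names are case-insensitive
            if (e.getKey() != null && e.getKey().equalsIgnoreCase("Authentication-Callback")) callback = e.getValue().get(0);
        return new RequestToken(jsonString(body, "request_token"), callback);
    }
    // Step 2: exchange the request token for an opaque session_id; null means the user has not approved it yet.
    public static String newSession(String apiKey, String requestToken) throws IOException {
        URL u = new URL(BASE + "/session/new?api_key=" + apiKey + "&request_token=" + URLEncoder.encode(requestToken, "UTF-8"));
        HttpURLConnection c = (HttpURLConnection) u.openConnection();
        int status = c.getResponseCode();
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) return null;
        if (status != HttpURLConnection.HTTP_OK) throw new IOException("session/new failed: HTTP " + status);
        return jsonString(readBody(c), "session_id");
    }
    // Steps 3 and 4: the login happens in the user's browser, never here; we hold only the token and re-run step 2.
    public static String authorize(String apiKey, long pollMillis, int maxPolls) throws IOException, InterruptedException {
        RequestToken rt = newRequestToken(apiKey);
        String session = newSession(apiKey, rt.token);
        if (session == null) System.out.println("Approve the request in a browser: " + rt.callbackUrl);
        for (int i = 0; session == null && i < maxPolls; i++) {
            Thread.sleep(pollMillis);
            session = newSession(apiKey, rt.token);
        }
        return session;   // null if the user did not approve within the polling window
    }
    private static String readBody(HttpURLConnection c) throws IOException {
        InputStream in = c.getResponseCode() < 400 ? c.getInputStream() : c.getErrorStream();
        if (in == null) return "";
        try (Scanner s = new Scanner(in, "UTF-8").useDelimiter("\\A")) { return s.hasNext() ? s.next() : ""; }
    }
    // Minimal extraction of one string field from a flat JSON object; a real client would use a JSON parser.
    static String jsonString(String json, String key) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(key) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }
}
```

Calling authorize(apiKey, 5000, 24) gives the user about two minutes to approve; a null result means the request token was never approved and a new one must be created.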

