Possible authorization OAuth 2.0 without browser?

Good evening. Please tell me how and is it possible to log in via OAuth 2.0 client applications (WinForms, WPF and is possible) without using a browser and entered username and password?
September 19th 19 at 00:07
2 answers
September 19th 19 at 00:09
Solution
The vendor can allow the user for a username and password, and convert it into an access token (token accsss). But, as a rule, for security reasons, no one gives that possibility.

Try: if grant_type is password, then the user data can be passed parameters for username and password when obtaining the access token. Or use a grant_type equal to client_credentials, then the user data must be transmitted in the HTTP header Authorization (if using HTTPS is a more secure method than password).

For example, if Facebook allowed you to do it, then request the access token could be:
https://graph.facebook.com/oauth/access_token?client_id=123&client_secret=abc&
grant_type=password&username=pupkin&password=000


In my library there is no possibility to change grant_type outside, but inside to change. For Example, InstagramClient.cs, in the constructor to specify GrantType:

base.GrantType = GrantType.ClientCredentials;

Continue to use the client:

var client = new InstagramClient
(
 "9fcad1f7740b4b66ba9a0357eb9b7dda", 
"3f04cbf48f194739a10d4911c93dcece"
);
client.ReturnUrl = "http://oauthproxy.nemiro.net/";
client.Username = "aleksey";
client.Password = "Frif#dser#23dssd@Dsdfjjfsi";
var accessToken = client.AccessToken;

And the server will answer:
{"code": 400, "error_type": "OAuthException", "error_message": "Invalid grant_type"}

A bad example :P

But Facebook, surprisingly, returned the access token:
var client = new FacebookClient("1435890426686808", "c6057dfae399beee9e8dc46a4182e8fd");
client.Username = "aleksey";
client.Password = "a6lGmDZsCb1SuHsIQw89ZqK9";
var accessToken = client.AccessToken;

But I doubt that the vendor just allows it to use anyone, in real conditions, without any restrictions. Certainly have a tough test to pass the moderator.
September 19th 19 at 00:11
A more versatile option? If you need not log in to Facebook, such as instagram?
Protocol one, the page addresses are different, and application settings.

Common that you need to specify the grant_type equal to password or client_credentialsand pass login and user name.

Now in your response to show an example. - rene_Mohr commented on September 19th 19 at 00:14
Just parameter grant_type have instagram I haven't seen. I doubt that it provides such opportunities without prompting. - Sadye_Pagac57 commented on September 19th 19 at 00:17
: this is at the Protocol level. Updated my answer. Yes, Instagram does not allow you to use client_credentials and the more password. So using OAuth in any way. You can contact the support to know for the few they allow you to do and what you need to become favourites. - rene_Mohr commented on September 19th 19 at 00:20
As the saying goes, "Nice try, but no" :) To favourites I am not, so this option is excluded.
Although I would option browser would, but the fact is that the application needs to maintain multiple sessions, and be able to use both in the context of a single application. Maybe there are thoughts how to implement this?

And for the library thank you, it is still useful ;) - Sadye_Pagac57 commented on September 19th 19 at 00:23
: the access token can be saved. If you want to use multiple accounts, just to lay down some markers in the app settings.

When obtaining the access token, specifically Instagram, gets the user name. Try here. It is possible when you save the token in your application, link it with the received username. Even a photo of user himself to copy. And just to show the list of authorized users in your application, as it is done in Windows, when a single computer simultaneously multiple users logged in. - rene_Mohr commented on September 19th 19 at 00:26
That is exactly what was intended, but the WebBrowser stores the session somewhere at home. Ie when re-attempt authentication will use the existing session. - Sadye_Pagac57 commented on September 19th 19 at 00:29
: the process of obtaining access token is separate. When the user enters the username and password in the browser, the provider returns the authorization code. Use this code to obtain an access token. The authorization code is disposable. Marker more tenacious.

The authorization code may be displayed on the website or be passed to the callback address.

Recently did a video on integrating with Dropbox. The process of working with other providers will be similar. Autorisoes through the browser, derived from the authorization code, access token, save the token and use the API. - rene_Mohr commented on September 19th 19 at 00:32
I finally understood what you call the token :)
Well, at the moment, made using WebRequest and WebResponse. Works token pulls.
The only thing not figured out is how to get the information about Selaginella the user?
Documentation Instagram, all this information is displayed if login via Server-Side. But how to get the same thing using Client-Side?
Search option by name is not taken. - Sadye_Pagac57 commented on September 19th 19 at 00:35
some suppliers can save cookies. You can clean them after authorization. Either the option "remember me" forcibly to remove (if any). - rene_Mohr commented on September 19th 19 at 00:38
: treatment options of the cookies in the WebBrowser it is possible here to look. - rene_Mohr commented on September 19th 19 at 00:41
: user data retrieved through the API. Each provider its own API. Together with the Instagram access token returns basic information, additional queries are required. - rene_Mohr commented on September 19th 19 at 00:44
By the way, can implement in my library the same authorization by login/password. It works, provided that the application is disabled a forced Server-Side authorization. Really don't know how this contradicts the idea of Oauth, but in some cases can be useful.
But I'm not about cookies. I mean, in the last stage of authentication through Server-Side returns an Oauth Token which instagram also throws information about the person (https://instagram.com/developer/authentication/ section Server-Side, the last stage). Now, when you login via Server-Side this information is not available. The only way to get is through the search?
Question specifically for API instagram, I understand you know him. - Sadye_Pagac57 commented on September 19th 19 at 00:47
: I worked with all API clients which have done. Instagram have a fairly simple API.

Authorization by login and password - this is what I wrote in the answer? Or client authorization grant_type to token value? This is for JavaScript, awkward and makes no sense. I have under Server Side is done. - rene_Mohr commented on September 19th 19 at 00:50
No, not what you wrote. Using WebRequest and WebResponse. In the process each was redirected just take out the cookies code autorizatii etc.
Thus it is possible as Server-Side and Client-Side. In the end, made using Server-Side using signed headers (Signed Calls) - so the limits more.
In General, my question was completely shot ) the Bad thing is that my bike quite a curve, though, and goes... - Sadye_Pagac57 commented on September 19th 19 at 00:53

Find more questions by tags OAuthC#