By russjr08
Hi,
I’m trying to develop an Android DigitalOcean app, and I’m having a hard time with authorization.
Currently, I am using this library to access DigitalOcean’s API from Java. Here’s what I’m doing in terms of authentication:
- If no token is stored, open the login activity. ASK (I’m not prompting for specific credentials) the user to authorize the app.
- Upon clicking the button, a WebView comes up with the URL set to the URL that is given in the Apps & API page for my app.
- The user then logs into DigitalOcean, and DigitalOcean asks the user if they’d like to allow my app to read their information.
- User clicks yes, DigitalOcean redirects to callback URL with the token as a parameter. My app is configured to open the URL scheme, and extracts the token.
- I open up the main activity, the activity gets the token and passes it to the Java wrapper I’m using
- Finally, I try to grab the available droplets, and get an “Unable to authenticate you” error…
I pulled the token from the app and tried to manually use it in cURL with
curl -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer MyTokenFromAppHere' "https://api.digitalocean.com/v2/droplets?page=1&per_page=1"
I also get the unable to authenticate message. Now when I replace the token with a personal token, I get the expected response (a listing of my droplets).
So my main question is, what’s the difference between an OAuth API token, and a personal token? Surely I’m not supposed to ask the user to generate a personal token to plug into the app, right…?
Edit: Also, I tried basic authentication (-u “TokenHere:”) and still the same message.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
A “Personal Access Token” and one received via the oAuth flow are essentially the same thing just obtained in a different manner. We allow users to generate PATs in the control panel for use in things like scripts and single user applications rather than having to perform the oAuth dance.
How exactly are you requesting the token? There are two approaches to doing so, a server-side one and a client-side (a.k.a. the “implicit” flow). Check out this article for a good introduction to oAuth2.
For the server side flow, the initial request would look like:
https://cloud.digitalocean.com/v1/oauth/authorize?response_type=code
&client_id=CLIENT_ID
&redirect_uri=https://example.com/callback
&scope=read%20write
&state=RANDOM_STRING
This does not return an oAuth token, It returns an authorization code as part of the call back url. (E.g. https://example.com/callback?code=e2775a296abb3ad44798ab9&state=0807edf7d85e5d). A second request is then necessary to get the token. Like:
curl -X POST "https://cloud.digitalocean.com/v1/oauth/token?grant_type=authorization_code
&code=AUTH_CODE
&client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
&redirect_uri=https://example.com/callback"
This will return a json object containing the actual token:
{
"access_token": "547cac21118ae7",
"token_type": "bearer",
"expires_in": 2592000,
"refresh_token": "00a3aae641658d",
"scope": "read write",
"info": {
"name": "Sammy the Shark",
"email":"sammy@digitalocean.com",
"uuid":"e028b1b918853eca7fba208a9d7e9d29a6e93c57"
}
}
This is useful as it also returns some user information and a refresh token. The drawback is that it requires sending your “client secret” which you do not want to have stored on a user’s device.
For a phone app, you’ll want to use the client side approach. The request would look like:
https://cloud.digitalocean.com/v1/oauth/authorize?response_type=token
&client_id=CLIENT_ID
&redirect_uri=https://example.com/callback
&scope=read%20write
This would return the token in the callback url:
https://example.com/callback#access_token=ACCESS_TOKEN
Hi there,
A quick update here, custom scopes for DigitalOcean API Tokens is now in beta!
This API token enhancement provides additional flexibility in protecting your cloud resources by letting you select only the necessary scopes.
Please fill out this form if you are interested in participating in the beta..
Custom scopes introduce more specific permissions, like creating Droplets or updating cloud firewalls. Using custom scopes lets you secure your workflows by granting only the permissions the token needs and restricting access to other resources and actions.
Generally, the CRUD scopes map to equivalent actions on the associated kind of resource:
-
Create scope lets you create the resource type and perform additive actions within that resource type. For example,
database:createlets you create database clusters and create new users or databases within that cluster. -
Read scope lets you view information about a resource by type and also view information that the resource returns. For example,
app:readlets you view App Platform apps and their logs. -
Update scope allows you modify a resource type and perform actions that would otherwise modify a resource. For example,
droplet:updatelets you power a Droplet on or off. -
Delete scope lets you delete a resource by type and perform actions that delete information about the resource type. For example,
database:deletelets you delete databases from a database cluster and remove existing users from a database.
Each custom scope correlates to one public API endpoint.
Best,
Bobby
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.