Java – browser authentication via httpurlconnection

At present, I am studying the implementation of the tmdb API. There is a method called user authentication. I have successfully implemented step 1.

For step 1, I have the following code:

URL url = new URL("http://api.themoviedb.org/3/authentication/token/new?api_key=the_key");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
StringWriter writer = new StringWriter();
String line;
while ((line = reader.readLine()) != null) {
    writer.write(line);
}
reader.close();
Map<String,List<String>> headerFields = connection.getHeaderFields();
String callBackUrl = null;
for(Map.Entry<String,List<String>> entry : headerFields.entrySet()) {
    if(entry.getKey() != null && entry.getKey().equals("Authentication-Callback")) {
        callBackUrl = entry.getValue().get(0);
    }
}

It prints the callback URL and request token in the console (if I convert writer.toString() to a JSON object).

But the second part is user authentication of user name and password. The callback URL redirects the user to the login page of tmdb. I have tested the callback URL by copying and pasting it from the console to the browser.

Step 2 Description:

Now my question is: if I have a user name and password, can I authenticate the user through HttpURLConnection or any other way?

I tried this:

url = new URL(callBackUrl);
connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("POST");        
BASE64Encoder encoder = new BASE64Encoder();
String usernamepassword = "myusername" + ":" + "mypassword";
String encodedAuthorization = encoder.encode(usernamepassword.getBytes());
connection.setRequestProperty("Authorization","Basic "+ encodedAuthorization);
headerFields = connection.getHeaderFields();

for(Map.Entry<String,List<String>> entry : headerFields.entrySet()) {
    System.out.println(entry.getKey() + " : " +entry.getValue());
}

But on the console, I get:

null : [HTTP/1.1 404 Not Found]
Status : [404 Not Found]
x-frame-options : [sameorigin]
Date : [Tue,28 Feb 2012 08:30:17 GMT]
Vary : [Accept-Encoding]
X-Cascade : [pass]
Content-Length : [7835]
X-XSS-Protection : [1; mode=block]
Set-Cookie : [tmdb.session=BAh7CUkiD3Nlc3Npb25faWQGOgZFRiJFNGRkMjc5ODYwMjJmYWYwZDlmOGE5%0AOTVjY2E0NWFjMzhhYTRiOGFjOGJiYjQ5ZGFhNzExNDdkMGM4MWNhZGUyMEki%0ADWxhbmd1YWdlBjsARkkiB2VuBjsARkkiC2xvY2FsZQY7AEZJIgd1cwY7AEZJ%0AIg5sb2dnZWRfaW4GOwBGRg%3D%3D%0A; path=/; expires=Thu,29-Mar-2012 08:30:17 GMT; HttpOnly]
Content-Type : [text/html;charset=utf-8]
Connection : [keep-alive]
Server : [Nginx]

As you can see:

Status : [404 Not Found]

So the final procedure was not productive.

Am I implementing authentication in the wrong way?

I appreciate your advice very much.

Thank you in advance.

Solution

I am not familiar with tmdb, but I have read their page on user authentication, and I think you misunderstood it.

They make it clear that they do not want third-party applications to store username / password credentials, or pass them in the request ("the advantage of this system is that we never pass the user's user name or password over the air or ask a third-party application to store it locally"). The page at the callback URL is not something you, the third-party application, should post anything to; it is for human use. The user sees this page, which asks "Do you want to grant access to [Third Party application name]? If yes, please log in here". Your application cannot control the process; it is deliberately separated from you, so you will never intercept or store the user's credentials. Once the user approves you, you will be able to obtain the opaque token (session ID) you use instead of the credentials.

This is basically the same as three-legged OAuth; the main difference is that OAuth requires some additional fields and signature calculation, so this is simpler. But it has nothing to do with HTTP Basic auth.

I believe what you want to do is:

1. Do step 1 as you are doing. But don't just grab the Authentication-Callback header; also parse the JSON response and obtain the value of "request_token".
2. Call the new session API to check whether the user has authorized you, passing the API key and the previously obtained "request_token" again. If you get a successful response with a "session_id", you are authorized and you can skip the remaining steps.
3. Otherwise, redirect the user (or open the browser if you are not already in the browser) to the URL specified in Authentication-Callback.
4. Now, since the login / approval process is separate from your application, how do you know when it will be completed? The documentation is unclear and does not describe any way for you to be notified about it (or for tmdb to redirect back to your application). It may be necessary to poll for the result at a reasonable time interval (i.e. return to step 2).
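
The polling loop from the steps above, as an added example that is not part of the original answer or tmdb's own code. The session endpoint path, the class and method names, and the stubbed responses are assumptions; the transport is injected so the sketch runs offline and the application only ever handles the API key and request token, never the user's password.

```java
import java.util.Optional;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TmdbSessionPoll {
    // Assumed endpoint for the "new session API" named in the answer.
    static final String SESSION_URL =
        "https://api.themoviedb.org/3/authentication/session/new?api_key=%s&request_token=%s";

    // Pull one string field out of a flat JSON object (enough for these small responses).
    static Optional<String> jsonString(String json, String field) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(field) + "\"\\s*:\\s*\"([^\"]*)\"")
                           .matcher(json);
        return m.find() ? Optional.of(m.group(1)) : Optional.empty();
    }

    // Poll until the user has approved the token in their own browser, or give up
    // after maxAttempts so an abandoned login does not leave the app polling forever.
    static Optional<String> awaitSession(Function<String, String> httpGet, String apiKey,
                                         String requestToken, int maxAttempts, long delayMs)
            throws InterruptedException {
        String url = String.format(SESSION_URL, apiKey, requestToken);
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            Optional<String> session = jsonString(httpGet.apply(url), "session_id");
            if (session.isPresent()) return session;
            if (attempt < maxAttempts) Thread.sleep(delayMs);
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed step-1 response body; a real one comes from /authentication/token/new.
        String step1 = "{\"request_token\":\"REQ-TOKEN-EXAMPLE\"}";
        String token = jsonString(step1, "request_token").orElseThrow(IllegalStateException::new);

        // Constructed stub transport: two polls see "not approved yet", the third succeeds.
        int[] calls = {0};
        Function<String, String> stub = u -> ++calls[0] < 3
            ? "{\"error\":\"constructed: not approved yet\"}"
            : "{\"session_id\":\"SESSION-EXAMPLE\"}";

        Optional<String> session = awaitSession(stub, "API-KEY-PLACEHOLDER", token, 5, 10);
        System.out.println("polls=" + calls[0] + " session=" + session.orElse("<none>"));
    }
}
```

In a real client, httpGet would wrap an HttpURLConnection over HTTPS and return the error body on a non-2xx reply, and the user would approve the token by opening the Authentication-Callback URL in their own browser.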
