Does OAuth 2.0 always require a browser in the flow

google-drive-apioauthoauth-2.0Security

Can I use OAuth 2.0 without a browser (or an embedded browser in my app) to perform nightly uploads?

Setup I have a refresh token and access token from provider console– Google Drive API

I wish to use Java SDK to use/reuse these to upload data without the requirement for any browser authorization once i have initially received my refresh/access tokens.

Best Answer

OAuth 2.0 requires a browser for user consent once

A browser is required, so that the user can agree to the request of the app to access the users data. After the user agreed on sharing the data with the app, the app can use the refresh token without a browser based flow.

Documented here: https://developers.google.com/accounts/docs/OAuth2WebServer

Alternative for non-browser apps

You may use the OAuth 2.0 for Devices flow: You app can act as a device which queries a code from google, displays it to the user, and asks the user to browse to a verification URL (e.g. with (system.out.println...).

So a browser is still needed, but your application itself doesn't need to provide a webpage to the user.

Related Solutions

How does the SQL injection from the “Bobby Tables” XKCD comic work

It drops the students table.

The original code in the school's program probably looks something like

q = "INSERT INTO Students VALUES ('" + FNMName.Text + "', '" + LName.Text + "')";

This is the naive way to add text input into a query, and is very bad, as you will see.

After the values from the first name, middle name textbox FNMName.Text (which is Robert'); DROP TABLE STUDENTS; --) and the last name textbox LName.Text (let's call it Derper) are concatenated with the rest of the query, the result is now actually two queries separated by the statement terminator (semicolon). The second query has been injected into the first. When the code executes this query against the database, it will look like this

INSERT INTO Students VALUES ('Robert'); DROP TABLE Students; --', 'Derper')

which, in plain English, roughly translates to the two queries:

Add a new record to the Students table with a Name value of 'Robert'

and

Delete the Students table

Everything past the second query is marked as a comment: --', 'Derper')

The ' in the student's name is not a comment, it's the closing string delimiter. Since the student's name is a string, it's needed syntactically to complete the hypothetical query. Injection attacks only work when the SQL query they inject results in valid SQL.

^{^{Edited again as per dan04's astute comment}}

What’s the difference between OpenID and OAuth

OpenID is about authentication (ie. proving who you are), OAuth is about authorisation (ie. to grant access to functionality/data/etc.. without having to deal with the original authentication).

OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.

The blog post "OpenID versus OAuth from the user’s perspective" has a simple comparison of the two from the user's perspective and "OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing" has more information about it.