My client has a Dropbox folder with files they want to make available on their web site in a custom widget we're building. I understand how to use the Dropbox API v2 to get the list, but where does the OAuth access token come from?
Do I need to create a formal Dropbox app just to do this?
Does my client need to create an app since it's their Dropbox folder?
Is an "app" even necessary? I'm hoping it's not.
(The access token is protected behind an AWS Lambda function, in case you're wondering.)
Dropbox follows the oauth standard. So, to consume its rest api you have to create an access token for authorization.
You have to create an app on dropbox which gives you necessary details to create an access token. Your client won't need to create an app. You can create an app and use your client's credential to authorize to your app which create an access token. You can use in Dropbox API.
Follow the link after creating app to create access token :
https://www.dropbox.com/developers-v1/core/docs#oa2-authorize
Hope this helps!
Update:
For the scenario described in the question, the answer is to create an app in the client's account and use its generated access token. There is no need to create a full OAuth flow, nor does it need to be a production app.
Related
In AWS cognito there is an option in admin panel to create a new user by sending him an invitation with temporary password. It works good, but I need to implement exactly the same feature inside my application (react spa).
I am using aws-amplify-js but I can't see there any method which do that. In aws-sdk documentation I see adminCreateUser what is a function I need, but it requires developer credentials so I suppose I shouldn't use it in browser.
Any ideas how to implement this feature in proper way?
You can create a lambda and API endpoint to send the invitation. Of course, you should protect the API endpoint access using custom authorization to prevent non-authorized users to call this endpoint.
Visit the following for more info about the SDK:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminCreateUser-property
We are creating an app where every user has a designated dropbox folder which is located in a dropbox folder created only for the app. The user should have only access to his own folder.
The problem is with the created API access token you have access to all folders of all users. In our app we are able to restrict the access so the user has only access to his own folder but because the access token must be hard coded into the web app anyone could eventually get hold of it. With the access token they would have access to all user folders (and the client data would be unsecured).
So there are two possibilities:
We access Dropbox via PHP and restrict the access. The app gets the user folder per AJAX and the PHP script handles the restrictions. But there is no possibility to access Dropbox via PHP (in API v2).
The data is stored on the users own Dropbox accounts, but we don't want the users to need an own Dropbox account to get access to our app functionalities. And the company should always have access to all user folders.
Is there any possibility to encrypt and hide the access token in the javascript code? Or are there other ways to solve this problem?
As noted in the comments, you can't just hide the access token in JavaScript. While you can make it more difficult for an attacker to extract the token, you can't make it impossible. (Client-side apps, such as in browser JavaScript, fundamentally can't keep secrets.)
A few other notes:
But there is no possibility to access Dropbox via PHP (in API v2).
This isn't really true. While Dropbox does not offer an official PHP SDK for Dropbox API v2, you can still access Dropbox API v2 from PHP either using the HTTPS endpoints directly, or using a third party library.
The data is stored on the users own Dropbox accounts, but we don't want the users to need an own Dropbox account to get access to our app functionalities
The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. Accessing a single account like this isn't recommended.
I have used the Youtube-api and also created the oauth-clientId for some demo project. I also used the Client libraries (java & javascript) for uploading videos to my channel and i succeeded. But i don't want to share my login credentials and want my client users to upload videos to my channel. Is there any way, i mean documentation or procedure or youtube-implementations?
Assuming that you are using Java as you said. You should have a refresh token after your application has been authenticated.
The refresh token can be used to request a new access token. You should use this refresh token to allow others to upload to your channel. Note: To my knowledge you cant get a refresh token with the JavaScript client library due to security issues. You need to use a server sided language to do this.
For Refrence:
YouTube does not support service accounts so that wont work. API Key is only used for accessing public data so that wont work either.
I finally found an answer to my question and now my users[whom i give some authorizations] can directly upload to my youtube channel.
As per the comments i received for my question, i came to the conclusion that i have to do it at the server side because of the security issues.
The thing which came to rescue is namely Refresh Token.
I first created a simple application through which i logged & uploaded video [uploading is not necessary] into my youtube account and received the respected refresh token
Then i saved that refresh token through which i created a Credential object manually.
You can check the code provided by google :
UploadVideo.java
Credential credential = Auth.authorize(scopes, "uploadvideo");
This is what i replaced with this and obtained my own refresh token.Refresh token does not expire like normal access token, and is used to generate normal access token when needed. So, refresh token was the key to my question
Then at the backend, the only thing you have to do is just create the Credential manually. You can use this code
getCredential = new GoogleCredential.Builder()
.setJsonFactory(JSON_FACTORY)
.setTransport(HTTP_TRANSPORT)
.setClientSecrets(clientId, clientSecret)
.build()
.setRefreshToken(refreshToken)
// The refresh token here will be the same you received offline.
Here is the official google doc about this concept
Refreshing an access token (offline access)
Access tokens periodically expire. You can refresh an access token without prompting the user for permission (including when the user is not present) if you requested offline access to the scopes associated with the token.
If you use a Google API Client Library, the client object refreshes the access token as needed as long as you configure that object for offline access.
If you are not using a client library, you need to set the access_type HTTP query parameter to offline when redirecting the user to Google's OAuth 2.0 server. In that case, Google's authorization server returns a refresh token when you exchange an authorization code for an access token. Then, if the access token expires (or at any other time), you can use a refresh token to obtain a new access token.
Requesting offline access is a requirement for any application that needs to access a Google API when the user is not present. For example, an app that performs backup services or executes actions at predetermined times needs to be able to refresh its access token when the user is not present. The default style of access is called online.
Server-side web applications, installed applications, and devices all obtain refresh tokens during the authorization process. Refresh tokens are not typically used in client-side (JavaScript) web applications.
I am creating a JavaScript app which runs in browser of the desktop user, I need to display some data from SharePoint Online site, how do I authenticate and get display data in the App?
What kind of data did you want to display? As far as I know, we can query the data from SharePoint online using Microsoft Graph API. To use this API, we need to register the app first and in this scenario, we can register a client app(refer to here).
Then we can use the ADAL.JS to authenticate the application. For a sample demonstrating basic usage of ADAL JS please refer to this repo.
And if you were developing an SPA app, we can use the OAuth 2.0 Implicit Grant protocol to obtain an ID token (id_token) from Azure AD. The token is cached and the client attaches it to the request as the bearer token when making calls to its web API back end.
No you can't do this using JavaScript. You should use the Client Object Model (CSOM) to achieve the same.
If you want to achieve the same please refer the url
https://github.com/nickvdheuvel/O365-ADALJS-examples/blob/master/Authenticate-an-Office-365-user-with-ADAL-JS/Authenticate-an-Office-365-user-with-ADAL-JS.html
Hope this information helps you.
I have a custom OAuth2 server that I set up in Rails using Doorkeeper. It works great with my Rails apps and NodeJS/AngularJS apps. I pass an account ID and redirect URI to the server, it sends back a code, which I then send again to get a token with user information.
I am trying to find a guide or basic code I can alter to allow it to login with my own server. Unfortunately I can't find any guides for this or standalone OAuth2 packages for Meteor that have documentation.