Authenticate to google apps script given oauth access tokens - javascript

I have seen google apps script's tutorial to migrate from oAuthConfig to oauth1 here
But what if I have the access tokens with me already?
I checked the oauth1 library code here and could not find a way to include access token here.
Is there any alternative way?
Also note that I have 4 things with me: Consumer Key, Consumer Secret, Token and Token secret.(Note: I have 2 things in access token, not only a single token).

As mentioned here(read the Warning on that link), OAuth1 was shut down on April 20 this year. So I am assuming/hoping that you're using OAuth2 instead. If not, I would suggest you to migrate soon as possible.
When working with access tokens, it is important to remember that they have limited lifetimes. Hence, always remember to add them "programmatically". Depending on the API you're trying to access, access tokens are appended to the request as the value of the access_token query parameter of your request. Here are a couple of examples:
Plus API:
GET https://www.googleapis.com/plus/v1/people/userId?access_token=1/fFBGRNJru1FQd44AzqT3Zg
Youtube API:
https://www.googleapis.com/youtube/v3/channels?part=id&mine=true&access_token=ACCESS_TOKEN
So look up the Google Developers documentation for the particular API you're using for help on what the exact request will be like. Here are a few samples for using OAuth2 with Google App Script. Hope this helps.
EDIT:
A little correction. For OAuth1, the access token is passed using oauth_token. For clarity of how the process flows, refer to the subheadings 6.1 to 6.3.2 in this link and the former one for how it is done on Google's end.
Also, quoting this link:
"April 20, 2015: OAuth 1.0 is shut down. A static error page will be displayed on all requests. Make sure you have migrated well before this date."
If that hasn't already happened, it might happen anytime as currently OAuth1 is "officially" shut down.

Related

I need a way to get updated oauth tokens for google photos

I'm currently working on an application for myself in which I need access to my own photos/albums on Google Photos. I have gotten by using the oauth 2.0 token generated in the playground, but I'd like to get a more permanent solution that does not require me manually regenerating the token. Is this possible with Google Cloud? The app is meant to run in daemon, so this makes any option with consent pages unusable. The scopes I'm using are:
https://www.googleapis.com/auth/photoslibrary.sharing
https://www.googleapis.com/auth/photoslibrary.readonly.appcreateddata
https://www.googleapis.com/auth/photoslibrary.readonly
I have tried using the https://accounts.google.com/o/oauth2/token and https://accounts.google.com/o/oauth2/auth endpoints to generate one programatically, but the only minor success I had was /auth sending me to a consent screen. I've also looked at using the refresh token given by Google Oauth playground with no luck there either.
Just looking to see if there is anything that I am missing.. This is my first post on stackoverflow, so please let me know if you need any more information.
I was unable to make it an internal app as it was for personal use and not for an organization.
Solved this by first using the google api package to create my own access/refresh token for my oauth client, then calling the https://oauth2.googleapis.com/token endpoint each time to generate a valid access token. I hope this can be helpful to someone else!
According to the setup documentation, as long as your app is marked as internal, you should not need to verify the app and can use it without the consent screen.

LinkedIn: Javascript Token and validate user in server

I have been reading a lot of questions/answers about the LinkedIn login through javascript login and the validation of the user from backend. But I didn't find a solution that worked with current API.
I understood that the JS token is not the same as the Oauth Token and I don't need to save the token for the future use, I only need to validate the user before the signup on the website.
Once the user is authenticated, I'm going to request the basic profile user and api-standard-profile-request
IN.API.Profile("me").fields(
'id', 'first-name', 'last-name', 'email-address', 'api-standard-profile-request')
The apiStandardProfile returns me an object with an url (like this https://api.linkedin.com/v1/people/{id_user}) and an array with headers (like this name: "x-li-auth-token", value: "name:xxxx"). I haven't find in the official docs how to use this, but I receive every time an "Authentication Failed" with status code 200.
So, do I need to rewrite the authentication flow with Oauth2.0, or can I continue to use the Javascript login?
Thanks
P.S.: I found and read the old documentation from this old topic https://web.archive.org/web/20141028192415/https://developer.linkedin.com/documents/exchange-jsapi-tokens-rest-api-oauth-tokens.
I've had the same problem and the only way I found to use the JS token was to use the header oauth_token instead of an Authorization Bearer header when requesting something with Rest API:
POST https://api.linkedin.com/v1/people/~:(id,firstName,lastName,picture-url,email-address)?format=json
Headers {
'oauth_token': JS_TOKEN
}
The JS_TOKEN I'm reading on frontend from IN.ENV.auth.oauth_token.
I have also faced a lot of issues with LinkedIn APIs, I am recommending you to follow the latest development docs in Linkedin's developer site because LinkedIn had been changed their developer programme significantly after Feb 2015, so depending upon the old APIs will be a risk.
I believe following will help you to solve the issues,
Use this link to explore & test the APIs, including profile API.
This is the full list of parameters supported by profile API
If you only need public profile, add this public-profile-url as the comma separated parameter in the API.
https://api.linkedin.com/v1/people/~:(id,num-connections,picture-url,public-profile-url)?format=json
or for siteStandardProfileRequest, use following API
https://api.linkedin.com/v1/people/~?format=json
OAuth vs Javascript SDK:
Javascript SDK
Pros: Easy to integrate, less coding effort, no token management.
Cons - will not support iOS
OAuth
Pros: platform independent
Cons - Token managment, More coding effort

Gmail JS API - OAuth2 Error invalid_scope

I am new to GMail JS API and I was trying to read gmail emails using Javascript according to the quickstart tutorial given explained on below link
https://developers.google.com/gmail/api/quickstart/js
I have followed all the instructions given on the page but I am getting below
error
did I miss something???
Please help me resolve this error
Thanks in advance!!!
You may refer with this thread. Make sure that you are authenticated to the API properly.
To do this, there are two ways:
use OAuth - the Server redirects the user to google's servers, where they can login, grant permission to your app, and pass a token back to
you
Service Accounts. These are a little bit more complicated:
First, you'll have to setup an app (done)
second, you'll have to setup a service account. This is how your app authenticates to google. you've done that, and the certificate
you've got contains the private key to authenticate
third, the user needs to grant your application access to act on behalf of them. This is the point you haven't done yet.
Also, as stated here, certain scopes simply aren't supported for the oauth2 for devices flow.
Additional references:
Invalid scope error when trying to access gmail api
You may refer with this thread.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
This blog about how to fix this error might be also helpful.
OAuth invalid scope

How to make a web API private

I have an API that I would like to restrict access to. I can provide access keys and check them with each request, but I'm not sure how far this is really going to go.
The API is used by applications, but it is also used by a web app which someone can just view the source of. If they did, they would have the key and could easily make API calls.
Is there a more reliable way to secure access? I'm not sure what the standard practice here is.
Edit: After thinking about it, I could use a two-prong approach. The web app can use POST with CSRF, and applications can use API keys. Any other ideas, or is this a generally accepted solution? (Note, this still wouldn't work for third-party web apps.)
Your API is never private since it's used by a web app which I am assuming is available to the general public. If this is the case, there really is no impetus to secure it since anyone and everyone would have access to the API.
If on the other hand, this web app is only available to registered users, you can use a token system to check for authorization. When the user successfully logs in, you pass back a token (usually something 20 to 30 characters long). Every API request would require a valid token. Tokens can be set to expire automatically (using a database job) X hours after creation if your application requires higher security thresholds. If security isn't a big issue, they can be renewed automatically every time a request is made.
This is essentially a two tiered approach. Temporary tokens are generated for users to directly connect to your API so that permanent credentials are never sent to the client. Predefined keys are given to third party developers who build applications on top of your API and have their own back-end.
If it's your API you can simply do this.
1) Insert the following code into your API file(s)
$authToken = "APItoken"; //variables
if( !isset($_REQUEST["authToken"]) || $_REQUEST["authToken"] != $authToken )
die("Need auth token");
2) You will now need to GET/POST/PUT the URL like this:
http://www.yoursite.com/api1.php?authToken=APItoken&nextParam=&paramAfterThat=
If this helped please mark it as the answer
EDIT:
Nevermind, read it wrong. Updating answer in a few minutes.

No Authentication Pop up with Tumblr Like <a> link

As of now I am building out a custom Tumblr page which is basically aggregating post content into 1 page.
Problem is, we can't use the Tumblr tags for the Like, we have successfully gotten the Reblog to work, but when ever I try and use an hrefed to this pattern,
'http://www.tumblr.com/like/'+oath+'?id='+id'
and /unlike/ for unliking the post.
I can't get anything but an access denied page to come up.. Shouldn't I at least be seeing an authentication pop-up of some kind? Not sure what else to do here. Need to get this LIKE functionality working, and using the Tumblr {like button} is not an option since we aren't using a {posts block} rather pulling all our content in via JSON API.
Found an answer!
So let me break it down for you all.. I am just going to run down all the issues and caveats that were discovered while I was hacking away at the Tumblr API. In most cases you will not find any of these answers on the inter webs. If you do, they most likely will just be my answers to my own questions that I posted to the Forums.
A Tumblr Application is defined by any page template either hosted
by Tumblr or not that will be using the Tumblr API. Applications
must be registered with Tumblr at:
https://www.tumblr.com/oauth/apps
All Tumblr Applications upon creation are given a set of keys for
accessing the Tumblr API. OAuth Consumer Key aka API Key Secret Key
The Tumblr API is divided mainly into two different types of
methods. The third being “Tagged” which is for pulling tagged posts
from the Blog or the User.
“Blog Methods” which only require the submission of the Consumer
Key. “User Methods” which require a full OAuth signed request which
meets the OAuth 1.0a Protocol. The “User Likes” returns a maximum of
50 records at a time. This is not documented in the Tumblr API
docs.
Currently the Tumblr API documentation directs developers to use one of the many open source API clients. However, all these clients seem to be Server Side applications. For providers, such as Tumblr, which support only OAuth1 or OAuth2 with Explicit Grant, the authentication flow needs to be signed with a secret key that may not be exposed in the browser.
HelloJS gets round this problem by the use of an intermediary webservice defined by oauth_proxy. This service looks up the secret from a database and performs the handshake required to provision an access_token. In the case of OAuth1, the webservice also signs subsequent API requests.
HelloJS - http://adodson.com/hello.js/ is the only client-side Oauth library that was available and free. There are many services out there that charge on a per-api hit basis to serve as a proxy.
The HelloJS OAuth Proxy is available at: https://auth-server.herokuapp.com/
Login to the OAuth Proxy is done using one of the following social account credentials: Google, Windows Live, Facebook, or Yahoo.
OAuth Proxy serves as a secure “man in the middle” allowing for the “Secret Key” to be securely stored while still allowing for Client-Side OAuth authentication.
HelloJS features a special Tumblr Module - http://adodson.com/hello.js/demos/tumblr.html
HelloJS utilizes the new Javascript Promises asynchronous functions specification - https://www.promisejs.org/
Javascript Promises have some unique rules when it comes to passing objects received from an asynchronous AJAX call.
With everything is done in the callback.
What jQuery calls a promise is in fact totally different to what everyone else calls a promise.
Hope this helps for future Tumblr integrations.
John

Categories

Resources