OAuth 2.0 strategies for Chrome Extensions - javascript

I'm building a Chrome extension that adds features to Gmail.
To accomplish this, I need oauth 2.0 access to the Google Contacts and Gmail APIs.
Originally I was using a technique/library outlined here: OAuth 2.0 in Chrome Extensions
That was working fine with the Contacts API, but I couldn't figure out how to get it to work with the very new Gmail API. It seems to send the oauth request as uri parameters, each parameter prefaced with 'oauth'. It also appears to be around 4 years old, last updated about two years by looking at the HEAD.
I then moved on the chrome.identity API, using the chrome.identity.getAuthToken() flow for google accounts. This worked awesome... for the chrome account that's linked to the currently logged in Gmail account. If a user logs into a different gmail account that doesn't match the address of the currently logged in chrome account, all my REST interactions go kaput. Which they should.
So I've moved on to using chrome.identity.launchWebAuthFlow() method, which seems to be the updated version of the first method / library I had tried. The problem here is that an access token seems to be limited to just an hour before requiring a re auth? (Meaning pop up UI, etc) Not ideal for an app used over the course of a workday.
Has anyone here managed to gain long term access tied to more than one email address for an extension?
At this point it seems my best option is just making sure I have helpful UI modals to either
A. make sure the user is logged into chrome under the same address they are logged into gmail under
or
B. Have helpful UI convincing users that reauthorizing every hour is necessary for security. (not terrible, still annoying).
Thanks in advance for any insight!

Related

I need a way to get updated oauth tokens for google photos

I'm currently working on an application for myself in which I need access to my own photos/albums on Google Photos. I have gotten by using the oauth 2.0 token generated in the playground, but I'd like to get a more permanent solution that does not require me manually regenerating the token. Is this possible with Google Cloud? The app is meant to run in daemon, so this makes any option with consent pages unusable. The scopes I'm using are:
https://www.googleapis.com/auth/photoslibrary.sharing
https://www.googleapis.com/auth/photoslibrary.readonly.appcreateddata
https://www.googleapis.com/auth/photoslibrary.readonly
I have tried using the https://accounts.google.com/o/oauth2/token and https://accounts.google.com/o/oauth2/auth endpoints to generate one programatically, but the only minor success I had was /auth sending me to a consent screen. I've also looked at using the refresh token given by Google Oauth playground with no luck there either.
Just looking to see if there is anything that I am missing.. This is my first post on stackoverflow, so please let me know if you need any more information.
I was unable to make it an internal app as it was for personal use and not for an organization.
Solved this by first using the google api package to create my own access/refresh token for my oauth client, then calling the https://oauth2.googleapis.com/token endpoint each time to generate a valid access token. I hope this can be helpful to someone else!
According to the setup documentation, as long as your app is marked as internal, you should not need to verify the app and can use it without the consent screen.

Is it possible to retrieve the URL from Chrome Customs Tabs after the user has authenticated within a NativeScript-Vue Mobile App?

I have created an app that generates user api keys using a discourse site. They are returned as an encrypted payload as a parameter within the return url.
Initially I was using WebView which worked fine but wouldn't allow users to login using Google due to security risks and this is a very important part of the app. I need to be able to read the payload parameter and store that in the app for making API calls.
I have tried multiple NativeScript plugins including AdvancedWebView, AwesomeWebView and investigated many others that don't seem to reach my requirements.
Is what i'm asking possible in NativeScript-Vue? If not how would I do it?

Can I use the Facebook JS SDK without also adding the Facebook Impressions tracker?

I'm currently working on an AngularJS application. The application as it blatantly ignores whether or not you accepted any cookie consent and just places trackers. I am to remove all trackers until a user has accepted the cookie policy.
The application also requires the SDK from Facebook to import some user data (Facebook login required). However, the kit from Facebook that the app currently retrieves also places a Facebook Impression tracker (at least according to Ghostery). The policy allows any external code that is necessary for any functionality the application provides. I am not convinced however that this tracker falls within that range.
My question therefore is, is it possible to retrieve a version of the Facebook JavaScript SDK that does not also place a tracker?

Get connections Linkedin not working [duplicate]

Anyone is having problems retrieving Likendin connections with new apps?
With old apps my hybridauth app is retrieving connections just fine. While with new apps (I created 3 different apps) I keep getting Access to connections denied
When authenticating I got the correct scopes on likedin login screen(r_basic_profile, r_network, w_messages, r_emailaddresses)
Im using free plugin http://wordpress.org/plugins/wp-social-invitations/ which uses hybridauth
This is a recent problem with the linked. They have stopped providing member connection in their recent API change. Now you have to obtain a partner certificate in order to access member connection information. Even my production application has stopped this functionality to work. We might be removing linked from our application as it is of no use now with so much of restrictions.
Linkedin api changed recently, that's the reason scopes are not longer working
The get connections API in linked in has been deprecated follow this link to get the API' that are allowed as part of developers program right now.

PhoneGap and OAuth2

I am developing a PhoneGap application and require my users to sign in through Google with OAuth2. Is this possible directly through JavaScript? I have almost no experience with JavaScript (and jQuery).
What are the options? I have thought of a cumbersome alternative which involves posting the username/password to an application I have hosted on a server which then takes care of logging in. Then the PhoneGap app will have to ask the server if the authentication was successful. However, I was hoping there would be a simpler way.
What is the best way signing in through Google on a PhoneGap app?
I have managed to get it working! I'm posting my thoughts here because I had a hard time finding the answer after hours of searching the web.
The important steps are:
Make sure ChildBrowser works properly
Setup a function that will listen to page changes
window.plugins.childBrowser.onLocationChange = function(fooUrl) { console.log(fooUrl); }
Build the URL with the query string as described in this tutorial
Point ChildBrowser to the URL
When the user logs in, you will be able to extract the session token from fooUrl
If you still don't know how to do this, have a look at this Android app.
(There is a lot of code, and it might seem overwhelming, so I suggest only going for this as a last resort)
Google will not allow you to perform direct authentication by handling the user credentials directly. Instead Google wants you to perform an authentication protocol, typically OAuth 2.0. Other popular authentication protocols you may hear about is OpenID 1.0, 2.0, OpenID Connect, SAML 2.0, ID-FF, etc. These protocols will redirect the user to the Identity Provider (Google, in this case), and send you back with an assertion that you may use to trust the user. With APIs, like Google, you would make use of the authorization functionality of OAuth, which provides you with a token that you may use with all Google APIs after authentication.
A good introduction to how OAuth 2.0 works
With PhoneGap and mobile apps, things are a bit different than the typical OAuth setup.
In your case, the browser is in a controlled environment, your app, and you may
select to redirect the user to Google Authorization endpoint using the main view,
select to open a ChildBrowser with the Google Authorization endpoint, to not lose any state on your app.
to somehow open Safari or another browser with the authorization endpoint, and register a custom schema handler, to redirect the user back to your app after authentication.
These examples are vaguely mentioned in the OAuth 2.0 specifications, but there are no aid in what is the best or optimal in a specific use case. Often the best possible option is not perfect (from a user perspective).
I recently wrote a tutorial on how to make this work with Phonegap and ChildBrowser for iOS.
OAuth 2.0 Guide for Phonegap using ChildBrowser and JSO

Categories

Resources