I've been going through the steps to add a Google+ Sign-in to my web application as found in https://developers.google.com/+/web/signin/
When used in a 'typical' web site, the 'client side' flow works just fine. Now, I'm trying to integrate this Google+ sign inside PhoneGap. Since PhoneGap runs the web page as a file:// URL, the origin that gets sent in the request is file://. In every other PhoneGap I've written, this hasn't been a problem.
However, when I click the Google+ sign in button from my page in PhoneGap, the origin being sent as file:// causes the following error message:
Error: invalid_request
Invalid parameter value for origin: Missing authority: file://
I went to the Google API console and tried to assign file:// as an authorized JavaScript origin. But, of course, it doesn't allow file:// to be entered as an origin.
So I'm wondering if anyone has any insight into how to do this kind of web-style (JavaScript) Google+ sign-in from within PhoneGap (or from a local web page where there is no server - just a page being run as a file://). I really don't want to have to do the sign-in in native code and then integrate the token back over into the 'PhoneGap' realm since that kind of defeats the purpose of writing the app once for multiple platforms.
My understanding is that you cannot use the standard client-side flow with Cordova/PhoneGap because file:// is not a valid origin.
However, you can use the In-App Browser plugin along with window.open, which will allow you to initiate a "standard" client-side flow from within the application. You then listen to events on the opened window to deal with the responses.
The plugin works cross-platform so you won't have to maintain multiple native implementations.
The ng-cordova-oauth library implements this for AngularJS.
For more details about the implementation, see this tutorial, as well as the Google OAuth documentation.
For file://, the thing works differently. Try this as your origin: http://localhost:4567
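The In-App Browser approach described in this answer, as an added example (not code from the original post or from ng-cordova-oauth): it opens the authorization page, watches loadstart events for the redirect, and checks the state value before accepting a token. The client id, scope and the http://localhost/callback redirect URI are assumptions.

```javascript
// Added example: OAuth 2.0 implicit flow via cordova-plugin-inappbrowser.
const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/auth'; // URL quoted on this page
const REDIRECT_URI = 'http://localhost/callback'; // assumption: registered for the client

// Build the authorization URL; `state` binds the response to this request.
function buildAuthUrl(clientId, scope, state) {
  const q = new URLSearchParams({
    client_id: clientId,
    redirect_uri: REDIRECT_URI,
    response_type: 'token',
    scope: scope,
    state: state,
  });
  return AUTH_ENDPOINT + '?' + q.toString();
}

// Inspect a URL the in-app window is navigating to.
// Returns null if it is not our redirect, otherwise { token } or { error }.
function parseRedirect(url, expectedState) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.origin + u.pathname !== REDIRECT_URI) return null; // exact match, not a prefix
  // The implicit flow returns its values in the fragment.
  const p = new URLSearchParams(u.hash.slice(1) || u.search.slice(1));
  if (p.get('state') !== expectedState) return { error: 'state_mismatch' };
  if (p.get('error')) return { error: p.get('error') };
  const token = p.get('access_token');
  return token ? { token: token } : { error: 'missing_token' };
}

// Unguessable per-request state value (runs inside the webview).
function randomState() {
  const bytes = new Uint8Array(16);
  window.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Cordova side: call after deviceready. location=yes keeps the URL bar visible.
function signIn(clientId, scope, onDone) {
  const state = randomState();
  const win = cordova.InAppBrowser.open(
    buildAuthUrl(clientId, scope, state), '_blank', 'location=yes');
  win.addEventListener('loadstart', function (event) {
    const result = parseRedirect(event.url, state);
    if (result === null) return; // still on the provider's pages
    win.close();
    onDone(result);
  });
}
```

Google has since begun rejecting OAuth requests from embedded webviews (error disallowed_useragent), so for Google accounts the same URL parsing and state check have to sit behind a system-browser flow instead.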
or try this tutorial: here
Related
I made a web application using Quasar and a Java Spring Boot backend. I converted my web application to an Android application using a WebView. But when I published it in the Play Store, it gives a security issue for my backend server URL. I do not collect any data or install anything in Android apps or on the user's device, but Google gives an exception in my Android app. How can I fix this issue in Android WebView apps?
This warning is sent by the Google Safe Browsing service, which is embedded in the Google Chrome browser and several other browsers. This service looks for vulnerabilities principally in the markup, for example open tags that could lead to a code injection or other possible threats. The Safe Browsing service is independent of the GCP Serverless services; this means that GCP is not marking the site as dangerous.
To prevent this message from appearing, or remove it we can do the following:
Look out for potential vulnerabilities in the app, once the changes have been made, you can use this page to see the Safe Browsing Status.
If you think that there was a mistake, you can request a review to remove the Phishing Warning in this site.
It is highly recommended to take a look at this documentation to understand what could be the reason behind the message.
My issue is now fixed. It ended up being a hosting server issue. Google had me on a blacklist, but now it's fixed.
Short:
I need help with SSO in Safari. I'm using iFrame and postMessage logic which is working fine in Chrome and Firefox (PC, Mac, Android and iOS), but the catch is in Safari. I tried the Storage Access APIs and placed those in the iFrame's onLoading event to check access. But the localStorage which I used to store the JWT is not persistent in the iFrame. I'm using Angular 11.
Scenario:
I'm developing a few applications which use the same auth site for SSO, which was working as expected, as I said in the short description. But when it comes to browsers with Intelligent Tracking Prevention enabled, as of now Safari, it blocks the iFrame by considering it a 3rd-party tracker, which is very insane since the iFrame's origin (domain) is the same as the sub-domain used in the service sites.
I tried to check the access by using the Storage Access API, i.e. hasStorageAccess(), in the window onLoad method in the iFrame's script. If it has no access, I call requestStorageAccess(). I'm here not using a user gesture and using a button click from the service site because I'm using Angular for the frontend framework, but in order to request using a button in the iFrame. (Since the policy specifies that getting access works only after user interaction, which is another headache for devs.)
I need help to overcome this issue and fix the SSO with ITP. Any guidance is useful and I'll keep this updated.
Google is working fine with their SSO, and services such as YouTube and Mail don't need a login on every visit. Any idea how they achieved this?
The reason could be that Safari has the option "Prevent cross-site tracking" enabled by default and that can interfere with the SSO login and display of an embedded iframe (because it blocks some cookies).
Solution
Disable (uncheck) the option for "Prevent cross-site tracking" in the Safari configuration menu.
Tip: To achieve a better user experience, using JavaScript you can detect when a user is using Safari and show him an HTML message explaining that he needs to disable that option in order to continue or use another browser like Chrome or Firefox.
I am trying to get LinkedIn authentication on my PhoneGap app, so I am using the JavaScript SDK.
What domain do I add to the authentication list? I keep getting the error "JavaScript API Domain is restricted to localhost"
and I tried this: http://www.benwagner.net/mobile/linkedin-developer-api-javascript-domains-cordova-mobile-app/
But LinkedIn won't allow file:/// anymore.
I can see that there seems to be no way to support a mobile application JavaScript API domain, as the mobile application has no public domain but just a socket; it's a client.
The link that you have provided claimed to have found a solution in 2013 by just mentioning the protocol file:/// in the domain. However, I found another link from 2014 which says that this doesn't work anymore. Maybe you can try adding file:///, http://localhost.
This should in effect (if the file:/// is allowed) allow your application on mobile and in a localhost browser to sign in.
I'm implementing a PhoneGap application and I want to allow signing in from different services (Facebook, Twitter, Google). I am using the childBrowser plugin, which is actually a UIWebView.
Whenever I try to load specifically Google's OAuth URL https://accounts.google.com/o/oauth2/auth with or without the specified parameters, the UIWebView is stuck on loading. If I access that URL from mobile Safari, it works.
From a bit of searching (before posting) I came to the conclusion that it must have something to do with the Certificates from Google. UIWebView doesn't allow unsigned certificates, or something like that.
RESOLVED
I had a blank space before https (it was ' https..' instead of 'https..'). This caused the webView to get stuck on loading screen.
What's the easiest way to build a simple 'web' application which is a single page, that just refreshes itself (using AJAX or something) to display continuously changing data hosted on various different servers on the internet?
I want to interface with (for example) Twitter, Facebook, Skype, Google Calendar, and any number of other services that have some type of web API.
The application does not need to allow user interaction other than to configure it with the authentication parameters needed to access those services.
It should be able to run full-screen with no UI elements showing, just the pretty information I am displaying.
I started to write an HTML file using jQuery but I am running into "Same Origin Policy" issues. Is there a way around this?
I'd love to just write this in HTML/JavaScript and run it in Google Chrome, is that possible somehow? I don't know how to get around SOP without hosting my own web server as a proxy to cross the domains.
Is there another alternative that is still pretty easy and simple? I looked into using the Windows Vista Sidebar but apparently you can't have a full-screen gadget.
I figured out that I can use the command line option for chrome:
--disable-web-security
And it will allow me to work around the same origin policy, and since I am using this for a local application I can put the app in a virtual machine and let it run without too much worry.