I am developing a chat application which requires linkedin authentication for its users. I had a look at the sample code on the Connections javascript API page and wanted to test it out. While the direct link http://developer.linkedinlabs.com/tutorials/jsapi_connections/example.html retrieved my connections to perfection, running the code on my localhost yielded no results(no errors though). It simply does not seem to fetch the connections. I tried obtaining the connections in tag:JSON format first, but even this was an exercise in futility. Note however that the Profile API works on both the localhost as well as the example on your page. Please help!!
Regards,
It sounds like you haven't set the JavaScript Domain properly - you need to set the JavaScript API Domain field of the Application Settings to http://localhost for the application to function when running locally.
Related
I'm curious if anyone else has encountered this issue.
I am building an application that will authenticate users using Google 0Auth 2.0 + OpenID.
I've built a simple site just with HTML and CSS to hold the UI and I'm using live server in Vscode to view it.
In The Google developer console for oauth, you must set Authorised JavaScript origins for client-side applications. I assumed I would just set this to http://localhost:5500 for the port that live server uses but I always get the following error:
Authorization Error
Error 400: invalid_request
Permission denied to generate login hint for target domain.
I have got around the issue by just getting a domain and hosting for a test site and setting this as the "Authorised JavaScript origin". However is seems really clunky and I have to FTP all my files to my hosting provider every time I want to change my code.
I could also host everything on a Node.js server from my local machine but this would just cause the same issue as before.
My question isn't so much how to stop getting this error but what is the proper way of developing with OAuth 2.0 and is there any way to speed up the process/create a local environment that doesn't get the same errors.
Thanks for your help.
There is an answer to this Google question here that may help you.
The way I have always set up an OAuth environment is to try to avoid localhost and use more real world URLs on a Developer PC. I also like to split them like this which helps me to visualize the architecture:
Base URL
Represents
http://www.example.com -
Your web UIs
http://api.ecample.com
Your APIs
http://login.example.com
The Authorization Server
This approach can also give you more confidence that your code will work well in beowsers, in areas such as these:
CORS
Cookies
Content Security Policy
By default you just need to edit your hosts file and add an entry like this. It can work very well for demos to business people also.
127.0.0.1 localhost www.example.com api.example.com login.example.com
:1 localhost
ADVANCED SCENARIOS
At Curity we provide some quite advanced developer setups and this approach scales well, as in the below articles. The second of these also provides a script you can use to run locally over SSL, in case this is ever useful:
Single Page Apps End to End Developer Setup
Kubermetes End to End Developer Setup
I'm attempting to make a custom client to a web service that is authenticated by SSO/SAML. So far I've tried following the redirects and set-cookies manually, but the redirects eventually got stuck in a loop. I also failed to recieve a set-cookie for "SimpleSAMLAuthToken", even though that cookie was present when looking through it in the browser.
If anyone finds it helpful I'm using Electron to make the application. Thanks in advance.
How can I integrate chrome push notification (GCM) on my HTTP site. That would be great help if i could get any sample related to this? According to Google documents this is only for HTTPS sites, but is there any way to integrate push on HTTP site?.
Please help me, I am stuck here?
The Web API needs a service worker so the piece that receives the events needs to be https for sure.
I am not sure if you would be able to register via http through some iframe trickery but I would not count on it. Even if you manage to do it there are no guarantees that it will keep working since as you say the documentation says it is only for https sites.
It is possible only with https site. But the workaround is this you will have to maintain one https domain. For Http site, you will use an iframe or Modal for getting a subscription and redirect to your https service worker. This is the only way to do this.
I am working on allowing a chrome extension to post a new entry to my site via post data.
I want to be able to lock it down so only the chrome extension can post. If I get post data from anywhere else I want to reject it.
Does anyone know if/how this is possible or how you would go about doing it?
Unfortunately, validating clients (whether a Chrome extension, an Android app, an iOS app, client-side JavaScript, or some other client) from a web server is an unsolved problem.
There are some things that you can do to deter abuse and mitigate this problem such as:
Requiring user authentication (and rate-limiting usage per-user)
Rate-limiting access on the basis of IP addresses
Requiring tokens to be provided that are handed out in prior requests (this can be used to ensure that certain APIs are called in certain expected orders / patterns).
Showing a CAPTCHA or other challenge for anomolous or over-limit usage
While you can additionally check things such as user agent, referrer URL, or a token that you embed in the Chrome extension, with any distributed application, it is easy to reverse-engineer these and mimick them in a counterfeit app, and so these aren't true solutions.
You can add a simple check in the code.
Following code stops anyone who is trying to access your api outside the chrome extension.
if(substr($_SERVER['HTTP_ORIGIN'],0,19) !== "chrome-extension://") die("Not Allowed")
I was reading #Nivco answer to Authorization of Google Drive using JavaScript and saw:
"...all you have to do it is use server-side code to process the authorization code returned after the Drive server-side flow (you need to exchange it for an access token and a refresh token). That way, only on the first flow will the user be prompted for authorization. After the first time you exchange the authorization code, the auth page will be bypassed automatically.
Server side samples to do this is available in our documentation."
Having read the documentation I am still pretty confused about how to process the authorization code and ultimately pass the access and refresh tokens to my Chrome extension so that it can proceed without the server for future requests. Can someone provide an example of the server-side code to do this?
As background I have a Chrome Extension with several thousand users that is built on the Google DocList API but I am trying to transition to the Drive API since the other one is being deprecated. Ideally my code would be entirely stand alone as an extension but I'm willing to accept the single authorization request through my server that Nivco's answer requires.
Thanks!
We've just ported our JavaScript application from using server to client flow. We've removed the server part entirely, it's not needed any longer.
You can see the source code that we used online, it's available uncompressed.