I'm trying to make a Twitter client with Adobe AIR, how can I successfully use OAuth with Javascript? I mean, I've used jsOauth but it seems to lack the oauth_signature somewhere...
One thing you can try is you can use the approach that is described in the Facebook developers section dedicated to authentication. You want the section that is called "Client-side flow".
In a nutshell they propose that you make an application that will redirect the page it is loaded in to a special URI with its app_id and backurl in the query parameters. Once Facebook manages your app's permissions, it will redirect the user back to your page with a special access token in a URI fragment, e.g. http://example.com/my_app_page/#token=foobar. This way only your script on the client side can access this token and use it to make requests to the Facebook API.
Go have a look at streamie, a Twitter client based on node.js. In the source, you can find an extremely good implementation. It's done by cramforce. You can find it on GitHub:
https://github.com/cramforce/streamie
jsOAuth uses the Authorization header to pass the OAuth relevant data to the API service.
If you are having issues, by all means email me; I'll be happy to look at your code. jsOAuth isn't flawless, I'm fixing bugs as they come up.
There's a boilerplate for PIN-based client auth here: https://gist.github.com/1071227
I'm currently working on an application for myself in which I need access to my own photos/albums on Google Photos. I have gotten by using the oauth 2.0 token generated in the playground, but I'd like to get a more permanent solution that does not require me manually regenerating the token. Is this possible with Google Cloud? The app is meant to run in daemon, so this makes any option with consent pages unusable. The scopes I'm using are:
https://www.googleapis.com/auth/photoslibrary.sharing
https://www.googleapis.com/auth/photoslibrary.readonly.appcreateddata
https://www.googleapis.com/auth/photoslibrary.readonly
I have tried using the https://accounts.google.com/o/oauth2/token and https://accounts.google.com/o/oauth2/auth endpoints to generate one programmatically, but the only minor success I had was /auth sending me to a consent screen. I've also looked at using the refresh token given by Google OAuth playground with no luck there either.
Just looking to see if there is anything that I am missing.. This is my first post on stackoverflow, so please let me know if you need any more information.
I was unable to make it an internal app as it was for personal use and not for an organization.
Solved this by first using the google api package to create my own access/refresh token for my oauth client, then calling the https://oauth2.googleapis.com/token endpoint each time to generate a valid access token. I hope this can be helpful to someone else!
According to the setup documentation, as long as your app is marked as internal, you should not need to verify the app and can use it without the consent screen.
I am trying to do a login like Google does, which includes cross-domain authentication. When logging into google.com you are automatically logged in for different domains like youtube.com. For me it looks like:
you enter credentials at accounts.google.com
Google sends a request via AJAX to check them
if they are correct, it 1. sets a cookie and 2. does requests to the other domains like youtube and sends some identifiers (SID or token?) and sets the cookies for those domains as well
after all other domains also have the cookie in place Google redirects you back where you came from
I was researching a lot and it seems like easyXDM (http://easyxdm.net/wp/) is a good solution for this (do you think it is?). But I am not sure how to do the cross-domain authentication. When the user logs in correctly, should I just do requests to the other domains and pass the SID and create a cookie on the domains? Or is it not secure? Or should I create a token for the user after logging in and store it in my DB, then send the token to all the domains to authenticate him and then delete the token?
Some other stuff I found was a solution via iframes in iframes. Also Google's analytics.js (https://developers.google.com/analytics/devguides/collection/analyticsjs/cross-domain) looked exciting, but I saw it's even integrated in easyXDM.
I hope some of you guys have experience with that stuff. I am curious to read what you think :) gerti
What you want is OAuth2 (this is the protocol you're referring to -- what Google login does).
If you're looking for a simple solution, you might want to try using something like Stormpath + IDsite. It's a free API service you can sign up for / use.
Basically, they'll host a domain for you where you redirect your users when you want them to create an account or log in. They'll then handle all the authentication / authorization (across domains), and send you back an authenticated user with a JSON web token (JWT).
Stormpath has a bunch of libraries for a variety of programming languages, you can get started here: https://docs.stormpath.com/home/
The other solutions people typically go with require quite a bit of time / effort to get running. I've actually helped build quite a few of the Stormpath libraries (in Node / Python), so I'm pretty familiar with it -- you really can't beat it in terms of simplicity.
I need to automatically perform the login at: http://gsc.klub-modul.dk/. After I am logged in, I need to be able to fetch pages from this domain, which requires me to be logged in. As far as I have gathered, the site is using ASP.NET to interact with the server. I am open to all suggestions. I'm looking for a script to do this, as I am still new to this.
What you are trying to do is botting (automated access of a site or online game), so follow these steps:
Generic steps
Monitor the HTTP requests being made by the browser (I use Fiddler; you might also find the browser's built-in network tool (press F12) handy).
You need to look for cookies especially.
In short, you should be able to make the same HTTP request on each event (by event I mean first-time page request, page submit for login, etc.).
Use Python for botting
Use these libraries: Mechanize / twill / Scrapy / Beautiful Soup
Tutorials to get started
http://docs.python-guide.org/en/latest/scenarios/scrape/
http://www.pythonforbeginners.com/python-on-the-web/web-scraping-with-beautifulsoup/
http://arunrocks.com/easy-practical-web-scraping-in-python/
https://classic.scraperwiki.com/docs/python/python_intro_tutorial/
Stackoverflow links
Scraping sites that require login with Python
Scrape a web page that requires they give you a session cookie first
Fake a cookie to scrape a site in python
Python Scraping Web with Session Cookie
My Advice
I think if you haven't made a web scraper (web-bot or bot-tool) before, then you should start with small things like fetching specific information from a page which doesn't require login, then move on to more complex scenarios.
As usual, ASP.NET uses cookies for session and authorization needs. So basically you just need to make a POST request to the login page with Login and Password parameters, then you need to obtain cookies from the response, and then make new requests for the needed pages with these cookies.
By default these cookies are named ASP.NET_SessionId and ASPXAUTH
I have worked on a similar problem but used a generic approach. I used the Greasemonkey addon in Firefox to log in on a game and save data on a different DB. Later I found out that I could've written an addon myself (Mozilla ref).
Both of these techniques will rely on JavaScript only (example of a login script of FB in Greasemonkey).
The website was on ASP.NET too! You just need to receive the cookies and log in from JavaScript code. Jsoup is another approach to parse data and log in.
I want to create a web widget that will display information from my site.
The widget will be included in the client's website HTML using JavaScript, and should only be usable for my clients -- web sites that were registered at my site.
The information in the widget should be specific to the user who is currently visiting the client's site.
So, I need to authenticate both the client (website owner) and the resource owner (website visitor). This seems to map nicely to OAuth 2.0, but I couldn't find a complete example or explanation for such an implementation.
Any resources or pointers to such information will be appreciated.
Update: I've stumbled upon this article, which provides an outline for an approach that uses OAuth. However, it is not detailed enough for me to really understand how to use this with OAuth 2.
There are many large organizations that have done this, and I'm sad to see no other answers for this question since it's such an important web pattern.
I'm going to presume that you are not rolling your own OAuth 2.0 provider from scratch. If you are, well done; otherwise you should be using something kickass like Doorkeeper to do this for you.
Now, in OAuth 2.0 you have the following entities:
Users registered on your website
Applications registered on your website (who subscribe to your oauth2)
User Permissions which is a list of Applications that a user has 'allowed'
Developer (who is consuming your auth API / widgets and building an Application)
The first thing to note is you must have a domain name associated with each Application. So if a developer registers for an API token / secret on your website, the Application he creates is mapped to a unique domain.
Now, I presume that the flow for an application to authenticate users via your website is already clear. That being said, you don't need to do much for this to work.
When an Application sends the user to your website (in order to sign in) you place a session cookie on the user's computer. Let's call this "Cookie-X".
Now the user is authenticated by your website and goes back to the Application. There we want to show a custom widget with information pertaining to that user.
The developer will need to copy and paste some code into this app.
The flow is like this:
The code will contain a url to your website with his Application ID (not secret) which he got when registering his application on your website.
When that code runs, it will ping your website with his appId. You need to check that AppID with your database, and additionally check that the referrer url is from the same domain as that which is registered in your website for that AppID. Edit: Alternatively or additionally, the code can check for document.domain and include it in the ping to your website, allowing you to verify that the request has come from the domain that has registered with the given AppID.
If that is correct, you reply back with some JS code.
Your JS code looks for the session cookie your website had set when the user had signed in. If that cookie is found, it pings back to your website with the session and your website responds with the custom view content.
Edit: as rightfully mentioned in a comment, the cookie should be HttpOnly to safeguard against common XSS attacks.
Additional Notes
The reasons this is a secure approach:
The AppId and domain name are a good enough combination to verify that other people are not fetching this information. Even though the appId is visible in the application's HTML source, the domain name would have to be spoofed by anyone attempting to use someone else's AppID.
Presuming someone takes an AppID which is not his, and writes code to spoof the domain name of the referrer when requesting your widget, he still won't be able to see any information. Since you are showing user-specific information, the widget will only render if your website can find the session cookie it placed on the user's browser, which can't really be spoofed. There are ways around it like session hijacking, etc. But I think that's beyond the scope of this question.
Other Methods
Just by looking at Facebook's Social Plugins, you can tell that there are other options.
For example, one might be to use an iframe. If you ask the developer to add an iframe to his application, you can even reduce a few of the steps mentioned above. But you will have to add JS along with it (outside the iframe) to grab the correct domain, etc. And of course from an accessibility and interface standpoint I'm not very fond of iframes.
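The AppID and registered-domain check described in the answer above, as an added example that is not part of the original answer. The registry contents, the function names and the exact-match policy are assumptions; the answer only says to compare the referrer's domain with the one registered for the AppID.

```javascript
// Added example: server-side check for a widget "ping" (appId + embedding page).
// Constructed registry: appId -> domain the developer registered.
const REGISTERED_APPS = new Map([
  ['app-123', 'shop.example.com'],
  ['app-456', 'blog.example.org'],
]);

// Host of the embedding page, taken from Origin (preferred) or Referer.
// The header is parsed as a URL so that userinfo tricks such as
// "https://shop.example.com@other.test/" resolve to the real host.
function callerHost(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw) return null;
  try {
    return new URL(raw).hostname.toLowerCase();
  } catch {
    return null; // "null" origins and malformed values are rejected
  }
}

// Decide whether to serve the widget bootstrap script for this request.
function authorizeWidgetRequest(appId, headers) {
  const registered = REGISTERED_APPS.get(appId);
  if (!registered) return { ok: false, reason: 'unknown appId' };
  const host = callerHost(headers);
  if (!host) return { ok: false, reason: 'missing origin' };
  // Exact match only: a suffix or substring test would also accept
  // look-alike hosts such as "shop.example.com.attacker.test".
  if (host !== registered) return { ok: false, reason: 'domain mismatch' };
  return { ok: true, reason: 'ok' };
}
```

This check only gates the bootstrap script; as the answer notes, the user-specific content still depends on the session cookie your site set at sign-in.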
I'm developing a new web site that will be a single paged app with some dialog/modal windows. I want to use backbone for frontend. This will call backend using ajax/websockets and render the resulting json using templates.
As a backend I'll use nodejs express app, that will return the json needed for client, it'll be some kind of api. This will not use server side views.
Client will use facebook, twitter, etc. for authentication and maybe custom registration form.
Client static resources, such as css, js, and html files will be handled by nginx (CDN later).
Questions that I have now:
How can I determine that a given user has the right to do some action in api(i.e. delete a building, create new building)? This is authorization question, I thought of giving user a role when they login and based on it determine their rights. Will this work?
Similar to the above question, will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
Is this architecture acceptable or I'm over engineering and complicating it?
Passport is an option for the authentication piece of the puzzle. I'm the developer, so feel free to ask me any questions if you use it.
I thought of giving user a role when they login and based on it determine their rights. Will this work?
Yes this will work. You can check for a certain role on the user after it's been fetched from the server. You can then display different UI elements depending on this role.
Will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
It won't be enough. Anyone could hop into the console and set something like user.admin = true. In your API you'll need to validate a user token from the request, making sure that the related user has the appropriate permissions.
Is this architecture acceptable or I'm over engineering and complicating it?
At the least you should have an API validation layer. That would make a decent enough start, and wouldn't be over-engineering.
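A sketch of the API validation layer this answer calls for, as an added example that is not code from the original answer. The session store, token values, role names and action names are constructed for illustration; the point is that the role is read from the server's own record for the token, never from anything the client sends.

```javascript
// Added example: server-side authorization for an API action.
// Constructed data: opaque session tokens issued at login, kept server-side.
const SESSIONS = new Map([
  ['tok-alice', { userId: 1, role: 'admin' }],
  ['tok-bob', { userId: 2, role: 'viewer' }],
]);

// Constructed role -> permitted actions table.
const PERMISSIONS = new Map([
  ['admin', new Set(['building:create', 'building:delete', 'building:read'])],
  ['viewer', new Set(['building:read'])],
]);

// Pull the token out of "Authorization: Bearer <token>".
function bearerToken(headers) {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+)$/.exec(headers.authorization || '');
  return m ? m[1] : null;
}

// Returns an HTTP-style status. req.body is deliberately never consulted
// for identity or role, so a client-side "user.admin = true" has no effect.
function authorize(req, action) {
  const token = bearerToken(req.headers || {});
  const session = token ? SESSIONS.get(token) : undefined;
  if (!session) return { status: 401 };           // no or unknown token
  const allowed = PERMISSIONS.get(session.role);
  if (!allowed || !allowed.has(action)) return { status: 403 }; // known user, not permitted
  return { status: 200, userId: session.userId };
}
```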
For the authentication part of your question I would use everyauth, which is an authentication middleware for connect/express. It supports almost every oauth-social-network-thingie.
For role management you could give node-roles a try. I didn't use it myself but it should help you out, because it checks the role on the server side. Of course that is only useful if your API is implemented in node.js. If that's not the case, you have to "proxy" the API calls over your node.js app.
I hope I could help you! :)