I'm wondering which authentication method to use if i need extended permissions (e.g. if i want to use the users photos in my application). The methods are either the single-sign on using JavaScript SDK or by using the OAuth 2.0 protocol. Both methods are explained here: Authentication - Facebook developers. The JS SDK would be easiest but haven't found a solution yet.
The application will utilize the Google Appengine with Django environment.
At the moment the entire Facebook API is undergoing changes.
I would suggest you use the OAuth API - it appears as this is the direction they will adopt.
A word of caution - the "official" documentation in the page you mentioned are not complete at best and some of the options are still buggy (try setting display=wap with scope=... you will get an error).
Check out the Facebook developer forum on the issue I stated above.
I believe you can find answers to other Facebook related issues there.
Related
I've currently got a REST API (written in Java using Spring) and a frontend for that API (written in Javascript using Express) which will query that API for the data to display. I've not gotten too far along in the frontend, and wanted to add in my Authorization/Authentication. I would like to use Azure Active Directory (AAD) for this - we have users in AAD, so this is what we're pursuing. I understand that I can use the MSAL.js library to get an access_token that I can then send to my Java REST API for validation. However, I'm not able to find any decent documentation or examples for this specific case, though. I see a some Javascript Single Page Application (SPA) documentation and examples, but seeing as this is AuthN/AuthZ, I don't want to have a kinda correct solution, because this is important stuff. I also want to make sure I'm handling caching, sign outs, etc, in the right manner.
If anyone could point me in the direction of some documentation, examples, readings, etc, I'd be very appreciative!
Thanks!
You can use MSAL.js to easily integrate with the front end of your API for authentication/authorization of your users.
For java web apps, you can use the MSAL4J authentication library, so that the application can be integrated with the Microsoft identity platform. It allows you to log in to a user or application using a Microsoft identity (Azure AD, Microsoft account, and Azure AD B2C account) and obtain a token to call the Microsoft API.
For more details, please check:here.
I'd like to make a small web app using only client side javascript, that is publicly available on GitHub and hosted via GitHub Pages, that renders information about the different repositories of an organization on GitHub.
Is this possible to do in such a way that:
allows me to authenticate with GitHub without compromising a secret key,
allows me to query GitHub's new graphql api?
In both cases, the docs seem to suggest that the answer to my questions are "no" and "no":
for example, the authentication docs emphasize how to authenticate on the CLI, but I don't find anything on authenticating from a web page via javascript -- is there really no way to do this securely from only the client? Is a server required for this?
for example, the api v4 docs seem to only mention how to call the graphql endpoint via cURL or by using their GraphQL Explorer
I'm seeking guidance here in the hopes that I'm misreading the docs, and that there really is a way to:
build a static-site that authenticates with GitHub for the increased query rate limit size,
and that, when a user visits the page, queries the v4 api and displays the appropriate information about the current status of the various repos of an organization.
I ignored the documentation and just submitted a POST with a Basic Authorization header. It seemed to work. I found the other issue. Github wants a User-Agent header. If you are running in a browser that happens automatically, but if you are not you need to add it yourself. Github documents what should be in it, but apparently does not validate it.
I have seen google apps script's tutorial to migrate from oAuthConfig to oauth1 here
But what if I have the access tokens with me already?
I checked the oauth1 library code here and could not find a way to include access token here.
Is there any alternative way?
Also note that I have 4 things with me: Consumer Key, Consumer Secret, Token and Token secret.(Note: I have 2 things in access token, not only a single token).
As mentioned here(read the Warning on that link), OAuth1 was shut down on April 20 this year. So I am assuming/hoping that you're using OAuth2 instead. If not, I would suggest you to migrate soon as possible.
When working with access tokens, it is important to remember that they have limited lifetimes. Hence, always remember to add them "programmatically". Depending on the API you're trying to access, access tokens are appended to the request as the value of the access_token query parameter of your request. Here are a couple of examples:
Plus API:
GET https://www.googleapis.com/plus/v1/people/userId?access_token=1/fFBGRNJru1FQd44AzqT3Zg
Youtube API:
https://www.googleapis.com/youtube/v3/channels?part=id&mine=true&access_token=ACCESS_TOKEN
So look up the Google Developers documentation for the particular API you're using for help on what the exact request will be like. Here are a few samples for using OAuth2 with Google App Script. Hope this helps.
EDIT:
A little correction. For OAuth1, the access token is passed using oauth_token. For clarity of how the process flows, refer to the subheadings 6.1 to 6.3.2 in this link and the former one for how it is done on Google's end.
Also, quoting this link:
"April 20, 2015: OAuth 1.0 is shut down. A static error page will be displayed on all requests. Make sure you have migrated well before this date."
If that hasn't already happened, it might happen anytime as currently OAuth1 is "officially" shut down.
As of now I am building out a custom Tumblr page which is basically aggregating post content into 1 page.
Problem is, we can't use the Tumblr tags for the Like, we have successfully gotten the Reblog to work, but when ever I try and use an hrefed to this pattern,
'http://www.tumblr.com/like/'+oath+'?id='+id'
and /unlike/ for unliking the post.
I can't get anything but an access denied page to come up.. Shouldn't I at least be seeing an authentication pop-up of some kind? Not sure what else to do here. Need to get this LIKE functionality working, and using the Tumblr {like button} is not an option since we aren't using a {posts block} rather pulling all our content in via JSON API.
Found an answer!
So let me break it down for you all.. I am just going to run down all the issues and caveats that were discovered while I was hacking away at the Tumblr API. In most cases you will not find any of these answers on the inter webs. If you do, they most likely will just be my answers to my own questions that I posted to the Forums.
A Tumblr Application is defined by any page template either hosted
by Tumblr or not that will be using the Tumblr API. Applications
must be registered with Tumblr at:
https://www.tumblr.com/oauth/apps
All Tumblr Applications upon creation are given a set of keys for
accessing the Tumblr API. OAuth Consumer Key aka API Key Secret Key
The Tumblr API is divided mainly into two different types of
methods. The third being “Tagged” which is for pulling tagged posts
from the Blog or the User.
“Blog Methods” which only require the submission of the Consumer
Key. “User Methods” which require a full OAuth signed request which
meets the OAuth 1.0a Protocol. The “User Likes” returns a maximum of
50 records at a time. This is not documented in the Tumblr API
docs.
Currently the Tumblr API documentation directs developers to use one of the many open source API clients. However, all these clients seem to be Server Side applications. For providers, such as Tumblr, which support only OAuth1 or OAuth2 with Explicit Grant, the authentication flow needs to be signed with a secret key that may not be exposed in the browser.
HelloJS gets round this problem by the use of an intermediary webservice defined by oauth_proxy. This service looks up the secret from a database and performs the handshake required to provision an access_token. In the case of OAuth1, the webservice also signs subsequent API requests.
HelloJS - http://adodson.com/hello.js/ is the only client-side Oauth library that was available and free. There are many services out there that charge on a per-api hit basis to serve as a proxy.
The HelloJS OAuth Proxy is available at: https://auth-server.herokuapp.com/
Login to the OAuth Proxy is done using one of the following social account credentials: Google, Windows Live, Facebook, or Yahoo.
OAuth Proxy serves as a secure “man in the middle” allowing for the “Secret Key” to be securely stored while still allowing for Client-Side OAuth authentication.
HelloJS features a special Tumblr Module - http://adodson.com/hello.js/demos/tumblr.html
HelloJS utilizes the new Javascript Promises asynchronous functions specification - https://www.promisejs.org/
Javascript Promises have some unique rules when it comes to passing objects received from an asynchronous AJAX call.
With everything is done in the callback.
What jQuery calls a promise is in fact totally different to what everyone else calls a promise.
Hope this helps for future Tumblr integrations.
John
I am developing a PhoneGap application and require my users to sign in through Google with OAuth2. Is this possible directly through JavaScript? I have almost no experience with JavaScript (and jQuery).
What are the options? I have thought of a cumbersome alternative which involves posting the username/password to an application I have hosted on a server which then takes care of logging in. Then the PhoneGap app will have to ask the server if the authentication was successful. However, I was hoping there would be a simpler way.
What is the best way signing in through Google on a PhoneGap app?
I have managed to get it working! I'm posting my thoughts here because I had a hard time finding the answer after hours of searching the web.
The important steps are:
Make sure ChildBrowser works properly
Setup a function that will listen to page changes
window.plugins.childBrowser.onLocationChange = function(fooUrl) { console.log(fooUrl); }
Build the URL with the query string as described in this tutorial
Point ChildBrowser to the URL
When the user logs in, you will be able to extract the session token from fooUrl
If you still don't know how to do this, have a look at this Android app.
(There is a lot of code, and it might seem overwhelming, so I suggest only going for this as a last resort)
Google will not allow you to perform direct authentication by handling the user credentials directly. Instead Google wants you to perform an authentication protocol, typically OAuth 2.0. Other popular authentication protocols you may hear about is OpenID 1.0, 2.0, OpenID Connect, SAML 2.0, ID-FF, etc. These protocols will redirect the user to the Identity Provider (Google, in this case), and send you back with an assertion that you may use to trust the user. With APIs, like Google, you would make use of the authorization functionality of OAuth, which provides you with a token that you may use with all Google APIs after authentication.
A good introduction to how OAuth 2.0 works
With PhoneGap and mobile apps, things are a bit different than the typical OAuth setup.
In your case, the browser is in a controlled environment, your app, and you may
select to redirect the user to Google Authorization endpoint using the main view,
select to open a ChildBrowser with the Google Authorization endpoint, to not lose any state on your app.
to somehow open Safari or another browser with the authorization endpoint, and register a custom schema handler, to redirect the user back to your app after authentication.
These examples are vaguely mentioned in the OAuth 2.0 specifications, but there are no aid in what is the best or optimal in a specific use case. Often the best possible option is not perfect (from a user perspective).
I recently wrote a tutorial on how to make this work with Phonegap and ChildBrowser for iOS.
OAuth 2.0 Guide for Phonegap using ChildBrowser and JSO