I spent a lot of time looking for any clarifications about using oAuth with FB and Twitter.
I have to do application which will be using access_token. This token will be used also on diffrent devices to access user account via API.
When I'm looking for "how to use access_token" I only finding "how to get token".
If I something miss reading documentation please let me know, especially where is example - how to use this token on other devices to access API to send eg. post.
I have found Twiiter4j and Facebook4j these libs helped me... I've got this access_token and now what next, how connect to API... I know that it's no possible to get access to Twiiter API - ok, but what about FB and "client side"
please help.
Oauth can be complicated so let me try to explain it simply.
User visits your website
Your website checks if it has seen this visitor before (usually with a cookie)
If not, send them to FB/Twitter/Whatever's oauth url. In that redirect, we tell FB/Twitter/Whatever that we're going to need x,y,z permissions (access a users timeline, see a users friends, etc). We also tell FB/Twitter/Whatever that when the user says ok, send them back to www.myurl... Finally, we take everything in this request and "encrypt" it, to prove it's really our site asking. The key to this is only saved on our backend, so the frontend (javascript/html) never sees it.
FB/Twitter/Whatever sees the request. They also see the "encryped" form of the requests. Fb/Twitter/Whatever knows this key too (they gave it to us, it's usually called the "secret" when you're configuring your oauth) They can verify it's really your backend asking for permission.
If the user agrees, we get a token. We store that token (on our backend, php, java, ruby, etc) and remember it belongs to that user.
The main thing to stress here is that in order to do the oauth handshake, you need a secret key that you never output to the browser. That means you'll need to implement part of this on your backend. You've tagged this with java so maybe that means you're using java as your backend, maybe with Google app engine or something. You'll need to find the oauth library for that, and work it out from there.
You can't create the oauth handshake only with frontend code.
Related
I am making a desktop application for Reddit in Java. I want to let users log in to their Reddit account via my application so that they can do things on Reddit. I know that I need to get access tokens and whatnot but I don't know how to go through the process of doing that. Whenever I have accessed the API previously, it has been in Python using PRAW, so I would manually enter in the client id and client secret - obviously I can't be doing this for a professional application. I'd appreciate it if anyone would guide me through the process of authenticating the user and how to receive and use the access token.
You have to use oauth apis. There is a sample integration for reddit. https://www.e4developer.com/2018/11/04/reddit-api-authentication-with-java-spring/
also there are developer guide for oauth in reddit page
https://reddit.com/dev/api/oauth
Reddit github page have good documentation
https://github.com/reddit-archive/reddit/wiki/OAuth2
There are a lot of forums and samples out there, but all of them either outdated or just not understandable.
I understand that to authenticate requests to AppEngine I need to log in to a google account using AccountManager, get a token using GoogleAuthUtil.getToken, get an AuthCookie, and than do whatever I want on the AppEngine using my token.
Now, the last 2 parts are the ones I don't understand:
what is the AuthCookie? I need to get a new one every launch? is it a temporary "permission" to request authenticated requests from AppEngine? is the first token I received is a permanent one or I should get a new one every launch too?
My current request is "endpoint.list().execute()". Where is the authentication comes in here? I've seen a lot of weird HTTP request samples but none of them used the AppEngine endpoints.
I'm sorry if it's too basic stuff but I really just started using the AppEngine and I couldn't find any clear explanation on how it works from beginning to end.
Thank you.
Since you are using Endpoints, have you read this?
https://developers.google.com/appengine/docs/java/endpoints/consume_android#making-authenticated-calls
It is up-to-date and I think it is reasonably clear (and it includes a sample).
I believe it is the nature of OATH that you need to get a new token for every session.
I have taken up an assignment for a website and I am creating an android app for them. I am new to android programming and also new to web programming (using xml, http post and get, etc.).
My doubt is a basic one. I am trying to create the login page for this website and I don't know if the url of the website is sufficient or I need some other data such as the website's server address. And if I do need the web server address, is there a way to obtain this from my browser? Or do I ask the people who made the website itself for this?
P.S. I apologize if this is a very basic doubt. Bear with me. I am a beginner.
I am not an android application expert but I think you would need to get details about the following :
How to pass authentication details to server, for example if you need to get a SAML token from any of the ID servers? Or is it just sending out the plain username and password.
Just the website url may not be enough.
Please have a look at the weblink for authenticating against openID or SAML technologies
https://developers.google.com/accounts/docs/MobileApps
It depends on how the website is structured. Is there some kind of API for the website? If so use that. Otherwise you'll have to post the data to the same page the data gets POSTed to through a browser and find some way to catch an error or success. This method is not preferred. Also there may be some kind of central authentication server (Such as LDAP or AD) If so you would have to interface directly with that.
I am trying to login my Android users with their Google accounts. I managed to get auth token from AccountManager. I also found some info that I need to use Google App Engine (so I did). I wrote some code (it is not the issue) and I have two questions. Maybe someone can help me.
I was following this tutorial. I understand most of it. But should I write any server-side scripts? This tutorial doesn't mention any. Also according to this tutorial I should get code 302 response, which I get. Does it mean that authentication was positive? Or maybe now I have to do something?
I am getting auth cookie (I think it is auth cookie) which contains very long value (I think over 500 symbols), expiration date and name. How should I use this cookie? Or maybe I don't have to use it? How can I use it to get user google account username? (I think there is that kind of value, different from email address)
Anyone can help?
Thanks in advance.
You don't need to write any server side scripts, all the server side stuff is already on every Google App Engine App.
You need to pass the cookie when doing a request into App Engine.
I'm building an app to let users export data from a university system. Currently, they can log in and see the data in HTML, but I would like to let people download it as CSV.
I have an app where users supply their username and password. I would like to log in to the university system and HTML scrape the resulting page. How can I do this?
I'm building a GWT app. I could either do this in Java-transliterated-JS on the client, or Java on the server.
Update: Selenium might be nice, but it looks like overkill.
You're going to have to do this from the server unless the domains are the same. You'd need to determine what the POST transaction used by the other server for the login step looks like - parameter names etc. Then you'd perform that operation and do whatever you want with what comes back. If you need to see multiple pages, you need to maintain the appropriate session cookie too so that the server knows you're still logged in on the subsequent HTTP requests.
If you have to hit another site to validate the credentials, then I'm not so sure that people should feel comfortable providing those credentials to you. That is, if you don't have rights to check the credentials directly, why are you trustworthy to receive them? I know sometimes people need to integrate with a system they don't own, so this is just a question.
First, this has to be done server-side because of the limitations on client scripting due to the same origin policy.
The typical way of handling the "screen scraping" you mention is to treat the web page as if it was an XML service. First, examine the source code of the page, then using an internet/HTTP stack, craft a POST to the correct URL and read the response using a standard XML library. It will take some ingenuity to come up with a good way to dig into the XML to find the piece you need that will be as insulated as possible from changes to the page. Keep in mind that your system can break any time that the owners of the site change their page.
Sometimes, you can't just send the POST but have to request the blank page initially in order to get hidden form values that need to be returned in the POST. You'll have to experiment to find out what it requires.
Additionally, you probably have to handle cookies as well, since they usually are an integral part of the web site's authentication and session management (though you might get lucky that the session doesn't matter between the initial POST and the first response).
Last, you may be unlucky enough that the site uses javascript to do part of the authentication work, which may require additional digging to understand how the credentials are posted to the site.
There are other potential barriers such as the site checking to see that the referrer is their own site, possible use of SSL (HTTPS) and so on.
I'm pretty sure that the protection against cross-site scripting in web browsers will mean that you can't log in to the university's app using javascript running in the web browser. So the part of your program that fetches data from the university will need to run on your server. Once you have the data, you can process it either on your server or in javascript in the browser, but I think it would be easier to do it on the server.
See http://en.wikipedia.org/wiki/Same_origin_policy
I'm not too sure about GWT, but in general, you would take the form data submitted by the user, check it against a database of username and hashed passwords. If the database checks out, set a session cookie that says the user is logged in.
In your pages, check if the session cookie say the user is logged in. If not, redirect to login page, otherwise allow them to view the pagfe.