I'm developing an app that uses OAuth to authenticate.
The problem is that when I try to get the access_token from facebook with passport.js (node.js) I get something different that when I try to get it with Scribe on Android. Is there any reason?
When I try with twitter the access token are the same and I can match users....
Thanks!
Unless I misinterpreted the question, you can use the "id" field in the response from FB to detect whether its the same user or not (regardless of which API/language you end up using). These IDs are unique per user and should allow you to detect whether the same user logged on via Android (Scribe) or passport.js (node). Hope it helps
Related
I'm sure this is basic and I'm missing something. I've read through other answers on SO, I've googled, I've read resources and I just can't wrap my head around what I need to do.
I'm trying to figure out how to write an app that connects to Twitch's API, specifically how to authenticate with Twitch's api. Their documentation is here: https://github.com/justintv/Twitch-API/blob/master/authentication.md
I've created an app and stored my keys.
Now comes the part where I want my user to click a button which launches the authentication on their website. From what I can tell I do this by using an AccountManager. Except... I can't figure out what I'm supposed to do.
Here's the excerpt I've found online:
AccountManager am = AccountManager.get(this);
Bundle options = new Bundle();
am.getAuthToken(
myAccount_, // Account retrieved using getAccountsByType()
"Manage your tasks", // Auth scope
options, // Authenticator-specific options
this, // Your activity
new OnTokenAcquired(), // Callback called when a token is successfully acquired
new Handler(new OnError())); // Callback called if an error occurs
According to twitch's documentation I want to send the user to:
https://api.twitch.tv/kraken/oauth2/authorize
?response_type=code
&client_id=[your client ID]
&redirect_uri=[your registered redirect URI]
&scope=[space separated list of scopes]
&state=[your provided unique token]
And I simply have no idea how these two things need to be combined.
Firstly, I recommend to read the OAuth2 RFC. This should cover everything you need to know.
The AccountManager code snippet won't help you much unless there already is an app that provides authentication for Twitch. If that's not the case you either need to use an existing OAuth2 library or implement your own.
You could write your own AccountAuthenticator but that's a different challenge (and you still need some kind of OAuth2 client).
Doing it yourself is not that hard, see below.
Steps to implement it yourself
Twitch recommends to use the "Implicit Grant Flow" for mobile apps. That's what I'm going to describe below.
1. Get a client ID
Register your app as outlined in Developer Setup to get a client ID
As redirect URI you can use something like https://localhost:12398/, the actual port doesn't really matter.
2. Build the authentication URL
In your client app you need to construct the authentication URL like so:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=[your client ID]&
redirect_uri=[your registered redirect URI]&
scope=[space separated list of scopes]
Apparently [your client ID] should be replaced by the client ID you've received from Twitch, same goes for [your registered redirect URI] (that's the URL above, i.e. https://localhost:12398/). [space separated list of scopes] is the list of scopes (i.e. features your want to access), see Scopes. Make sure you URL-encode the parameter values properly.
Assuming your client ID is 123456 and the scopes you need are user_read and channel_read your URL would look like this:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=123456&
redirect_uri=https%3A%2F%2Flocalhost%3A12398%2F&
scope=user_read%20channel_read
Note that you should also pass a state parameter, just use a randomly generated value. You can also append the (non-standard) force_verify parameter to make sure the user actually needs to log in each time (instead of continuing a previous session), but I think you can achieve the same by clearing the cookie store (given that you open the URL in a webview in the context of your app) before you open the login page.
With a random state the URL would look like this:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=123456&
redirect_uri=https%3A%2F%2Flocalhost%3A12398%2F&
scope=user_read%20channel_read&
state=82hdknaizuVBfd9847guHUIhndzhuehnb
Again, make sure the state value is properly URL encoded.
3. Open the authentication URL
Ideally you just open the URL in a WebView inside of your app. In that case you need to intercept all request to load a new URL using WebViewClient.shouldOverrideUrlLoading
Once the client is redirected to your redirect URL you can close the webview and continue with step 4.
Theoretically it's possible to utilize the default browser to do the authentication, but I would have security concerns since an external app could learn about your client ID and the access token.
4. Extract the access token
The actual URL you get redirected to in step #3 will have the form:
https://[your registered redirect URI]/#access_token=[an access token]&scope=[authorized scopes]
or to pick up the example
https://localhost:12398/#access_token=xxx&scope=user_read%20channel_read
Where xxx is the actual access token.
If you passed a state it will be present like so:
https://localhost:12398/#access_token=xxx&scope=user_read%20channel_read&state=82hdknaizuVBfd9847guHUIhndzhuehnb
All you have to do now is to parse the (URL encoded) access token, scope and state. Compare the scopes and state to the ones that you actually sent. If they match you can start using the access_token to authenticate.
Note According to the OAuth2 RFC, the response URL MUST also contain a token_type and it SHOULD contain an expires_in duration in seconds.
Once you received the access token you can use it to authenticate as described here.
Access tokens issued by the Implicit Grant Flow usually expire after a certain time and the user needs to authenticate again. The Twitch documentation doesn't mention any expiration time, so it's possible that the token is valid forever. So make sure your app doesn't store it or store it in a secure way (like using Android's key store provider to generate and store a key to encrypt the access token).
If the implicitly issued access token expires you could consider using the "Authorization Code Flow". That's quite similar but it contains an additional step to receive the access token and a "refresh token" that can be used to renew the access token. I leave it up to you to figure out how that works.
I want to create a tool wich allow a user to post his planning on several media at once : he has to fill a form with his establishment week planning, then I post it via newsletter, on his facebook and on his website.
I am struggling with the facebook part. I created an app and made the page subscribe to this app then I tried to use Facebook4j to post something on the page but I am not even able to get the page.
Here is my code :
Facebook facebook = new FacebookFactory().getInstance();
facebook.setOAuthAppId("{app_id}", "{app_secret}");
facebook.setOAuthPermissions("public_profile, manage_pages, publish_pages, publish_actions");
facebook.setOAuthAccessToken(new AccessToken("app_id|app_secret", null));
try {
ResponseList<Account> accounts = facebook.getAccounts();
} catch (FacebookException e) {
e.printStackTrace();
}
which always return me the error :
An active access token must be used to query information about the current user.
How can I have an active access token in order to post on pages which suscribed to my app?
NB : I am not sure I actually need an app. If there is an other way to post on multiple pages without asking for logging each time, I am ok with that too. (some kind of permanent page token maybe?)
Thanks!
Okay first, yes you need an app to perform these requests.
To get what you describe you are requesting the permissions needed correctly, you still miss one - namely pages_show_list.
In addition you have to set the OAuthAccessToken to the users token not to the app token.
I've been playing with the [scribe API][1] and a basic example e.g:
https://github.com/fernandezpablo85/scribe-java/blob/master/src/test/java/org/scribe/examples/TwitterExample.java
In a command line oriented interface, the user is asked to open a web-browser and to copy'n paste the "accessToken".
Once the user has copied the "accessToken", I want to avoid this "browser step" in the later invocations of the tool: can I store the "accessToken" somewhere to re-use it later ? would it work for any server (Twitter ? Flickr... ) ? How should I change the code to reuse the previously saved "accessToken" ?
Thanks,
In the case of the Twitter API you should store the access token as it represents the user's permission for your application to access their account.
However, bear in mind that the token may be revoked by the user, so ensure your application is able to obtain it again.
To change the code to use a previously saved accessToken all you would have to do is look up the token for the current user - perhaps it's retrieved from a database, and then start making requests. Essentially you would just skip the whole "obtaining request token" block of code.
Hi am regarding facebook php server side login..
http://developers.facebook.com/docs/authentication/server-side/
in that
$code = $_REQUEST["code"];
what is the meaning of this..., what is this code ?
Once the user has authorized your app, you should make a server side
request to exchange the code returned above for a user access token.
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URI
&client_secret=YOUR_APP_SECRET
&code=CODE_GENERATED_BY_FACEBOOK
Note the "CODE_GENERATED_BY_FACEBOOK" comment.
$_REQUEST['code'] is most likely a token that guards against CSRF. Facebook will create this and give it to your application via $_REQUEST['code'] (could be a POST, GET or whatever).
If you're not sure what $_REQUEST is, you should read the PHP manual entry for it.
$code is like authorization token that you exchange for an access token that you will use later to make calls to facebook api. The part you're looking at handles redirect from facebook after user logged in to facebook and authorized your application to access their information. at this point facebook redirects user back to your site and passes code as a get parameter and that line grabs that code from $_REQUEST, which in this context is the same as $_GET['code']
is it possible to retrieve the username of a google account that i have succesfully authenticated using OAuth?
i have retrieved the users Access tokens but i am wondering if their is a API call i can make such has https://google.api/getUserName and pass the access tokens to that call and succesfully retrieve the users email/username?
In a normal OAuth web service, all you need is the secret and id access tokens to make calls to the web service but in google you also need the username too.
Any ideas?
Take a look at http://sites.google.com/site/oauthgoog/Home/emaildisplayscope . That should work for you.
The only way I figured so far is using the Spreadsheet API.
If you request the feed, that lists all documents
https://spreadsheets.google.com/feeds/spreadsheets/private/full?alt=json
There is a field with the username as well:
response.data.feed.title.$t
Unfortunately, this means prompting the user to grant access to his GDocs account, which may be confusing..
But I don't know of any API by Google to directly get the username.
Best way, the following feed was retrieved from the Contacts Data API:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=0
and get next fields from the feed:
response.data.feed.id
or
response.data.feed.author.name.$t
response.data.feed.author.email.$t
http://code.google.com/intl/ja/apis/accounts/docs/AuthForInstalledApps.html#Errors
This one is PHP, i think a slight modification in JAVA could make this workout
http://www.electrictoolbox.com/google-analytics-login-php-curl-username-password/