So I like to use the vimeo API in a WordPress plugin.
Its seems to me there are actually 3 different ways how to do this.
So my guess is that I could setup my website with video as 'master' application and through their complicated authorization process let users authenticate my app to do things. I am not sure how this exactly works ...
Because I plan to use this commercially I would have to register my plugin as a commercial application with video. Not that I expect to be rejected by them but I like the idea of my users have their own sites be their own application even if this means longer setup for them.
I have seen one plugin (codeflavors vimeo post Lite) offer settings for client id and client secret to the user and then does a request to get a API token specific for the user so basically every user has their own app registered on vimeo.
/**
* Constructor, fires up the parent by providing it with
* client ID, secret and token, if any
*/
public function __construct( $args = array() ){
// set plugin settings
$this->settings = cvm_get_settings();
// set the token
$token = null;
if( !empty( $this->settings['oauth_secret'] ) ){
$token = $this->settings['oauth_secret'];
}else if( !empty( $this->settings['oauth_token'] ) ){
$token = $this->settings['oauth_token'];
}
// set up redirect URL
$redirect_url = admin_url( 'edit.php?post_type=' . cvm_get_post_type() . '&page=cvm_settings' );
// start the parent
parent::__construct( $this->settings['vimeo_consumer_key'], $this->settings['vimeo_secret_key'], $token, $redirect_url );
I do not understand this part of their code, the part where the token is either a oauth_secret or a oauth_token
But I actually already integrated their code ignoring that oauth_secret part so users can generate their token in the WP Admin page if my plugin when they put their vimeo secret and id in.
But now I found 2 other plugins that seem to just use tokens.
define( 'VIMEOGRAPHY_ACCESS_TOKEN', 'eaf47146f04b5550a3e394f3bbf8273f'); they have their token just public-ally in their code. Is this intended to be used this way?
I also found out in the Vimeo app setup that you can generate a token right there. "Generate a token for script or testing". And I seen yet another plugin instructing users to generate their token there and drop that token in the WP Admin page.
So I am a bit confused but my guess is I could just use my own token for public data and when users need private data I could just instruct then to generate their own token and use that and actually skip all this complicated authorization stuff. Even though there is a official api for it to me its seems simpler and easier to maintain to just let them use a token like a api key for other APIs.
So my question is am I right about this. And what are the advantages to going the complicated route. If I can just let my users generate their own tokens?
Authentication tokens with the Vimeo API can be broken down into three types:
Unauthenticated (client credentials)
Authenticated (OAuth2 flow)
Authenticated (Personal access token)
Unauthenticated/client credentials tokens can only be used to get public data from Vimeo, and are generated from the client_id and client_secret values.
Authenticated tokens can be used to get both public and private data from Vimeo, when granted the appropriate scopes. Authenticated tokens are generated in one of two ways:
Send the enduser through the OAuth2 flow, where they authorize your application to perform actions on behalf of their Vimeo account
Generate a "personal access token" on the app management page. This token is authenticated to the app creator's account.
Usecases vary, of course, but here are some general examples of when to use each of these types of tokens:
Unauthenticated - Use if your application will only ever need to retrieve public data from Vimeo.
Authenticated token via OAuth - Use if your application will be used by other users and will need to get data on Vimeo private to those user's accounts.
Authenticated token via personal access token - Use if your application will only ever be used by the your own Vimeo account and will need to get data private on your account.
Each of the services you mention should outline what type of authentication token they require. They may need you, as the enduser of their application, to go through the OAuth2 flow and authorize the application to perform actions on behalf of your Vimeo account. They may also need you to generate an application on the Vimeo Developer site, and either provide the service with your application's client_id/secret, or create a personal access token and provide the service with that token.
I hope this information helps!
Related
I am developing an application from where I would like to create Campaign with list. The application flow is like this, User will click a Button then user will redirected to MailChimp login page, User will come back to my site after Logged in where URL is http://127.0.0.1:8000/home?code=f0f6949c8b5286c38a90aa4820776e14.This code is Authorization Code.
Now I would like to fetch Lists of that specific user who is logged in few moments ago. I can fetch my Lists using API key, but I need users Lists, I don't know users API key.
How can do that ?
I think I need OAuth 2 token of MailChimp API call to fetch User's Lists. How can I get OAuth 2 token of MailChimp API call ?
Thanks
From the MailChimp documentation (source: http://developer.mailchimp.com/documentation/mailchimp/guides/how-to-use-oauth2/)
How to Use OAuth2
For developers integrating platforms that require clients to access MailChimp’s servers, we recommend using OAuth2 for authorization. OAuth2 is a secure option that allows third-party applications to access a server without passing user credentials or API keys.
Before You Start
Here are some things to know before you begin the OAuth2 process.
Our server implements v10 of the OAuth2 specification, and supports Web Server Flow.
On the server side, OAuth2 is pure HTTPS, so we recommend using HTTPS for your redirect_uri.
We don’t expire tokens, so you won’t need to use refresh_token.
Register Your Application
When you’re ready to begin, register your application with MailChimp:
In your MailChimp account, navigate to the Account page.
In the account drop-down menu, click Extras, and choose API Keys.
Under the “Developing an App?” heading, click Register and Manage Your Apps.
Click Register an App.
In the fields provided, input your application’s information and click Create.
When creation is successful, you’ll see an Application created message appear, and more information at the end of your form, including the Client_ID and Client Secret. Do not share the Client_ID and Client Secret.
On this screen, you don’t need to save or change the information. Click Update or Cancel to go back to the Registered Apps page, or close the window.
Endpoints
OAuth2 exposes three specific endpoints, and one for metadata.
authorize_uri
https://login.mailchimp.com/oauth2/authorize
access_token_uri
https://login.mailchimp.com/oauth2/token
redirect_uri
Client-side, made available to the browser in use.
metadata
https://login.mailchimp.com/oauth2/metadata
Note
We support wildcards for the redirect_uri so you can provide
data-center-specific information for proper API calls. Wildcards work
as long as the redirect_uri appears to be a user-registerable domain
under a top level domain. For example, if you enter https://co.uk/ as
a redirect_uri, wildcard support won’t work. If you enter
https://mydomain.co.uk/, wildcard support will work. Domain detection
is based on these criteria.
A redirect_uri will also override the path portion of a URL, as well.
For example, a redirect_uri set to https://test.example.com/oauth.php
means that any URI starting with either test.example.com or
*.test.example.com will work (i.e.: https://test.example.com/somethingelse.php is valid).
Flow
To start your application’s connection to MailChimp, start by sending the user to the authorize_uri.
The user will input their username and password to approve your application. “Remember Me” cookies aren’t permitted here.
After the user authorizes your application, our server will redirect your user back to the redirect_uri, along with a code you can exchange for an access_token. The code is valid for 30 seconds.
Your application should then make an out-of-band request to the access_token_uri using the code our server provided.
Our server returns an access_token, which completes the official OAuth2 flow.
To complete the MailChimp flow, make another RESTful request using an OAuth2 client to the metadata_uri.
Our server will return a datacenter string, API endpoint, and login URL, as described in the following list.
dc:
The data center string, like us1, us2. If your API wrapper is data center aware, use access_token-dc as a standard API key.
api_endpoint:
Use https://{dc}.api.mailchimp.com. If you your API wrapper isn’t datacenter-aware, use this API endpoint and the access_token as your API key.
login_url:
https://login.mailchimp.com
Note
The access_token is used as an API key. Users don’t have access to these keys because they are tied directly to your
application. But, the user can de-authorize your application in
MailChimp, which removes and invalidates the token.
Configuration information
User-Specific configuration
client_id
635959587059
client_secret
0da3e7744949e1406b7b250051ee1a95
redirect_uri
http://192.168.1.8/oauth/complete.php
MailChimp standard OAuth2 configuration
authorize_uri
https://login.mailchimp.com/oauth2/authorize
access_token_uri
https://login.mailchimp.com/oauth2/token
base_uri
https://login.mailchimp.com/oauth2/
MailChimp custom configuration
metadata_uri
https://login.mailchimp.com/oauth2/metadata
We are using the Oauth 1.0 authentication Flow with the Twitter API. This basically come down to this spec: http://oauth.net/core/1.0/#anchor9.
We created the app and started to get users. Later we implemented Signup with Twitter where now we require the users email address from the API. We asked Twitter and therequest was granted. It works, great.
Now we have an issue with existing users because those authorized the App before we had that Email permission and with their existing Access Token, Twitter doesn't give us that.
Twitter writes in their documentation (https://dev.twitter.com/rest/reference/get/account/verify_credentials)
Note
Your app will need to regenerate the user access tokens for previously authenticated users to access their email address.
How can this be done?
When we delete the corresponding data (token and secret) on our side and ask for new Auth it doesn't have any effect. Twitter always gives us the same token and secret again.. and with that in the account/verify_credentials call no email address.
The only way which we found works is when we log into Twitter and revoke access to the App. Then we get a new token and secret which gives us access to what we want.
But we don't want to tell that to our users but rather do this programatically utilizing the API. How?
Try to request a new/different permission from the users:
What if I want to request a different level of access for my
application instead of the one my application is registered with? You
can do this now by using the x_auth_access_type parameter during the
request_token phase. Using this parameter you can request a read or a
read/write token even if your application is registered for read/
write/direct messages.
More information on this method is in our developer documentation:
http://dev.twitter.com/oauth/reference/post/oauth/request_token
Currently, the person I'm developing for uses google docs to display the website/files. Which can only be accessed via google accounts ending in a certain domain name. For example danny#webtest.com if it's a webtest google account then it can access it.
Now I'm creating them a website not linked to google. However, I still need this authentication process.
Step One
login page will be a simple "connect with google account"
Step Two
user is redirected to login to google, if they're already logged in then moves to next step.
Step three email address is crosschecked with my database, if there a session is made for the row id of that user, if not then it is added.
I'm trying to keep this as simple as possible, however I have no idea where or how to do step Two.
After reading the Wikipedia introduction mentioned by #Izzy, you can have a look at google's Oauth2 introduction and then jump into google's quick start sample app; it gives a fully working commented php app of using oauth 2.0 to authenticate with a google account and fetch user data.
The code in the example uses the package google-api-php-client as well as a js library to reduce the boilerplate to simpler API calls. For the client/frontend side, javascript calls such as:
auth2.signIn().then(function(googleUser) {
onSignInCallback(googleUser.getAuthResponse());
}, function(error) {
alert(JSON.stringify(error, undefined, 2));
});
And on the server, php side:
$code = $request->getContent();
// Exchange the OAuth 2.0 authorization code for user credentials.
$client->authenticate($code);
$token = json_decode($client->getAccessToken());
// You can read the Google user ID in the ID token.
// "sub" represents the ID token subscriber which in our case
// is the user ID. This sample does not use the user ID.
$attributes = $client->verifyIdToken($token->id_token, CLIENT_ID)
->getAttributes();
$gplus_id = $attributes["payload"]["sub"];
// Store the token in the session for later use.
$app['session']->set('token', json_encode($token));
$response = 'Successfully connected with token: ' . print_r($token, true);
Please note that requesting an email address will require asking further the permission (named Authorization scopes) from the client, as seen in this SO question:
$client->setScopes(array('https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile'));
You can then use any number of APIs that expose userinfo.email. One of these, Google_Service_Oauth2, has the helpful public method userinfo
$oauth2Service = new Google_Service_Oauth2(...);
$userinfo = $oauth2Service->userinfo;
Use OAuth2. Google uses it for authentication process.
OAuth states for Open Authorization. OAuth is protocol which is designed to work with HTTP enabling access tokens to be issues to third-party clients by auth server, with approval action from user.
OAuth is starting to be deprecated, and all major companies are starting to use OAuth2 protocol which is improved version of OAuth, but unfortunately it is not backward compatible.
You can find several implementation in PHP like this one.
I'm working on an API and considering using OAuth (3-legged approach) for authentication and authorisation.
This is the basic idea:
In order for clients (mobile app or web app), to use this RESTful API the user will have to be logged in using identity providers/servers such as Google, Facebook e.t.c
Essentially 3 parties will be interacting here:
The mobile / web app: The one trying to access my API
The API: The site that contains data for the app to run
The identity server: The site that will allow the user to login in order to access the API
Now, the way that I understand this process (assuming I do). This would be the flow (summarised):
The user will try to access data from the API (consumer);
The consumer finds that the user is not logged in;
The user gets a page (with service provider buttons such as Login with Google);
The user clicks the button, and the service provider returns a login form;
The user logs in;
The service provider returns a page asking for specific permissions;
The user grants permission;
The service provider returns an access token to the user;
The user uses the access token to try the request again to the consumer (API);
The consumer takes the token and verifies it against the service provider;
The consumer grants access to the user.
First
Is this process correct (on a higher level), or have I completely misunderstood the whole thing. If it is not correct: Could you offer some tweaks?
Second
After this whole process. How does the consumer communicate with the user? Will I have to be passing around a token on every request made (between the mobile app and the API)? Or can I just use the user details from the service provider to identify the user?
Third
How exactly does the consumer (API) verifies the token provided by the user against the server? Is this already implemented in OAuth, or will I have to do it myself?
Forth and last
In terms of implementation, what would be the difference between the client (mobile app / web app) and the consumer (API)?
I'm new to this, and I am trying to implement it in PHP (the API). If you have any references to PHP code (sample implementations) or external resources, I'd really appreciate it :-)
I am also new for oauth but I'll try to help.
First you could look here for appropriate libraries which could help.
As for me your oauth flow is correct. A good explanations you can also find here.
Keep in mind that authorization server should return an authorization code which you use for obtaining access token.
So your questions:
1) Follow the second link and there - "Authorization Code".
2) With every request to you API you should send your access token. Something like
http://<your api>?access_token=7f813af1-381d-4dd7-b70b-b6a8399b2c00
3) Just use the libraries from the first link. I hope that they have already implemented this. :)
4)Can't exactly understand what you mean. Your client must be able to obtain access token, store it and send it with requests. Your API server must be able to receive access token from client, and give access to api if the access token is correct.
I'm currently creating a server CLI application retrieving facebook Ads metrics through the Marketing API, it would be done as a long running service on the server doing so periodically without user input, but I can't seem to find a way to get a token for doing so.
All procedures to get an access token from facebook PHP Api seem to assume a user is there to login to facebook. I looked quickly to see if I could connect manually with curl but there is some js generated variables in the facebook login process, so that would complicate things.
Is there any way to get Marketing API insight with only an app id/secret ? Or is it possible to retrieve an access token without user input ?
The closest I've been is this :
Api::init(
'appID', // App ID
'APPSECRET',
"appid|appstring"// APP token
);
$campaign = new Campaign('campaignID');
$params = array(
'date_preset' => InsightsPresets::LAST_7_DAYS,
);
$insights = $campaign->getInsights([], $params);
print_r($insights);
But I get an error "Cannot determine the target object for this request. Currently supported objects include ad account, business account and associated objects."
Do you have access to Business Manager? You can generate a System User there which comes with a non-expiring token. See here.
With App ID and App Secret, you can only get an App Access Token. There is no relation to any User with that one, so there is no way for Facebook to know if you are allowed to have access to the Marketing API or Insights:
To access the Marketing API you need a user access token having the
permissions ads_management or ads_read
Source: https://developers.facebook.com/docs/marketing-api/quickstart#access-token
You can use and store an Extended User Token that is valid for 60 days.
More information about Tokens and how to extend them:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/