I've spent a week trying to figure this out, and I am turning to the experts on Stack Overflow for a little help.
The Concept
I've designed a front-end and a back-end that are relatively separate. Members interact with a Client-side application that runs on Angular4 frameworks. For that, I use the Javascript SDK to control Facebook login. The application does not use Facebook for anything more than login and pixel information, so I request bare minimum permissions (thus bypassing any need for application review also).
On the back-end, I store the facebook ID of the members. The facebook ID is their unique identifier, since not all users will have an email address. If the member has a paid subscription to the site, the backend needs to invite them to a group page that has SECRET privacy setting. Membership to this exclusive group is one of the perks of paid membership.
The Problem
Here's the problem, to send a member invite, I need a CLIENT_TOKEN from a group administrator. OR I need to have a CLIENT_TOKEN for my APP, if the page that is created was created by the app itself.
What I have found
Facebook API documentation on the CLIENT_TOKEN is very sparse. The documentation includes redirects where the user supposedly enters their user-name, password and then, when they return, a CLIENT_TOKEN is passed back with the redirect. However, this does not work for the Backend, because the admin user (me) is not going to be available to interact with the page that is loaded on the redirect.
I thought about creating the group with the APP to utilize the CLIENT_TOKEN that is owned by the APP itself. However, the documentation (current link pointed to by the current API, btw) notes that APP groups are deprecated, so this is not an option.
What I need to know
Here is what I need to know:
1) How do I obtain a CLIENT_TOKEN for my personal user account without being present to authenticate each time it is requested?
2) In addition to the above, do you have any other advice or tips that I might have forgotten to ask about that pertains to programmatically inviting and removing members?
You can not send invite requests for a group to users via API.
That was a feature available specifically for App & Game Groups as well, but is gone with them.
Related
I'm currently working on a project, where the developer before me implemented the login into an intern tool via google Oauth 2.0
He does that, by just grabbing the user domain, after authenticating with google and checks if it is "ourCompany.com".
If yes, he renders the page, if not, he redirects the user to the login.
(So basically he does one oauth request per page view.)
I'm pretty new to Oauth 2.0 but as far as I understand it, this is not, how it should be used?
He wants to use Oauth, because his idea is to organize all our employees over google groups/organizations and thus have a central place to give and take permissions. (Which I have to implement now.)
He said I should "just also get the groups on each request" and that's it.
(Which I tried btw. as a "quick win" but couldn't manage to get them from google yet, not sure If it is even intended)
My understanding of how this should work is the following:
The user is redirected to the google Oauth 2.0 service with a scope to get his groups/organizations.
We get back an access Token, which I then would use to ask the google API for the users groups/organizations.
Based on these informations I would then set the users rights in our application itself. (For example The user is in a google group "author", then I would give him the author role in our application)
The user then gets logged in via a "normal" PHP session, which takes over for the rest of the application, instead of always asking the Oauth service.
Does this approach make sense or is my colleague right with his implementation? The only benefits I see in his solution is, that we get "real time" information, if the user still is in a group or not.
But from what I've read about Oauth 2.0 so far, his implementation does not feel right for me, on the other hand I don't feel secure enough at this topic to say it's wrong.
So any explanations/opinions would be very welcome.
Additional informations about the project:
We use Laravel 5.4
I thought about using the "socialite" plugin (https://github.com/laravel/socialite) and for permissions (https://github.com/spatie/laravel-permission)
If the intended user groups in your application are the same as the Google groups configured for your domain, then I think it's OK to use the Google domain groups. If not, you could use new groups (possibly with some prefix like myApp-group1), but you could end up with many groups if multiple applications does it.
There is also a question who can modify the Google domain groups. Is it the same person/role who would have the right to modify permissions in your application?
I would consider creating a separate access management for the application if:
There is a chance of people outside of your company using the application.
You needed to modify existing Google groups (if there are some) just to make them fit your application.
It looks like you can read user's groups by Google Directory API with an access token containing scope https://www.googleapis.com/auth/admin.directory.group.member.readonly. But I have no experience with it.
I think it's common to use LDAP (or MS Active Directory) as an access management for in-company applications, so the idea of using Google groups is not strange.
The auth sequence you described looks correct.
I am working on a website which will allow registered users to link with their Facebook account and periodically, the site will poll their information and post back to their Facebook page.
The site is Joomla based, so using the PHP API seemed most sensible, but I'm not sure.
I've looked at the Facebook documentation and it seems confusing. Do I need to write an app and get it approved, or is there a simpler way?
If I need to write an app, is there anyway to develop and debug the app before getting approval and only turn off sandbox mode after approval has been achieved?
What would be the simplest way to implement this so I can retrieve some Facebook info and make posts to Facebook pages at later dates?
In future, I may wish to allow users who are logged into Facebook to automatically login to my site, but for now, I do not want this.
You will need to register an application. Being that this is not an application hosted on facebook, there really isn't much of an approval process.
PHP SDK would be required for what you want to do.
In order to post to facebook or get facebook account information, the user would need to authorize your application and provide permission for what you want to do.
Keep in mind that although a user can grant your application a key via which you can do things on their behalf on facebook, this key will eventually expire if the user does not return to your application.
I would take a look at the Facebook API that was done for summer of code. It is currently in the platform tracker and you also need the OAuth1 API that she did. If if you use that you'll have a good start on what you need.
This is a tough question to ask so I hope I can make it clear!
I'm writing a PHP script that access a users Gmail calendar. I first wrote it using Zend and it was fantastic, but found that I have to use the Oauth to get to tasks - therefore I rewrote it for Oauth instead.
In order to use Oauth I have to go to my API console and set up the account and then I have access and everything works great. Here is my problem: I can't ask every single user to go through this somewhat technical step of creating a key and all of that just so my app can work with their Gmail.
Zend was really easy, the user provides me with their name and password and I have access. Now I don't see any way to change accounts using the Oauth method, all of the credentials are for a SINGLE Gmail account (as far as I can tell).
Is there a way to do what I'm trying to do without making the users go through fifteen hoops to allow me access? I would like to register my app and get my keys, then be able to point to ANY Gmail account, the user grant me access, and I'm in. Otherwise each user has to go to the API console in their own Gmail, create branding, create a key and then create a server ID, THEN provide that all to me so I can plug it in and THEN redirect them back to Google so they can say "yes, I accept this". That's a lot of steps to integrate.
I hope this was clear enough :).
That's basically how OAuth works. ONLY the developer that wrote the app needs to register it, get the keys and add that to the configuration.
Users of the app simply get taken to a page (after signing into their Google account) where they will grant access to your app in a single click. Google will remember their decision and the next time will be even faster.
I'm building a web application for a customer and I'm not really sure I'm doing the right thing...
Basically, I created a PHP application that read, edit, delete calendars on Google and keeps a copy on my own web application DB (for various reasons). Now, I read about the OAuth 2.0 and realise it could be safer to use this than have my client general Google password (that access ALL google services (calendar, email, etc)) directly in my web app in a PHP file (in other words, if a hacker enter the server than he can steal her password...).
So I created the OAuth 2.0 account, add the classes/folders from this page http://code.google.com/apis/calendar/v3/using.html#setup and added the proper scripts on a test page to "authorize access to your information" (see "Instantiating the client " in the same page) ...
Here is my questions: If I am logged in my gmail with MY login info (not my Client) and I go to my test page, it will ask ME to authorize access to my Google Calendar. But I want my client's calendar, NOT MINE! So, let's pretend I logout, log in with my customer info and go to the test page : it's perfect, I authorize the account, then I'm redirected to my app where i can see HER calendar.
But this is not practical OR logical... Since, for example, I want people on her GENERAL PUBLIC website to go on a page, and fill a form in order to automate her appointments. The script must check her google calendar.... and ask permission for THEIR gmail accounts? No, I want HER calendar.
So this is my problem / question. What am I doing wrong? Is this the right way to do so or did I miss a step? Was this API meant to do this?
How can I use the API to work in the way described above?
Thanks all to light my candle
Joel
If I'm understanding you correctly, you've got the authentication right. The problem is that you don't want to display the calendar of the logged-in user; you want to display your client's calendar.
A user can write to a calendar in one of two circumstances:
The user owns the calendar, or
The owner has given write access to the user explicitly, by specifying the user's email address.
Clearly the second situation doesn't scale. And in either case, you'd need to embed your client's credentials in your application, then use them either to create appointments on behalf of an authenticated user, or to share the calendar with the user. Of course, you'll want to encrypt your client's credentials--don't simply hard-code them in your app!
Rather than using your client's "real" account, it would seem more secure to create a new account (with a unique email address and password) specifically for this calendar. Your client could then access it through your application as her customers would, or you could share the calendar with her and give her write access.
Another possibility might be to make the calendar read-only to the users, and rather than allowing them to create appointments directly on your client's calendar, your app could let them request appointments: it would create the events on the users' calendars and send invitations to your client's calendar. Then your app won't need any embedded credentials. It would also give your client the opportunity to confirm or decline each appointment, automatically sending her response to her users. Another benefit is that each user's appointments would appear on his/her own personal Google calendar.
I'd be interested to know if you (or anyone else) finds a better solution.
I have the same problem, i solved using zend framework, even if i don't like it as it is yet and i'm trying to do with google api directly. ( and i'm not able )
Zend wrap around them i suppose.
I know the question is very old anyway, i embeded zend loader class, and a calendar extension.
Then i just use:
if($something) {
$client = getClientLoginHttpClient($usergmail, $passgmail);
createEvent($client,$dbcon,$id_event);
}
where $dbcon is a connection to my dv, and $id_event is an id where i can find the data i want insert, ( date, content, title, time and so on ).
I don't like it but it works.
I'm working on a web project that isn't all that dissimilar in principal to power.com, where I am attempting to unify several different social networking sites under a single website, allowing users to register once with the system, and then add as many of their individual social networking accounts (Facebook, MySpace, Orkut, etc) as the system is built to handle, allowing them to browse their respective profile information in a single place.
Simply put, I can't seem to find a way to authenticate arbitrary users into their social network accounts.
I've been poring over the OpenSocial specifications, as well as the OpenSocial PHP client project, but I seem to be missing something, as everything is appearing to be circularly dependent.
My first problem is that, for testing purposes, I have a MySpace consumer key and consumer secret, but whenever I attempt to perform a 3-legged authentication with MySpace, there's no option for logging in as someone else. Plus, it performs an external redirect, which is somewhat undesirable (as a user of this eventual social networking "portal", I'd rather not have to go through that redirection process every time I add a new account).
How would I programmatically authenticate an arbitrary user and allow them access to their account information (preferably without the external redirection)?
Second, the 2-legged authentication requires a userId (usually an arbitrary integer) that identifies the arbitrary user to retrieve information for. However, when I enter my MySpace OpenSocial ID, along with the given consumer key and consumer secret, I am given a 401 Access Denied error. Furthermore, in order to use this ID in the future, it seems that I would need to authenticate the user first...but that authentication appears to require the ID.
I'm pretty convinced that I'm missing something trivial, but for the life of me can't figure out what it is. Help is greatly appreciated!
Technically this isn't my answer, but the developers at OpenSocial have provided me with the following information regarding my question (emphasis mine):
3-legged OAuth is built around the
redirect back to the site you're
authenticating with, and there's no
way to avoid it. It's not the most
convenient experience, but allows
users to share their data with your
website while keeping their passwords
private. Any design which requires
users to enter their MySpace password
into a form on your website is
considered an anti-pattern and should
be avoided. You could potentially
attempt the redirect in a popup window
in order to make the experience a bit
less jarring for the user (currently
the PHP client doesn't make this that
easy, but if you followed up at
opensocial-client-libraries#googlegroups.com
someone could help you work through
that process).
With regard to not being able to
change the user, what I believe
MySpace is doing in your case is
checking for a MySpace cookie and
pre-populating your account
information. If you were a user
visiting the site and not logged into
MySpace, you should get a full
username/login box combination. There
should also be a button or link
somewhere to say "I'm not this user"
and log in with other credentials.
As for 2-legged, you would need to
have the application associated with
the consumer key/secret installed on
the profile of any user whose data you
wish to access. 2-legged is mostly
intended for developers who are
currently running a social gadget on a
container and wish to access social
data for their application users out
of band with a gadget render. In this
case, the application server would
already have the user's OpenSocial ID
(from a signed makeRequest) and the
user would already have the app
installed on their MySpace profile).
Most of this is covered
in http://wiki.opensocial.org/index.php?title=OAuth_Use_Casesif
you want more information.
Essentially, this makes any use of 2-legged authentication on an external application impossible; 2-legged was explicitly designed not to be used in this sort of situation. Furthermore, it seems that power.com is indeed employing the anti-pattern of having users supply their actual Orkut/MySpace/etc credentials, so that explains that bit.
Clearing out my cookies worked to authenticate me through MySpace. However, I followed up with another question about how Orkut authentication would work, since it doesn't seem to support 3-legged auth. Here was the response I received:
Orkut is interested in supporting
this, so you'll be able to allow users
to share their information with your
application "correctly" in the future.
The corresponding two-legged app would
need to forward the current viewer's
OpenSocial ID back to your server,
probably along with an authorization
token you generate yourself so that
you can link a user's session on orkut
with a session on your own server.
Honestly, it's probably not usable
enough to support a standalone login
system.
Essentially, no, Orkut really can't be hooked into an external app (at least, not yet) without resorting to the anti-pattern.
If anyone has any further information on this topic, please feel free to share!
The pattern is also mentioned here http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
Essentially a lot of the mashups would want this feature :
A 3rd party site which DOES NOT have a
gadget wants to get the end-users
permission to access their data at the
social network, for example to
download their friend list, or to get
permission to post to their activity
stream