OneDrive code flow asking to log in to Microsoft account - php

Whenever I try to authenticate the OneDrive API it asks me to log in to my Microsoft account, but doesn't that defeat the purpose of the API?
I redirect my script to the Auth Code URL which should return a unique code for me to request an access token. It works fine when I am logged in to my Microsoft account but when I am not logged in it shows me to the Microsoft login page.
The URL I am using is
https://login.live.com/oauth20_authorize.srf?client_id=MYCLIENTID&scope=onedrive.readwrite offline_access onedrive.readonly onedrive.appfolder&response_type=code&redirect_uri=MYREDIRECTURL
EDIT
Here is the PHP code I am using to redirect
$auth_code_url = 'https://login.live.com/oauth20_authorize.srf?client_id='.$od_app_id.'&scope=onedrive.readwrite offline_access onedrive.readonly onedrive.appfolder&response_type=code&redirect_uri='.$url_website;
header("Location: ".$auth_code_url); exit();

The API allows you to manage a user's files on their behalf, it does not create a OneDrive account for your application/service.
In order to manage a user's files, they need to authorize you to do so. Conceptually this means the user talks to login.live.com and says "I'm UserX, here's my proof". login.live.com then gives them back a token saying "We believe that this user is UserX". The user then provides this token to your service, so that when you make OneDrive requests you can provide the token to say "UserX gave me permission to manage their files".
If the user is already logged in, their browser already has an auth cookie stored so login.live.com will give back a code/token without prompting for login. If the user is not logged in, login.live.com (and also your service) has no idea who the user is. So it is necessary to show the login screen to get/verify the user's identity so that you know whose files to modify.

Related

logging out a user from facebook app

it seems that this method doesn't work for logging out the user from an app on facebook, i dont want to log the user from facebook itself like with getLogoutUrl, only from the app.
if the user uncheck the email field on the dialogue box the first time he log in with facebook, he needs to logout from the app, in order to log in again without unchecking the email field, so he have a second chance of signing in to my site.
this method doesn't work anymore:i'm on php SDK V4
setcookie('fbs_455857397897935','', time()-100);
// kill the session
session_destroy();
455857397897935 is the app id
You could try to revoke users login using graph API
DELETE /{user-id}/permissions
Quoting from docs:
You can also let people completely de-authorize an app, or revoke
login, by making a call to this Graph API endpoint:
DELETE /{user-id}/permissions This request must be made with a valid
user access token or an app access token for the current app. If the
request is successful, your app receives a response of true. If the
call is successful, any user access token for the person will be
invalidated and they will have to log in again. Because you're
de-authorizing your app, they will also have to grant access to your
app as if they were logging in for the first time.
Hope this helps your usecase.

Secure Google Redirect URL

I enabled Google Login option in website from where I get UserInfo and Email. I am using Google APIs Client Library for PHP.
I set redirect URL to
$client->setRedirectUri('http://login.example.com/authenticate/redirect_back');
and same in Google Developers Console. So after successful user login Google redirect back to
http://login.example.com/authenticate/redirect_back?code=4/gdtpUtOQ3ThblOTVnhEOtoeoeNRa.AqLKJLKDJxy_bnfDxpKmSx6cjgI
now my question is "What if somebody intentionally create code=4/xzzzz?" because Google openly showing where it is going to redirect (see in screenshot link | sorry i cannot post with < 10 reputation).
Google Auth Screenshot
I tried myself with dummy value and it get authenticated. But throws fatal error with invalid_grant when getting UserInfo. Is there a way to validate code value just after Google redirect back?
I guess you do not need to secure the Google Redirect URL.
Because the flow of authentication clearly says that,
once user grants the basic permission to access their data, user is redirected back to your website with Authentication code. The code is used to obtain Access Token, using Access Token the application can access current user data from Google, which could be used to register and login the user.
So in case a user tries to hit the callback URL with any arbitrary code, Google will not be able to authenticate the user and provide you with an User Info and email . Hence, you will not be able to register/login the user.

How can I access multiple API´s (Facebook and Twitter) on one user?

I am always reading about Facebook and Twitter logins for someones website.
The integration using one of theses services is okay, but my questions is how can I access both API´s for one user.
Example:
User is logged in on my website (active session). Now he somehow has to grant me access to his user details etc. on facebook AND twitter. How do I realize that? I don´t want him/her to type in his facebook or twitter credentials everytime he logs in to get his access token (oAuth).
How do I get my own oAuth user access token after using my websites login, so I can interact with Facebook and Twitter´s API.
Is this correct?
Thank you very much, if you can help me.
Facebook
When someone logs into the Facebook account, they stay logged in until they actively log out.
The way to test for this is:
FB.getLoginStatus(function(response){
if response.status === 'connected'{
// The user is logged in
var access_token = response.authResponse.accessToken;
// Do whatever you need to do
} else {
// Get the user to log in
}
});
See here for more details:
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
Twitter
The process is a little more complex for Twitter, but if you only want to display tweets, consider Web Intents.
Otherwise, follow these steps:
https://dev.twitter.com/docs/auth/3-legged-authorization
Both platforms have the ability to check whether or not the user is logged in first, so you shouldn't have to worry about someone having to log in every time they use your site. However, you cannot use the same oAuth token on both sites - you must get a separate one for each.
Each individual API will need a popup to authenticate, which will redirect to the appropriate api for authorisation, and then once you have the token after the authorisation redirects back to your popup.
You will then end up with a token that you can pass back to the calling page "window.opener" and store the token for that api in a Javascript variable by alling a Javascript funcation on the main page.
window.opener.getInstagramData("self", oauth_token);
Each authentication needs to have its own token and needs to be a button that the user should click on.
I am using this method to get Facebook, Twitter, LinkedIn Foursquare and GooglePlus account info.
Hope this helps.

Twitter OAuth: How do we log the user out of twitter?

I am using the oauth method in order to allow a user to sign into my website with Twitter and Facebook. I also plan to add Yahoo! and Google as well such as Stack Overflow does. Once the user logs in with Twitter successfully they have the option of logging out.
I want to make it to where when the 'Log out' button or link is selected, the user is logged out of my site AND TWITTER. I need it to log out of Twitter also in the case that the user is accessing my website and not Twitters. How do I do this?
Demo and example at: develop.f12media.com
The user clicks on 'Login' at the top of the page to log in with their Twitter account.
Redirecting the user to http://twitter.com/logout will probably work.
But don't do it. OAuth isn't meant to behave that way. Just log the user out of YOUR site.
Logging in to your site via OAuth doesn't necessarily log them in at Twitter, so logging out via your site shouldn't log them out either.
In Facebook it can be done easily because facebook provides logout.php and it takes next=sendBackURL as param.
so when user clicks on Logout button of your application, we can just invoke above logout URL, which will log out the user and smart facebook URL next=sendBackURL will send to your application login page.
But the above seems difficult in twitter, but I think if I do the same, then user will be on Twitter site but he will be logged out of both ur application and twitter.
so it can be by sending authorize?force_login=true, it will be called or will get redirection just after your application logs out user from your site, and user will be directed to Twitter again, I have tested it logs out user from twitter, although it will ask twitter credentials again, but no issue, user can just ignore that.
If Twitter can also provide some logout url, which takes next URL, it will be easy.
Whether or not the user is authenticated on the Twitter site is between the user and the Twitter site. You don't have access or control to that. You only have control over your auth token for that user on your site. You could expire the user's auth token when they log out of your site, but that only affects their Twitter authentication through your site. All that would accomplish is making it so they have to authenticate with Twitter again the next time they log into your site.
I think you're trying to accomplish something you don't need to here. This is the expected flow of OAuth and you shouldn't be worrying about logging the person out of a 3rd party site.

Automatically log facebook user into my site

I've set up a facebook login for my site, using the faceboko php-sdk example.php method. It's working fine, but I want a user who has already allowed my site once to be automatically logged into my site, if they're logged in facebook.
Currently, if a user who has previously 'allowed' my application visits my site while logged in with facebook, they need to click login with facebook, then they are redirected and logged-in. Even though after that click, they don't need to provide any credentials or anything. Thus I would just like this step to be removed and for a user to be automatically logged in.
I hope that makes sense. Thanks
This is discussed on their site.
http://developers.facebook.com/docs/guides/web/#login
Facebook Platform uses OAuth 2.0 for
authentication and authorization.
While you can add login to your site
using OAuth 2.0 directly (see our
Authentication Overview), the open
source JavaScript SDK is the simplest
way to use Facebook for login.
[...]
In order to log the user into your
site, three things need to happen.
First, Facebook needs to authenticate
the user. This ensures that the user
is who they say they are. Second,
Facebook needs to authenticate your
website. This ensures that the user is
giving their information to your site
and not someone else. Lastly, the user
must explicitly authorize your website
to access their information. This
ensures that the user knows exactly
what data they are disclosing to your
site.
http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
By testing for the presence of the
session object within the response
object, you can be sure the user is
known to your application and you can
begin to make further calls to the
Facebook APIs. If the session object
is not present, the user is either not
logged into Facebook, or has not
authorized your application.
http://developers.facebook.com/docs/authentication/
Check the client side flow section to see when you get the authentication token you need to be passing around.
If the user is already logged in, we
validate the login cookie that we have
stored on the user's browser,
authenticating the user. If the user
is not logged in, they are prompted to
enter their credentials

Categories