We are using the Oauth 1.0 authentication Flow with the Twitter API. This basically come down to this spec: http://oauth.net/core/1.0/#anchor9.
We created the app and started to get users. Later we implemented Signup with Twitter where now we require the users email address from the API. We asked Twitter and therequest was granted. It works, great.
Now we have an issue with existing users because those authorized the App before we had that Email permission and with their existing Access Token, Twitter doesn't give us that.
Twitter writes in their documentation (https://dev.twitter.com/rest/reference/get/account/verify_credentials)
Note
Your app will need to regenerate the user access tokens for previously authenticated users to access their email address.
How can this be done?
When we delete the corresponding data (token and secret) on our side and ask for new Auth it doesn't have any effect. Twitter always gives us the same token and secret again.. and with that in the account/verify_credentials call no email address.
The only way which we found works is when we log into Twitter and revoke access to the App. Then we get a new token and secret which gives us access to what we want.
But we don't want to tell that to our users but rather do this programatically utilizing the API. How?
Try to request a new/different permission from the users:
What if I want to request a different level of access for my
application instead of the one my application is registered with? You
can do this now by using the x_auth_access_type parameter during the
request_token phase. Using this parameter you can request a read or a
read/write token even if your application is registered for read/
write/direct messages.
More information on this method is in our developer documentation:
http://dev.twitter.com/oauth/reference/post/oauth/request_token
Related
I'm building a very simple API using silex (php micro-framework).
I have an idea on how to authenticate user using Facebook connect or username / password.
I want to build this API to provide data to my mobile app. My API is using HTTPS.
The authentication with Facebook:
Facebook Connect happen on the mobile app
The mobile app is sending the user token and facebook_id to the API
The API check the user Facebook id requesting /me?token=...
The API check the Facebook app_id is correct /app?token=...
-> The user does exists and is authenticated
Now using login / password:
the mobile app send the username and encoded password
The API check the combinaison is correct
-> The user does exists and is authenticated
The question is about the user session. I don't really want to do this tests on every requests (ie. for Facebook auth there is 2 requests to Facebook).
I was thinking to open a session for the user and store some kind of API token. The token would be hashed and salted (salt + user_id + time delivered). I would store it in the session table and would only need to check that the token is still valid and belong to the requesting user.
So the mobile app would only send the user id + the api token for every request.
What to you think of it ? Do you thing of a better solution keeping it simple?
Or do you see any issue with this design?
Cheers,
Maxime
Facebook's authentication flows are based on the OAuth 2.0 protocol. More information about the protocol can be found here.
The flow follows these general steps:
Determine whether someone is already logged in.
If they aren't logged in, prompt them to do so (with a login dialog).
Exchange secure codes to confirm identity.
Generate an access token.
Once your client has obtained the access token, it should store that token. The client can then perform API requests on the user's behalf using the access token. So there's no need to follow the steps above again once you have the access token (unless that token has expired).
Facebook provides a number of SDKs for you to use, including a couple of mobile SDKs. I suggest you use an appropriate SDK for your mobile app. Implementing an OAuth 2.0 dialog with Facebook will be much easier than doing everything manually. Start reading here.
You can save the Facebook Id in the first user login. Then after check for active facebook user you can search and compare in Mysql for existent facebook Id.
i want to create an Api for my own mobile App to access data that is stored in a MySQL-Database. However i read a lot of articles about the 3-legged OAuth approach and i think this is not the solution i'am looking for. When i understand it correctly the 3-legged approach is more usable when for instance i create a new twitter client and want to use the twitter Api.
But my app is not a third party app, my app and the website incl. the database are from me. So i assume, that the user starts the app enters his user id and password, then the api has a function that checks whether userid/pw are correct and sends "true" as a result back to the app. The app then offers the user the possibility to access the functions for which a login is necessary. So the user should not be redirected to a website and "allow" the access to userid/pw.
If i understand it correctly the 2-legged approach is more likely for my purpose. But i am confused by this also. I assume that the user enters his id and pw, these credentials are looked up in the database by the web service a token will be looked up in the database for this user and will be send to the app. Additionally an app-token is saved in the app from the beginning and will be send with the request also. The app will save this user-token from the DB internally and will use this token everytime the user does something with the web service. With every request to the web service the token will be send to the service and the service checks whether the token is a valid one otherwise an error is send to the app.
I looked up this example:
http://code.google.com/p/oauth-php/wiki/ConsumerHowTo#Two-legged_OAuth
But there is nothing mentioned that the userid/pw from the user are looked up in the database...
Can anybody explain how i can solve this?
Two legged OAuth is similar to Client-Server. It is a client app requesting full access to the data from a server. The client would have full access to all data allowed by it's credentials regardless of which user is accessing the client
Three legged OAuth is a User-Client-Server. It is a Client requesting to get access to the User's data from a server. The Client would only have access to that an authorized user's data (until the user revokes access).
I'm working on an API and considering using OAuth (3-legged approach) for authentication and authorisation.
This is the basic idea:
In order for clients (mobile app or web app), to use this RESTful API the user will have to be logged in using identity providers/servers such as Google, Facebook e.t.c
Essentially 3 parties will be interacting here:
The mobile / web app: The one trying to access my API
The API: The site that contains data for the app to run
The identity server: The site that will allow the user to login in order to access the API
Now, the way that I understand this process (assuming I do). This would be the flow (summarised):
The user will try to access data from the API (consumer);
The consumer finds that the user is not logged in;
The user gets a page (with service provider buttons such as Login with Google);
The user clicks the button, and the service provider returns a login form;
The user logs in;
The service provider returns a page asking for specific permissions;
The user grants permission;
The service provider returns an access token to the user;
The user uses the access token to try the request again to the consumer (API);
The consumer takes the token and verifies it against the service provider;
The consumer grants access to the user.
First
Is this process correct (on a higher level), or have I completely misunderstood the whole thing. If it is not correct: Could you offer some tweaks?
Second
After this whole process. How does the consumer communicate with the user? Will I have to be passing around a token on every request made (between the mobile app and the API)? Or can I just use the user details from the service provider to identify the user?
Third
How exactly does the consumer (API) verifies the token provided by the user against the server? Is this already implemented in OAuth, or will I have to do it myself?
Forth and last
In terms of implementation, what would be the difference between the client (mobile app / web app) and the consumer (API)?
I'm new to this, and I am trying to implement it in PHP (the API). If you have any references to PHP code (sample implementations) or external resources, I'd really appreciate it :-)
I am also new for oauth but I'll try to help.
First you could look here for appropriate libraries which could help.
As for me your oauth flow is correct. A good explanations you can also find here.
Keep in mind that authorization server should return an authorization code which you use for obtaining access token.
So your questions:
1) Follow the second link and there - "Authorization Code".
2) With every request to you API you should send your access token. Something like
http://<your api>?access_token=7f813af1-381d-4dd7-b70b-b6a8399b2c00
3) Just use the libraries from the first link. I hope that they have already implemented this. :)
4)Can't exactly understand what you mean. Your client must be able to obtain access token, store it and send it with requests. Your API server must be able to receive access token from client, and give access to api if the access token is correct.
I've been trying to get Google's Calendar API working in a PHP web application, but I'm having a hard time getting authenticated.
What I want to do is to allow users to interact with calendars of a single account known by the server.
Each type of scenario covered in the OAuth 2.0 docs talks about "user consent" which involves a login form and the individual user logging in, but I want the server itself to authenticate directly and obtain an access token for itself.
Is there some part of OAuth or some alternative mechanism I can use to do this?
In order to do this, you must go through the steps for user consent and then copy the access tokens it gives you into the PHP code.
The usual procedure for OAuth is like this:
Send user to authentication page.
User comes back with $_GET['code']
Send $_GET['code'] to OAuth server for a token
Store token in database for the user (or session, if it's very short lived)
But when doing it with a single calendar like this, you modify step 4. Instead, you dump the token to screen and copy it into your PHP file as variables, instead of putting it in the database. Then when you go to pass the access token to the server, you just pass the known, static token rather than a dynamic token from the database / session.
See mathewh's answer here:
How to automate login to Google API to get OAuth 2.0 token to access known user account
The lightbulb for me is when you get the access token you get a refresh_token as well... you use this token to "refresh" your access token once it expires.
There is no way around a manual authorization step the first time.
is it possible to store the id of a user who grants permission to accept the app and then post a "share" when the user completes an action but they are not logged into linkedin? i have done this with facebook but currently struggling to get my head around the oauth/linked in libraries.
Yes, once the user has authorized your application, you can store the user's oauth tokens and use those to update LinkedIn via the API when a user trigers a share/update, etc.
The only trick is to cover yourself in the case that the user rejects your application's access rights; filter all responses from the LinkedIn API looking for an error indicating that the access token is no longer valid (you should be doing this filtering anyways for throttling issues).
LINKEDIN API has no proper documentation..as to how i can use it..sample code which is provided SKuS