Microsoft Graph REST API profilePhoto as daemon - php

I am trying to develop a web service which displays some user information from an Office 365 instance using the Microsoft Graph.
I'm able to query groups, user details and so on, but I'm not able to get the user profile picture as described here http://graph.microsoft.io/docs/api-reference/v1.0/api/profilephoto_get. It always returns a 403, even when my service had all rights (for testing purposes).
The web service is a daemon as described here: http://graph.microsoft.io/docs/authorization/app_only, so no actual user is logged in. Could that be an issue? Is it possible to query the photo information using a daemon?

As mentioned above, the problem could be solved by two things:
Use app permissions instead of delegated
If the implementation reuses the auth token, restart Apache (or whichever web server runs the app) after changing permissions for the app. The cached token doesn't seem to get updated rights.
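
To check a cached token rather than restart and hope, the following added example (not part of the original answer) decodes an access token's payload and decides whether it has to be discarded. It assumes the token is a JWT that lists application permissions in `roles` and delegated ones in `scp`, as Azure AD access tokens do; `User.Read.All` is an assumed required permission, and the sample tokens are constructed.

```php
<?php
// Diagnostic only: reads the payload WITHOUT verifying the signature.
function b64url_decode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad);
}

function describe_token(string $jwt, string $requiredRole, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a three-part JWT');
    }
    $claims = json_decode(b64url_decode($parts[1]), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('payload is not a JSON object');
    }
    $roles  = $claims['roles'] ?? [];                                    // app permissions
    $scopes = isset($claims['scp']) ? explode(' ', $claims['scp']) : []; // delegated
    return [
        'app_only' => $roles !== [] && $scopes === [],
        'has_role' => in_array($requiredRole, $roles, true),
        'expired'  => ($claims['exp'] ?? 0) <= $now,
    ];
}

// True when the cached token must be dropped and a new one requested,
// e.g. because it was issued before the permission was granted.
function must_refresh(string $jwt, string $requiredRole, int $now): bool {
    $d = describe_token($jwt, $requiredRole, $now);
    return $d['expired'] || !$d['has_role'];
}

// Builds an unsigned, constructed sample token for the demonstration.
function make_sample(array $claims): string {
    $enc = fn(string $x) => rtrim(strtr(base64_encode($x), '+/', '-_'), '=');
    return $enc('{"alg":"none"}') . '.' . $enc(json_encode($claims)) . '.sig';
}

$now = 1700000000;
$samples = [
    'stale'     => make_sample(['exp' => $now + 3000, 'roles' => ['Group.Read.All']]),
    'fresh'     => make_sample(['exp' => $now + 3000, 'roles' => ['Group.Read.All', 'User.Read.All']]),
    'delegated' => make_sample(['exp' => $now + 3000, 'scp' => 'User.Read']),
];
foreach ($samples as $name => $token) {
    printf("%-9s refresh=%s\n", $name, must_refresh($token, 'User.Read.All', $now) ? 'yes' : 'no');
}
```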

Related

Google Adwords API PHP - remove Oauth2 access for current access token

I am successfully connecting to the Google Adwords API with the OAuth2 examples from Google. I now want to implement programmatically the disconnection of the customer for this OAuth2 connection.
I saw in some examples the function
$client->revokeToken()
but in my case this function is not present. I am using for the connection the libraries from
"googleads/googleads-php-lib": "*"
I think you misunderstand how OAuth2 works. When you run your application a window pops up asking the user if they would like to grant your application permission to access their data. Assuming the user says yes then your application can now access their data. They are not logged in in any sense.
What revoke does is remove the access that they granted to your application.
There is an issue about this on the issue forum 986; I can't seem to figure out if the bug was fixed or not.
If you can't get it to work you can do
https://accounts.google.com/o/oauth2/revoke?token={token}
This works the same as the user removing your application from Permissions.

Access Google Drive with PHP (or javascript)

I have a small site/web application where registered users can see some files that I periodically prepare for them; I store these files in separate directories and every user can only see and download their own files.
Now, I'm moving these directories to Google Drive and I would keep functionalities like file listing and downloading.
Reading the official docs I found some interesting examples about file download/upload, but all of them talk about authorization that user must give in order to access to their Drive and this is not what I'm looking for, I don't want access to their Drive!
As far as I can see, the doc is not contemplating the case that someone may want to give (read-only) access to their own Drive. But maybe I'm missing something...
Basically, I need the list of files on my Drive account and, if requested, a way to download one (or more). The only one that has the auth to Drive account is my server, users will send request from it.
Is it possible? I think yes, but I can't find any docs about that. How can I authorize my server?
I think you're looking for the Using OAuth 2.0 for Web Server Applications where you'll be using service accounts to achieve your goal.
"This document explains how web server applications use the Google API
Client Library for PHP to implement OAuth 2.0 authorization to access
Google APIs. OAuth 2.0 allows users to share specific data with an
application while keeping their usernames, passwords, and other
information private. For example, an application can use OAuth 2.0 to
obtain permission from users to store files in their Google Drives."
The snippets are in PHP too, so it works in your favor.

Google Developer Console does not give password when creating Service Account

Overall goal is trying to access (my own) Google Sheets with a server-side PHP application (not for sheets owned by individual app visitors). For this I'm hoping to use https://github.com/asimlqt/php-google-spreadsheet-client, which mentions that it doesn't handle the OAuth2 stuff, for which I can use https://github.com/google/google-api-php-client.
So in trying to follow https://developers.google.com/api-client-library/php/auth/service-accounts , it says (step 5):
The Console shows your private key's password only at this initial moment of service account creation--the password will not be shown again
However when I do those steps, it sends me a .json (with private_key_id, private_key, client_email, client_id, type), but at no point does it show me any kind of password. I have tried this with both Firefox and Chromium, tried deleting my old Service Account, making a new Service Account. Is there something else I need to enable on my Developers Console? or something else that I'm missing?
When you create a service account on the Google API Console, usually the file randomname.p12 will get downloaded automatically, and the password for this file will be notasecret. But if you are authenticating using the service account, I believe you don't need the password, even though I am using it. See here, check out bram's answer: he is authenticating using a service account, which might be what you are looking for.

Create secure API communication

I am looking to build an API that I can deploy on my servers to monitor system load.
It will report to a central manager server that runs a client to display the information.
The issue I am struggling with is how best to secure the API.
What I want is for the client to be the only software that can access the server and retrieve this information but I am unsure how to achieve this using PHP.
I also want the possibility of distributing the API and client for others to use on their servers, so I don't want people to be able to access other people's data if they are using the API also.
The client is also written in PHP using MySQL and has a secure login.
This sounds like you're trying to solve the wrong problem.
"I also want the possibility of distributing the API and client for others to use on their servers, so I don't want people to be able to access other people's data if they are using the API also."
The only right answer to this is authentication. You need to protect your API by giving each user access credentials known only to them.
Your API must never reveal any data that the client isn't allowed to see as per their authentication credentials. Trying to work around this danger by trying to somehow protect the client from prying eyes is not safe - somebody who has access to the client and can observe it running will be able to reverse engineer any traffic between it and the server given enough effort.
If the API is properly secured, it won't matter to you which client tool is used to access it. The requirement to limit API access to a certain program will go away.
If you use SSL, along with authentication (I use 3rd-party auth: Google, FB, etc.), create data/reports on the fly and have the data saved in a subdirectory OUTSIDE your web folder (instead of /var/www, /var/myStorage/currentSessionId/), then you basically guarantee the security that you want.
Your PHP will only access a subdir that is named for the session it is running under.
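
The per-client credential check recommended in the first answer above, as an added example that is not part of the original thread: each client authenticates with its own key, and the server picks the data set from the authenticated identity rather than from anything the request asks for. The header names `X-Client-Id` and `X-Api-Key`, the client names, keys and load values are all hypothetical, and the exchange is assumed to run over TLS.

```php
<?php
// Constructed sample data: client id => SHA-256 of that client's API key.
$clients = [
    'acme'   => hash('sha256', 'acme-key-constructed'),
    'globex' => hash('sha256', 'globex-key-constructed'),
];
// Constructed load readings, partitioned by the client that owns the servers.
$loadData = [
    'acme'   => ['web01' => 0.42, 'db01' => 1.10],
    'globex' => ['app01' => 2.75],
];

// Returns the authenticated client id, or null when the credentials are wrong.
function authenticate(array $clients, string $clientId, string $apiKey): ?string {
    // Compare against a dummy hash for unknown ids so both paths do the same work.
    $expected = $clients[$clientId] ?? hash('sha256', 'placeholder-for-unknown-client');
    $match = hash_equals($expected, hash('sha256', $apiKey)); // constant-time compare
    return ($match && isset($clients[$clientId])) ? $clientId : null;
}

// The data set is selected by the authenticated identity, never by a request
// parameter, so one client cannot name another client's servers.
function handle_request(array $clients, array $loadData, array $headers, array $query): array {
    $who = authenticate($clients, $headers['X-Client-Id'] ?? '', $headers['X-Api-Key'] ?? '');
    if ($who === null) {
        return [401, ['error' => 'invalid credentials']];
    }
    $mine = $loadData[$who] ?? [];
    $server = $query['server'] ?? null;
    if ($server === null) {
        return [200, $mine];
    }
    if (!array_key_exists($server, $mine)) {
        // Same reply whether the server is unknown or belongs to someone else.
        return [404, ['error' => 'unknown server']];
    }
    return [200, [$server => $mine[$server]]];
}

$acme = ['X-Client-Id' => 'acme', 'X-Api-Key' => 'acme-key-constructed'];
$bad  = ['X-Client-Id' => 'acme', 'X-Api-Key' => 'guess'];
foreach ([[$acme, []], [$acme, ['server' => 'app01']], [$bad, []]] as [$h, $q]) {
    echo json_encode(handle_request($clients, $loadData, $h, $q)), "\n";
}
```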

Access direct messages via Twitter API

I am trying to access the Twitter direct messaging API.
I have set up an app and set the permissions to Read, write, and direct messages:
However, when I test the application and see the authorisation screen, direct messaging is not included in the permission list:
I have tried creating fresh applications, resetting the keys once the permissions have been changed and only creating the access tokens once the permissions have been updated. However, I still cannot get the Read, write, and direct messages permissions to kick in.
I am using HybridAuth as a framework to access the Twitter API.
I note this question, however no answer has been provided as the solution may have been established in a chat session which is no longer available.
edit
hybridauth\Hybrid\Providers\Twitter.php
find
$this->api->authorize_url = "https://api.twitter.com/oauth/authenticate";
replace by
$this->api->authorize_url = "https://api.twitter.com/oauth/authorize";
cf: https://dev.twitter.com/discussions/1253
