So I've start building an application for a website in Swift. The main goal is to have an iOS App which can receive notifications (in JSON from website) and can show all the features of the website.
So I can login and sign-up from the app to my database but the thing is I don't understand how to take out my session login and display it in an UIWebView. So the user has just to log-in and he can see the website with his account. The only thing I can make is to show the website as a guest.
Can someone help me please ?
As far as I know UIWebView does not store/send any cookie(session) for your web site. That means you're always not authenticated.
In order to complete your task you need to create your own cookie handling mechanism.
You need to save auth cookies sent to you by the server in response HTTP header, e.g.
Set-Cookie: JSESSIONID=ABAD1D;
Then you need to make any required request and MANUALLY put cookie header filed in your request header e.g.
Cookie: JSESSIONID=ABAD1D
Save response somewhere and render HTML in a WebView
BOTTOM LINE: All this stuff is a huge overhead to your app. Instead you need to write API of your web-site specifically for iOS(and other) apps, using different authentication approach and data transfer (well known).
What you want to do is basically create a little browser, I don't think it is a good idea.
Related
First time posting, long time reading.
I want to perform a silent authentication against Azure AD but I can't seem to get it to work.
Please find image below which outlines steps and overall solution approach.
This is the current approach I have set up and it is working quite well:
User logs in and is authenticated against a SaaS solution via Azure AD.
On the front page within the SaaS solution, user clicks on a widget which opens up a modal window.
Ajax call (POST) (bootstrap-table) is made which calls a php-script from another domain.
PHP script receives ajax request (CORS settings are ok). Here is where I would like the script to perform a silent user authentication against Azure AD and return user's email. It should not in any way display any login-screens or account selection screens. If the authentication fails it should just exit... perhaps with a error message.
Once authenticated, php-script performs API call(s)
On successfull call, JSON data is returned
And JSON returned from PHP-script is displayed on front page (bootstrap-table).
I've been trying with various examples/libraries (thephpleague/oauth2-client, magium/active-directory, ...) and I'm able to authenticate fine via Azure AD App but there is always a login-screen present or select account screen is displayed.
The reason for this approach is that I believe CORS are not secure or perhaps should not be used as a security measure. And also, because some browser does not seem to return Origin I am experiencing some issues...
Now, I'm more of a hobby-developer and perhaps this is in no way possible to achieve but I would like to believe it is and would appreciate any tips/hints on how to perform this silent activity/authentication.
Thank you!
I'm new to ionic. From last 2/3 weeks, I'm working on ionic to build a mobile app for our web application & currently in confusion at one step. Need some suggestion regarding the best way to solve this.
Our web application is built upon PHP & we are not using any kind of REST architecture in it. Since now, we are moving to the mobile app we are trying to refactor our codebase. So that, one base code will handle all both(mobile app/web app) kind of request.
In mobile app side, I'm using OAUTH(http://bshaffer.github.io/oauth2-server-php-docs/). It's working fine. I can able to login/logout. But, I can't able to manage my PHP SESSION data.
In the web application, I know after login PHP send a session id which get stored in browser cookie & in all subsequent HTTP call it gets attached by browser. But, in my mobile app I'm not getting that SESSION ID after login. So, I thought maybe this is the reason for which my mobile app is not getting the user's SESSION data.
To resolve this, what I've done now...
After getting, authorization token & refresh token from OAUTH server, I include current PHP SESSION ID also in the data set & return back to the mobile app. Then, in all subsequent Http call I send that SESSION ID value to server side & by using the following code, I retrieve the user's SESSION data.
session_id($_POST['session_id']);
session_start();
$UserData = $_SESSION['User'];
It's working now. But, I really don't know whether it's a right way to do such things or not & mostly I'm concern with security issue associated with this. Can anyone guide me with this?
Regards
How can I "link" a person's youtube account to an account on my website? I am trying to get Analytics from videos, how much money they have made, etc. I know i am supposed to be using the YouTube Analytics API, but I see tons of different documentation and it gets SO confusing. Are there any PHP libraries I can use to get this data and to link the user's account to my web application? I am also confused on where I get an OAuth Key.
Here are some sites i have looked at:
1) Site One
2) Site Two
On site two, I looked at the examples, but nothing really helped me understand even how to start.
A lot of the relevant info you'll need can be found in this document:
https://developers.google.com/youtube/analytics/authentication
Basically, it outlines the following 4 steps:
1) Register your web app in the Google Cloud Console
This is needed so you can get a client secret and client ID, which your server-side PHP code will need in order to do the oAuth flow (and get the right scope to be able to query analytics data for the user that's authenticating). See here for more info on how to do this:
https://developers.google.com/youtube/analytics/registering_an_application
The most important things to do as your register your app are to turn on the YouTube Analytics API and create a new client ID for your web application.
2) When a user visits your page, you'll need some way (i.e. a login button, for example) to trigger the start of the oAuth flow. When this is triggered, you'll want to redirect the browser to this URL:
https://accounts.google.com/o/oauth2/auth?client_id=[YOUR CLIENT ID]&redirect_uri=[THE URL YOU WANT THE USER TO BE DIRECTED TO AFTER AUTHENTICATION]&scope=https://www.googleapis.com/auth/yt-analytics.readonly&response_type=code&access_type=offline
This will present them with a window asking them if they want to give permission to your app to read their analytics. Note that the client id parameter is the same that you received when you registered your app in step 1. That registration process also will require you to set the allowed redirect URIs, so here you must pass one you set in the registration.
3) The redirect URL will be requested, from step two, by Google's servers with a "code" parameter attched. So when it is requested, it should immediately do a POST to another URL (i.e. with cURL or something similar), that looks like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=[CODE THAT CAME IN AS A GET PARAMETER] &client_id=[YOUR CLIENT ID]&client_secret=[YOUR CLIENT SECRET]&redirect_uri=[THE REGISTERED REDIRECT URI]&grant_type=authorization_code
If you do it as a POST with cURL, then the response will be a JSON packet that has an access token and a refresh token.
4) Your php page can store these both (in your DB, for example), note that the user should be treated as logged in at this point, and you can use the access token in the header of all API requests send to the analytics API.
https://developers.google.com/youtube/analytics/authentication#OAuth2_Calling_a_Google_API
IT'll expire in an hour, so with each request you should be checking its age (i.e. when you stored it in the DB, you could store the expiry time, for example), and when you're getting close you can use the refresh token to get a new access token.
https://developers.google.com/youtube/analytics/authentication#OAuth2_Refreshing_a_Token
You can now redirect them to wherever your app needs them to be to start interfacing with the API.
Seems like a lot? It can be, but once you get the paradigm down it's pretty simple. And you asked about a client for PHP, and thankfully there is one:
https://github.com/google/google-api-php-client
It's got simple handlers for the whole oAuth2 flow, and also has a YouTube analytics service object that sets the access token automatically for you as it's making its various calls.
I'm pretty new to PHP and JSON/XML, but we're forging ahead.
Our project entails logging in to a webservice (which we also built) from a handheld device and then accessing our website from that device. The point is to only allow users who have logged in on the handheld device to access the webpage.
Now, I guess this doesn't only apply to handhelds, but here's the question:
We can send an HTTPRequest from the handheld device and use a PHP script to validate login info from a database, and then return either a 'success' or 'failure' JSON object. If the user succeeds in logging in, our webservice will be opened in a browser window.
The online application relies on Session Variables for authentication every step of the way. Is there some way we can send the HTTPRequest, receive authentication, and then somehow feed the very same page we are opening some data which it will parse into session variables?
It depends on the device. Some mobile phones (like flip phones for example) will most likely not have support for AJAX. Smartphones, on the other hand, will most likely have support for AJAX.
To make it compatible with all devices, your best bet is sticking with a standard login system that posts the variables to the same page or another page for validation. Otherwise, you will be making several different websites to work on various phones.
Hello I am looking to build a basic API and application/apps system on my social network something like Facebook or other sites have, my site is in php/mysql. Here are some questions.
1)
Basically what I want to do is give a user a API key and secret. After I have these how can I use them in my php app to authenticate a user request which would come from there server?
2)
I can basically build an API to send a request to my server with CURL and get the result back to the page in XML or JSON or whatever, the problem is when sending the request the user would have to know the user ID they want to send to lookup data against, this is fine for an API but I am wanting to have an Apps section where the user's app site would be using the API and would be loaded into my site in the app section with an iframe, the problem is, I need to find a good way to make it where a logged in user on my site can go to the app section and go to an app and there username should be available to that page loaded in the iframe. Facebook and myspace do this somehow and many other sites; I am lost how to get around this hurdle.
Any help on any of this is really appreciated, thank you
Update:
I just had an idea, if I require a cookie to be set when a user visit's my site, then they would have a cookie and it could hold there User ID, then my API script could look for that cookie to exist and grab it's value?
If you plane on using an IFRAME, then no, your API hosted on a separate website (the website inside the IFRAME) would not be able to grab the cookie. The cookie is only visible on the website that it was set for.
I have only used Facebook API with the FBML (not the IFRAME,) but all they do their is basically replace what's in the page with the info that the "tag" is calling. I'm not sure if there is a better way, but you could possibly call a page on the app's server (say the app is hosted at http://example.com/app/, and you called http://example.com/app/?id=28318&name=John%20Maguire,) and have your API code handle it and turn it into a variable?
Maybe you should look into the source code of the Facebook API client.