I've seen similar Questions like this before but don't understand the correct way of doing it. Or rather the questions were always a little different.
The scenario: I have a site where the user should log in via twitch.tv
I have a button which refers him to this url
https://api.twitch.tv/kraken/oauth2/authorize?response_type=code
&client_id=exampleclientid
&redirect_uri=http://example.com
&scope=user_read
I have censored redirect_uri and the client_id but basicly on this site the user needs to login into twitch or if he already is he can authorize that my application gets acess to "scope" here in this case "user_read" which is his email adress.
Now to my problem. When returning to my site my url will look like this
example.com/#access_token=exampleacesstoken&scope=user_read
example acess token is just a combination of numbers and letters which I need to acess private information like his email even his username.
Over this url
https://api.twitch.tv/kraken?oauth_token=exampletoken
I get acess to my needed information, but how do I grab the token from my url via php and delete everything after http://example.com to make it look good again.
The offical API documentation might be helpful and talks about CURL but I don't understand how it works and the PHP manual is very indepth.
https://github.com/justintv/Twitch-API
Sorry if I'm taking the lazy way here, but I think I'm missunderstanding something big because I just have to make a simple grab of the URL
From the Twitch documentation:
https://github.com/justintv/Twitch-API/blob/master/authentication.md#implicit-grant-flow
If the user authorizes your application, they will be redirected to
the following URL:
https://[your registered redirect URI]/#access_token=[an access
token]&scope=[authorized scopes]
Note that the access token is in the
URL fragment, not the query string, so it won't show up in HTTP
requests to your server. URL fragments can be accessed from JavaScript
with document.location.hash.
Related
I made a oauth2 server, and now I want to make c client using symfony2 to connect to it (when I click login, I'm redirected on the site with oauth2 server, I login, then I'm redirected to my client with the token).
I followed this: http://symfony.com/doc/current/cookbook/security/api_key_authentication.html
The problem is whem they retrieve the apikey. If I decide to use implicit grant with oauth2, the token is sent like that: example.com/#token
So I can't retrieve it with query->get.
If I send the code it's fine, but when I tried to curl my server somehow it broke (yeah, not specific error, still looking into it)
So I was wondering, is this the proper way of doing it?
Also, when they write about he specific url, why would I need one, if I can check everywhere?
Thanks :)
you can get your token like this in php :
For known url if you have your url with the hash, this part after # is called fragment.
$url=parse_url($yoururl);
echo $url["fragment"];
if you don't have this url in your backend, you need some javascript magic :
var token = window.location.hash;
then send it to your backend.
Maybe there is some other more symfonyc way to do this properly, but i never used oauth2 yet.. :D
How can I "link" a person's youtube account to an account on my website? I am trying to get Analytics from videos, how much money they have made, etc. I know i am supposed to be using the YouTube Analytics API, but I see tons of different documentation and it gets SO confusing. Are there any PHP libraries I can use to get this data and to link the user's account to my web application? I am also confused on where I get an OAuth Key.
Here are some sites i have looked at:
1) Site One
2) Site Two
On site two, I looked at the examples, but nothing really helped me understand even how to start.
A lot of the relevant info you'll need can be found in this document:
https://developers.google.com/youtube/analytics/authentication
Basically, it outlines the following 4 steps:
1) Register your web app in the Google Cloud Console
This is needed so you can get a client secret and client ID, which your server-side PHP code will need in order to do the oAuth flow (and get the right scope to be able to query analytics data for the user that's authenticating). See here for more info on how to do this:
https://developers.google.com/youtube/analytics/registering_an_application
The most important things to do as your register your app are to turn on the YouTube Analytics API and create a new client ID for your web application.
2) When a user visits your page, you'll need some way (i.e. a login button, for example) to trigger the start of the oAuth flow. When this is triggered, you'll want to redirect the browser to this URL:
https://accounts.google.com/o/oauth2/auth?client_id=[YOUR CLIENT ID]&redirect_uri=[THE URL YOU WANT THE USER TO BE DIRECTED TO AFTER AUTHENTICATION]&scope=https://www.googleapis.com/auth/yt-analytics.readonly&response_type=code&access_type=offline
This will present them with a window asking them if they want to give permission to your app to read their analytics. Note that the client id parameter is the same that you received when you registered your app in step 1. That registration process also will require you to set the allowed redirect URIs, so here you must pass one you set in the registration.
3) The redirect URL will be requested, from step two, by Google's servers with a "code" parameter attched. So when it is requested, it should immediately do a POST to another URL (i.e. with cURL or something similar), that looks like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=[CODE THAT CAME IN AS A GET PARAMETER] &client_id=[YOUR CLIENT ID]&client_secret=[YOUR CLIENT SECRET]&redirect_uri=[THE REGISTERED REDIRECT URI]&grant_type=authorization_code
If you do it as a POST with cURL, then the response will be a JSON packet that has an access token and a refresh token.
4) Your php page can store these both (in your DB, for example), note that the user should be treated as logged in at this point, and you can use the access token in the header of all API requests send to the analytics API.
https://developers.google.com/youtube/analytics/authentication#OAuth2_Calling_a_Google_API
IT'll expire in an hour, so with each request you should be checking its age (i.e. when you stored it in the DB, you could store the expiry time, for example), and when you're getting close you can use the refresh token to get a new access token.
https://developers.google.com/youtube/analytics/authentication#OAuth2_Refreshing_a_Token
You can now redirect them to wherever your app needs them to be to start interfacing with the API.
Seems like a lot? It can be, but once you get the paradigm down it's pretty simple. And you asked about a client for PHP, and thankfully there is one:
https://github.com/google/google-api-php-client
It's got simple handlers for the whole oAuth2 flow, and also has a YouTube analytics service object that sets the access token automatically for you as it's making its various calls.
I am trying to setup an automatic way to upload videos to YouTube using the YouTube API. The application needs the videos to be uploaded for some processing by YouTube. Currently, I am setting up the oauth2.0 piece and I am able to redirect the user to login with their information. However, when the user is then redirected back to my site with my specified redirect uri, I need to be able to accept custom fields on the end of the URL. Right now, the web server just redirects the user to the page I want, but strips off all of the information returned by YouTube about authentication. I do not know much PHP at all, but think that it might be the way to solve this problem. Essentially, I want to be able to redirect the user to a page on the website where the extra information is retained so that I can use it. Thanks for your help.
http://ocf.berkeley.edu/~gregory/youtubeTestCode/indexRedirect#access_token=ya29.AHES6ZS8kOZN2T59fKpoUE0t7roUXqTPWDAwTMvrhZ5TjlZO57JZNQ&token_type=Bearer&expires_in=3600
The format of the redirect is http://ocf.berkeley.edu/~gregory/youtubeTestCode/indexRedirect followed by #access_token=ya9232.jdfka7327293&token_type=Bearer&expires_in=3600
However, I have no page with this specific URL..
There are two authentication methods for YouTube - client-side and server-side. (Actually there are more, but I've never used the others).
Documentation is https://developers.google.com/youtube/2.0/developers_guide_protocol_oauth2 but I'l try to paraphrase the bits you need.
"client-side" is what you are using - you basically send the user over the a URL and let google do the work and get the access token back.
"server-side" is what you'll need (as you guessed). To convert, as opposed to sending the user off to a url that ends "&response_type=token", change this bit to "&response_type=code& access_type=offline"
When you get the call back, you have ?code=4/ux5gNj-_mIu4DOD_gNZdjX9EtOFf - hopefully you can read this as it's before the #
You then use a POST to send this code to the Google servers and it sends back the token in JSON. Taken from that page before:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=4/ux5gNj-_mIu4DOD_gNZdjX9EtOFf&
client_id=1084945748469-eg34imk572gdhu83gj5p0an9fut6urp5.apps.googleusercontent.com&
client_secret=hDBmMRhz7eJRsM9Z2q1oFBSe&
redirect_uri=http://localhost/oauth2callback&
grant_type=authorization_code
and response is:
{
"access_token" : "ya29.AHES6ZTtm7SuokEB-RGtbBty9IIlNiP9-eNMMQKtXdMP3sfjL1Fc",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/HKSmLFXzqP0leUihZp2xUt3-5wkU7Gmu2Os_eBnzw74"
}
So "relatively" simply change, but you need the PHP part to do the POST as it requires your secret key (which you don't want to reveal through Javascript).
I'll leave you to Google on how to:
read parameters in PHP (hint - use $_GET['paramter name'])
send a POST message to Google using CURL.
An alternative is to check out YouTube SDK for PHP - these are pre-written libraries that contain the POST and the GET bits for you. But this uses something called "Zend" which can get complex. https://developers.google.com/youtube/2.0/developers_guide_php
Is it possible to check from where user came to my facebook application? I'm looking for something similar to $_SERVER["HTTP_REFERER"]. My facebook application is written in PHP.
No, since facebook "proxies" every request to your app, you will never see a referer.
The only thing you could do would be handing out self generated referer-urls.
Just apply the GET parameter app_data to your url - this gets passed directly through to your app with the signed request.
This would be a method of tracking how many visitors come from sources you know and made a link deal, for example.
Hope this doesn't get too complicated. :) thing is..
I'm trying to make my PHP code post notes to Google Buzz using OAuth as authentication mechanism. I'm doing the typical "OAuth dance" (get request token, authorise it, exchange for access token), but i've ran into some problems that seem to be on Google's side. Hope i'm wrong - it would be much easier to fix. :)
To get to the point - oauth_callback parameter doesn't seem to get passed to the authorization form. Authorization URI i'm redirecting to is like:
https://www.google.com/buzz/api/auth/OAuthAuthorizeToken
?domain=<my.domain>
&scope=<urlencode(https://www.googleapis.com/auth/buzz)>
&oauth_token=<request_token>
&oauth_callback=<my.domain/callback>
When redirected, client is asked to authorize site to read/write from/to Buzz. If accepted, Google asks again (but in different form) to allow access to .. after allowing for second time, success message is shown, but it doesn't return any tokens to my site, not redirecting to oauth_callback uri.
Workaround i found is to manually add form field 'oauth_callback=' trough firebug/chrome inspector, and then, after these two confirmations it redirects to my site and i can extract authorized token from response, and exchange it for access token. If i use 'standard' Google's authorization endpoint, i get redirected correctly (one confirmation only), but then the access token i get after that is invalid for Buzz.
So, am i wrong or google?! :D I've implemented OAuth for cooperation with some other services (Facebook, MySpace..) but i've never had this much trouble.
ok, when i got on the problem next morning, with (partially) fresh eyes, solution was pretty easy (but still undocumented).. :) in case anybody else needs answer - oauth_callback parameter should be specified when requesting request token.