http://api.chan15.info/google-stackoverflow.html
This is the sample code I use to let user login via Google JavaScript API, and it's work, next step is use user id to login to local server via PHP, but use the user id by JavaScript is pretty danger, the real procedure I want is:
login user via JavaScript API
get access_token from JavaScript
pass the access token to PHP
use access token to Google OAuth to get user id again by PHP
login the user by user id
but I don't know how to get access token.
After the user is logged in to their Google account using the Javascript Oauth2 API the access token can be found here:
gapi.auth2.getAuthInstance().currentUser.get().getAuthResponse().access_token;
I've used this to pass the token along to a separate curl PHP request as well as CORS. Since Google's JS API is still Beta I had to resort to sending a PHP curl request in the past. If you're planning to store the token for access after the user navigates away I'd also also get the token expiration date and call another function that wipes out the stored token whenever expired or explicitly revoked. But for me it was just easier to pull this right after successful login each time since I only needed to call the PHP function once and in real-time with AJAX as a bandaid.
PS: You might want to change the original category from Java to Javascript
Related
I am using the facebook JS sdk to login a user. These are the steps that I follow:-
1) I use the FB.login(...) to get the details of the user.
2) Now, after receiving the details from Facebook, I send a POST request using jQuery's $.post(..) function to a php page say FBUser.php with the parameters - name,uid(Facebook User Id),email and access_token for publish_actions.
3) Now in the FBUser.php page, I do all the stuff like converting the short-lived-token to long-lived and then I check that if the uid received is present in my users table. If it is not, I create a new user, else I log in the old user. Today, I just realized that I was making such a big security compromise because anyone can send a POST request to the FBUser.php page with a uid of an existing user and get access to his account. But, on the other hand I am sure that some big websites also use the JS SDK. So obviously, I am wrong somewhere. What would be the correct procedure to log in the user securely and preventing his account getting hacked?
You should match the app and user id first, then you should check the access token, like this:
graph.facebook.com/debug_token?input_token={token-to-check}&access_token={app-token}
You can get the app token from https://developers.facebook.com/tools/accesstoken/
You can get the uid of the user using the access token that was sent to you, by using this token to access Facebook graph and query "/me".
You shouldn't relay on the uid that is sent by the client. My application only receives the access token and gets the rest of the data from a server-to-server call.
I am implementing the hybrid sign in flow got login with Google+. What I want to achieve is this:
One a user has authorized the app, the next time he comes back on the website, I want to log him in automatically.
In hybrid flow, google automatically logs the user in and displays a welcome back message (javascript sdk) along with returning access token. But this process requries one ajax call to be sent to gogole api.
I want to make this call through the backend itself using Google's PHP client library. Since the app has been authorized already, it should simply return the access token as it does when using javascript sdk. But I am not able to figure out how to achieve this using client library. Can anyone please help me out?
In your call parameters set access_type: 'offline', then need to get a new token using the refresh_token that is provided ONCE at the FIRST time of authorisation. You will have to store that refresh_token somewhere in your database and pair it up with the user's already expired access token ID or somehow and make another call for a valid access token.
For the time being you can set approval_prompt: 'force' but that's merely a development trick not a real solution.
More is explained here refresh token with google api client php
I want to register users to my webinars after they submit a form in my site, this is common practice but I'm having problems authenticating my application.
The problem is that according to the documentation Citrix doesn't support username-password authentication flow (where you put your user and pass in a request and you get a token):
https://developer.citrixonline.com/content/username-password-flow
Instead users need to be directed to a login page to complete their Citrix account credentials, supposedly this can be done by me just once and then save the token, however I couldn't find a method to do it safely, I tried once to save the token and just the next day it was expired. So how can I make sure I get a fresh access token without
I'm using this PHP library which is supposed to simplify the login process (maybe there is some clue in it):
https://github.com/jakir-hayder/Citrix-GoToWebinar-PHP-Library
First, read this primer on OAuth workflow to ensure you have the terms and concepts down pat. (You can ignore the fact that the example is for SalesForce -- OAuth is all the same.)
Then, you should understand that you're looking for the Citrix Token Request Endpoint, which they happen to call "Direct Login".
That should let you pass the username/password to get the token to use in subsequent requests. That what you need?
I would use Fiddler or Wireshark to collect the API calls that are made to the Citrix API when you log in. Then add some code in your applicaiton to send the same requests, parse the response that has the access token, and dynamically use that token however you've already got it set up in your application.
I am working on the project which has a mobile front end and php server backend. It Implements a facebook login on the the front end getting the required tokens. Now this token is sent to the php backend so that this token can be used to get the user info and friends lists.. how can i go about using this with the fb-php sdk in Codeigniter.?
You could pass it over using a cookie. I have used the facebook api a few times but never tried this.
Would it not be easier to use the PHP sdk to log the user in because then you would already have the access token available.
You can add fb-sdk as a thirdpaty library and after you initialize the object
you can retrive the friend list like this
$fb->api('/[userid]/friends?access_token=[access_token]');
if you have problems with users access token you can use applications access token too.
Check this link to how to get the app access token : http://developers.facebook.com/docs/facebook-login/access-tokens/
I've been trying to get Google's Calendar API working in a PHP web application, but I'm having a hard time getting authenticated.
What I want to do is to allow users to interact with calendars of a single account known by the server.
Each type of scenario covered in the OAuth 2.0 docs talks about "user consent" which involves a login form and the individual user logging in, but I want the server itself to authenticate directly and obtain an access token for itself.
Is there some part of OAuth or some alternative mechanism I can use to do this?
In order to do this, you must go through the steps for user consent and then copy the access tokens it gives you into the PHP code.
The usual procedure for OAuth is like this:
Send user to authentication page.
User comes back with $_GET['code']
Send $_GET['code'] to OAuth server for a token
Store token in database for the user (or session, if it's very short lived)
But when doing it with a single calendar like this, you modify step 4. Instead, you dump the token to screen and copy it into your PHP file as variables, instead of putting it in the database. Then when you go to pass the access token to the server, you just pass the known, static token rather than a dynamic token from the database / session.
See mathewh's answer here:
How to automate login to Google API to get OAuth 2.0 token to access known user account
The lightbulb for me is when you get the access token you get a refresh_token as well... you use this token to "refresh" your access token once it expires.
There is no way around a manual authorization step the first time.