I want to create Gmail email client in PHP similar to android/ios application where user fill username and password and perform operations like send/retrieve emails. I am already done with the Oauth - Web server applications where google provide access and refresh token to authenticate the user account. But I don't want user to be prompted for giving prevision to my application.
I checked something known as 2-factor authentication.Please let me know how is this possible ?
This is not possible with new Google authentication APIs as user's giving out their Google password to random developers/applications is considered a security risk http://googledevelopers.blogspot.com/2012/04/changes-to-deprecation-policies-and-api.html. Use oauth2 with a web flow and have the user authorize it. Then they don't have to expose their password and can always go and revoke the oauth2 grant if they want.
You can try creating a service account. It doesnt require that the user enter his/hers password.
Related
We are using the Oauth 1.0 authentication Flow with the Twitter API. This basically come down to this spec: http://oauth.net/core/1.0/#anchor9.
We created the app and started to get users. Later we implemented Signup with Twitter where now we require the users email address from the API. We asked Twitter and therequest was granted. It works, great.
Now we have an issue with existing users because those authorized the App before we had that Email permission and with their existing Access Token, Twitter doesn't give us that.
Twitter writes in their documentation (https://dev.twitter.com/rest/reference/get/account/verify_credentials)
Note
Your app will need to regenerate the user access tokens for previously authenticated users to access their email address.
How can this be done?
When we delete the corresponding data (token and secret) on our side and ask for new Auth it doesn't have any effect. Twitter always gives us the same token and secret again.. and with that in the account/verify_credentials call no email address.
The only way which we found works is when we log into Twitter and revoke access to the App. Then we get a new token and secret which gives us access to what we want.
But we don't want to tell that to our users but rather do this programatically utilizing the API. How?
Try to request a new/different permission from the users:
What if I want to request a different level of access for my
application instead of the one my application is registered with? You
can do this now by using the x_auth_access_type parameter during the
request_token phase. Using this parameter you can request a read or a
read/write token even if your application is registered for read/
write/direct messages.
More information on this method is in our developer documentation:
http://dev.twitter.com/oauth/reference/post/oauth/request_token
I am still getting confused in understanding the concepts of authorization and authentication in Google Analytics API.
I created the new project at Google Developers Console and enabled the Google Analytics API. But why they are asking these two things in API & Auth section?
Can Anyone give me any real life example which gives clear cut idea about these two things?
Authentication is the process of identifying yourself. When you log in to a service, you authenticate yourself by using some credentials. This credentials usually are a pair of username and password. If the provided credentials are correct then we can say that you have successfully authenticated yourself. But it doesn't means you can do anything on the system. For example maybe your account has been banned or you don't have permission to access the resource.
Authorization is the process of checking if you have the right to do something. To do this, first you have to authenticate yourself, because without knowing who you are it is not possible for someone to check if you have the right to do something or not.
Just imagine an invite-only party. When you arrive, at the door a big guy asks your name. You will say that you're Akilsree1, so you have authenticated yourself. Then the guy will check if your name is on the list of invited people or not, so he will authorize you to enter the party or maybe he will say that you cannot enter because you're not on the list (you do not have permission).
Edit:
In case of the Google Analytics API things are a little bit trickier.
Basically this is what happening:
When you use their API in your app, the user will be redirected to Google to log in (user authentication).
Then when your app tries to do something in behalf of the user, he/she will be asked by Google to give permission to your app to do so (authorization).
After that your app will receive a token which can be used by the app to authenticate itself when uses the API to do that specific thing (app authentication)
More details you can find here.
Authentication meaning recognizing the subject identity. Like, does it exist in the DB?
Authorization meaning granting access to a resource. Like, can this user/role access X page.
In simple language if you want to understand
Authorization is level of access rights that a user has i.e. the
amount of information which he is authorized to access. Example: The
data that a normal user can see in a system will be quite different
from the data that admin user will be able to view and manipulate.
This difference is achieved by means of authorization.
Authentication simply means the submission of valid tokens(i.e.
username,password in most cases) which are recognized by the system
and by which system will grant access of system to particular user
Google analytics API requires authorization token for every request sent to it. and OAuth2.0 is the protocol used
hope this helps!
Good luck!
I'm including Google and Facebook OAuth2.0 to my site. I got it working so it pre-populates my registration form with first name, last name and email (password must be entered manualy). Now i want to enable that users can login/register without entering password. As i mentioned i can get email address with no problems from OAuth but i dont know what to use as password because i cannot have an empty password field in my database (then you could enter users email with no password and you could login).
In my database i'm checking for email and password fields (simple login).
So how do i register my users with OAuth (what to enter into password field), so that i can login them later just by clicking on OAuth icon?
Is there any key that is user specific and is not public?
I think you have not understood the true meaning of the OAuth.
OAuth creates and authorisation layer and separating the role of the client from that of the resource owner. The client Application access only those resources that are controlled by the resource owner after the Authorsation provided by the User.
For security purposes the resource owner's credentials to access protected resources, the client obtains an access token -- a string denoting a specific scope, lifetime, and other access attributes.
Access tokens are issued to third-party clients by an authorization server with the approval of the User. The client uses the access token to access the protected resources hosted by the resource owner server.
According to the RFC 6749:
The authorization server MUST NOT issue client passwords or other
client credentials to native application or user-agent-based
application clients for the purpose of client authentication. The
authorization server MAY issue a client password or other credentials
for a specific installation of a native application client on a
specific device.
Thus there is no need of the password
I am using the auth_type parameter with the OAuth dialog to force the user to relogin as per the documentation here.
If the user is not logged into Facebook, he has to enter his username and password, which is good.
However, if the user is logged into Facebook, all it does is show a dialogue with the user's name and asks them to re-enter their password.
This isn't very nice for us, because our app has the feature to connect to multiple Facebook accounts. And to rub salt into our wounds (so to speak :P), the OAuth dialog does not even have a "not you?" link to allow them to switch users.
Our app is built with PHP and uses the server-side login flow.
Is there anyway to force the user to have to re-enter both his password and email address? Something like Twitter's force_login is what I am looking for.
Use may aFB.Login instead of OAuth, if you want to force the user to login each time.
Docs: FB.Login
I've only known how to use the authorization URL to have a user connect their account to my website. Is there a way to do this authorization via an HTML form? For instance, the user inputs their Google email and password on my website and it authenticates that account without them ever having to sign in and out of accounts on Google and then visit the auth URL.
The reason for this is to connect multiple Google accounts to one account on my website. It would be a huge pain to ask them to log in and out of Google for every single account they want to attach. It'd be a lot better for the user experience to just type the info in a form on my site and have it authenticate. Is this possible in PHP or in any language?
This is a bad idea, do you really want to be responsible for user's Google password? Do you think users will trust you with that information? I know I wouldn't and I'd be highly suspicious that your sight is a phishing scheme with that behavior implemented.
Use OAuth 2.0 or OpenID instead and save yourself the headache of dealing with user passwords.