I have this app that uses data from gmail accounts. I have been able to create a php site that retrieves the oAuth tokens (online and offline) and later the necessary user information from the mailbox, all using the Google php api. Now to my problem:
When a secondary user logs into gmail in a browser that was previously used by an authorized user, the credentials seems to "stay". So the 2nd (or 3rd or nth user) can see data non-related to them, which is also a security hole. But most important: every loged in user into gmail is seeing only the data of the 1st logged in user.
The question: Is there a way I can use Google PHP API or Google JavaScript API to retrieve the user name of the current gmail session?
This is the current php piece of code I've been using to retrieve the user data:
use google\appengine\api\users\User;
use google\appengine\api\users\UserService;
session_start();
$user = UserService::getCurrentUser();
$userEmail = htmlspecialchars($user->getEmail());
The idea is that the app uses the current gmail user information to query a database and then retrieve the data for that specific user - and only that logged in user. If the user is not authorized, then prompt for the authorization window and ask for permission.
Any ideas or suggestions are welcome.
UPDATE (Sept 7, 2015):
I have made a change in the app.yaml so every logged in user in gmail gets served a different uri from my app. That works just fine. Now I face a new issue: how can I make the PHPSESSID and SACSID cookies to use an specific path instead of the whole domain? That way - theoretically - I can have several logged in users each and every one connecting to a different subfolder.
I've read the whole documentation about the UserService but it seems all I can do is redirect to this:
UserService::createLoginURL($_SERVER['REQUEST_URI']);
And that takes care of the authentication.
The question: How can I restringe the scope so the cookies gets the appropriate folder path?
The main issue is that once you log in to App Engine (via the UserService), that a user session has now been created in your App Engine application, and therefore it doesn't really matter what you do in GMail or any other Google application, as the session has already been created, and persists within your application.
The App Engine UserService was available way before secondary logins were even possible, and it hasn't been updated since. So this use case probably wasn't a consideration when the API as developed.
Related
i want to create an Api for my own mobile App to access data that is stored in a MySQL-Database. However i read a lot of articles about the 3-legged OAuth approach and i think this is not the solution i'am looking for. When i understand it correctly the 3-legged approach is more usable when for instance i create a new twitter client and want to use the twitter Api.
But my app is not a third party app, my app and the website incl. the database are from me. So i assume, that the user starts the app enters his user id and password, then the api has a function that checks whether userid/pw are correct and sends "true" as a result back to the app. The app then offers the user the possibility to access the functions for which a login is necessary. So the user should not be redirected to a website and "allow" the access to userid/pw.
If i understand it correctly the 2-legged approach is more likely for my purpose. But i am confused by this also. I assume that the user enters his id and pw, these credentials are looked up in the database by the web service a token will be looked up in the database for this user and will be send to the app. Additionally an app-token is saved in the app from the beginning and will be send with the request also. The app will save this user-token from the DB internally and will use this token everytime the user does something with the web service. With every request to the web service the token will be send to the service and the service checks whether the token is a valid one otherwise an error is send to the app.
I looked up this example:
http://code.google.com/p/oauth-php/wiki/ConsumerHowTo#Two-legged_OAuth
But there is nothing mentioned that the userid/pw from the user are looked up in the database...
Can anybody explain how i can solve this?
Two legged OAuth is similar to Client-Server. It is a client app requesting full access to the data from a server. The client would have full access to all data allowed by it's credentials regardless of which user is accessing the client
Three legged OAuth is a User-Client-Server. It is a Client requesting to get access to the User's data from a server. The Client would only have access to that an authorized user's data (until the user revokes access).
I am looking to see how we can allow a user to connect with their Google Analytic's User ID and connect with our app and we can get the information from their account.
I am looking forward to some articles or any library thats build around the same.
I will be using PHP and MySQL. Do you suggest any other Database than MySQL ?
You can start with a database to keep things simple and since you are not looking to store too much of historical data. The link below should get you started with all the required libraries and documentation.
https://developers.google.com/analytics/devguides/reporting/core/v2/gdataAuthentication
Go for the web client based authentication model rather than the service account model.
This will cause the api to redirect your user to google authorization page and your app will be given privileges to user account.
Make sure you save the refresh token when it redirects back to you app.
Please note that the refresh token only get sent for the very first time you app asks for permission and not after that.
On my site, I intend to offer users the ability to authenticate via OAuth. I don’t want to ask them to first register with me and then connect an external account; I want to offer single sign on.
I believe we’re supposed to reuse Access Tokens; certainly within sessions and even between them.
Google goes so far as to say they’ll limit the number of access tokens to 10 per user per application. (Apparently Google still supports OAuth1, but recommends Auth2 now) 10 is a pretty small number.
Using cookies (like this) seems like a good plan for identifying a user between sessions, but I’m having trouble with the scenario where a user has deleted cookies or connects from a new machine.
How do I know who the user is before I’ve requested another Access Token for them? Request tokens do not contain the userid, right?
Thanks
You will have to maintain your own user accounts anyway, no matter which protocol and which provider you choose. A token (or a URL in the case of OpenID) that you get from a provider is unique for a given user and you are supposed to associate it with your internal user account and recognize user by it.
If you don't want to provide any registration UI it's okay: just get the token, retrieve all the user info you need from the provider and store all this somewhere in your database. You will also have to issue and recognize your own cookie for your users, or else they'll be forced to go through provider auth every time they visit your site.
There is a portal that a company's users are familiar with, and we will put a link to login to a different portal on a different machine. This process would not require username/password check, just hitting the link will log them in.
How can this two delivered in secured way? We don't want that anyone with the link to be able to log in, how can we make this to work between the two platforms?
I'm presuming the two portals aren't able to share sessions/cookies. If they are you can just use those to keep track of who is logged in where.
In the situation where that's not possible, you could use an authentication API, which you could query to see if a given user_id is logged in on that portal. This could be a very simple API which returns a yes or no, or you could develop it to be more complex.
Additionally keep in mind that there are Open Source choices out there. Open ID is a system that stackoverflow uses, for example.
Easiest method would be script on main site, that waits for session ID in POST/GET input, if session exists, it outputs user name. The new site server, when user comes in, reads in cookie with session ID, sends a request to main site server script and asks if session ID exists, if exists, uses that user name, for new site server.
Here is what I'm trying to achieve:
User opens my apps page and clicks the link: site statistics
My apps knows the analytics credentials, and authenticates with Google analytics, so the user does not need to provide the credentials.
User is redirected to Google analytics report home page.
What I have tried already:
submitting the "fake" form from my site
posting the form data via Zend_Http_Client (Curl)
The above does not work in the long run, because there are some params in Google's form generated automatically (and saved in cookie), so the user needs to authenticate himself at least once.
started playing with Zend_Gdata_ClientLogin, so I have obtained very long client token and I can access the analytics data, but I still don't know how to skip the login form.
I don't want to process the analytics data myself. I just need to see it online, without manually logging in.
So, the question is, how to skip the Google Analytics form (e.g. using API).
I'm no Analytics Guru, but logging the user in automatically might very well be impossible due to security restrictions.
Logging in on server side, and proxying the data to the client, is a bad approach even if you get it working, because there's a lot of Ajax involved and stuff can break any time.
Possible alternatives that come to my mind:
Adding guest accounts to the analytics account that are allowed to view the stats but not change anything (The user would still have to authenticate)
Fetching data using the API (Obviously much more complex than what you have in mind, but as far as I can see the only method that can work completely automatically)
Recommending the user to activate browser-side password storage - with all the downsides this includes