I'm currently trying to wrap my head around a rather complex OAuth2 use case. I have two servers, one is a client side web server, which serves a website, the other is an API server, which is used to interface with all our backend data.
Currently users use a basic UserCredentials flow which creates an access token on our API server, which is then used to sign all requests from the webserver to the API
Is there a way I can allow users to log in using Google or Facebook, and either use the access token generated to sign API requests in the same way as above, or alternatively create an access token on our API which is then used the same way as above?
In a word: NO.
Let me try and explain why. Lets start by looking at Google, to access google you need to register your application in Google Apis console. When you ask a user to give you access to there google data you do it using the client id and secret you got from apis console. Then google goes about createing your application an access token for there api this info is all stored on there servers. When you then try and use that access token they know which user gave you access to there data via the api.
Now the same holds true for Facebook, and your service as well. They are all diffrent APIs offered by diffrent companys. They create the Access tokens Google cant create you an access token to access data on Facebook any more then Facebook could to Google. Things just dont work that way.
Related
I created a web application which will show all private videos of only one account.
Now I have to authenticate the account to get list videos. I saw 2 ways to authenticate by ClientLogin and Oauth. Which ClientLogin is deprecated and don't know how to use Oauth to authenticate the default account on server.
I have client_id and client_secret for my app.
I try this example but not working and i don't know what in $get['code'] and how can I put username and password of this account when using OAuth not ClientLogin.
It's pretty simple.
You can follow the steps at How do I authorise an app (web or installed) without user intervention? (canonical ?) to get a Refresh Token. At Step 8, choose the YouTube API instead of Drive API. Try to choose the most restrictive scope, eg. readonly. You can embed the Refresh Token (securely!!!!) in your app and then use it at any time to generate an Access Token. Thus the stored Refresh Token behaves like a username/password with restricted permissions.
Ask you have stated clientLogin is shut down you can not access any Google api using Login and Password. Your application needs to be authenticated
The thing you need to know about the YouTube API is that it does not support service accounts. You will have to use Oauth2. I am not a PHP developer but I have done this previously in C#. What you want to do is possible just a little tricky.
First off as I said you need to use Oauth2. I am hoping that this example is reasonably up to date if not the one for Google analytics is you may have to compare them a little.
Your script will need to be authenticated once using Oauth2. Then by requesting
$client->setAccessType("offline");
you will receive a refresh token. You will then be able to use this refresh token in your script on the server at anytime to request a new access token and access YouTube for that channel.
I'm working on a project where I'm developing a platform. As a solo-developer I made the decision to use Lumen as a PHP back-end and create an RESTful API.
Web shops should be able to install a plugin so they can access the API without having to code themselves.
I need to keep track of the web shops that use the API. I just need the same way to retrieve access tokens like Twitter and Facebook do when you register an app.
So I was thinking about OAuth2 Server but I have never used it before so I'm not sure if I'm on the right path...
If you want your own OAuth2 system then yes you will need a server running it.
The idea of OAuth2 is to authenticate your clients where a shop equals one client.
OAuth2 is not about individual users but clients. With that idea in mind you can setup an OAuth2 server and its only job would be to authenticate each request, make sure it belongs to a recognized client and then issue a token.
With that token you can then go on and issue more requests to actually interact with the system you are building. This is a very high level view of the entire system, of course.
There can be multiple variations on this, how tokens are issued, what type they
are etc. I prefer JWT ( JSON Web Tokens ) as it's JSON and thus lightweight.
A quick search revealed this: http://bshaffer.github.io/oauth2-server-php-docs/overview/jwt-access-tokens/
I do have my own article on building your own OAuth2 system, however it is based on dot net not PHP. You are welcome to use it though maybe it will help clarify the concept.
Here's the link : https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/
I've worked on several websites few years ago and I want to be up-to-date with "the new web" so I'm working on a website using Laravel and Lumen to practice.
I have an architecture like that:
An API using Lumen (with databases: users data, user preferences, …)
A website (without database, this part just ask to the API some data and allow the user to be connected to his account)
Currently everything in my API is public: retrieving users, deleting accounts, searching users, etc.
The problem is that I don't know how to allow situations like that:
Allow my website to execute actions calling the API (call private routes on my API)
I would like to have some routes public on my API (the easiest part, it's done actually)
I would like to allow external users to call my API if they have a valid token (Google analytics, Bugsnag like services)
I'm thinking about services like Google analytics, Bugsnag, …: this services ask the user to put a token/key in Javascript. Is it a problem if someone take the token and use it on his personal website and/or in a mobile application?
I've read about o-auth 2, is it the place to start?
Thanks!
I suggest you to try for:
Allow my website to execute actions calling the API (call private routes on my API)
JWT Authentification (JSON Web Tokens).
How do JSON Web Tokens work?
In authentication, when the user successfully logs in using his credentials, a JSON Web Token will be returned and must be saved locally (typically in local storage, but cookies can be also used), instead of the traditional approach of creating a session in the server and returning a cookie. Read more about jwt
Use this JWT-AUTH for connection jwt mechanism with lumen/laravel.
I would like to allow external users to call my API if they have a
valid token (Google analytics, Bugsnag like services)
For that task I suggest you to use OAuth 2.0 protocol
For my web application - I need to fetch all the data for a particular facebook page. What kind of permissions do I need. Do I really need to create a canvas app for it?
I dont intend to do anything on FB - but use some of the data available to arrive at some conclusions in my web based application which will be hosted on a server outside of FB.
Facebook's API documents should provide everything you need:
https://developers.facebook.com/docs/graph-api/reference/v2.1/page
According to the permissions section, you'll need either an App token or a User token. Since you're talking server-to-server (I'm assuming this is server-to-server on account of the PHP tag), you're going to want to use an App token:
https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens
You should be able to create a Facebook App from within your Facebook account, which will provide you with an App ID and App Secret. You can use those to make calls directly to the API.
Hi guys I'm working on my google apps application - currently I've build the authentication upon the example available at google namely this url
The problem is that the session seems to time out and that everytime I am logged into my google apps account and go to my application I need to authenticate again and go through the screen where google asks me if I should allow the application to access the services like GMAIL, Docs etc listed in the manifest xml file. I don't think I'm doing it right as other applications allow instant access.
Any ideas
you should store and reuse the oauth access & secret key. this should avoid the re-authentication with google (or other oauth based services) - unless your access key has been revoked of course.
Cheers!