This may be duplicated with other articles, but I can't figure out how to do it after reading all of those.
I'm working on a back-end project in PHP and we are isolated from the front-end. According to the documentation from the front-end team, they will pass an access token and need the back-end to pull userid from Twitter's server.
Is there any way to do it? I could pull the data if I have oauth_signature and oauth_nonce, but they only give us the access_token.
I could pull the data if I have oauth_signature and oauth_nonce
That's not correct. oauth_signature is generated based on the application secret and request parameters. oauth_nonce is just a random string
So you need to get access_token and access_token_secret and perform a GET account/verify_credentials request
Further reading:
https://dev.twitter.com/docs/auth/implementing-sign-twitter
https://www.rfc-editor.org/rfc/rfc5849
Related
I'm trying to get my head around adding oauth2 to an API I've created.
Currently, I've got calls that require a unique key in the URL e.g.
https://apilocation.com/api/{unique_key_here}/action/
I've just added the ability for someone to get an access_token using:
https://apilocation.com/api/{unique_key_here}/oauth2/token
and a username + secret key
which works fine and returns the token in a JSON array.
https://bshaffer.github.io/oauth2-server-php-docs/cookbook/
is what I'm following
Where I'm stuck is how to best get them to use the access and pass it in their calls to the API. I could get them to get the token each time they want to use the API and then include that in all their calls so I can validate but that seems clunky. The background is built on PHP and MySQL and I want it to be easy for people who aren't very used to coding to be able to make calls.
I've looked at the following:
passing in the request url
passing it as a post var
partially as a header but felt it was clunky for a new user
Warning: I am a total JWT newb and trying to figure it all out.
First...what I understand:
JWT contains three segments separated by . The first part can be base64 decoded to get "something" where I can validate the claims in the 2nd (and 3rd?) segment.
I am able to get the id_token back and can separate each segment into its respective JSON object...but thats not secure at all :)
I took a look at this https://github.com/firebase/php-jwt but I am unsure what KEY I need to supply to decode the JWT (I know I can decode the first segment and get the kid used for the JWT but when I have that specific key object...I'm not sure what to pass to firebase to decode it? https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_sign_in
Please excuse my horrible understanding of JWT :/
EDIT: More Info
Using this ID TOKEN:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IklkVG9rZW5TaWduaW5nS2V5Q29udGFpbmVyIn0.
eyJleHAiOjE0NDIzNjAwMzQsIm5iZiI6MTQ0MjM1NjQzNCwidmVyIjoiMS4wIiwiaXNzIjoiaHR0cHM6Ly9s
b2dpbi5taWNyb3NvZnRvbmxpbmUuY29tLzc3NTUyN2ZmLTlhMzctNDMwNy04YjNkLWNjMzExZjU4ZDkyNS92
Mi4wLyIsImFjciI6ImIyY18xX3NpZ25faW5fc3RvY2siLCJzdWIiOiJOb3Qgc3VwcG9ydGVkIGN1cnJlbnRs
eS4gVXNlIG9pZCBjbGFpbS4iLCJhdWQiOiI5MGMwZmU2My1iY2YyLTQ0ZDUtOGZiNy1iOGJiYzBiMjlkYzYi
LCJpYXQiOjE0NDIzNTY0MzQsImF1dGhfdGltZSI6MTQ0MjM1NjQzNCwiaWRwIjoiZmFjZWJvb2suY29tIn0.
h-uiKcrT882pSKUtWCpj-_3b3vPs3bOWsESAhPMrL-iIIacKc6_uZrWxaWvIYkLra5czBcGKWrYwrAC8ZvQe
DJWZ50WXQrZYODEW1OUwzaD_I1f1HE0c2uvaWdGXBpDEVdsD3ExKaFlKGjFR2V7F-fPThkVDdKmkUDQX3bVc
yyj2V2nlCQ9jd7aGnokTPfLfpOjuIrTsAdPcGpe5hfSEuwYDmqOJjGs9Jp1f-eSNEiCDQOaTBSvr479L5ptP
XWeQZyX2SypN05Rjr05bjZh3j70ZUimiocfJzjibeoDCaQTz907yAg91WYuFOrQxb-5BaUoR7K-O7vxr2M-_
CQhoFA
I can decode the header segment eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IklkVG9rZW5TaWduaW5nS2V5Q29udGFpbmVyIn0 to {"typ":"JWT","alg":"RS256","kid":"IdTokenSigningKeyContainer"}
then looking at https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_sign_in
I know that this key object was used
{"kid":"IdTokenSigningKeyContainer","use":"sig","kty":"RSA","e":"AQAB","n":"tLDZVZ2Eq_DFwNp24yeSq_Ha0MYbYOJs_WXIgVxQGabu5cZ9561OUtYWdB6xXXZLaZxFG02P5U2rC_CT1r0lPfC_KHYrviJ5Y_Ekif7iFV_1omLAiRksQziwA1i-hND32N5kxwEGNmZViVjWMBZ43wbIdWss4IMhrJy1WNQ07Fqp1Ee6o7QM1hTBve7bbkJkUAfjtC7mwIWqZdWoYIWBTZRXvhMgs_Aeb_pnDekosqDoWQ5aMklk3NvaaBBESqlRAJZUUf5WDFoJh7yRELOFF4lWJxtArTEiQPWVTX6PCs0klVPU6SRQqrtc4kKLCp1AC5EJqPYRGiEJpSz2nUhmAQ"}
so...what value for the key would I pass to firebase?
Just in case anyone is looking to get up and running quickly and/or is confused as I was; may I recommend the link #astaykov pointed out in the question's comment
https://github.com/Azure-Samples/active-directory-b2c-php-webapp-openidconnect
Along with a simple class I created for Authorization Code grant (handles getting SSO URL, OAuth2 token and validating id_token using external libraries)
https://gist.github.com/rcosgrave/ec92938181096fd8847a38c9cc6a37d0
So I'm working on a project that I'll provide information feed to specific business partner. There's no login required because the business partner's front-end have to pass an preallocated apiKey along with any request to the my REST API. The api only responds to requests that contain a valid apiKey, and its access level has already been predefined when we generate the apiKey.
Currently I'm using CakePHP, with curl, passing the REST request method, and the hardcoded apiKey as param. Security hasn't been an issue so far. But our team is thinking that, what if our business partner want their website to be done in recently trending JS front-end frame work such as AngularJS.
For the same scenario, such a simple task cannot be done in JS framework. I obviously cannot simply give them the client secret (apiKey) and let them include it in their client side code. Anyone can view the secret and have access to the our REST API.
Now we're talking about security, which my team really do not know much. What are the ways to overcome this issue? How to pass a client secret along with http request from AngularJS, securely, obscurely? Any suggestion or could anyone point out something that I can study into?
I had some ideas though, but they just sound not so right.
I'll just put the AngularJS in CakePHP's webroot. That would be a really dirty hack though... Just introduce unnecessary complexity.
Generate hash with the a combination of constraints such as Origin Domain / IP / Public Secret and timestamp, and on my API side, I compare the hash and return an access token for each request... something like that...
There are different options
JWT (see my article)
OAuth (pick one)
A proxy to your API
First two will require an initial authentication request, you'll get a token back that is passed in every future request to your site.
You can create a proxy, the site calls the proxy which then makes another call to the real API and adds your API key.
I am trying to figure out how I can query the FB Graph API (or FQL API) to be able to get number of posts (or status-updates) for a given period of time. I am able to generate an access token using
$access_token = $facebook->getAccessToken();
So that would lead me to believe that the PHP SDK is installed correctly and working. When I try to use the access token in a fql query it fails giving an error message of: A user access token is required to request this resource. The query I'm trying is just to return the current status_id. I tried using uid=me() as well as using an actual user id (testing id from the API). Here is the query url:
https://graph.facebook.com/fql?q=SELECT+status_id+FROM+status+WHERE+uid=me()&access_token=
I'm not sure where I'm going off track with this, so any help would be greatly appreciated.
Thank you for looking.
This is your app id and secret, please do not ever post this to public, anyone will have full control of your application. Reset your token immediately
The PHP SDK defaults to the application access token (which should never be posted in public). You need to have the user login with getLoginUrl() an example is given at
https://github.com/facebook/facebook-php-sdk/blob/master/examples/example.php
Say I have a page on Facebook and updating its status and posting on its wall.
What I want is getting that data in json or xml format and use it on my own web page.
All the api docs I've read so far requires an access token, which I shouldn't need.
Twitter has a rest api like http://twitter.com/statuses/user_timeline/twitter_username.json?count=10, which returns the data in json format. I need something like that.
Almost all Facebook graph API calls require an access token, including the page feed you seek. You can get the feed in json format like: https://graph.facebook.com/pageIdOrName/feed or https://graph.facebook.com/pageIdOrName/statuses but you will need to append an access_token querystring parameter. You can test this with the Facebook Graph API explorer, and you could even use that access_token if you don't want to create an application.