Is it possible to allow a client to connect to the API ONLY with a google apps domain email address? Users often have their own gmail session active and we need to ensure that they can only connect to the api using our Google Apps Domain email.
For now the only solution has been that we disconnect them when they return from the auth steps if their email address doesnt contain our domain, with an error message telling them they need to follow the steps again using their [domain].com email address, which is far less than ideal. Can the domain be specified somewhere in the scopes or api console for example?
[Google API PHP Client]
I found a hacky solution, describing briefly for those who may need smth similiar:
If you add the login_hint parameter with the email address (in this case with Google Apps account, with our own domain) it bypasses the initial login page and if any other google sessions are available bypasses them as well. I didn't find this behavior described in the documentation, nor did I find the ability to add this parameter in the google-api-php-client. I added a method in the Google_Client.php file to allow the ability to add the login_hint parameter:
public function setLoginHint($loginHint) {
global $apiConfig;
$apiConfig['login_hint'] = $loginHint;
self::$auth->login_hint = $loginHint;
}
And the parameter to the authenticate method in Google_Oauth2.php:
$request = Google_Client::$io->makeRequest(new Google_HttpRequest(self::OAUTH2_TOKEN_URI, 'POST', array(), array(
'code' => $code,
'grant_type' => 'authorization_code',
'redirect_uri' => $this->redirectUri,
'client_id' => $this->clientId,
'client_secret' => $this->clientSecret,
'login_hint' => $this->loginHint
)));
Then I can call the method using the user's Google Apps email address during authentication:
$client->setLoginHint("user#mydomain.com")
If there was something built in that I didnt find in the docs or searches please let me know. By the way, I thought Google API guys were keeping an eye on SO for questions such as these, echo echo...
Related
I want to use the Microsoft Graph API on my application (which is actually on development).
I use fullcalendar js on my application (laravel 8) and when a user create an event on my application I want the same event create on his outlook calendar.
I want that the user connected on my application has only the right to access his outlook calendar (not all organization users calendar). In order to restrict this I understand that I have to use delegated autorizations and not applications autorizations.
First I would like to get an access token in order to use the API.
To do this I use oauth2 and guzzle :
$url = 'https://login.microsoftonline.com/' . env('MS_TENANT_ID'). '/oauth2/v2.0/token?api-version=1.0';
$tokenCall = Http::asForm()->post($url, [
'grant_type' => 'client_credentials',
'client_id' => env('MS_CLIENT_ID'),
'client_secret' => env('MS_CLIENT_SECRET'),
'scope' => 'https://graph.microsoft.com/.default',
'username' => 'xxx.xxx#xxx.com',
'password' => 'xxxxxxxx',
]);
$accessToken = json_decode($tokenCall->getBody()->getContents());
I obtain a token but when I inspect it with jwt.io, it appears that I haven't scopes in it (scp).
Do you know why it doesn't appears?
EDIT:
It appears that I use an application authentication and not a delegated authentication (for user).
So I change the 'grant_type' parameters for 'password' instead of 'client_credentials'.
But it throws me another error :
invalid_grant
AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxxxxxxxxxxxxxxxxxx' named 'Graph PHP'. Send an interactive authorization request for this user and resource.
I read that in an delegated authentication I have to call the authorize point before the token point.
To do this I have to define a Redirect URI on my application on Azure. Unfortunately I made development on a local server (not localhost) which haven't SSL. Azure dosen't allow the Redirect URI to be on http except for localhost...
Is someone have already face this problem?
I would like to send email messages with our corporate emails provided by Gmail. In order to do that, I would like to use Gmail API with rest commands (basically launched with a php procedural code, for legacy purpose).
I have that code :
I go to this url :
// https://accounts.google.com/o/oauth2/auth?client_id=my_client_id&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/gmail.send&response_type=code
// and obtain a token like that : 4/1AX4XfWgmW0ZdxXpJn8YzkVeDs3oXZUHyJcR7abE2TuqQrcmo4c1W02ALD4I
/*
echo GoogleAuthCurl("GET", '', array(
'client_id' => $GOOGLE_CLIENT_ID,
'redirect_uri'=>'urn:ietf:wg:oauth:2.0:oob',
'scope' => 'https://www.googleapis.com/auth/gmail.send',
'response_type' => 'code'
), array());
then I can use requests in curl for getting my access token :
curl \
--request POST \
--data "code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token */
$tokenJson = json_decode( GoogleTokenCurl("POST", '', array(), array(
'code' => '4/1AX4XfWiEWngRngF7qryjtkcOG1otVtisYpjHnej1E54Pujcrchef8REvdt0',
'client_id' => $GOOGLE_CLIENT_ID,
'client_secret' => $GOOGLE_CLIENT_SECRET,
'redirect_uri'=>'urn:ietf:wg:oauth:2.0:oob',
'grant_type' => 'authorization_code'
)
));
print_r($tokenJson);
This far, I've got food for my authorization header. My issue is in the first step (with the consent asked to user). I wish i can do this step without putting my url in the browser, validate two screens to grant access before getting the authorization code.
I'm also interested in advices to create gmail messages with rest requests driven by curl. I found postman collection about all actions gmail api can do, but one or two call examples wouldn't do harm ;)
thanks !
In the current state, by the method you are using, &response_type=code, you need two calls to the OAuth client to get the access token. You can find an example of how to handle it just using HTTP/REST requests here.
In any case, you could use Google API Client Library for PHP. Allows you to handle the OAuth authentication flow, only needing one interaction to get the token.
You can find a full example on how this works here, notice that this example uses the Drive API, if you want to use it within the Gmail API, you can check Gmail API PHP library.
Documentation:
PHP Gmail API
OAuth 2.0 to Access Google APIs
I currently building a small chat using Firebase and PHP. This, I thought, would be a good learning project for Firebase, and so far I am very happy with it!
However, I have hit a wall. I am not sure how I can implement an authentication system to Firebase via PHP. It's quite specific what I need the authentication system to do:
To be able to use the chat, the user must login using my custom php login system. Then once they are logged in, they will also authenticate to be able to read/write in the chat.
I couldn't really understand how this (if even) is possible with PHP, using CURL.
In my __construct function in have the following:
require('/libs/FirebaseLib.php');
$this->firebase = new fireBase('https://<url>.firebaseio.com');
require('/libs/JWT.php');
require('/libs/FirebaseToken.php');
$tokenGen = new Services_FirebaseTokenGenerator('<firebase-secret>');
$this->authtoken = $tokenGen->createToken(
array(
'id' => $this->userid
)
);
How would I authenticate with Firebase to let the user be able to read/write in my chat and not allow non authenticated user to read/write?
Note: I have not done anything to the Firebase security rules - this is part of my question.
I've looked at the documentation, I might just be very thick, but I couldn't really find what I was looking for.
Hope anyone to point me in the right direction.
Thanks!
EDIT: I have intentionally not been using javascript for my chat, apart from ajax calls to my php script which then relays it to Firebase after I have done what I want to do with the user's messages.
EDIT 2: Added links to the used libraries: "Firebase Token Generator" and "Firebase PHP Client"
EDIT 3: My current code looks like this: (reference)
__construct:
$this->authtoken = JWT::encode(
array(
'admin' => true,
'debug' => true,
'v' => 0,
'iat' => time(),
'd' => array('user' => 'admin')
),
'<secret>',
'HS256'
);
New Message Function:
$response = $this->firebase->set('/chat.json?auth=' . $this->authtoken, array(
'message' => array(
'username' => 'Test',
'time' => time(),
'string' => 'Hello World!'
)
));
However it returns: { "error" : "invalid_token: Could not parse auth token." }. I basically want to get permission as the administrator. I have tried just using the Firebase secret as the auth, but its returns the same error.
Rules:
{
"rules": {
".read": "auth.username == 'admin'",
".write": "auth.username == 'admin'"
}
}
The general workflow would be:
After user has authenticated with your custom login system, generate a Firebase auth token in your server-side PHP code. (it looks like you got this far with the code snippet you pasted).
Pass that token back to the client.
Have the client call firebase.auth(<token>); to authenticate to Firebase using your server-generated token.
Use security rules to restrict what the client can read/write, depending on the contents of their auth token.
For a simple scenario where you just want to allow all Firebase access if they're authenticated, you could just have security rules like:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
This would give authenticated users read/write access to your whole Firebase. You probably want to lock it down more than that though (i.e. only give them read/write access to certain parts of the Firebase). Check out our Security Quickstart for a walkthrough on how auth and security rules work.
If this doesn't help, perhaps you can elaborate on which part you're getting stumped at.
I am trying to write a PHP script that will allow me to do two things:
Allow users to use their Hotmail (I think its called 'Live' now?) account to authenticate themselves to a website
Retrieve an authenticated users contact list from Hotmail.
I have trawled the internet for the past 6 hours, looking for at least a working example that I can modify/extend to do the above two things. There are several dozens similar questions asked here on SO for example - NONE of the proffered answers work any more (admittedly, some of the questions were a few years old).
I tried the Microsoft site and downloaded the latest version of their API which seems to evolve at a rather alarming rate. I finally managed to track down an API which has not been deprecated (yet?).
I followed the instructions and when I attempted to authenticate, I was rewarded with the following mesage, for my efforts:
We're unable to complete your request
Windows Live ID is experiencing technical difficulties. Please try again later.
I immediately tried the online version of the demo and perhaps unsurprisingly, that worked like a charm.
As an aside, I managed to implement the same functionality for Yahoo and GMail, using their OPEN APIs, under an hour each. Now, it is possible that my unmitigated hatred of all things proprietary (sorry make that Microsoft), is causing me to lose the plot a little here.
Has anyone ACTUALLY (in 2012) managed to get a working sample in PHP that allows:
Hotmail (live?) user authentication
Hotmail user contact email retrieval
If you have, a code snippet, or a link to where I can find such a snippet would be very useful, as I have so far, wasted a whole afternoon trying to work the Microsoft Live API via PHP.
PS: No, I'm not interested in OpenInviter, its broken.
i wrote my own oauth library based around a single array for each service provider. this array contains all of the data required to perform authentication and retrieve user data. the array i use for msdn (ie. hotmail, outlook, xbox, msn) is:
$msdn = array
(
'oauth_version' => '2',
'oauth_method' => 'GET',
'redirect_user_params' => array
(
'url' => 'https://oauth.live.com/authorize',
'response_type' => 'code',
'http_params' => array
(
'url',
'client_id',
'redirect_uri',
'response_type',
'scope',
'state'
)
),
'obtain_access_token_params' => array
(
'url' => 'https://oauth.live.com/token',
'grant_type' => 'authorization_code',
'http_params' => array
(
'url',
'client_id',
'client_secret',
'code',
'grant_type',
'redirect_uri',
'scope'
)
),
'scope' => 'wl.signin wl.basic',
'obtain_user_data_params' => array
(
'url' => 'https://apis.live.net/v5.0/me',
'http_params' => array
(
'url',
'access_token',
'scope'
)
),
'client_id' => 'xxxxx', // = oauth_consumer_key in oauth 1.0 lingo
'client_secret' => 'xxxxxxxxxxxxxxx',
'readme_url' => 'http://msdn.microsoft.com/en-us/library/live/hh243647.aspx'
);
the parameters for each of the three oauth stages (ie "redirect user", "obtain access token" and "obtain user data") are in the http_params arrays. in the case of msdn these parameters end up in the query query string of the url that i send out with curl (since msdn only accepts GET, not POST).
i haven't tried retrieving the user's contact address book, but this would just be a case of extending the scope element with whatever extra information you require (documented here http://msdn.microsoft.com/en-us/library/live/hh243646.aspx). as you can see from the http_params arrays, the scope parameter is used in each of the three oauth stages.
Try out a Hotmail/MSN/Live import on the CloudSponge test drive to see if that's the user experience you're hoping for.
If it works for you, you can use our widget or our API. If you want to use the API, we have a PHP wrapper already written for your convenience.
Please confirm your callback url is with http:// if you only put www.domain.com then get this issue..
Hi ive set a news facebook application like below but when i call the auth dialog the Email is not requested so i dont get any informations..
http://hpics.li/b91d453
Any idea ?
My FB request :
$data['get'] = array(
'access_token' => $access_token,
'locale' => 'fr_FR',
'req_perms' => 'email,user_about_me,user_birthday,user_location,publish_actions',
'ext_perms' => 'publish_stream',
'fields' => 'email,name,picture,first_name,last_name,gender,link,birthday,email,location'
);
And the PermissionDialog dont contain the email and the req_prems.. Why ?
And also Preview Current Dialog is different than Preview referal dialog (which contains emails etc)..
Any idea ?
Which documentation are you working from? The parameter that needs to be passed to the Auth dialog to request additional permissions changed to 'scope' in October 2011
See https://developers.facebook.com/docs/authentication/permissions/ for the permission info and https://developers.facebook.com/docs/authentication/ for how to authenticate
If you're doing server-side auth the URL to redirect the user to is:
https://www.facebook.com/dialog/oauth/?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URL
&state=YOUR_STATE_VALUE
&scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES
And then you exchange the code for a token using the oauth endpoint (all this is covered in the docs above) - which your server makes a request to using the parameters below:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URI
&client_secret=YOUR_APP_SECRET
&code=CODE_GENERATED_BY_FACEBOOK_AND_SENT_TO_YOUR_APP_IN_EARLIER_STEP