What I'm trying to do is basically have a system that allows people to post to Tumblr via this website using Tumblr's API. I think it would work something like:
Get the user to grant our application permission on Tumblr; get the token and secret from Tumblr.
If this user has never authenticated before, store the OAuth token, OAuth secret, and the user those belong to in a database.
If the user has authenticated before, check the OAuth token and secret that Tumblr just gave us against the ones already stored in the database to re-authenticate this user.
So, do I need to re-authenticate with OAuth on every single page? Or in other words, I need to contact Tumblr every time the user loads a page to make sure they're still the person they say they are?
Related
I'm building an application for an event so they can directly post their news messages on facebook. I'm trying to use de php SDK V4 for this but there are some parts of the login process I don't understand (still couldn't find a solution after searching for several hours).
My Problem is in the login process. First you have to specify which applicaton you are and give your application secret. Than you have to login to facebook with an account.
But which account should I use for that? The one of their event? Mine?
(I'm an admin of the events page) (this means that all messages will
be posted from mine account while i'm not the poster...sounds pretty
weird..)
Which method should I use to login into facebook? There is a veriaty of methonds like the FacebookRedirectLoginHelper(), the FacebookCanvasLoginHelper() or the Javascript one. However as far is I understand all these helpers for your users to login to their facebook accounts and that's not what I want.
During my search I found some an example of someone who is making a similar system (Facebook Graph API PHP SDK v4 - Post on Page). He/She uses the folowing piece of code for getting a facebook session:
FacebookSession::setDefaultApplication('{APP ID}','{APP SECRET}');
$session = new FacebookSession('{Page Access Token}');
This suggests that you don't need to login into facebook by user but only need a Page Acces Token. However if I understand it correctly (correct me if I'm wrong), to get a Page Acces Token, you first need an User Acces Token (https://developers.facebook.com/docs/facebook-login/access-tokens/#pagetokens). To get an User Acces Token you should be logged in, and than we're back to question 1 and 2 in the beginning of my story.
Or can I just get a Page Acces Token using the following api request (according to https://developers.facebook.com/docs/facebook-login/access-tokens/#pagetokens)
GET /{user-id}/accounts
Using a random user-id as long as the page admin gave this user permission to generate such a token (so the user related to "user-id" shouldn't be logged in while retrieving the Page Acces Token?) .
Sounds like you'll need to use the following flow:
Have the page admin log in with their Facebook account. Make sure to request the manage_pages extended permission. This will give you access to the pages they admin.
Once they grant access to your app, you'll get a short lived user access token. Exchange it for a long lived user access token.
Get the list of the user's pages with /me/accounts. Each page will have an access_token field returned with it. These are all page access tokens. We want to use a long lived user access token to get this list so that all the page access tokens returned will not have an expiration date. They live forever! :)
Use the page access token to post to the wall of the page if you want to post as that page. Use the user access token to post to the wall of the page if you want to post as that user.
And the Facebook Query Builder might make this whole process a lot easier. :)
Hope that helps!
I have implemented google drive api in my website(in php) with the Oauth 2 authorizing method where different users have to enter their own client id and client secret to access files in his/her google drive.
But to make it more user friendly I am planning to implement Google+ Sign-in method as in this url https://developers.google.com/drive/about-auth.
Can anyone provide me with a tutorial on how to use google + sign in to get the refresh token for google drive api requests?
These are the steps ...
Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
Google will walk the user through login the and (if the first time through) authorisation dialogues
Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
Store the user ID in your session so you can identify the user subsequently
Persist the refresh token alongside the google user id in a database
On subsequent visits...
If you have the google user id in the your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, eg
user declines permission
user withdraws permission
google expired the refresh token (happens a lot) so you need to re-auth
timeouts
I have a php app where my registered users login to facebook. I use $facebook->getLogoutUrl();. Then I retieve all their albums and display their id and names in an HTML select tag. The user select one and the id of the album is stored in the DB.
Here everything works great.
Then an anonymous user visit my website and I want him to see my registered user photos (public photos of the albums selected by the registered users) (they are not logged in my site, they are not logged in facebook). At the moment it only works if the anonymous user is logged in facebook. But I want to diplay photos even if the anon is not logged in facebook.
$photos = $facebook->api('/'.$idAlbum.'?fields=id,name,link,photos.fields(id,picture,source)');
I have tried a lot for 2 weeks but nothing seems to work. I have tried without login, I have tried with an app access token, I have tried:
https://graph.facebook.com/oauth/access_token?client_id=XXXXXX&client_secret=YYYYYY&grant_type=client_credentials
Can anyone help me? or tell me if is not possible to my app to retireve photos from an album. I searched a way to login my app but I only find app access token (https://developers.facebook.com/docs/howtos/login/login-as-app/) but as it say it can make requests as the app, not as a user
In order to access a users information, you're going to need a valid access token for that user. An application access token can't be used to do anything on behalf of a user.
Access tokens expire after a while and that prevents applications from searching though the users information when the user is not actually using the application.
If you want to go all the way - just download all the photo's from the album and store them on your server... If you can't do that, then you'll have to look into extending the album owner's access token so that you can use it when querying their album. As far as the application is considered, with that extended access token, it is in actual fact the album owner who is making the request.
Taken from the Facebook docs:
Extending client-side user access tokens
When a person completes a client-side auth flow and you retrieve their
user access token, by default the token is only valid for one to two
hours.
You can exchange this token for a longer-lived one that's valid for up
to 60 days by passing it to the /oauth endpoint from your server with
a grant_type parameter of fb_exchange_token. [Note that it must be
sent from the server so that the App Secret is not exposed.] Here's
what that looks like:
https://graph.facebook.com/oauth/access_token?
grant_type=fb_exchange_token&
client_id=APP_ID&
client_secret=APP_SECRET&
fb_exchange_token=SHORT_LIVED_ACCESS_TOKEN
The response from this endpoint will include the long-lived access token. This will be a
different string to the original token, so if you're storing these
tokens, replace the old one.
Basically you'll have to do this as soon as any (registered) user performs a succesful login and store the token in your database.
I have been doing research on this Oauth concept and I am still very confused about this concept. One of my main questions is how does one register with a google account or a twitter account.
For example, lets say in order to register to my website, you must provide a Username/Password/Email/GroupName. If you register through my website, than you can provide those fields very easily. However let's say the user wants to register through google. How would those fields populate?
From my understanding once you register with your google credentials, you are redirected to a page on my website where you fill in the required fields. I am not sure if this is correct. Can anyone help me understand this more?
Basically OAuth works like this (depending on the version these points consist of multiple steps):
You redirect the user to a provider, where he logs in
The user is redirected back to you and you receive an access token
Using this access token you can then request the users data from the provider. Typically the providers provide a call which you can use to ask for the user's email address, full name and a (provider-specific) user id, but that is not part of OAuth.
How you now use this information to handle that user as if he logged in to your site is then completely on your own. You probably want to create a new user object on your side each time you see a new user id.
There are couple of basic concepts that needs some clarity before one can understand how a new user registration happens using OAuth2. These are:
Resource Owner (You, the human)
Identity Provider (Google, Facebook, Twitter, etc.)
Resource Server (Same as Identity provider, or some other service)
Resources (Things you want access to)
Client app (The app you are using to access those things)
For new user registration, you will follow the same sequence of client app requesting authorization to be granted access to the resources. This will trigger a login page, user logs in, authorization code is created (by the IdP) and sent back to the client app. The client app exchanges this code for an access token (some encryption signing is involved, read up the documentation - basically allowing client app to prove its own identify).
This access token is then used to request access to resources - in this case, the new user profile. This could be name, email, picture etc. Use this to create a new row in your client apps profile database. A new user account is created.
Then for subsequent logins, the client app will use this access token to validate its life with the Google Auth server - and then create a local session/cookie to login the user.
Hope this is clear.
I am new to oAuth and looking to build a web application using Twitter (oAuth) to authenticate. There will be no other login method other than via Twitters oAuth. I am looking for advise on best practice to secure the site based on tokens. Here is my plan:
User is taken from my site to authenticate via Twitters site
Generate Access token for user
Get the users unique Twitter id via Twitter API
Do a user lookup in local db with this id and locate access token if available.
If no user, create new row in user table and save against the user. If user found, update access token agains the user record.
If the user is found, md5_salt the twitterid and set as a cookie.
If the user re-visits, lookup user based on cookie
Does that sound like a secure approach or is using the md5 twitter id a bad idea?
Appreciate any comments.
Without knowing exactly what your client/consumer application is doing, it is hard to tell whether this approach will be "secure".
One problem I see, is that once you have an access token from twitter, how do you identify your user if the cookie gets deleted? Or would you require them to get a new access token? This would mean that they would have to both login, and authorize your application each time.
Also, an access token for one user of your app. can be stolen and used by another user of your app. since it works just like a password AND you have no authentication on your side to verify your cookie saved access token.
To answer your question then, I would have to say that using oauth as the only authentication provider, no matter how you do it, is not a best practice.
In order to be secure both the client (consumer) application, and the server (provider) application, need to verify the identity of your users. The easiest way to do this is with a username and password which are stored in your users head, and not on file somewhere...