Creating an Api-Centric Application, my own doubts - php

I am trying to wrap my head around all this "api-centric" concept and somehow, for various reasons (after turning SO upside down), I am not able to find answers on my own, so I hope you can help me :)
Here it is: as part of a personal project I need to create something like a social application website. I say "like" because it's just a small project, nothing too fancy.
The idea I have in mind is that I create a REST service, say something like http://api.domain.com/v1/, with all the needed methods for resources (create/delete/update/read).
Now, after this service is created, I need to create my website, say http://www.domain.com/, and this website will communicate with api.domain.com for each action it does. If a new user registers, send the data to the API server, process it, return an answer and so on.
Then, after the website is created, I am planning to use PhoneGap to create a native application for iPhone and Android. These mobile applications will basically act just like my website does: connect to the API server and do various actions.
This is pretty simple if no authorization is involved, so anyone who knows the API endpoints would be able to manage all the resources, which, as you would guess, I don't want, so I have to implement some kind of authorization mechanism and I am not really sure what to use.
I am thinking of implementing OAuth2 so that my API acts as an OAuth provider; then my website/mobile apps will connect to the API, get authorized and then do their job.
Is this a good approach, any thoughts?
Next, let's say I stick with OAuth and everything works okay. What if I want to give my users the opportunity to create their own apps to access info about the other users or their own data (basically I have a public API, why not take advantage of that)? Then the user that installs the app will need to approve it in order to give access to his info. I know this is possible with OAuth (since Facebook/Twitter/others do it); the question is, how do I differentiate between simple user-created apps and my own ones (like the website and mobile apps)? Is this separation doable by providing various "scopes" when requesting permissions?
If not, what other approach should I use?
I'm not too experienced with OAuth, so maybe some of the questions are a bit wrong; hopefully you get the point of my problem.
If it helps, I'll use PHP 5.4 with the Yii framework, Apache 2 (mod_ssl available), MySQL.
Thanks :)

Yii provides CWebService (SOAP); you can use that, or create your own REST API indeed.
I created an API myself, the same way you want to do it.
For safety purposes I'm logging in with an API username and an API password using CUserIdentity:
    // $responseData is what the API action returns to the calling app (e.g. as JSON)
    $responseData = array();
    if (Yii::app()->apiuser->isGuest) {
        if (!empty($_POST['apiUser']) && !empty($_POST['apiPassword'])) {
            // ApiUserIdentity extends CUserIdentity and checks the API credentials
            $identity = new ApiUserIdentity($_POST['apiUser'], $_POST['apiPassword']);
            $identity->authenticate();
            if ($identity->errorCode === ApiUserIdentity::ERROR_NONE) {
                Yii::app()->apiuser->login($identity); // Login for 30 minutes
                $responseData['success'] = 1;
                $responseData['sessionId'] = Yii::app()->session->sessionID;
            } else {
                $responseData['error'] = 'Incorrect username and/or password';
            }
        }
    }
The POST data is coming from the app that uses the API. The session ID is passed back to the app, so a next login isn't necessary. If you're using cURL to make the API request you can send the session ID back on the next API request using:
    // Replay the API session ID as a cookie on the next request made with $ch
    $strCookie = "PHPSESSID=" . $sessionId . "; path=/";
    // Start a fresh cookie session for this handle (ignores session cookies from earlier cookie files)
    curl_setopt($ch, CURLOPT_COOKIESESSION, true);
    // Send the stored session ID in the Cookie header
    curl_setopt($ch, CURLOPT_COOKIE, $strCookie);
This way the session is maintained every next request.
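A sketch of the OAuth2 side the question asks about, as an added example that is not part of the answer above: first-party and user-created clients are both registered, a per-client flag decides whether the consent screen is needed, and scopes limit what a bearer token may do. Client IDs, token values and the table layout are constructed for the example.

```php
<?php
// Added example (not from the question or answer): a minimal bearer-token check
// for an API acting as its own OAuth2 provider. First-party clients (the website,
// the PhoneGap apps) and user-created apps are all registered clients; a flag
// separates them, and scopes limit what each token may do. Arrays stand in for
// database tables; all names and values are constructed for the example.

$clients = array(
    'web-frontend' => array('first_party' => true),   // our own website
    'user-app-42'  => array('first_party' => false),  // an app a user created
);

// access_token => record (in a real store, look tokens up by their hash)
$tokens = array(
    'tok_website_abc'    => array('client_id' => 'web-frontend', 'user_id' => 7,
        'scopes' => array('profile:read', 'profile:write'), 'expires_at' => PHP_INT_MAX),
    'tok_thirdparty_xyz' => array('client_id' => 'user-app-42', 'user_id' => 7,
        'scopes' => array('profile:read'), 'expires_at' => PHP_INT_MAX),
);

// During the authorization step, only clients we own may skip the consent
// screen; a user-created app always needs the user's explicit approval.
function needsUserConsent(array $clients, $clientId)
{
    return !(isset($clients[$clientId]) && $clients[$clientId]['first_party']);
}

// Validate "Authorization: Bearer <token>" and require one scope.
// Returns the token record on success, or an error array with an HTTP status.
function authorizeRequest(array $tokens, $authHeader, $requiredScope)
{
    if (!preg_match('/^Bearer\s+([A-Za-z0-9._~+\/=-]+)$/', (string) $authHeader, $m)) {
        return array('error' => 'invalid_request', 'status' => 401);
    }
    if (!isset($tokens[$m[1]])) {
        return array('error' => 'invalid_token', 'status' => 401);
    }
    $rec = $tokens[$m[1]];
    if ($rec['expires_at'] <= time()) {
        return array('error' => 'invalid_token', 'status' => 401); // expired
    }
    if (!in_array($requiredScope, $rec['scopes'], true)) {
        return array('error' => 'insufficient_scope', 'status' => 403);
    }
    return $rec;
}

// Usage: the user-created app's token may read but not write profile data
var_dump(authorizeRequest($tokens, 'Bearer tok_thirdparty_xyz', 'profile:write'));
var_dump(needsUserConsent($clients, 'user-app-42'));
```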

Related

php - New Instagram API

I would like to implement Instagram for a WordPress plugin.
This plugin will allow users to display Instagram images with comments, likes, etc. I would like to use different sources like user, tags, etc. There will be no interaction with the like/comment system. It's just a plugin to display an Instagram grid.
However I don't understand what the right way to use the new API is. On the Instagram developer guide it's mentioned that the new API will be limited in the number of connections, etc. I don't know if this concerns my case for the plugin I want to develop.
To sum up, is the access token enough to do what I want, or do I need to use the API like this wrapper class with 'api Key', 'api Secret', 'api Callback'? It seems that information can be retrieved in different ways but I don't understand what I should use. Or do I need to create an app?
Maybe these questions seem stupid but I'm not fluent in English and the developer guide of Instagram is just not clear to me about the way I should use Instagram for authentication/connection with any user.
I hope someone can guide me a little bit.
There are 2 ways you can approach this problem.
1) The plugin requires each user to register their own app with Instagram.
This means each user who installs the plugin would need to go through the app review process. Plus you would need to provide a way for the users to supply their client_id, client_secret and a callback. Essentially you write the code to make everything work, but the complexity of configuring the OAuth flow is still up to your users.
2) You register your plugin as an app with Instagram and make requests on your users' behalf.
This is the intent of OAuth and Instagram's new API updates. This will also push all the complexity to you, the plugin author. Since this is open code you will need to figure out a way to keep your client_secret secure. One solution could be running a service for your plugin that handles the OAuth flow. You might also have API limit concerns depending upon your plugin adoption and usage.

API for Google for Education last login data of users?

I have super admin privileges for Google for Education apps. I want to check if a specific user has already logged in to his/her account. I can manually do this in the admin console but I need to retrieve it using the web application that I created. I am just wondering if there's an API for this.
You can pull lastLoginTime with the Directory API.
If you're looking to pull login data for all users, you can also use the Reports API. I would personally recommend the Directory API over this, though, if you're looking for current data, as it's not abnormal for the reports data to be a week old.
Another, perhaps not completely secure, approach would be to use a standalone Google Apps Script. Turn on the Admin SDK both in the Advanced Google Services menu and in the API. Then you can make standard GET requests to the Apps Script. This way the admin authentication is handled by the Apps Script.
    function doGet(e) {
      var email = e.parameter.email;
      // Requires the Admin SDK Directory advanced service to be enabled for this script
      var user = AdminDirectory.Users.get(email);
      var lastLogin = user.lastLoginTime;
      Logger.log(lastLogin);
      // The script runs with the deploying admin's rights, so anyone who can reach
      // the web app URL can look up any user's data
      return ContentService.createTextOutput(lastLogin);
    }

Native login with Instagram API

I've been working on an app for IG and was looking at other websites which use the IG API. I came across a website which allows the user to log in by entering their username and password directly into the site. It is then able to access the IG API and fetch things like follower count, however without the user authenticating an IG API client as would normally be required. The app can even perform functions such as liking pictures using your account, which as far as I know also requires you to authenticate an app with elevated privileges.
My question is, how is this app able to log in users without using OAuth, which appears to be the only method of authentication?
They probably use a web automation framework like Selenium to take actions like auto-linking content by actually logging in to the Instagram web site with the account's credentials and simulating mouse clicks, etc. to get the job done. In other words their "script" just looks like a very active user to Instagram because it's all coming from interactions between a web browser and their site.
They definitely are not using the API. Several reasons you can know this:
no OAuth flow to get an access_token
they don't appear in the authorized applications section if you log in and manage your profile
what they are doing is a violation of the API Terms of Use. See the following under "shall not":
Use the Instagram APIs to post automated content to Instagram, including likes and comments that were not initiated and entered by an Instagram user.
I'm no lawyer and I have no inside information, however it seems clear enough to me that Instagram does not want this type of "bot" activity.
They claim that they have the timing set up in a way that they go undetected, but I think it's a safe bet that there are algorithms at Instagram trying to detect and prevent this type of activity, and if they do, accounts would be at risk of being disabled, etc. I have no inside knowledge here, just speculation.
The Instagram application that you use from your cellphone uses HTTP/HTTPS communication with their application server. The link that you provided in the question simulates those HTTP calls to mimic an Instagram application.
You can redirect your cell phone's Internet connection through a proxy (your own proxy server). From your proxy server, catch the web requests that are sent by the Instagram application when you are logging in, liking, etc.
It will be easy for you if the requests go through HTTP. But if they go through HTTPS, then it will be really difficult to capture them. You can try Fiddler or similar software for this.
What I THINK is happening is the following:
They are logging your PHPSESSID and using that so you have the ability to like pictures and whatnot. They are doing all of the back-end work directly in index.php.
If you track the requests that are being sent to index.php through the Network tab in Chrome, you will see that "Cookie:_ instamacro_advcontent=1; PHPSESSID=" on the index.php file "Headers" tab.
I'm doing the same with my website that uses Vine's API (not public, btw). In a PHP file I created called api.php, I use Vine's API to perform actions. I do not use OAuth at all. I simply use the user's "x-vine-session" cookie.

List all Google Apps Profiles on PHP Site

I am trying to get a list of all Google Apps users of a domain onto a public PHP website (without visitors of the site needing to login or do anything). I have a basic understanding of what needs to happen but can't quite piece it all together. It can't be as hard as it seems to me... could it?
Authentication and Authorization:
I'm pretty sure it needs to use OAuth 2.0 ... but am unsure whether it needs 2-legged or 3-legged. I got another section of the site working with ClientLogin but that won't pull in Google Apps profiles, only users' first and last names (I need the other profile fields). I have set up the API access within the account and have that side of things all set (I believe).
I have found this page, which shows how to construct a URL request to get all Profiles (in every language except PHP, of course) but don't understand how to implement this.
http://code.google.com/googleapps/domain/profiles/developers_guide.html
I also tried this example but it just gives me a 401 after I enter the credentials. http://gdatatips.blogspot.com/2008/11/2-legged-oauth-in-php.html
I don't know which frameworks or includes are needed to accomplish this either. I have tried Zend, OAuth.php and a whole bunch of other bootstraps... but keep getting lost as to what each is doing.
If someone could help me by outlining:
Which files/framework I need to upload and include as a bootstrap
What variables within those files I need to update with the Google credentials
How I integrate the Google Profiles "Retrieve all Profiles" request with PHP
An ELI5 (explain it like i'm 5) overview would be very much appreciated... I'm sorry for my apparent incompetence, but I have been reading articles for nearly a week and have not gotten anywhere.
Thank you in advance for any help provided.
Good question.
You'll need to implement the Google OAuth 2.0 process as it's described here (experimental?), because someone (you) will need to give your app the initial permissions to access Google Apps API. Steps are:
Register your domain with Google (don't remember the link)
Redirect/send the browser to an authentication URL: https://accounts.google.com/o/oauth2/auth, with the appropriate request params (see the first link). You'll need access_type=offline; your scope would be https://apps-apis.google.com/a/feeds/user/
Get a code back, then exchange for a refresh_token, an access_token, and a value specifying when the access_token will expire. Store these in a database
Whenever you need to make an API call, check if your access_token has expired or not, and refresh when necessary, which is what the refresh_token is for. The refresh_token is valid as long as you don't revoke the access you gave to the app.
OAuth Playground helps a lot. Good luck.
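The expiry check and refresh from the last step, as an added example that is not the answerer's code. It assumes a stored token record with access_token, refresh_token and expires_at, the Google token endpoint https://accounts.google.com/o/oauth2/token, and the client_id and client_secret from the app registration.

```php
<?php
// Added example (not the answerer's code): keep a Google OAuth 2.0 access token
// fresh before each Profiles API call, using the stored refresh_token when the
// access token has expired. $tokens is the record saved after the code exchange;
// its keys (access_token, refresh_token, expires_at) are an assumed schema.

function refreshAccessToken(array $tokens, $clientId, $clientSecret)
{
    $ch = curl_init('https://accounts.google.com/o/oauth2/token');
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // the client_secret travels in this request
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_POSTFIELDS     => http_build_query(array(
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            'refresh_token' => $tokens['refresh_token'],
            'grant_type'    => 'refresh_token',
        )),
    ));
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status !== 200) {
        // "invalid_grant" here usually means the user revoked access: re-run consent
        throw new RuntimeException('Token refresh failed with HTTP ' . $status);
    }
    $resp = json_decode($body, true);
    if (!isset($resp['access_token'], $resp['expires_in'])) {
        throw new RuntimeException('Unexpected token response');
    }
    $tokens['access_token'] = $resp['access_token'];
    $tokens['expires_at']   = time() + (int) $resp['expires_in'];
    // Google returns refresh_token only on the first exchange, so keep the old one
    return $tokens;  // the caller must persist the updated record
}

// Returns a usable access token, refreshing if it expires within 60 seconds
function getValidAccessToken(array &$tokens, $clientId, $clientSecret)
{
    if ($tokens['expires_at'] - 60 <= time()) {
        $tokens = refreshAccessToken($tokens, $clientId, $clientSecret);
    }
    return $tokens['access_token'];
}

// Usage before the "Retrieve all Profiles" request:
// $headers = array('Authorization: Bearer ' . getValidAccessToken($tokens, $clientId, $clientSecret));
```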

How to authenticate your server to my server when a user loads your page in PHP?

A user signs up for a key and secret from my site, then they can send/receive from my REST server.
Where I need help is when a user interacts with the REST server: how can I determine if they are authenticated using THEIR key and secret? Basically this will be for a social network site app area. I have seen that many social networks have an app area and use REST and OAuth and sometimes OpenSocial, but I have looked at those and they are a bit complex for my needs I think. As for authenticating with OAuth, I guess I do not really understand exactly how it works; maybe it is what I am looking for though? I don't need to authenticate the user who views the page that is running the API, I need the owner of the app's server to authenticate to send back and forth with my REST server?
Any advice on how to do this the best way? I would like to do it the best method for future growth, so if I could do it like the big boys do (Facebook, MySpace, hi5, Bebo) that would be the way to go I think.
When a request is sent it should pass the key in the URL to my server, but they should have their secret somewhere in their script; I am not clear how to make that work with each other?
OAuth is almost certainly the best way to go here. Using OAuth, you can provide authorization to almost any kind of web-based API that you would like (REST is fine, but so is plain ol' XML over HTTP).
There are some Stack Overflow articles on how to get started with OAuth.
I also find Google's implementation worth studying, as it's both well documented, and a very good implementation from which to take inspiration. They also have a very helpful "OAuth Playground" that will walk you through an OAuth request step by step.
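As an added example that is not from the question or the answer, one concrete way the key/secret pairing in the question can work without ever sending the secret: HMAC request signing, the same idea behind OAuth 1.0 signatures. hash_equals needs PHP 5.6 or later; the parameter names and sample values are constructed.

```php
<?php
// Added example (not from the question or answer): the app owner's server signs
// each request with its secret; your REST server looks the secret up by key and
// recomputes the signature, so the secret itself never crosses the wire.

function canonicalString($method, $path, array $params)
{
    ksort($params);  // both sides must serialize the parameters identically
    return strtoupper($method) . "\n" . $path . "\n" . http_build_query($params);
}

// Client side (the app owner's server): adds key, timestamp, nonce and signature
function signRequest($method, $path, array $params, $apiKey, $apiSecret)
{
    $params['api_key']   = $apiKey;
    $params['timestamp'] = time();
    $params['nonce']     = bin2hex(openssl_random_pseudo_bytes(16));
    $sig = hash_hmac('sha256', canonicalString($method, $path, $params), $apiSecret);
    $params['signature'] = $sig;
    return $params;
}

// Server side (your REST server). $secrets maps api_key => secret; $seenNonces
// stands in for a short-lived cache used to reject replayed requests.
function verifyRequest($method, $path, array $params, array $secrets, array &$seenNonces)
{
    if (!isset($params['api_key'], $params['timestamp'], $params['nonce'], $params['signature'])
        || !isset($secrets[$params['api_key']])) {
        return false;  // malformed request or unknown key
    }
    if (abs(time() - (int) $params['timestamp']) > 300) {
        return false;  // outside the 5-minute freshness window
    }
    if (isset($seenNonces[$params['nonce']])) {
        return false;  // replay of a request already accepted
    }
    $given = $params['signature'];
    unset($params['signature']);
    $expected = hash_hmac('sha256', canonicalString($method, $path, $params), $secrets[$params['api_key']]);
    if (!hash_equals($expected, $given)) {  // constant-time compare, PHP >= 5.6
        return false;
    }
    $seenNonces[$params['nonce']] = true;
    return true;
}

// Usage: sign on the app owner's side, verify on yours (constructed key and secret)
$secrets = array('key_123' => 'constructed-secret');
$seen    = array();
$signed  = signRequest('GET', '/v1/users/7', array('fields' => 'name'), 'key_123', $secrets['key_123']);
var_dump(verifyRequest('GET', '/v1/users/7', $signed, $secrets, $seen));
```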
