github API v3 - acquiring access token through CURL - php

I've been puzzling through the github API docs (v3) and I'm kind of stumped. For the initial step - the acquisition of the access token - it appears that the only way to do it within a web app is to rely on a callback URL, which gets posted a temporary code. That's then used in subsequent queries to their API.
Does anyone know if this can all be done in a single step, e.g. cURL - i.e. within a single block of code in one page? Passing off control flow to a different URL causes innumerable problems for my particular scenario.
Thanks! :)

This is the nature of OAuth. You could try to use the basic authentication method, but if that doesn't fit your needs, then PHP has an OAuth library that should make authentication pretty painless. There are also a few PHP wrappers out there for the Github API, e.g. php-github-api.

Related

JWT and requesting application consent; also, manual vs SDK

Windows 2012, PHP 7.4.
I'm having a really hard time getting this going, and the more I fuss with it the more confused and frustrated I become. I'm already behind on the project, so I need to start asking questions.
Working server-side: everything is handled by our application: click a button, it does all the processing without any further interaction.
The task is "simple": send a PDF out for remote signing. Signature tabs are already placed in the PDF, all I have to do is SEND.
Question #1: Getting the JWT token and requesting application consent is a process, but it only has to be done once per application, right?
Question #2: The SDK seems to be overkill. I've written against REST APIs before and I'm comfortable working in that world. So, SDK vs. manually writing what I need. Advice? And whichever choice is preferred, where do I start?
Appreciate any help.
Question #1: Getting the JWT token and requesting application consent is a process, but it only has to be done once per application, right?
Getting consent from the user who will be impersonated by your app is a one time process. Depending on your use case, the "user" could be a "system user" such as finance@example.com or the user could be a specific person.
More on getting consent.
The access token that you get back from the JWT grant flow lasts an hour. So you'll need to repeat the JWT call if you need to make another API call after that. Please do not create a new JWT grant for each API call! Cache the access token.
Question #2: The SDK seems to be overkill. I've written against REST APIs before and I'm comfortable working in that world. So, SDK vs. manually writing what I need. Advice? And whichever choice is preferred, where do I start?
Half of the developers who use the DocuSign eSignature REST API call the API directly. So we're happy for you to do that if you prefer.
Create the request object as a PHP associative array, convert it to JSON and then call the API using your favorite HTTPS request library.
If you have a problem doing so, open a new StackOverflow question.

How do I verify a Google Cloud Task token from an HTTP request?

I am trying to implement Google Cloud Task queues with a HTTP Target. I've used the queues for App Engine but in moving to Cloud Run I wish to use the same queue system. I have implemented the dispatcher code but unlike App Engine I can't trust the headers, so I'm aware I need to verify the request using an auth token, but I'm struggling to get my head around it. I'm making a lot of assumptions as well. I'm trying to build this in PHP so if possible it would be good to see an example in PHP, but even just some pseudo code of the flow would be useful.
My first assumption is it's best to use OIDC tokens, based off of:
if you are writing your own code in the targeted service to validate
the token, you should use an OIDC token. For more information on what
this entails, see OpenID Connect, particularly Validating an ID token.
I've read the linked heading for this but it didn't make much of it clear to me if I'm honest.
Secondly, tokens will be in the Authorization header as Bearer <token>?
Thirdly, I guess I should use something like the package firebase/php-jwt to decode the token. But how do I decode it exactly? My service JSON file only has a private key, do I need to grab the public key from the cloud console? Once I do that, are there particular parts of the token I need to look at to verify the request? Or should the fact I can decode it into valid JSON be enough?
Every time I read a bit of documentation on how to do it I think I'm getting closer to the answer, but I'm at the point where it's taken far longer than I'd like and it's a bit frustrating when Google documentation rarely seems to just point out what I need to do.
You can refer to the link : https://developer.okta.com/blog/2019/05/07/php-token-authentication-jwt-oauth2-openid-connect
for more information about how to create HTTP tasks with authentication tokens for Cloud Run. Note that the code is given for Python, Java, Go, and Node.js. But it will give you an idea of the flow.
A request example of the authorization header (https://developer.okta.com/docs/reference/api/oidc/):
curl -v -X POST -H "Authorization: Bearer ${access_token}" "https://{baseUrl}/userinfo"
Information on how to decode the token:
https://developer.okta.com/blog/2019/05/07/php-token-authentication-jwt-oauth2-openid-connect
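Since the answer above only links to a general OIDC walkthrough, here is an added example (not code from the question or the answer) of the validation steps a Cloud Run handler should perform on the token Cloud Tasks sends in the Authorization header. It assumes the firebase/php-jwt package (v6) is installed via Composer; the audience and the invoker service-account address are placeholders for your own values.

```php
<?php
// Added example: verify the OIDC token that Cloud Tasks puts in
// "Authorization: Bearer <token>" when it calls a Cloud Run HTTP target.
// The audience is whatever you set on the task; by default it is the handler URL.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

const GOOGLE_JWKS_URL    = 'https://www.googleapis.com/oauth2/v3/certs';
const EXPECTED_ISSUER    = 'https://accounts.google.com';
const EXPECTED_AUDIENCE  = 'https://my-service-abc123-uc.a.run.app/tasks/handler';      // placeholder
const EXPECTED_CALLER    = 'cloud-tasks-invoker@my-project.iam.gserviceaccount.com';     // placeholder

/** Returns the verified claims, or throws; any failed check means "reject the request". */
function verifyCloudTasksToken(string $authorizationHeader): array
{
    if (!preg_match('/^Bearer\s+(\S+)$/i', $authorizationHeader, $m)) {
        throw new RuntimeException('missing or malformed Authorization header');
    }
    $jwt = $m[1];

    // Google publishes the public keys that sign its ID tokens as a JWK set.
    // You do not need anything from your own service-account JSON file to verify.
    // Cache this response in production instead of fetching it on every request.
    $jwks = json_decode(file_get_contents(GOOGLE_JWKS_URL), true, 512, JSON_THROW_ON_ERROR);
    $keys = JWK::parseKeySet($jwks, 'RS256');

    // decode() picks the key matching the token's "kid", verifies the RS256 signature
    // and rejects expired ("exp") or not-yet-valid ("nbf") tokens. Decoding as JSON alone
    // proves nothing; the signature check is what makes the claims trustworthy.
    $claims = (array) JWT::decode($jwt, $keys);

    if (($claims['iss'] ?? '') !== EXPECTED_ISSUER) {
        throw new RuntimeException('unexpected issuer');
    }
    if (($claims['aud'] ?? '') !== EXPECTED_AUDIENCE) {
        throw new RuntimeException('token was not issued for this handler');
    }
    // Only the service account you configured on the queue/task may trigger the handler.
    if (($claims['email'] ?? '') !== EXPECTED_CALLER || empty($claims['email_verified'])) {
        throw new RuntimeException('token does not belong to the task invoker account');
    }
    return $claims;
}

// Usage at the top of the task handler (HTTP_AUTHORIZATION may need a rewrite rule under CGI SAPIs):
try {
    $claims = verifyCloudTasksToken($_SERVER['HTTP_AUTHORIZATION'] ?? '');
} catch (Throwable $e) {
    http_response_code(401);
    exit;
}
// ... process the task body; $claims['email'] identifies the account that enqueued it.
```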

Creating API Authentication using PHP Oauth class

I am trying to setup API authentication for APIs that I have created using PHP. My website, (Client) has been created using React. I have been researching and I cannot find anything that explains what I need to know. One of the main resources I am using is the PHP documentation:
https://www.php.net/manual/en/book.oauth.php
The things I am struggling with are the generation of the tokens: what information do I use in the creation of tokens? How do I set up my APIs to be classed as a protected resource?
From the understanding that I have about OAuth, the client will send a request to the server for a request token. Once it has the request token, in the callback, it will request an access token using the request token. The access token will then be used to request access to the API. Does that sound right?
Any help would be greatly appreciated.
OAuth is pretty complex to implement, and is mostly used in situations where 3rd parties need to authenticate your users in their own code, or where there are complex authentication requirements.
Your case seems to be pretty simple, have you considered just using session/cookie based authentication, or using tokens generated on the server side?

Using RingCentral PHP SDK to build app that uses Authorization Code flow and subscribes to presence events

I am trying to build a web app that is using the RingCentral PHP SDK to subscribe to presence events. The application will be using the Authorization Code flow. I am getting the access token but have no idea how to use this token with the SDK and Platform objects. It looks like the SDK is geared towards using the Password flow.
Should I use plain curl to invoke POST /restapi/v1.0/subscription HTTP/1.1 passing the access token in the Authorization header? Or are there ways to use RingCentral SDK objects for it? Am I missing something?
If you could provide a little more information about your use-case, and how you're implementing the code, I can provide greater detail.
To create a subscription using the PHP SDK, here is the demo code contained within the RingCentral PHP SDK repository on Github
TL;DR
I see two questions being asked:
Does the RingCentral PHP SDK support Authorization Flow (3-Legged OAuth), because currently it appears the SDK is focused only upon the Password Flow?
Authorization Flow is the best-practice for building multi-tenant applications since it removes the security risk of your application storing usernames and passwords which are associated with RingCentral accounts. The RingCentral PHP SDK supports Authorization Flow and Password Flow authentication types. Once your PHP SDK instance has a valid access_token then it can create a subscription quite easily.
We can see in the PHP SDK code on Github within src/Platform.php that constant AUTHORIZE_ENDPOINT is supported as a returnable value from a request to authUrl().
You can see in Grokify's RingCentral OAuth PHP Example that Authorization Flow is supported by the PHP SDK.
Once your SDK instance has a valid access_token, it will use that token in the Authorization header when you createSubscription(), addingListeners(), and register() as seen in this PHP demo code to create a subscription
How do I create a RingCentral Subscription using with the PHP SDK (does the SDK have objects associated with it I can use)?
There are several ways you can go about using the RingCentral SDK(s). I've provided a link to the PHP Demo on creating a subscription in the above TL;DR.
Since you are working with the RingCentral PHP SDK, then you are restricted to server-side implementations as PHP is a server-side only language.
How you choose to implement your subscription is entirely dependent upon your application's use-case needs and your architectural requirements. Since you have indicated you are using Authorization Flow, that leads me to believe you are building a multi-tenant, web-based application integration. Since you said you are getting an access_token, I am guessing you've called the Platform.login() and passed it the code value you receive from the 3-Legged auth request to /restapi/oauth/authorize and received in the redirect. I'm not sure if you're doing all this from the client or server, but I'm assuming the server.
You would need to associate the session to the SDK instance and subscription on the server-side. This means you will have to manage multiple SDK and Subscription instances for each client-side session. You might also need to implement WebSockets or Long-Polling so you can achieve the near real-time event updates that Subscriptions enable. So while, yes, the RingCentral PHP SDK can be used with Authorization Flow, I personally would recommend against using it for any end-user, client-side, multi-tenant application development (unless you have properly prepared for mapping the sessions to the SDK/Subscription instances as I described earlier).
If you do not want to manage all of that on your server-side, you could use the RingCentral JS SDK on the client-side of your PHP application, but this might get a little messy and require some re-architecting of your solution depending upon how you have things built. Of course, this approach has a data-volatile aspect depending upon what you want to do with the data you obtain from the subscription and if you need it to persist between sessions (once again depends upon your use case).

how to communicate b/w two web applications securely using API?

I have a main website (which contains all data) and multiple client websites which fetch data from the main website. Each client website has access to a different set of data on the main website. I want to create a PHP based web API for this. This is my first API so I am not sure what is the best and most secure way to do this.
After some googling I found OAuth to be the most common authentication method for APIs. however in my case I want the client website to be configured once and then the communication should be automatic, i.e. communication should take place in background without any user interference. Is OAuth required for this scenario?
Or is there any other method I can implement here?
OAuth is way too complicated to implement for your needs.
If you are using REST, I suggest using basic-auth in the header and using SSL so that your communication is encrypted.
You could make a small SecurityFilter that checks, for any request with a URL pattern /api/, that the basic-auth is correct and that it uses SSL...
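The "security filter" suggested above, as an added example (not code from the answer): a PHP entry-point check that admits a request to /api/... only when it arrived over HTTPS and carries valid HTTP Basic credentials for a known client site, then returns the data sets that client may read. Client names, secrets and data sets are constructed placeholders.

```php
<?php
// Added example: a minimal security filter for a PHP REST API used by several client sites.
// Each client authenticates with its own Basic-auth credentials; only password_hash() output
// is stored server-side, never the secret itself.
declare(strict_types=1);

final class ApiAuthException extends RuntimeException {}

// In production this table lives in config or a database. The hashes are computed here at
// runtime only so the example runs without setup; normally they are stored precomputed.
function apiClients(): array
{
    return [
        'client-a' => ['hash' => password_hash('client-a-secret', PASSWORD_DEFAULT), 'data' => ['products', 'prices']],
        'client-b' => ['hash' => password_hash('client-b-secret', PASSWORD_DEFAULT), 'data' => ['products']],
    ];
}

/** Returns the data sets the authenticated client may read, or throws with the HTTP status to send. */
function apiSecurityFilter(array $server, array $clients): array
{
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    if (strpos($path, '/api/') !== 0) {
        throw new ApiAuthException('not an API route', 404);
    }
    // Refuse plaintext before even reading the credentials, so a misconfigured client cannot
    // leak its secret. Behind a TLS-terminating proxy, check X-Forwarded-Proto instead, but
    // only when that header is set by your own proxy.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        throw new ApiAuthException('HTTPS required', 403);
    }
    // PHP fills PHP_AUTH_USER/PHP_AUTH_PW for Basic auth; fall back to parsing the raw header.
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    if ($user === '' && preg_match('/^Basic\s+(\S+)$/i', $server['HTTP_AUTHORIZATION'] ?? '', $m)) {
        [$user, $pass] = array_pad(explode(':', (string) base64_decode($m[1], true), 2), 2, '');
    }
    if (!isset($clients[$user]) || !password_verify($pass, $clients[$user]['hash'])) {
        throw new ApiAuthException('invalid credentials', 401);
    }
    return $clients[$user]['data'];
}

// Usage at the top of the API entry script:
try {
    $allowed = apiSecurityFilter($_SERVER, apiClients());
} catch (ApiAuthException $e) {
    http_response_code($e->getCode());
    if ($e->getCode() === 401) {
        header('WWW-Authenticate: Basic realm="api"');
    }
    exit;
}
// ... serve only the data sets listed in $allowed for this client.
```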
It really depends on how you are exposing your API.
If you are using REST, HTTP Basic Auth over HTTPS is sufficient. I see a lot of people try to implement their own solutions when the provided approach is quite sufficient.
If you are using SOAP, there is a SOAP-based approach you could use: WS-Security (which is just a standard using anything from SAML assertions to OAuth tokens).
If passing Basic Auth credentials over HTTPS is too "open" for you, in that the credentials are saved in config on the client server somewhere, OAuth2 is probably the best solution. Doing OAuth on the server side wouldn't require any user interaction. You just store your tokens in a server config and let the OAuth library take care of the rest. PHP has a library for this PHP OAuth Library. There are plenty of OAuth2 libraries for PHP. Just Google it.
After some more googling and research I found the answer to my question:
The scenario I explained is an example of 2-legged OAuth (one can find many articles about 2-legged and 3-legged OAuth).
Also, OAuth is not difficult to implement; in fact, for a developer with good knowledge of APIs and auth systems it's very easy.
Here's a link of very good php OAuth library with example code http://code.google.com/p/oauth-php/