I've been trying to get Google's Calendar API working in a PHP web application, but I'm having a hard time getting authenticated.
What I want to do is to allow users to interact with calendars of a single account known by the server.
Each type of scenario covered in the OAuth 2.0 docs talks about "user consent" which involves a login form and the individual user logging in, but I want the server itself to authenticate directly and obtain an access token for itself.
Is there some part of OAuth or some alternative mechanism I can use to do this?
In order to do this, you must go through the steps for user consent and then copy the access tokens it gives you into the PHP code.
The usual procedure for OAuth is like this:
Send user to authentication page.
User comes back with $_GET['code']
Send $_GET['code'] to OAuth server for a token
Store token in database for the user (or session, if it's very short lived)
But when doing it with a single calendar like this, you modify step 4. Instead, you dump the token to screen and copy it into your PHP file as variables, instead of putting it in the database. Then when you go to pass the access token to the server, you just pass the known, static token rather than a dynamic token from the database / session.
See mathewh's answer here:
How to automate login to Google API to get OAuth 2.0 token to access known user account
The lightbulb for me is when you get the access token you get a refresh_token as well... you use this token to "refresh" your access token once it expires.
There is no way around a manual authorization step the first time.
Related
http://api.chan15.info/google-stackoverflow.html
This is the sample code I use to let user login via Google JavaScript API, and it's work, next step is use user id to login to local server via PHP, but use the user id by JavaScript is pretty danger, the real procedure I want is:
login user via JavaScript API
get access_token from JavaScript
pass the access token to PHP
use access token to Google OAuth to get user id again by PHP
login the user by user id
but I don't know how to get access token.
After the user is logged in to their Google account using the Javascript Oauth2 API the access token can be found here:
gapi.auth2.getAuthInstance().currentUser.get().getAuthResponse().access_token;
I've used this to pass the token along to a separate curl PHP request as well as CORS. Since Google's JS API is still Beta I had to resort to sending a PHP curl request in the past. If you're planning to store the token for access after the user navigates away I'd also also get the token expiration date and call another function that wipes out the stored token whenever expired or explicitly revoked. But for me it was just easier to pull this right after successful login each time since I only needed to call the PHP function once and in real-time with AJAX as a bandaid.
PS: You might want to change the original category from Java to Javascript
I am implementing the hybrid sign in flow got login with Google+. What I want to achieve is this:
One a user has authorized the app, the next time he comes back on the website, I want to log him in automatically.
In hybrid flow, google automatically logs the user in and displays a welcome back message (javascript sdk) along with returning access token. But this process requries one ajax call to be sent to gogole api.
I want to make this call through the backend itself using Google's PHP client library. Since the app has been authorized already, it should simply return the access token as it does when using javascript sdk. But I am not able to figure out how to achieve this using client library. Can anyone please help me out?
In your call parameters set access_type: 'offline', then need to get a new token using the refresh_token that is provided ONCE at the FIRST time of authorisation. You will have to store that refresh_token somewhere in your database and pair it up with the user's already expired access token ID or somehow and make another call for a valid access token.
For the time being you can set approval_prompt: 'force' but that's merely a development trick not a real solution.
More is explained here refresh token with google api client php
I want to register users to my webinars after they submit a form in my site, this is common practice but I'm having problems authenticating my application.
The problem is that according to the documentation Citrix doesn't support username-password authentication flow (where you put your user and pass in a request and you get a token):
https://developer.citrixonline.com/content/username-password-flow
Instead users need to be directed to a login page to complete their Citrix account credentials, supposedly this can be done by me just once and then save the token, however I couldn't find a method to do it safely, I tried once to save the token and just the next day it was expired. So how can I make sure I get a fresh access token without
I'm using this PHP library which is supposed to simplify the login process (maybe there is some clue in it):
https://github.com/jakir-hayder/Citrix-GoToWebinar-PHP-Library
First, read this primer on OAuth workflow to ensure you have the terms and concepts down pat. (You can ignore the fact that the example is for SalesForce -- OAuth is all the same.)
Then, you should understand that you're looking for the Citrix Token Request Endpoint, which they happen to call "Direct Login".
That should let you pass the username/password to get the token to use in subsequent requests. That what you need?
I would use Fiddler or Wireshark to collect the API calls that are made to the Citrix API when you log in. Then add some code in your applicaiton to send the same requests, parse the response that has the access token, and dynamically use that token however you've already got it set up in your application.
i want to create an Api for my own mobile App to access data that is stored in a MySQL-Database. However i read a lot of articles about the 3-legged OAuth approach and i think this is not the solution i'am looking for. When i understand it correctly the 3-legged approach is more usable when for instance i create a new twitter client and want to use the twitter Api.
But my app is not a third party app, my app and the website incl. the database are from me. So i assume, that the user starts the app enters his user id and password, then the api has a function that checks whether userid/pw are correct and sends "true" as a result back to the app. The app then offers the user the possibility to access the functions for which a login is necessary. So the user should not be redirected to a website and "allow" the access to userid/pw.
If i understand it correctly the 2-legged approach is more likely for my purpose. But i am confused by this also. I assume that the user enters his id and pw, these credentials are looked up in the database by the web service a token will be looked up in the database for this user and will be send to the app. Additionally an app-token is saved in the app from the beginning and will be send with the request also. The app will save this user-token from the DB internally and will use this token everytime the user does something with the web service. With every request to the web service the token will be send to the service and the service checks whether the token is a valid one otherwise an error is send to the app.
I looked up this example:
http://code.google.com/p/oauth-php/wiki/ConsumerHowTo#Two-legged_OAuth
But there is nothing mentioned that the userid/pw from the user are looked up in the database...
Can anybody explain how i can solve this?
Two legged OAuth is similar to Client-Server. It is a client app requesting full access to the data from a server. The client would have full access to all data allowed by it's credentials regardless of which user is accessing the client
Three legged OAuth is a User-Client-Server. It is a Client requesting to get access to the User's data from a server. The Client would only have access to that an authorized user's data (until the user revokes access).
I've implemented the oAuth in php (currently for twitter) and as I've read in several tutorials you should store the access token in db for future use. However I don't see how you know if you have the access token stored for a particular user to decide if you should pull it out of the db or regenerate it. Here's a flow describing my question:
First time user signs in:
get request token
send user to provider's authentication page
user returns to callback url with oauth token and oauth verifier
get access token
save access token/user_id/screen_name on db for future use
User returns 10 minutes later:
access token is still in server session vars if user didn't log out. else, repeat process.
User returns 1 month later:
get request token
send user to provider's authentication page
user returns to callback url with oauth token and oauth verifier
( at this point I only have oauth tokens, how can I know if the user has previously logged in with twitter and pull their access token from db? )
if it is the user's first loggin, generate access token.
The main workflow for oAuth is clear, however it is not clear how to handle returning users and which data should be stored or not.
A million thanks!
You should not regenerate token for each access. Generate it only when it's expired. I've build twitter application using OAuth. Here my flow:
when user login, I will check if they have token in DB
1.1. If it's not exists, authenticate them and then store and use the resulting token
1.2. If it's exists, use it.
1.2.1. If twitter doesn't complain, then the token still valid, use it.
1.2.2. If twitter complained, then the token is expired. Return to 1.1.
1.2.3. If after x retry twitter still complained. Something wrong, notify admin!
Here's the graphical explanation:
The only thing I believe is missing here, is generate a random (long and unguessable) user id first time the user joins the system, and store it forever. this way you can tell who's taking the actions