I am trying to get a list of all Google Apps users of a domain onto a public PHP website (without visitors of the site needing to login or do anything). I have a basic understanding of what needs to happen but can't quite piece it all together. It can't be as hard as it seems to me... could it?
Authentication and Authorization:
I'm pretty sure it needs to use OAuth 2.0 ... but am unsure whether it needs 2 legged or 3 legged. I got another section of the site working with ClientLogin but that won't pull in Google Apps profiles, only user's first and last names (I need the other profile fields). I have set up the API access within the account and have that side of things all set (I believe).
I have found this page, which shows how to construct a URL request to get all Profiles (in every language except PHP of course) but don't understand how to implement this.
http://code.google.com/googleapps/domain/profiles/developers_guide.html
I also tried this example but it just gives me a 401 after I enter the credentials. http://gdatatips.blogspot.com/2008/11/2-legged-oauth-in-php.html
I don't know which frameworks or includes are needed to accomplish this either. I have tried zend, OAuth.php and a whole bunch of other bootstraps... but keep getting lost as to what each is doing.
If someone could help me by outlining:
Which files/framework I need to upload and include as a bootstrap
What variables within those files I need to update with the Google credentials
How I integrate the Google Profiles "Retrieve all Profiles" request with PHP
An ELI5 (explain it like i'm 5) overview would be very much appreciated... I'm sorry for my apparent incompetence, but I have been reading articles for nearly a week and have not gotten anywhere.
Thank you in advance for any help provided.
Good question.
You'll need to implement the Google OAuth 2.0 process as it's described here (experimental?), because someone (you) will need to give your app the initial permissions to access Google Apps API. Steps are:
Register your domain with google (don't remember the link)
Redirect/send browser to an authentication url: https://accounts.google.com/o/oauth2/auth, with the appropriate request params (see the first link). You'll need access_type=offline, your scope would be https://apps-apis.google.com/a/feeds/user/
Get a code back, then exchange for a refresh_token, an access_token, and a value specifying when the access_token will expire. Store these in a database
Whenever you need to make an API call, check if your access_token has expired or not, and refresh when necessary, which is what the refresh_token is for. The refresh_token is valid as long as you don't revoke the access you gave to the app.
OAuth Playground helps a lot. Good luck.
Related
I am looking to display the current song I am listening to on Spotify. There is an endpoint to obtain this here (Spotify Web API Player) which requires authentication through the Spotify web API.
If I have obtained a Client ID and Client Secret from my app settings, which authentication type is suited to my needs?
I've looked here (Spotify Authorization Flows) but from my understanding and confusion, I believe this cannot be done as the request for authentication would be to authenticate the user against my app and display their current song and not mine.
Fundamentally, I'm looking for a way to display my current song without the end user having to request access to my app but instead, the app uses my details.
Thanks in advance.
Arielle from Spotify here.
The Authorization Code Flow is what you're looking for, but you are correct that in a standard implementation users would see their own data (which makes sense - you usually don't want users seeing other users' data)
However, you can set it up such that you're the only one who authenticates and only your data is shown. I actually made an app to show my currently playing track a little while back. Check it out on Glitch here: https://glitch.com/edit/#!/ari-currently-playing
You can simply start editing the project to "remix" it and make your own version!
Hope this helps, let me know if you run into any issues!
I'm working on an web based image search platform that uses Instagram. I've looked over the API and I noticed that there's are no ways to call any of the endpoints without the OAuth authentication. I don't want to make people sign in every time they want to search for something. I would like to make it function as a normal search box would.
I'm wondering if anyone has any suggestions on how to circumvent this problem? I was thinking of automating the authentication of my own account and storing the token... allowing users to search without needing to login. I'm not to sure how to accomplish this.
Any feedback would be greatly appreciated.
Thanks!!
According to the Authentication API documentation you could just use your own token for each request but there are rate limits for a token and you will have to handle token expiration.
The BIG downside, and major security concern, to using your own account for access is that you are essentially giving access to your account when requests are submitted.
For a media call you just use your token
https://api.instagram.com/v1/media/{media-id}?access_token=<YOUR-ACCESS-TOKEN-HERE>
I have a website I'm working on. It enables users to register and post stuffs within the site. Can I get a link to some sort of api that allows people to add their facebook account (once) and then automatically post what they posted on my site on their facebook newsfeed (the sort of thing that happens when you connect your facebook account to your twitter account) .I've searched and can't seem to get exactly what I want
What you want is pretty common and if you searched you clearly didn't do a good job on the search.
Using the Facebook PHP SDK is pretty straight forward. There is a PHP Library available with a demo of the functionality you want. In your case you need to do some stuff more, so I'll explain globally what you should do:
Get the Facebook PHP SDK and load it into your website, determine what scope you need to perform the actions what you are going to do, in your case you need to have access to their timeline which is called the publish_stream scope. In order to get the Facebook PHP SDK working you need to create an app at http://developers.facebook.com
If a user grants access you need to save the authentication token that the user provides and save it in your database for later use. I'm not 100% sure how long they are valid, I think it's maximum of 30 days at the moment, but you have the ability to refresh the toking in the requests you make (correct me if I'm wrong, it's been a while..)
Everytime an action is done using the Facebook API you inject the usertoken in the request, thus performing the "post" action onto their timeline.
What you are looking for is pretty straight forward and easy to find..
So I'm trying to get the latest tweets posted by a user using a PHP script (and caching the results into a text file). I'm using the request https://api.twitter.com/1/statuses/user_timeline.json?count=5&screen_name=google and it's been working fine as a public client, but in order to get better control over my API hit limit I need to authenticate my requests.
I've tried the method shown at https://dev.twitter.com/docs/auth/application-only-auth , but after I successfully connect I get the error "Your credentials do not allow access to this resource" (why ?). So I've tried to use the OAuth method (which looks frighteningly complicated for a hobbyist like me), and downloaded the TwitterOAuth library. But I'm still having trouble connecting ! I put my credentials in the config.php file, but I have no idea where to go from there. The documentation seems to be hinting that I need to manually login to Twitter to authorize the application's connection token... or something. Apparently I need to redirect to some callback URL (what even ?!) and get a short-term connection to enable a long-term connection password which I have to store for later ? What is this madness ?
I was initially under the impression that I could just fetch data from Twitter's RSS feeds but those can't be accessed from scripts for some reason (unlike the Google News RSS feed which fetches just fine). It seems I've gotten myself into something much more complicated than what I signed for. Isn't there an easier (and saner) way of doing this ? Or is nothing decidedly simple ?
I apologize for being such an easily-confused dullard, but my head is spinning.
Thanks !
Edit : after digging around some more I decided to just use PHP curl to fetch the raw page, and then do some Xpath voodoo to get the tweets and the time they were posted at. Of course, this is CPU-intensive, far from stable, and probably not a practice that pleases the folks at Twitter; it also only returns the last 20 tweets (which is thankfully enough for my needs).
However, Cormac Driver's response below about Temboo is certainly a method I'll be investigating next time I need to do something like that.
Temboo provides a simple way of using OAuth to authenticate with Twitter. The process is broken down into two steps:
InitializeOauth. This step returns a Twitter authorization URL that Twitter account holders can visit to grant access to your script.
FinalizeOauth. This step returns the access token that your script will need to make authenticated requests to the Twitter API on behalf of the user.
Full details on how to do this with PHP here: https://www.temboo.com/library/Library/Twitter/OAuth/
You can see an example of how Temboo handles OAuth for Facebook on this page. The PHP source code is provided, and it's almost identical to the code you'll need to do the same thing for Twitter.
(Full disclosure: I work at Temboo)
user signs up for a key and secret from my site, then they can send/receive from my REST server.
Where I need help is when a user interacts with the REST, how can I determine if they are authenticated using THEIR key and secret? Basicly this will be for a social network site app area. I have seen that many social networks have an app area and use REST and OAuth and sometimes OpenSocial but I have looked at those and they are a bit complex for my needs I think. As for authenticating with OAuth, I guess I do not really understand exactly how it works, maybe it is what I am looking for though? I don't need to authenticate the user who views the page that is running the API, I need the owner of the app's server to authenticate to send back and forth with my REST?
Any advice on how to do this the best way? I would like to do it the best method for future growth, so if I could do it like the big boys do (Facebook, myspcae, hi5, bebo) that would be the way to go I think.
when a request is sent it should pass the key in the URL to my server but they should have there Secret somewhere in there script, I am not clear how to make that work with each other?
OAuth is almost certainly the best way to go here. Using OAuth, you can provide authorization to almost any kind of web-based API that you would like (REST is fine, but so is plain ol' XML over HTTP).
There are some Stackoverflow articles on how to get started with OAuth.
I also find Google's implementation worth studying, as it's both well documented, and a very good implementation from which to take inspiration. They also have a very helpful "OAuth Playground" that will walk you through an OAuth request step by step.