I have been trying to connect to the Salesforce REST API but am not having very much luck.
The Salesforce REST API Quick Start Guide states that an HTTPS callback url is required, but then in the example they use https://localhost:8443/RestTest/oauth/_callback as the callback url.
I tried connecting on my testing server (HTTP) using this php Salesforce REST API example, but Salesforce seems to have had a fit and entered a redirect loop.
Is it possible to connect to the Salesforce REST API if I do not have an SSL Certificate, and if so, how might I go about doing so? For the record, my application is written in PHP, not Java like most of the official examples are.
For localhost it accepts http, and you should use https for other than localhost.
But the redirect URI in the request and the callback url in the connected app should get matched.
You can use http://localhost:8080/<any_page_in_ur_project> in both connected app and in request.
I've never used the Salesforce REST API, but I have read the page you linked to.
The OAuth callback URL must be HTTPS. You seem to have discovered this yourself, both in the documentation:
It must be secure: http:// does not work, only https://
...and the example:
#WebInitParam(name = "redirectUri", value =
"https://localhost:8443/RestTest/oauth/_callback")
As for your other question:
Is it possible to connect to the Salesforce REST API if I do not have an SSL Certificate, and if so, how might I go about doing so?
Presumably by the second method, as alluded to in the first sentence on the page you linked to:
You can set up authorization using OAuth 2.0 or by passing a session ID.
...
Session ID Authorization
You can use a session ID instead of an OAuth 2.0 access token if you aren't handling someone else's password:
Obtain a session ID, for example, a SOAP Web services API login() call returns the session ID. You may also have the session ID, for example as part of the Apex current context.
Use the session ID when you send a request to the resource. Substitute the ID for the token value.
So provided you aren't handling some else's password (whatever that means), you can use login() to get a Session ID and communicate with the web service from there.
Related
I'm trying to use PHP/cURL to connect to a private GitHub repo I created and pull down files from that repo.
I fundamentally understand how to make cURL requests in PHP, how to send over headers in the request, etc. I'm also fine with the basic structure of the GitHub API for grabbing files, etc. For example, I understand the basic request structure for the following API page:
https://developer.github.com/v3/repos/contents/
However, where I'm struggling is with things like the authentication outlined on the following page:
https://developer.github.com/v3/#authentication
How do I get an Oauth 2 token? There's no real explanation on the page or any of the related documentation.
Also, I'm assuming that I probably need some special kind of key (maybe it's the token) to prove that I have authorized access to the private repo I'm trying to access, but I'm not sure what to do for that either.
If I can get the token (and possibly the API key for the private repo as well), then I think I can make the requests and do what I need to do, but the token generation/usage process is very unclear.
Can someone please provide some guidance on how to approach this?
Thank you.
Edit/Answer:
Thanks again to Adolfo Eloy in explaining how to do this.
Based on his advice, I ended up going to my profile settings, clicking on Developer settings, Personal access tokens, Generate new token, and then clicking the top checkbox for repo to get full rights to the private repos.
After doing that, I copied the generated access key and pasted it into Postman as follows:
I added a new header with the key Authorization and a value of token generated-token-string.
I then made a request to the following URL:
https://api.github.com/repos/user-name/repo-name
From there, I was able to use the GitHub API (https://developer.github.com/v3/) to get what I needed.
Hopefully this will help anyone else stuck in the same situation.
First of all you need to visit GitHub developers so you can register an OAuth2 application. Then you have to fill the registering form with your app info such as the name and the url of your application. The most important field now is the Authorization callback URL. This URL will be used by GitHub to redirect you (or the user of your application) to your previously registered application.
After filling all the fields, click on Register Application and GitHub will provide client credentials which will be the client_id and client_secret values.
Copy these credentials to assemble an Authorization URL to start requesting for an access token. Take a look at the authorization URL that I have built below (in my case I am using a client_id identified by daaaaaa75d1c77526e9 - and of course I think this client ID does not exists).
https://github.com/login/oauth/authorize?client_id=daaaaaa75d1c77526e9
&scope=gist&state=xdfads2342&allow_signup=false
&redirect_uri=http://localhost:8080/callback
The parameters sent are detailed as follows:
client_id: the id of your registered application
scope: the permission you are requesting for GitHub (GitHub provides all available scopes for you at Available scopes)
state: a randomly generated number that you have to use in your application to avoid CSRF Attack (to better understand why you can read the OAuth 2.0 specification - RFC 6749)
allow_signup: better explained at GitHub docs
redirect_uri: the URI of your application to receive the authorization code that may be provided in case the use authorizes the usage of his resources.
If the authorization phase runs successfuly, then the following URL might appear on your web browser (with different values for code and state):
http://localhost:8080/callback?code=24234324324234&state=xdfads2342
Now, all you have to do is to request an access token by sending a POST request to /login/oauth/access_token endpoint using a cURL tool as presented bellow:
curl -X POST "https://github.com/login/oauth/access_token"
-d "client_id=daaaaaa75d1c77526e9&client_secret=blablablabla
&code=24234324324234&state=xdfads2342
&redirect_uri=http://localhost:8080/callback"
Then you should receive the following result on your terminal (with a different access token of course):
access_token=23424234234324324lkj23l4kj32&scope=gist&token_type=bearer
Now, to use this access token you have to declare the http header as follows:
curl -H "Authorization: Bearer 23424234234324324lkj23l4kj32" "http://api.github.com/gists/public"
I'm working in an SPA (single page app), witch my idea is to deploy it in app.mydomain.com, and the thing is when a make a request to the API (CakePHP3 in mydomain.com) I cannot get data from authenticated user (if there is one).
I think I have two options, share session between domains, or use an user_token to make an authenticated call, but i'm not sure how it's works.
Any ideas / recomendations?
Regards!
I would recommend to use an "user_token". You could add an authentication endpoint to your API where the user sends the credentials and the endpoint returns an JWT. Then you should include this JWT in every subsequently request to your API (in the Authorization header). The API can then validate the request based on the JWT. In PHP there are already some good libraries to create and validate an JWT. If you have the time you should also take a look at OAuth2.
I'm working with the Instagram API.
I registered an application and get my clientId et clientSecret. I didn't disabled the implicit OAuth.
For the authentication, I use this URL :
https://instagram.com/oauth/authorize/?client_id=CLIENTID&redirect_uri=URL&response_type=token
Then, it redirects to my URL with the access_token in parameter.
In PHP, how can I retrieve the access token from the first url?
I tried with curl function. But I can obtain the final redirection which is :
URI?access_token=ACCESS_TOKEN
When using the Implicit grant the Authorization Server (Instagram) will deliver the token on the redirect URI in the fragment part of the URL ("#"). This flow is meant for in-browser Javascript clients and not for server side PHP. In fact the browser will strip off the fragment portion from the URL before calling the server so the PHP code will never see the access token.
You may use the Authorization Code grant that is meant for web server clients like PHP, so response_type=code.
I am building an API using Zend Soap and there has to be some sort of authentication to actually use the API. Also I don't want the user credentials to be sent over the net each time a request is done.
Is it ok to do an post-authentication by using sessionids & something like this:
User authenticates himself once via SOAP and gets his serverside session id in return.
After that the User has to send his sessionid within the SOAP Header each time he requests something.
When I get an header containing a sessionid, I check the id against my sessionid_db and perform the request if everything seems alright.
Look into oauth? zend_oauth
I've been trying for a while to use Oauth to connect to the GetGlue API, with no success what so ever.
I've downloaded every library I can find (like oauth-php) and tried every example I could find on the internet. There MUST be an example for an Oauth connection to the GetGlue API somewhere, but I cant seem to find it. Anyone have any experience with this. Maybe some samplecode even?
Note: All I need is a single request for my own account. I've tried to stay clear of DB sollutions because it's not at all neccesary since it's just going to be my account that has data to be saved.
GetGlue is switching/has switched to OAuth 2.0 for authentication. You might be more successful with it. The authentication flow follows RFC 6749 closely.
Once you registered your app on their OAuth 2.0 portal and obtained a client id and secret, do something along the lines of:
Load the authorize URL to let the user authorize your app:
// remove the line breaks!
https://api.getglue.com/oauth2/authorize?response_type=code
&scope=public+read+write
&redirect_uri=http://localhost
&client_id=<your OAuth client id>
Once the user has authorized your app, GetGlue will redirect to the given redirect_uri with a code query parameter you have to intercept, e.g.
http://localhost&code=<auth code>
Pass that code to the token endpoint to get an access token to append as a query parameter when accessing the v3 API:
// get tokens
https://api.getglue.com/oauth2/access_token?client_secret=<OAuth client secret>&grant_type=authorization_code&redirect_uri=ttp://localhost&code=<auth code>&client_id=<OAuth client id>
If successful this will return some JSON. Be aware that they redirect from HTTPS to HTTP there. Some HTTP clients refuse to do this.
{
"token_type":"Bearer",
"access_token":"<an access token>",
"scope":"public read write",
"expires_in":5184000, // in seconds from now
"refresh_token":"<a refresh token>"
}
Pass the access_token as a query parameter when making API calls. If the access_token has expired, call the token endpoint with the refresh_token as auth code to get a new one. If that fails, you have to make the user authorize your app again.
There is also a Java library (getglue-java) for the new API now.
For GetGlue, you have send email to obtain the Consumer Key and Secret and thus, if you have the both then I can easily help you. I will provide you all the details to do..