I'm trying to implement a transient oAuth authentication for a web app I'm creating. Essentially, the user needs to login with the Service each time they visit my web app. Primarily it's to enable using the web app without me having to store any of the user's authentication data. I'm trying to use the Tumblr API.
My platform of choice is PHP. However I've never really worked with oAuth before and and am still learning. The following scenario illustrates what I'm trying to achieve:
The scenario assumes that:
The user has already authorized my application in their Tumblr account.
Using my Tumblr Consumer Key, Tumblr Consumer Secret, I call to get request_token, which I later display to the user via a link.
Now on clicking the link above, I expect Tumblr to NOT to ask user to allow the app again (authorize in their account) and simply redirect user back and returning some info that will allow me to distinguish the user. There is no $_SESSION as user is trying login to the website using Tumblr
Is this even possible? If yes, can you help me figure out how to get this done?
Ps. I'm a complete oAuth Noob so please be gentle :)
If you are trying to use Tumblr in a way similar to Facebook Connect, Tumblr does not offer this feature at the moment. ie: you can not use Tumblr to log into your site.
Tumblr's OAuth implementation will allow you to have the user allow access for your app to the users account indefinitely. Which means that your app will always be able to access the users account, whether they are logged into your site or not. They will still have to log into your site each time they want to access your app.
Here is a solid guide to OAuth. Tumblr uses OAuth 1.0 :
http://hueniverse.com/oauth/
Related
I am creating an application which aims at automatically creating Spotify Playlists in a central Spotify account (not the account of the end users).
I have set up this account and created the developer app for the secret and the client_id.
On the backend side, I am using PHP to authorize this central user, and it is working as long as I am logged in myself with that account.
Users that visit my website should be able to create playlists via that interface through the Spotify Web API without the need to authorize their account nor being logged in at all.
If I'm trying to open the same page on a separate device (without having any account logged in), it just gives me the following error:
User not registered in the Developer Dashboard
Is it somehow possible to perform this authorization process only on the backend side without the need for the user to authorize it?
Eventually, I want to send the playlist URL created in the central Spotify Account to the user who can open it in their own app or share with others, if they want to.
I try to avoid that multiple users must authorize for my app, since I don't need to access personal information from their account, anyways.
I used the 3-step process for authorization as described in this Stackoverflow Post: Spotify oauth2 with PHP curl. How to get authorization code?
If necessary, I will provide more information.
Do you have any idea, how I can implement this authorization process for the single account on the backend side, without the user even showing any authorization process of the Spotify Web API at all?
EDIT1: I am not trying to login on the behalf of my users, just automatically for my own account without the interactive login with Spotify. Is that even possible?
I received valuable feedback from the Spotify Developer Community that helped me finding a solution to the problem.
When you let the central Spotify account login to your app, you'll [get] an access_token (that will expire in 1 hour) and a refresh_token.
When the access_token of that account expires, let your server send a POST request to the Accounts service /api/token endpoint, but use the refresh_token in place of the access_token.
A new access_token will be returned.
A new refresh_token might be returned too. (I don't think that's even needed)
You can read more about it here.
I am working on my first wordpress plugin and posting to facebook. I have been looking for the last few days for ways to authenticate with facebook. I have found numerous sites that use the method of having the user create an App and then input the AppID and App Secret. However, I have used plugins before that use Oauth (I think) as it opens a pop up and the user basically logs into facebook and then says this app (your wordpress site) wants to control things.
Does anyone know of any resources for authenticating with Facebook without the user having to go through the trouble of creating apps?
Examples I have found but they require APPid and App Secrets.
http://www.sanwebe.com/2012/02/post-to-facebook-page-wall-using-php-graph http://www.pontikis.net/blog/auto_post_on_facebook_with_php
My anticipation is that they set up a website and create a single app for that. Then the plugin calls that website, gets the access token, and sends it back?
The wordpress documentation is quite confusing to me.
Creating an app takes about 5min, so I don't really see an obstacle here.
IMHO there's no other way than either
Using an app with FB Login to obtain the permission to post on a user's/page's behalf, or,
Getting an access token via the Graph Explorer and use this for your plugin
Please be aware that user access tokens expire after max. 60 days.
I've seen this in other apps, so I know it's possible.
I would like to use the native facebook system to offer as a first method of authentication. The benefit of course is that most users are already logged into their facebook account on their phones, so they merely have to allow my app access and they're logged in... plus it's fairly portable to ios.
I understand how authenticate to facebook for the purpose of posting messages on user's wall and so forth, but I can't figure out how to use this authentication as a means of login on the http server.
Does anyone know of any write-ups on this?
I am developing an API using Codeigniter and Phils RESTserver.
I need to have authentication working with oAuth but I cannot find a library
that works with both Codeigniter and MongoDB.
Is it simple to create the oAuth process myself? I know it is hard to answer
not knowing my level of expertise.
This is my understanding of the oAuth process.
User clicks on link and are redirected to the servers login form.
User will be asked to authorize the developers app.
If he does authorize it he is redirected back to the developers website.
On this website the code that he got from step 3 will be exchanged for an access token.
Developers app will now be able to access the users account on the server.
I know there are parameters to be sent along with the requests like client_id and client_secret and redirect URL. But my question is. Is it this easy to implement an oAuth server? Just create the classes and functions? What else are the requirements to
be able to call the process a true oAuth authentication?
Thankful for all input!
Have you had a play with this?
https://github.com/alexbilbie/CodeIgniter-OAuth-2.0-Server
Alex has also written a Mongo library, so if his server doesn't support Mongo out of the box then just have a play with that. Just because your API is in Mongo though doesn't mean the api keys, tokens, etc HAVE to be in Mongo too, but they easily can be.
I'm writing an iPhone app which works against my own server.
Basically, it's a forum where users can post. I don't want users to sign-in for an account on my server but I rather prefer them to login using any existing account they have: Facebook, Linkedin, Foursquare, etc.
So from the app itself, I want them to be able to login using their existing account which will then allow them to post on the forum.
My question is that: when a user is posting a message, how can I verify whether or not he is logged in with any service? I need to validate it both on the client and server side. I plan on writing the server side using PHP.
Thanks
See this question for a similar discussion (just limited to Facebook sign on). Here's a high-level overview of what should happen (taken from that discussion I linked to):
User opens the app on the phone. Chooses a service with which to authenticate.
Authenticates via one the available services (Facebook, Twitter, foursquare, etc.) and gets some special access token.
Your app takes the token and sends it to your server.
Your server receives the token and validates it. It checks it against the service's API and (at least for Facebook and Twitter) get the corresponding user ID.
Assuming a valid ID, your server checks if user ID has already been used by some user. If so, it logs them in. If the user ID hasn't been created, your server creates its own user record associated with that user ID and logs the user in. In either case, the user ends up logged in and your server issues a session key to your app.
The session key is used for all further communication between your app and your server until the user logs out.
On the phone, you're going to want some OAuth library to allow users to authenticate with another service. You'll probably want to use the Facebook iOS SDK to allow them to use Facebook and use one of the suggested OAuth libraries here for your other authentication services. I have only used the Facebook SDK, so I can't speak as to the general OAuth libraries.
Once logged in, the phone should not store the access token, only the session key.
Assuming that users can use more than one service to access their account, you will also want some way of connecting two services to the same user (probably by email address).
It's up to you to decide how your app and your server communicate. I'd go for a JSON+REST API for communications with the server.
Another option to get your users to login using multiple services is Socialize (www.getsocialize.com). It's an open source SDK that manages your users and authentication so you don't have to implement all the steps that cbrauchli has outlined above.
I was exploring if better/easy to use/implement options exist in 2020 using third party libraries to allow login with social accounts. And found two options:
AuthorizeMe - https://github.com/rubygarage/authorize-me & https://rubygarage.org/blog/authorizeme-ios-libary
Auth0 - https://auth0.com/learn/social-login/ & https://auth0.com/blog/using-centralized-login-to-add-authentication-to-your-ios-apps/
AuthorizeMe supports:
Facebook
Twitter
Google
Instagram
LinkedIn
plus custom providers
Auth0 supports:
Facebook
Twitter
Google
Microsoft (Windows Live)
Yahoo
Instagram
Amazon
LinkedIn
Github
PayPal
vKontakte
Yandex
Box
Baidu
Ren Ren (Xiaonei)
Weibo
Shopify
Wordpress
Yammer
SoundCloud
and custom providers as well
Disclaimer: I am not affiliated with Auth0 or AuthorizeMe.