Auto Authorize Twitter Web App - php

I am using OAuth to create a way for users of our website to log in
using their Twitter account. However, it's quite annoying that
every time they click to sign in with their Twitter account they have
to grant access each and every time.
Couldn't it work so that if it has been granted once they don't have
to keep granting access, therefore removing a step? I'm using the
steps found in:
http://net.tutsplus.com/tutorials/php/how-to-authenticate-users-with-twitter-oauth/
Thanks for any feedback!

I found the answer after talking to some developers on the twitterapi IRC channel.
Basically I was going to https://twitter.com/oauth/authorize with all my OAuth parameters; what I needed to do was go to https://twitter.com/oauth/authenticate instead. That then gives permanent authorization.

When the user connects, you receive an access token and a token secret, which are used every time you ask anything of the Twitter API.
If you want your users to stay connected to Twitter, you only have to save those two tokens in your database. (They are user specific; don't use one token for every user.)
When you know these tokens, you don't need to ask the user to grant access; you can directly use them to call the API.
If a user removes rights for your application, you won't be able to use his tokens any more, and you will have to ask him to grant access again.

You need to store the token / token secret you get in a database or other long-term storage method. Then you pass it into the object that does the OAuth authentication so you don't have to keep asking your user. With PHP you can store them in a MySQL or similar database and load them into $_SESSION when the user logs in to pass the values.
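Putting the three answers above (and the sign-in question at the end of this page) into code: this is an added example, not code from the linked tutorial or from any of the answerers. It persists each user's Twitter OAuth 1.0a access token and token secret keyed by their Twitter user id, and on a later visit signs a request with the stored pair (HMAC-SHA1 per RFC 5849) instead of sending the user back through the grant screen. A 401 from the API is treated as "the user revoked the app", so the stored row is dropped and the user is sent through /oauth/authenticate again. Assumptions: a PDO connection to MySQL, the `twitter_accounts` table in the comments (constructed for this example), Twitter's v1.1 `account/verify_credentials.json` endpoint, and a consumer key/secret from your app settings; function names are mine.

```php
<?php
declare(strict_types=1);

// Assumed table (constructed for this example):
//   CREATE TABLE twitter_accounts (
//     twitter_user_id    VARCHAR(32)  PRIMARY KEY,
//     screen_name        VARCHAR(64)  NOT NULL,
//     oauth_token        VARCHAR(255) NOT NULL,
//     oauth_token_secret VARCHAR(255) NOT NULL,
//     updated_at         DATETIME     NOT NULL);

// Build an OAuth 1.0a Authorization header (RFC 5849, HMAC-SHA1).
function oauth1Header(string $method, string $url, array $params,
                      string $consumerKey, string $consumerSecret,
                      string $token, string $tokenSecret): string
{
    $oauth = [
        'oauth_consumer_key'     => $consumerKey,
        'oauth_nonce'            => bin2hex(random_bytes(16)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_token'            => $token,
        'oauth_version'          => '1.0',
    ];
    // Percent-encode every key and value, then sort by key (RFC 5849 section 3.4.1.3.2).
    $encoded = [];
    foreach ($params + $oauth as $k => $v) {
        $encoded[rawurlencode((string) $k)] = rawurlencode((string) $v);
    }
    ksort($encoded, SORT_STRING);
    $pairs = [];
    foreach ($encoded as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
    // Signing key = consumer secret & token secret. The token secret is what makes
    // the stored row sensitive; it never leaves the server or goes into $_SESSION.
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $key, true));
    $parts = [];
    foreach ($oauth as $k => $v) {
        $parts[] = rawurlencode($k) . '="' . rawurlencode($v) . '"';
    }
    return 'OAuth ' . implode(', ', $parts);
}

// Called once, right after oauth/access_token has been exchanged for an access token.
// $accessTokenResponse is that response body, e.g.
// "oauth_token=...&oauth_token_secret=...&user_id=123&screen_name=alice".
function onTwitterLogin(PDO $db, string $accessTokenResponse): string
{
    parse_str($accessTokenResponse, $r);
    foreach (['oauth_token', 'oauth_token_secret', 'user_id', 'screen_name'] as $field) {
        if (empty($r[$field])) {
            throw new RuntimeException("access token response missing $field");
        }
    }
    // Upsert: a returning user who re-granted gets the new pair, no duplicate rows.
    $db->prepare(
        'INSERT INTO twitter_accounts (twitter_user_id, screen_name, oauth_token, oauth_token_secret, updated_at)
         VALUES (:id, :name, :tok, :sec, NOW())
         ON DUPLICATE KEY UPDATE screen_name = VALUES(screen_name), oauth_token = VALUES(oauth_token),
                                 oauth_token_secret = VALUES(oauth_token_secret), updated_at = NOW()'
    )->execute([':id' => $r['user_id'], ':name' => $r['screen_name'],
                ':tok' => $r['oauth_token'], ':sec' => $r['oauth_token_secret']]);
    // New session id on login (session fixation); only the id goes into the session.
    session_regenerate_id(true);
    $_SESSION['twitter_user_id'] = $r['user_id'];
    return $r['user_id'];
}

// On a later visit: load the stored pair for the id held in the session and call the
// API directly. 401 means the user revoked the app or the tokens were replaced, so
// forget the row; the caller then redirects to /oauth/authenticate again.
function verifyReturningUser(PDO $db, string $twitterUserId,
                             string $consumerKey, string $consumerSecret): ?array
{
    $st = $db->prepare('SELECT oauth_token, oauth_token_secret FROM twitter_accounts WHERE twitter_user_id = :id');
    $st->execute([':id' => $twitterUserId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $url = 'https://api.twitter.com/1.1/account/verify_credentials.json';
    $header = oauth1Header('GET', $url, [], $consumerKey, $consumerSecret,
                           $row['oauth_token'], $row['oauth_token_secret']);
    $ch = curl_init($url);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true,
                            CURLOPT_HTTPHEADER     => ['Authorization: ' . $header]]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status === 401) {
        $db->prepare('DELETE FROM twitter_accounts WHERE twitter_user_id = :id')->execute([':id' => $twitterUserId]);
        return null;
    }
    return ($status === 200 && is_string($body)) ? json_decode($body, true) : null;
}
```

Usage: call `onTwitterLogin()` from the callback script once, then on every later request that needs Twitter, call `verifyReturningUser($db, $_SESSION['twitter_user_id'], $key, $secret)` and only redirect to /oauth/authenticate when it returns null. Keeping the secret in the table rather than in `$_SESSION` means a leaked session file or cookie store does not hand out the signing key.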

Related

What is the difference between Authorization and Authentication in Google Analytics API?

I am still getting confused in understanding the concepts of authorization and authentication in the Google Analytics API.
I created a new project in the Google Developers Console and enabled the Google Analytics API. But why are they asking for these two things in the API & Auth section?
Can anyone give me a real-life example which gives a clear-cut idea about these two things?
Authentication is the process of identifying yourself. When you log in to a service, you authenticate yourself by using some credentials. These credentials are usually a pair of username and password. If the provided credentials are correct then we can say that you have successfully authenticated yourself. But it doesn't mean you can do anything on the system. For example, maybe your account has been banned or you don't have permission to access the resource.
Authorization is the process of checking if you have the right to do something. To do this, first you have to authenticate yourself, because without knowing who you are it is not possible for someone to check if you have the right to do something or not.
Just imagine an invite-only party. When you arrive, at the door a big guy asks your name. You will say that you're Akilsree1, so you have authenticated yourself. Then the guy will check if your name is on the list of invited people or not, so he will authorize you to enter the party, or maybe he will say that you cannot enter because you're not on the list (you do not have permission).
Edit:
In the case of the Google Analytics API things are a little bit trickier.
Basically this is what is happening:
When you use their API in your app, the user will be redirected to Google to log in (user authentication).
Then when your app tries to do something on behalf of the user, he/she will be asked by Google to give permission to your app to do so (authorization).
After that your app will receive a token which can be used by the app to authenticate itself when it uses the API to do that specific thing (app authentication).
You can find more details here.
Authentication meaning recognizing the subject identity. Like, does it exist in the DB?
Authorization meaning granting access to a resource. Like, can this user/role access X page.
In simple language, if you want to understand:
Authorization is the level of access rights that a user has, i.e. the
amount of information which he is authorized to access. Example: the
data that a normal user can see in a system will be quite different
from the data that an admin user will be able to view and manipulate.
This difference is achieved by means of authorization.
Authentication simply means the submission of valid tokens (i.e.
username and password in most cases) which are recognized by the system
and by which the system will grant access to a particular user.
The Google Analytics API requires an authorization token for every request sent to it, and OAuth 2.0 is the protocol used.
Hope this helps!
Good luck!

Is it possible to register and log in my users with the Soundcloud API as opposed to just connecting to it?

Basically, I'd like my users to be able to register and log into my site using their Soundcloud accounts (much like Google or Facebook).
But I'm following the login flow from their docs (http://developers.soundcloud.com/docs#authentication), and I understand how to redirect them to the Soundcloud connect screen to authorize my app. And from that, I get a code that I can exchange for an access token. But after that the docs state this:
You should now store the access token in a database. Associate it with
the user it belongs to and use it from now on instead of sending the
user through the authorization flow.
So they're assuming that I already have registered users who then connect to Soundcloud through some other function of my app. But what I want is for them to be able to create their account from their Soundcloud user info. I think this is initially possible, but when they return to log in again, I need that access token to identify them. But I can't get that access token without sending them through the auth flow again.
I'm guessing what I want to do can't be done, but it's also possible I'm overlooking something. Any help would be appreciated!
I've done this with the IMGUR OAuth2 API. After you get the access token, make a new request to their /me endpoint. This way, you'll have the SoundCloud id for that particular user. Now you can check if you already saved this user in your database. If you have, just save the new token to make sure this user has granted your app access to their SoundCloud. I'm not sure if I was clear enough. Let me know if you need any further help.
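The find-or-create step the answer describes, as an added example (mine, not the answerer's code and not from the SoundCloud docs): given the access token your server got from the code exchange, ask the provider's /me endpoint who it belongs to, then look up or register a local user keyed by (provider, provider user id) and store the token against that row. Assumptions: PDO on MySQL, the two tables in the comments (constructed), the `Authorization: OAuth <token>` header form and the `id`/`username` fields in the /me reply, and the function names.

```php
<?php
declare(strict_types=1);

// Assumed tables (constructed for this example):
//   users(user_id INT AUTO_INCREMENT PRIMARY KEY, display_name VARCHAR(64));
//   external_logins(provider VARCHAR(32), provider_user_id VARCHAR(64),
//                   user_id INT NOT NULL, access_token VARCHAR(255) NOT NULL,
//                   PRIMARY KEY (provider, provider_user_id));

// Ask the provider who the token belongs to. /me is the endpoint the answer names;
// the header form and the reply's field names are assumptions.
function fetchSoundCloudIdentity(string $accessToken): ?array
{
    $ch = curl_init('https://api.soundcloud.com/me');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: OAuth ' . $accessToken, 'Accept: application/json'],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status !== 200 || !is_string($body)) {
        return null;
    }
    $me = json_decode($body, true);
    // The provider's numeric id is the stable identity; usernames can be changed.
    return isset($me['id']) ? ['id' => (string) $me['id'], 'username' => (string) ($me['username'] ?? '')] : null;
}

// Find the local user bound to this provider id, or register one. The token is
// replaced on every login, so a user who revoked and re-granted keeps working.
function findOrCreateUser(PDO $db, string $provider, array $identity, string $accessToken): int
{
    $db->beginTransaction();
    try {
        $st = $db->prepare('SELECT user_id FROM external_logins
                            WHERE provider = :p AND provider_user_id = :pid FOR UPDATE');
        $st->execute([':p' => $provider, ':pid' => $identity['id']]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row !== false) {
            $userId = (int) $row['user_id'];
            $db->prepare('UPDATE external_logins SET access_token = :t
                          WHERE provider = :p AND provider_user_id = :pid')
               ->execute([':t' => $accessToken, ':p' => $provider, ':pid' => $identity['id']]);
        } else {
            $db->prepare('INSERT INTO users (display_name) VALUES (:n)')
               ->execute([':n' => $identity['username']]);
            $userId = (int) $db->lastInsertId();
            $db->prepare('INSERT INTO external_logins (provider, provider_user_id, user_id, access_token)
                          VALUES (:p, :pid, :u, :t)')
               ->execute([':p' => $provider, ':pid' => $identity['id'], ':u' => $userId, ':t' => $accessToken]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $userId;
}

// Login entry point. $accessToken must be the one this server obtained from its own
// code exchange: a token is proof of authorization, not of who is sitting at the
// browser, so it is never accepted from the client side.
function loginWithSoundCloud(PDO $db, string $accessToken): bool
{
    $identity = fetchSoundCloudIdentity($accessToken);
    if ($identity === null) {
        return false;
    }
    $userId = findOrCreateUser($db, 'soundcloud', $identity, $accessToken);
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}
```

The `SELECT ... FOR UPDATE` inside the transaction is what stops two concurrent callbacks for the same new SoundCloud user from creating two local accounts; the composite primary key on `external_logins` is the backstop if it ever happens anyway.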

How to remove/revoke access token from the LinkedIn

I am using the LinkedIn API.
I have done the whole process to retrieve an access token,
but nowhere does it show how to remove/revoke the access token from LinkedIn.
Please help!
Once you store the secret in your DB simply delete it and the access will be revoked.
I believe that if you wish for the user to revoke access to your app, the user must go to LinkedIn and do it, much like Facebook.
As confirmed here: http://developer.linkedin.com/forum/how-really-revoke-apps-oauth-access-token LinkedIn does not have a programmable API for what you want to do.
But before you remove it from the DB you can invalidate the token, which is like an extra step to take, by cURLing https://api.linkedin.com/uas/oauth/invalidateToken with your token, I believe.
Edit
As #Paul corrects, it is actually quite important to invalidate the tokens with LinkedIn. So doing that and then removing from DB is, as he says, the correct way.

Google Analytics API Library

I am looking to see how we can allow a user to connect with their Google Analytics user ID, connect with our app, and let us get the information from their account.
I am looking forward to some articles or any library that's built around the same.
I will be using PHP and MySQL. Do you suggest any other database than MySQL?
You can start with a database to keep things simple, since you are not looking to store too much historical data. The link below should get you started with all the required libraries and documentation.
https://developers.google.com/analytics/devguides/reporting/core/v2/gdataAuthentication
Go for the web-client-based authentication model rather than the service account model.
This will cause the API to redirect your user to the Google authorization page, and your app will be given privileges to the user's account.
Make sure you save the refresh token when it redirects back to your app.
Please note that the refresh token only gets sent the very first time your app asks for permission and not after that.

How Do I Let Users Sign-In Via Twitter without Invalidating Previous OAuth Tokens and Secrets from Previous Visits?

I am trying to better understand the workflow of the Twitter OAuth implementation. Currently, using OAuth to provide the user the ability to log in to my site via Twitter, I can achieve the following:
Authorize my application via their Twitter account
get their OAuth token, OAuth secret, and user id
store their token/secret/id in a MySQL table for future calls.
The part I'm having trouble with is understanding exactly how I can go about re-verifying the user with the saved token/secret/id instead of re-authorizing that user every time they choose to visit my site.
If I'm not mistaken, every time the user visits my site, they request a new token/key which invalidates the previous token/key. How do I allow them to log in again without the need to change these values in my table?
I understand that this could likely be class-specific, but I am looking for more of a step-by-step explanation of the process.
I can solve this easily with $_SESSION vars and cookies, but it seems like there should be a much simpler way.
Use the authenticate API endpoint instead of authorize.
