Facebook oAuth requires your secret key? I thought you weren't supposed to share that. Am I using the wrong secret key?
Your secret key is a shared secret between you and Facebook. Thus you can send it over secure channels (such as SSL)
Are you talking about when your program requests an access token? If so, you need to supply the secret you're going to be using so it can be known by Facebook and associated with the access token they're issuing to you. Once you have your access token, you shouldn't have to send your secret to Facebook anymore...just use it to hash your API requests.
The api keys reside in php and you are not supposed to print them anywhere. Just use them to initialize the php facebook api. Here is tutorial i have written to write Facebook apps.
http://www.dreamincode.net/forums/topic/153919-facebook-php-api-and-xfbml-on-iframe/
The answer is, it depends. My understanding is that you are asking about the client_secret or app_secret.
If you are doing server side connection to Facebook, then you use the client_secret. This is the authorization grant type of the oauth protocol.
If you are doing client side connection to Facebook, you don't want to include the client_secret as your code can be decompiled and others can access it, and start interacting with facebook using your credentials. In this instance, you are using the implicit grant type of the oauth protocol. Facebook does not require the client secret in this instance, and in fact, their security page checklist says never to include the client secret:
https://developers.facebook.com/docs/facebook-login/security#checklist
The best (opinion) run down on oauth from a conceptual perspective (rather than nitty gritty code) that I've found is here:
https://stormpath.com/blog/what-the-heck-is-oauth
(I have no association, just like this page).
Hope this helps, D
Related
I need to find a way to authorize an android client with a wordpress API at runtime using OAuth, without hard-coding the client key and client secret.
I added a new application in wordpress and generated a client key and client secret. In addition to that, I installed the "Wordpress REST API - OAuth1.0a Server" Plugin.
As for now, the client key and secret is hard-coded inside of my android project. I successfully authorized my android client with these credentials using OAuth1.0a and can make requests to the API.
However, multiple android clients should be able to connect to different wordpress API's.
After the app is build only once, a client should have the ability to get the client key and secret for a specific Wordpress site to initiate an OAuth authorization.
Therefore, the client key and secret need to be specified somehow during the initial setup process at runtime.
Is there a better to do this, other than manually typing in the client key and secret?
I really feel like I'm overlooking something quite obvious, but couldn't find the answer yet.
Thanks in advance!
I am trying to setup API authentication for APIs that I have created using PHP. My website, (Client) has been created using React. I have been researching and I cannot find anything that explains what I need to know. One of the main resources I am using is the PHP documentation:
https://www.php.net/manual/en/book.oauth.php
The things I am struggling with is the generating of the tokens, what information do I use in the creation of tokens? How do I setup my APIs to be classed as a protected resource?
From the understanding that I have about oauth, The client will send a request to the server for a request token. Once it has the request token, in the callback, it will request an access token using the request token. The access token will then be used to request access to the API. Does that sound right?
Any help would be greatly appreciated.
Oauth is pretty complex to implement, and is mostly used in situations where 3rd parties need to authenticate you users in their own code, or where there are complex authentication requirements.
Your case seems to be pretty simple, have you considered just using session/cookie based authentication, or using tokens generated on the server side?
I created a web application which will show all private videos of only one account.
Now I have to authenticate the account to get list videos. I saw 2 ways to authenticate by ClientLogin and Oauth. Which ClientLogin is deprecated and don't know how to use Oauth to authenticate the default account on server.
I have client_id and client_secret for my app.
I try this example but not working and i don't know what in $get['code'] and how can I put username and password of this account when using OAuth not ClientLogin.
It's pretty simple.
You can follow the steps at How do I authorise an app (web or installed) without user intervention? (canonical ?) to get a Refresh Token. At Step 8, choose the YouTube API instead of Drive API. Try to choose the most restrictive scope, eg. readonly. You can embed the Refresh Token (securely!!!!) in your app and then use it at any time to generate an Access Token. Thus the stored Refresh Token behaves like a username/password with restricted permissions.
Ask you have stated clientLogin is shut down you can not access any Google api using Login and Password. Your application needs to be authenticated
The thing you need to know about the YouTube API is that it does not support service accounts. You will have to use Oauth2. I am not a PHP developer but I have done this previously in C#. What you want to do is possible just a little tricky.
First off as I said you need to use Oauth2. I am hoping that this example is reasonably up to date if not the one for Google analytics is you may have to compare them a little.
Your script will need to be authenticated once using Oauth2. Then by requesting
$client->setAccessType("offline");
you will receive a refresh token. You will then be able to use this refresh token in your script on the server at anytime to request a new access token and access YouTube for that channel.
i am writing an iphone app that would need to communicate with our servers. on the server side, im am writing an api in php that the app would talk to. What is the best way to authenticate the apps and basically restrict access to the apps and shut everyone else out?
I need a way of recognizing that an incoming request to the api is a legitimate request from our api.
What other security concerns should i keep in mind and calculate for?
any design suggestions?
i am currently looking into what oauth can do for me here!
I think you don't need oauth because it will only help you when you need authentication involving three parties. Example: your application authenticating a Fecebook user (three parties here: you, Facebook user and Facebook).
I would make sure you use this:
HTTPS (never send password or sensitive data over plain HTTP)
A login.php script that will authenticate your user, and upon valid authentication will generate an access_token for your mobile user.
Each restricted service you provide with PHP will ask for a valid access_token as a parameter to execute.
Make sure your access_token expires after certain time or conditions you might impose.
Look at the big companies? Google uses an API key for all their public APIs so they can track behavior and block if they expect abuse.
Since your API is probably not public you might need more security but then you'd probably need to encrypt all communication :<
Twitter'll phase out HTTP basic authentication by August 2010. In the link my scenarios are from Desktop Applications. Basically my client should tweet new posts on a website.
This would be incredibly simple with HTTP basic auth, because I can store and use my account's username and password in the app to authenticate.
However, with OAUTH I can get final credentials by two means:
Callback method. You are redirected to Twitter, (login if isn't), click allow access, get redirection back to your callback URL.
PIN mode. You get a link to open, (login if isn't), click allow access, receive PIN code. Use this PIN code to authenticate your app.
Do I understand correctly that PIN codes also expire? How is it possible, given a username and password just to tweet from a client application? How can a server side script log in with the username/password and click allow access? All scenarios I could google up are for a web application to authenticate via twitter where the user is in front of the browser to walk through the redirect.
All scenarios I could google up are for a web application to authenticate via twitter where the user is in front of the browser to walk through the redirect.
The user has to be there to authorise you the first time (just as they'd have to provide you a username and password), but the resulting access token does not expire and can be reused (unless the user deauthorises your application, that is).
Store the access token - it's as good as a username/password. Better, actually - if they change their password, your access remains.
The PIN does expire under OAuth 1.0a. Using the verification code returned requires use of the temporary request token in the initial authorization request.
OAuth 2.0 defines more flows - one of which uses a direct login/password mechanism. It's up to Twitter to determine which flows they decide to implement. You can also embed a user-agent in the app.
Desktop apps suffered from a really bad user-experience with OAuth 1.0 which led to 2.0. It's doable, but painful. You can request XAuth access if you need to from Twitter as well. It's almost the same as basic auth.