I am currently working on a Contact Importer web app (in PHP) so I will be able to grab email addresses from a user's account on Gmail, Yahoo, etc. and use them for my own evil purposes. Just kidding, my web app is very friendly.
I thought I would start with Google. I found they have a fantastic little API called the Google Contacts API which lets a programmer, like myself, access a user's contacts.
After a couple of hours of struggling and throwing shitty code together, I ran into a few roadblocks. My main question is this:
Is there any way that I can have a user provide their username and password for Gmail on my website and have my code retrieve the contacts without that nasty redirection to a Google login page? It kind of ruins the whole flow of my web app.
I've looked into AuthSub, and gotten that to work, but of course the catch is that you have to redirect the user to obtain the access token. It looks like OAuth will have this same catch.
The one ray of hope I have is the ClientLogin method of authentication. Again, there is a catch, sometimes Google throws you a CAPTCHA instead of the auth token. Again, the user flow is ruined.
I've noticed that our good ol' friends over at Twitter have it working just fine. Does anyone know how they do it?
Thanks!
I think you've identified a feature, not a bug. The whole point of OAuth is to prevent users from typing their passwords into third-party sites like yours: this way they can learn to only type their Google password when they're looking at a Google login page and not have to trust that you won't store their password and use it to read all of their email.
It does provide a small interruption in the flow of your web app, but OAuth generally provides a callback so that it shouldn't really be a large disruption. In exchange, your users can feel safer and you can avoid any issues of having to store (and then dispose of) user passwords.
In short, I don't think you'll be able to get around this. It's true that Twitter does currently allow it ("Basic Auth", where the username and password are sent directly), but that feature is planned to be deprecated by this summer.
I'm having trouble finding the right way to implement a login service.
First my environment:
An Android or iOS app
My own web API in PHP
Now the users have to log in to get specific data from the API. So I have to check with the API whether the user is logged in.
First I thought I could do this with JWT (JSON Web Token). But users with an existing Google or Facebook account should also be able to log in to my site.
Is there a way to implement the login in PHP (on the API side)? Most examples of logging in with Google or Facebook are for simple websites, not an app with an API.
How could I implement this login system?
Some time ago I thought I could use GIT (Google Identity Toolkit). But now they have switched to Firebase and the website only contains examples for web apps and Android/iOS.
Is there a common technique to do a login system like mine?
Do I have to implement OAuth2?
Oh. Besides the Google/Facebook login, there should be a way to log in with email and password.
I'm a little bit confused. It can't be that I'm the only one with this problem. Or am I a blockhead?
Yes, it is possible and it is well documented on the APIs' pages.
For Facebook login, you can check this link.
For the Google's case, you should check this link
Side note: I know that I should quote the relevant parts of the links, but there are too many steps to follow, especially in Google's case, so I haven't done it to avoid a huge block of quotes.
Solution:
Implement the login in the Android or iOS app and obtain the access token there. Then send this token to the API, where you can verify it and do everything you want with the Facebook/Google API.
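As an added example (not code from the answer above or from the Google/Facebook documentation it links to), here is what the API side of that solution looks like. It is written in Python for illustration; the same steps apply to a PHP API. The app sends the ID token it received from Google Sign-In, the API asks Google's tokeninfo endpoint to check the signature and return the claims, the API checks the claims itself (Google does not know which audience you expect), and then mints its own HS256 JWT for subsequent requests, which also covers the email/password login path the question mentions. The client ID, the API signing secret and the tokeninfo response are constructed placeholders; `fetch_tokeninfo` is the only function that touches the network and is not exercised offline.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Hypothetical values: the OAuth client ID registered for the app in the Google
# console, and the HMAC secret the API uses to sign its own session tokens.
GOOGLE_CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"
API_JWT_SECRET = b"replace-with-32-random-bytes-from-os.urandom"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Constructed stand-in for what Google's tokeninfo endpoint returns; note that
# exp and email_verified come back as strings from that endpoint.
CONSTRUCTED_TOKENINFO = {
    "iss": "https://accounts.google.com",
    "aud": GOOGLE_CLIENT_ID,
    "sub": "10769150350006150715113082367",
    "email": "alice@example.com",
    "email_verified": "true",
    "exp": "1700000300",
}


def fetch_tokeninfo(id_token: str) -> dict:
    """Network call: Google verifies the ID token's signature and returns its claims."""
    url = "https://oauth2.googleapis.com/tokeninfo?" + urllib.parse.urlencode({"id_token": id_token})
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.loads(resp.read())


def validate_google_claims(claims: dict, client_id: str, now: int) -> str:
    """Return Google's stable user id (sub); raise ValueError if the token is not for us or is stale."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch: token was minted for another app")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if str(claims.get("email_verified", "false")).lower() != "true":
        raise ValueError("email not verified by Google")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims["sub"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(user_id: str, secret: bytes, now: int, ttl: int = 3600) -> str:
    """Mint the API's own HS256 JWT after the social (or email/password) login checked out."""
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url(json.dumps({"iss": "my-api", "sub": user_id, "iat": now, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_session_token(token: str, secret: bytes, now: int) -> dict:
    """Check algorithm, signature and expiry of a session token presented to the API."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm ("none", RS256 confusion)
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if int(payload.get("exp", 0)) <= now:
        raise ValueError("session expired")
    return payload


def login_with_google(claims: dict, now: int) -> str:
    """What the API's /login/google handler does with the claims obtained from tokeninfo."""
    google_sub = validate_google_claims(claims, GOOGLE_CLIENT_ID, now)
    # Key the local account on provider + sub, not on the email address, which can change.
    return issue_session_token(f"google:{google_sub}", API_JWT_SECRET, now)
```

The Facebook path is the same shape: the app sends Facebook's access token, the API confirms with Facebook which app and user it belongs to, and the API then issues its own session token. Only the session token is ever accepted on later API calls, so the mobile app never has to hold the provider's credentials for longer than the login itself.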
I'm using several social providers on my site, including Google. I would like to ask for the password to the Google account each time the user requests one of my actions. This is for security reasons.
With Facebook, we can send the auth_type=reauthenticate parameter. Is there something like this in the Google API?
I'm not looking for refreshing tokens, I need to make sure user types his password at any state: whether already authenticated or not.
I read your posts and I can relate to your frustration on this matter (including some of the poor responses inline above).
You want to be able to prompt users to reauthenticate with Google in order to prove that the user behind the computer is indeed the account holder. Having required similar functionality myself, I've concluded that they do not implement it. This creates a problem of trust for an application that relies on a Google login for access, but also provides some destructive functionality which should require a reaffirmation of the identity of the user. Wish I had better news for you.
Having implemented this feature with Facebook's API, I was certain Google would provide similar since it's so essential to security, however they don't.
I've only known how to use the authorization URL to have a user connect their account to my website. Is there a way to do this authorization via an HTML form? For instance, the user inputs their Google email and password on my website and it authenticates that account without them ever having to sign in and out of accounts on Google and then visit the auth URL.
The reason for this is to connect multiple Google accounts to one account on my website. It would be a huge pain to ask them to log in and out of Google for every single account they want to attach. It'd be a lot better for the user experience to just type the info in a form on my site and have it authenticate. Is this possible in PHP or in any language?
This is a bad idea; do you really want to be responsible for users' Google passwords? Do you think users will trust you with that information? I know I wouldn't, and I'd be highly suspicious that your site is a phishing scheme with that behavior implemented.
Use OAuth 2.0 or OpenID instead and save yourself the headache of dealing with user passwords.
This is a tough question to ask so I hope I can make it clear!
I'm writing a PHP script that accesses a user's Gmail calendar. I first wrote it using Zend and it was fantastic, but found that I have to use OAuth to get to tasks; therefore I rewrote it for OAuth instead.
In order to use OAuth I have to go to my API console and set up the account, and then I have access and everything works great. Here is my problem: I can't ask every single user to go through this somewhat technical step of creating a key and all of that just so my app can work with their Gmail.
Zend was really easy: the user provides me with their name and password and I have access. Now I don't see any way to change accounts using the OAuth method; all of the credentials are for a SINGLE Gmail account (as far as I can tell).
Is there a way to do what I'm trying to do without making the users go through fifteen hoops to allow me access? I would like to register my app and get my keys, then be able to point to ANY Gmail account, have the user grant me access, and I'm in. Otherwise each user has to go to the API console in their own Gmail, create branding, create a key and then create a server ID, THEN provide all that to me so I can plug it in, and THEN be redirected back to Google so they can say "yes, I accept this". That's a lot of steps to integrate.
I hope this was clear enough :).
That's basically how OAuth works. ONLY the developer that wrote the app needs to register it, get the keys and add that to the configuration.
Users of the app simply get taken to a page (after signing into their Google account) where they will grant access to your app in a single click. Google will remember their decision and the next time will be even faster.
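The flow that this answer, the OAuth-instead-of-passwords answer to the HTML-form question, and the first answer on the page all describe, as an added example that is not code from any of those posts or from Google. It is written in Python for illustration (a PHP port is mechanical) and uses Google's public authorization and token endpoints; the client ID, client secret, redirect URI and scopes are hypothetical placeholders, and the token exchange takes an injectable `post` function so the whole flow can be exercised without network access. The registration step happens once per application; every user of the app only ever sees the redirect to Google and the redirect back, and the `login_hint` / `prompt=select_account` parameters let a user attach a second Google account without logging the first one out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request

# Hypothetical registration, done ONCE by the developer in the Google API console.
CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"
CLIENT_SECRET = "GOCSPX-example-secret"   # stays on the server; never ships to a browser or app
REDIRECT_URI = "https://myapp.example/oauth2/callback"
SCOPES = ["openid", "email", "https://www.googleapis.com/auth/contacts.readonly"]
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier)); a stolen code is useless without the verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(session: dict, login_hint: str = "", select_account: bool = False) -> str:
    """Step 1: remember state + PKCE verifier in the user's server-side session; return the redirect URL."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(SCOPES),
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
        "access_type": "offline",  # also get a refresh token so the user is not re-prompted later
    }
    if login_hint:
        params["login_hint"] = login_hint  # pre-select the account the user wants to attach
    if select_account:
        params["prompt"] = "select_account"  # show Google's account chooser for adding another account
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def handle_callback(session: dict, query: dict) -> str:
    """Step 2: Google redirected the browser back to REDIRECT_URI. Reject denials and CSRF; return the code."""
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error']}")
    expected = session.pop("oauth_state", None)
    if not expected or not hmac.compare_digest(expected.encode(), query.get("state", "").encode()):
        raise PermissionError("state mismatch: not the flow this session started")
    return query["code"]


def http_post_form(url: str, body: dict) -> dict:
    """Real back-channel POST (not used in the offline test)."""
    data = urllib.parse.urlencode(body).encode("ascii")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def exchange_code(session: dict, code: str, post=http_post_form) -> dict:
    """Step 3: server-to-server exchange of the one-time code for tokens; the browser never sees the secret."""
    body = {
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
        "code_verifier": session.pop("pkce_verifier"),
    }
    tokens = post(TOKEN_ENDPOINT, body)
    if "access_token" not in tokens:
        raise RuntimeError(f"token endpoint error: {tokens.get('error')}")
    return tokens
```

The `state` value is the part people most often leave out: without it an attacker can complete their own authorization and trick a victim's browser into finishing the callback, binding the attacker's Google account to the victim's session on your site. Store the resulting tokens keyed by the Google account's `sub`, one row per attached account, and the multi-account use case falls out naturally.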
I'm working on a web project that isn't all that dissimilar in principle to power.com, where I am attempting to unify several different social networking sites under a single website, allowing users to register once with the system, and then add as many of their individual social networking accounts (Facebook, MySpace, Orkut, etc.) as the system is built to handle, allowing them to browse their respective profile information in a single place.
Simply put, I can't seem to find a way to authenticate arbitrary users into their social network accounts.
I've been poring over the OpenSocial specifications, as well as the OpenSocial PHP client project, but I seem to be missing something, as everything is appearing to be circularly dependent.
My first problem is that, for testing purposes, I have a MySpace consumer key and consumer secret, but whenever I attempt to perform a 3-legged authentication with MySpace, there's no option for logging in as someone else. Plus, it performs an external redirect, which is somewhat undesirable (as a user of this eventual social networking "portal", I'd rather not have to go through that redirection process every time I add a new account).
How would I programmatically authenticate an arbitrary user and allow them access to their account information (preferably without the external redirection)?
Second, the 2-legged authentication requires a userId (usually an arbitrary integer) that identifies the arbitrary user to retrieve information for. However, when I enter my MySpace OpenSocial ID, along with the given consumer key and consumer secret, I am given a 401 Access Denied error. Furthermore, in order to use this ID in the future, it seems that I would need to authenticate the user first...but that authentication appears to require the ID.
I'm pretty convinced that I'm missing something trivial, but for the life of me can't figure out what it is. Help is greatly appreciated!
Technically this isn't my answer, but the developers at OpenSocial have provided me with the following information regarding my question (emphasis mine):
3-legged OAuth is built around the redirect back to the site you're authenticating with, and there's no way to avoid it. It's not the most convenient experience, but allows users to share their data with your website while keeping their passwords private. Any design which requires users to enter their MySpace password into a form on your website is considered an anti-pattern and should be avoided. You could potentially attempt the redirect in a popup window in order to make the experience a bit less jarring for the user (currently the PHP client doesn't make this that easy, but if you followed up at opensocial-client-libraries#googlegroups.com someone could help you work through that process).
With regard to not being able to change the user, what I believe MySpace is doing in your case is checking for a MySpace cookie and pre-populating your account information. If you were a user visiting the site and not logged into MySpace, you should get a full username/login box combination. There should also be a button or link somewhere to say "I'm not this user" and log in with other credentials.
As for 2-legged, you would need to have the application associated with the consumer key/secret installed on the profile of any user whose data you wish to access. 2-legged is mostly intended for developers who are currently running a social gadget on a container and wish to access social data for their application users out of band with a gadget render. In this case, the application server would already have the user's OpenSocial ID (from a signed makeRequest) and the user would already have the app installed on their MySpace profile. Most of this is covered in http://wiki.opensocial.org/index.php?title=OAuth_Use_Cases if you want more information.
Essentially, this makes any use of 2-legged authentication on an external application impossible; 2-legged was explicitly designed not to be used in this sort of situation. Furthermore, it seems that power.com is indeed employing the anti-pattern of having users supply their actual Orkut/MySpace/etc credentials, so that explains that bit.
Clearing out my cookies worked to authenticate me through MySpace. However, I followed up with another question about how Orkut authentication would work, since it doesn't seem to support 3-legged auth. Here was the response I received:
Orkut is interested in supporting this, so you'll be able to allow users to share their information with your application "correctly" in the future. The corresponding two-legged app would need to forward the current viewer's OpenSocial ID back to your server, probably along with an authorization token you generate yourself so that you can link a user's session on orkut with a session on your own server. Honestly, it's probably not usable enough to support a standalone login system.
Essentially, no, Orkut really can't be hooked into an external app (at least, not yet) without resorting to the anti-pattern.
If anyone has any further information on this topic, please feel free to share!
The pattern is also mentioned here http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
Essentially a lot of the mashups would want this feature:
A 3rd party site which DOES NOT have a gadget wants to get the end-users' permission to access their data at the social network, for example to download their friend list, or to get permission to post to their activity stream
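The 2-legged OAuth described in the quoted OpenSocial reply above and in this last post is OAuth 1.0a signing without a user token: the consumer key/secret identify the application, and an extra `xoauth_requester_id` parameter names the viewer whose data is requested, which the container only honours if that user has the application installed. As an added example, not code from either post or from the OpenSocial client libraries, here is the signing procedure from RFC 5849 (parameter encoding, base-string normalization, HMAC-SHA1 with a key that ends in `&` because there is no token secret) in Python, with a constructed consumer key/secret and a hypothetical endpoint URL. The signer is exercised on the worked request from RFC 5849 section 3.4.1.1, whose base string the RFC prints in full.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Hypothetical container registration: consumer key/secret the social network
# issued for a gadget-backed application.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare; hex is uppercase."""
    return urllib.parse.quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, drop default port, drop query and fragment."""
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname or ""
    port = parts.port
    default = (parts.scheme == "http" and port == 80) or (parts.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: list) -> str:
    """Section 3.4.1: METHOD & enc(base URI) & enc(sorted, encoded params). `params` are decoded (name, value) pairs."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)  # sort by name, then value, after encoding
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2. In 2-legged use there is no token, so the key is 'consumer_secret&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def two_legged_request(method: str, url: str, requester_id: str, nonce: str = None, timestamp: int = None) -> dict:
    """Sign an OpenSocial 2-legged call for the viewer `requester_id` (the user's OpenSocial ID).

    Query parameters already on the URL take part in the signature. Returns the
    base string (for debugging 401s), the signature, and the Authorization header.
    """
    query = urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    oauth = [
        ("oauth_consumer_key", CONSUMER_KEY),
        ("oauth_nonce", nonce or secrets.token_hex(16)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_version", "1.0"),
        ("xoauth_requester_id", requester_id),
    ]
    base = signature_base_string(method, url, query + oauth)
    sig = hmac_sha1_signature(base, CONSUMER_SECRET)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth + [("oauth_signature", sig)])
    return {"base_string": base, "signature": sig, "authorization": header}
```

When a container answers 401 to a signed request, compare your `base_string` with the one the container logs or documents first; almost every OAuth 1.0a failure is a normalization difference (double-encoded value, wrong port handling, a query parameter left out) rather than a wrong key. The example also makes the quoted reply's point concrete: nothing in this request proves that the person named by `xoauth_requester_id` consented, which is why containers only serve it for users who already installed the gadget.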