To learn some new technologies, I am building a small chat application that allows users to send messages to each other. I have set up my app with auth0 for client authentication and user management. My chat messages include the sub of a user as the unique author_id.
Now, for my use case, I would like everyone who has received a message to pull up a small user profile card for the message author. This means querying the user management system with the author_id to retrieve the user profile.
I have found the get users by id endpoint which seems to fit my needs. The problem here is that this API requires a management API token, which will not be available on the client side.
Should I set up a pass-through API which authorizes users based on their app JWT token, and then requests the user profile from the auth0 API with the management token? Or should I be looking at a different approach (the fact that this API requires a management token seems to suggest so)?
Due to the rate limit of the management API it is considered better practice to use an external database to save and retreive user data.
Related
I am developing an app on Microsoft Teams, and I would like to send a mail with an instance of a logged in user.
This means that a user logs into my Microsoft Teams app, wants to send a custom mail that the app generated, now I want to send a request to my REST API to send this mail as the user.
I could not find any relevant information regarding sending an email like this, I only found methods to send emails with supplying username/password or using the current logged user on the machine (which I can't use since I want to do that using my REST API).
Example of what I found but is irrelevant:
https://www.add-in-express.com/creating-addins-blog/2011/09/02/outlook-create-send-message/
You don't mention if your app is a Tab or a Bot app (or something else), but I'm presuming a Tab. In any case, both Bots and Tab's offer the ability to do SSO sign-in of the user, in which case you can easily get a token for the user. In your backend API, you can exchange this for an "on behalf of" (OBO) token, which lets you access the Microsoft Graph API on the user's behalf. Once that's done, you can call the "send mail" operation on Graph.
To find out more about the above, see:
here for an excellent video overview on SSO with Tabs
here for a blog post on how to exchange the tokens and make the graph call securely
here for the specific operation in Graph (sending email)
I wrote this same question to #Linkedin support service and I was redirected to this link where they indicate to ask questions in Stackoverflow.
We are developing a mobile App for the Polytechnic University of Madrid and we plan to expand to other Universities in the future. This aplication will need in a first instance OAuth via Linkedin. It will also need to allow the authenticated user to send connection invitations to other users contained in a list. For creating that list of users, it will be useful if the admin of the system could search in a bar similar to the one which Linkedin has, write a user name and select it, retrieving its user ID or what is needed to identify the invitation destination.
Summing up, the App needs:
OAuth API
Connection request API
User search API
I have read on the web that some of Linkedin's APIs suffered some modifications in which most of them where limited to allowed users or apps. So the aim of this post is knowing:
Do the APIs my mobile application needs exist?
What do I need to do to obtain the access to those APIs in case they exist?
User search API
For this feature you could use something like Algolia Instant Search
LinkedIn has changed many things related to user data. If you need access to its data then you must follow the given guidelines.
Basically you have to create a LinkedIn App and then the users have to grant permissions to your app by installing it in their device(s) and then only you can collect their data.
Our ReServe Interactive Social Tables account/app (unleashedadmin#reserveint...) has been authorized for the Layout Automation API endpoint. Does this authorization extend to all users of the API (the other Social Tables users that authorize and communicate to Social Tables through our application)?
Access to the /4.0/layout-automation endpoint set is currently gated on the requesting user's team's product access. This means that as of today (9/7), the endpoint will reject requests made with OAuth bearer tokens on behalf of users who do not have access to the product, event if the tokens were issued to an app belonging to a team that has access.
It sounds like your use case involves invoking layout automation on behalf of your end users, and we want to support it. We are treating this lack of access propagation as a bug, and will be rolling out a resolution and responding to this thread as soon as possible.
Thank you for your patience, and for helping us improve our platform.
I'm having trouble deciding on / understanding which method of authentication would be best in the following situation:
I have 3 separate "clients". A website, mobile app and browser extension.
Users information and data is stored in a database.
The 3 clients will access the data via an API.
What I am trying to get my head around is how users of the system would login via one of the three clients and authenticate with the API so they can then proceed to get and post data to the API.
I do not require 3rd party applications to access the API. Users can only access it by logging into the clients I provide. For this reason am I right in thinking that OAuth1/2 would be over kill?
I have attached an image which details how I envision the system.
An additional question:
Where is it in the system the authentication comes in? Would I authenticate within the API? So the user uses a form on one of the three clients to send a password. The API then returns a "what" if they provide valid credentials?
I am new to linkedin api. I have a doubt regarding the api.
I am integrating the api in my application, so different user have to register in the linkedin to get the data using that api? Can it be pre registered and the user can get the data whatever he wants.
Suppose user wants to search about company. He will type the company name and will get the names of the company related to search. He should not log in in linked in before searching.
Is it possible?
If you are using the JavaScript API, then yes, you may need to have the user log in each time as the JavaScript API's authorization is cleared every time the user closes their browser.
If you are using the REST API, you can store the user's OAuth token and use that to make the calls on behalf of the user, saving them having to sign-in each time.