Use case: When coming to work I want to ask Alexa things like "Alexa, which employees are ill today?" or "Alexa which project managers are already at work?"
So essentially the Alexa Skill has to access sensitive (employee-)data from inside the company's network. As far as I know Alexa Skills only works with HTTPS and Amazon Lambda(ARN) endpoints. So to enable the Alexa-Skill to access the data we would have to publish some sort of endpoint exposing the data to the web. But this would obviously violate several security/privacy policies.
I'm not really into authentication/authorization of API requests so I would really appreciate some suggestions on how I to make sure only authorized users have access to the employee-data.
Thanks in advance.
You could have an API which Alexa talks to. Your API should handle the collection of sensitive data from your organization. Whatever authentication is required by your organization that can be done through Alexa as well (eg Account Linking) which can basically link the user's organization account. If that is done then we can authenticate the user and they only will be able to ask for sensitive data through Alexa. Your API would be the main point of control between Alexa and accessing sensitive data. Hope this makes sense.
Related
Recently google has added multiple user support to the assistant so how would use the API to identify the person by voice?
It depends what you mean by "identify the person".
There is no way for an Action to get the raw audio, so there is no way for it to do voice printing or anything along those lines.
Although each voice has to be reported against a Google User ID, you do not have direct access to that user ID.
What developers do have access to is a UID that is sent along with each request to your fulfillment server. This UID is consistent across requests, although it can be reset by a user (for example, if they reset their Google Home). You can think of this the same way you think of an HTTP cookie - you can track the UID and, if you see it again, have reasonable assurance it is the same user that accessed it last time. This breaks down, however, for the "default" account on Google Home, since anybody who doesn't have an account will map to this user.
Beyond this, you can also use Account Linking to connect a Google Account consistently to an account in your own system. If you have sufficient authentication in place, or are using one from Google or Facebook for example, this can act as an identity.
There isn't an API for developers to identify users by voice.
The Instagram new API policy have become super strict. They are not allowing fetching public content at all. We are literally following all Instagram policies and still cant get approval of public_content.
Is there any workaround or any possibility of fetching the data.
This is the response that I have recieved from instagram
General issues:
Policy Violation (Ad network, Influencer network, Other related): Your
app should not attempt to build an ad network on Instagram, nor
transfer any data that you receive from us (including anonymous,
aggregate, or derived data) to any ad network, data broker, influencer
network, or other advertising or monetization-related service. In
working to build a high quality platform, we ask that you comply with
our Platform Policy
(http://wwww.instagram.com/about/legal/terms/api/).
Yeah, they now grant permissions only to applications with some specific usage cases.
According to Instagram official website, these are:
To help individuals share their own content with 3rd party apps
To help brands and advertisers understand and manage their audience and digital media rights
To help broadcasters and publishers discover content, get digital rights to media, and share media with proper attribution
Note that in order to get public_content permission, you need to fall under the 2nd or the 3rd use case. Otherwise, consider changing your application / service in such way that is now uses basic permission and acquires only your users' media.
There is no valid and legal possibility to fetch public data except for successful passing the Instagram permission review.
This official developer documentation page may be useful to you.
You need to enable scopes invividually for your client https://api.instagram.com/oauth/authorize?client_id=CLIENT_ID&redirect_uri=APPCALLBACK&access_token=ACCESSTOKEN&response_type=code&scope=public_content in your browser, using your values for the uppercase words? This should enable your registered client to work with the public_content scope.
https://api.instagram.com/oauth/authorize?client_id=xxxxx&redirect_uri=xxxxx&access_token=xxxxx&response_type=code&scope=public_content
your comment
Read the error message, did you supply a valid client-id from your instagram developer account. Did you setup a redirect_uri for that client? Do you authenticate to instagram to get an access token?
This worked for me this weekend. Double check the values you set in the url and call it directly in your browser.
I have a web application backend for my clients web site. Authorised staff can log in to the backend and view data.
I want to pull some data from Google Analytics to be viewed in the backend, but GA seems to insist that the user is logged in to their Google account themselves using OAuth2
I want to be able to authenticate the server not the user. They already have permission and it seems unnecessary and possibly intrusive to ask them to link their Google accounts to the GA account and possibly even have to create one first.
The server already has to supply a client id, client secret and an api key, so it's not as if there isn't already an authenticated connection.
I'm guessing that there must be a way to pass the Google Analytics account credentials to OAuth2 somehow but I am not that familiar with OAuth2
Is this possible and how would it be done. A simple example or a nudge in the right direction would be appreciated
There are similar questions around but the ones I have found do not answer my question in the way I need.
Yes you need to store the authentication, but you may be able to use Google Analytics Super Proxy for your needs. At the very least you can see its code on how it stores the authentication.
You authenticate once, input the data you need scheduled from the GA Reporting API, then take the data feed and use it to build charts in your intranet. Any user can view those charts without needing to login to GA themselves.
I am building an app using the ESPN API and I have run through all of the APIs, using all that I can. It's going to be a big, deep app, with relational connections between stories.
What I'm wondering is if there is anyway to allow the users to log in to their espn.go.com accounts via OAuth or the like?
This would be really convenient so that users can access their sports preferences, etc.. If not I can always use another backend provided to store user accounts / preferences. But I'd really like to be able to sync with their actual ESPN accounts.
Looking forward to the answer!
Cheers,
//MD
There currently is no public OAuth implementation for the ESPN API platform.
So I'm in the midst of creating a Facebook Connect enabled site. The site in question will leverage your social graph - as defined by your facebook account - to do social things (what is really not important here). Here's the big question I have:
Are people still rolling their own authentication heuristic when using something like Facebook Connect? That is, are newer (FBConnect) sites today providing only FBConnect as an authentication strategy, or are they pairing it with other auth strategies (such as Google Auth, Open ID, etc)? What do you think is the best way to go? With Facebook having over 300,000,000 users now, is having 1 authentication strategy (FBConnect) enough? Or is it proper netiquette to provide users other means?
Some of the references I have been looking at today:
http://www.kenburbary.com/2009/08/five-reasons-companies-should-be-integrating-social-media-with-facebook-connect/
Increased Registration - Data from Facebook states that sites that use Facebook Conect as an alternate to account registration have seen a 30-300% increase in registration on their sites.
• Citysearch.com – Daily site registrations have tripled in the 4 months since Facebook Connect testing began
• Huffingtonpost.com – Since integrating with Facebook Connect, more than 33% of their new commentor registrations come through Facebook
• Cbsinsider.com – Over 85% of all new user registrations are coming from Facebook Connect
http://www.simtechnologies.net/facebook-connect-integration.php
"according to the current statistics using facebook connect increases 30-40% user traffic as compared to non-facebook connect websites."
http://wiki.developers.facebook.com/index.php/Connect/Authentication_and_Authorization
Our research has shown that sites that implement Facebook Connect see user registration rates increase by 30 - 200%.
No Need to Create Separate Accounts
In general, it's not a good practice to force a new user to create a separate account when registering on your site with Facebook Connect. You'll have the user's Facebook account information, and can create a unique identifier on your system for that user.
Just make sure you understand what Facebook user data you can store, or simply cache for 24 hours. See Storable Information for details.
If the user ever deactivates his or her Facebook account, you have a chance to contact the user to request the user create a new account on your site. When a user deactivates his or her account, we ping your account reclamation URL to notify you of the deactivation. Then Facebook sends the user an email regarding the deactivation. If the user has connected accounts with any Facebook Connect sites, and if your site has specified an account reclamation URL, the email will contain a section with your application logo, name, and reclamation link, in addition to an explanation about the link's purpose. For more information, see Reclaiming Accounts.
http://www.chrisbrogan.com/how-facebook-connect-points-the-way-towards-velvet-rope-networks/
The Drawbacks
Though there are advantages to using Facebook Connect for integration, there are some drawbacks, mostly from the marketer’s point of view. If you build out a social network project using Facebook Connect, Facebook gets all the information and you get none. You don’t get a database of users. You don’t get a way to message people participating in your event, except for “in stream,” the way everyone else is using the app. You don’t have any sense of demographics, nor any control abilities to block trolls or other unwanted types.
Crystal Beasley "All of the FB Connect sites we have built so far have incorporated "standard" accounts as well, even with the added complexity of supporting dual login methods."
There are still people who use mySpace (myself not included), and I know a several people coming out of college that have completely deleted their FB accounts to get rid of information of them they don't want potential employers to find (I know, there are a lot easier ways of doing this). If there are people who for whatever reason do not want to have a FB account, at least give them the option of creating a private google account.
Using ONLY Facebook as the register/login-method seems pretty dangerous to me. If you had a regular user management system, with Facebook Connect to speed up the process from a user-perspective is a good idea.
The Problem is somewhere else
if you really want to leverage the social graph only facebook brings "pure" data
the graphs people build at e.g. myspace arent telling much about that person and its social env. - at google neither
if you are just heading for viral spreading prefer the plattforms that share the best (just facebook again)