Successfully implemented OAuth flow within Google Actions context via account linking. However, after token expiration, it asks for user to link the account. Is there a configuration in Google Actions for token auto-refresh in this context so that the user is not re-prompted to link account after doing so already?
There are multiple problems with the app, to the point I'm a little surprised it got approved.
The first is that if you're using https://stackoverflow.com/a/44296039/1204142, then you should look at the update which indicates that Google is no longer allowing their endpoints to be used for account linking. This may explain why the card doesn't go away. Since it didn't prompt me for scopes after I authenticated myself... I'm not actually sure what it thinks it's doing.
But some code must have been sent, since the Assistant thinks we're linked. Even if the card doesn't go away.
However, when I connect, it prompts me with
OK, would you like anything else?
for the initial prompt. Which doesn't make sense in this context. But if I say "yes" it says
Sorry, I don't understand what you're asking. Say "help" to know how I can assist you.
If I ask for help, it says
Here's how piggy piggy can help.
and then leaves the mic open without saying anything further.
Your server can send an error code that will tell Google's OAuth server to send a request for a new access token using their refresh token.
Related
I have a server side application that requires that a user sign in using his browser and then the server continues to use that token to do stuff on its own.
I'm using the flow described here, pretty much verbatim, but with a few additional scopes: https://developers.google.com/identity/sign-in/web/server-side-flow. In this flow, Google takes over through the login process. I create an auth2 object with gapi.auth2.init(), then I call .grantOfflineAccess() on that object, and later I get a callback with a token if succcessful. I don't know if this is the latest/greatest way to do it, but it works fine.
Today, I received an email from Google warning me that I am using the plus.me scope and that is deprecated and will stop working in March 2019.
Thing is, I'm not requesting that scope anywhere in my code and my app doesn't use Google Plus. I only request:
https://www.googleapis.com/auth/calendar.readonly
https://www.googleapis.com/auth/gmail.compose
profile
email
It looks like the insertion of the request for plus.me and a few other scopes is coming from Google's code, something that comes from https://apis.google.com/js/client:platform.js, or something that Google downloads later on as part of the login process -- that's the beauty of this process: Google does fancy stuff I don't need to know about.
But ultimately, the token I get back from Google includes:
scope: "openid email profile https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/gmail.compose https://www.googleapis.com/auth/calendar.readonly https://www.googleapis.com/auth/userinfo.email"
There is definitely stuff there I didn't ask for, including the plus.me which is I guess what I'm concerned about. How do I control or stop this? Or maybe I don't need to do anything and Google will take care of it themselves before they shutdown the plus.me scope?
You are right, your scope request is fine. plus.me is implied from your profile scope request. Unfortunately, the email notification went out to a number of developers in this situation. If you've done a code search and all we notified you about was plus.me, you should be fine. Just make sure you're not using any 3P libs that may also have this dependency.
I don't believe I need OAuth
Then again, what do I know
All I want to do is take someone's credit card information and charge them. I am not accessing other people's QuickBooks accounts (only my own) and I am not trying to access any other personal information other than what they input into my form. For this reason it seems absolutely asinine to think that I'd have to redirect them to intuit.com and force them through an OAuth prompt (what account would they even be authorizing? They probably don't have a QuickBooks account)
I've spent the last hour reading through QuickBook's API documentation and I've run in circles and found the whole thing utterly confusing. Every page which references a particular API endpoint makes no mention of authentication -- only the headers, query parameters, and request body that are expected. The API explorer does not show any form of authentication in their examples:
No basic auth header, nothing in the request body with an API token,.. nothing
Checking the console while hitting submit isn't any more helpful. The request gets sent to their back-end server where it does the real request:
It even includes "apikey", "apisecret", and "oauth" attributes in the body which are all empty -- it acts like the endpoint doesn't even NEED authentication.
Out of dumb curiosity I tried making the request with no authentication to see what would happen:
401 Not Authorized. So some authentication is needed. I continued to scour the docs and turned up nothing but page after page linking me back to OAuth and saying that I need to set up OAuth. Why do I need to set up OAuth to take a credit card number that was given to me and hand it to QuickBooks?
I even tried looking at their sample app. The "take the code for a test drive" (https://developer.intuit.com/v2/ui#/emulator?workflow=ecommerce) was utterly worthless. It only gave me some pseudo-code with zero idea for how to handle authentication:
I even looked at the actual code and don't see anywhere that they provide an API key or secret key.
I'm pretty much ripping my hair out at this point, so I think I need someone with experience to point me in the right direction.
I don't believe I need OAuth
You do.
For this reason it seems absolutely asinine to think that I'd have to redirect them to intuit.com and force them through an OAuth prompt
You misunderstand what OAuth is, and how it's used.
OAuth is used to get YOUR auth tokens so that YOUR COMPANY can authenticate to Intuit and identify itself so you can charge customer credit cards. YOU are redirected to Intuit's website to authenticate ONCE, and ONCE ONLY, and then NEVER AGAIN.
You store the tokens you get back from the one-time OAuth pop-up window process, and use those for all future HTTPS requests.
The end-user (i.e. your customer) is NOT redirected.
If you're familiar/used to something like Authorize.net or other web services, where you open a web browser and go to a website and copy a secret key/API token into your code... this is the exact same process except instead of you logging in and manually copy/pasting an API token/key, you're logging in and the OAuth process automatically gives you the API token/key programatically.
I've followed through the InteractiveConsole and FriendsSmash example in Unity and learnt how to request permissions during login and get the friend list of the user.
But there's one little problem bothering me a lot.
When FB.Login("email,user_birthday", LoginCallback) is called for an authorized user. The user will be redirected to the Facebook page saying "You have already authorized App-Name".
I'm thinking to only call FB.Login("",LoginCallback) to every user, and then use the FB.API to check if the correct permissions exist, and after that call the original FB.Login method. However, this doesn't seem a very wise way to do this to me.
I did a bit of research but still can't seem to find a nice way to solve this. Can anyone please help me out on this?
Thanks.
If you have status=true in your FB.Init(), it should come back with login info if the user is logged in. You can then use FB.API() and do your permissions check.
I had PlayerPrefs.DeleteAll being called for testing purposes. I found that it was removing the Facebook data so it wasn't authorising on initialisation.
Make sure you don't call PlayerPrefs.DeleteAll()
So I am updating an older desktop app (written in VB, .net 4.0) with facebook integration and followed the guide found here, and have been able to successfully get a token (by parsing the uri of the embedded webview if it contains "token="). Now my problem is if I try to login with a facebook account that has already approved the app in a prior session, the webview just gets redirected to https://www.facebook.com/connect/login_success.html without any token information.
Do I HAVE to log all of the tokens I generate manually (ie on successful token generation, I can call their profile info, use their FB ID as key and save the token)? Even if I do, since the email and password is input directly into the facebook login window, how do I check if the user already has a token?
Thanks in advance
The access token can change any time, you need to get it everytime. After getting the token, I immediately get the user information https://graph.facebook.com/me?access_token=??? and use that ID to find their database information.
I couldn't quickly find facebook information but on google's oauth information it says "The access token is also associated with a limited scope that define the kind of data the your client application has access to (for example "Manage your tasks"). An important goal for OAuth 2.0 is to provide secure and convenient access to the protected data, while minimizing the potential impact if an access token is stolen."
https://code.google.com/p/google-api-php-client/wiki/OAuth2
Ok so I finally figured it out myself. My mistake was apparently requesting the access_token directly (ie https://www.facebook.com/dialog/oauth?response_type=token...) to try and save time.
I fixed it by making a request for a 'code' instead (ie https://www.facebook.com/dialog/oauth?response_type=code), which I then use to make a second request to retrieve an access token as documented here: https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/, "Exchanging code for an access token" section a bit lower on the page.
Hope this helps someone in the future, this was very frustrating on my part.
Regards,
Prince
This question was previously asked here but the OP never responded to the comment left and therefore it is left unanswered. I'm looking to sign into a specific Box account via API and am hoping there's a way to automatically set the login and password instead of asking users for theirs. I'm coding my app in PHP and so far I'm using the basic OAuth2 process that asks the user to login (/auth/ticket&api_key). So far the only suggestions I've found requires saving files to local storage but that's not an option as I need my app users to do as little work as possible to get in. I just need to tweak this authentication process. Any suggestions??
Thanks!
this is the answer i got from Box API technical support:
Unfortunately, there's no way to do this at this point. You do have to go through the web based login to authenticate, however once you authenticate the first time, you can automate the refresh token so you won't have to do it again. I apologize for that and just let me know if you have anymore questions about this.