I’m currently storing the Token in order to access the social tables web service but now realise tokens expire after just 2 weeks. I presume I need to use the POST token function to get a new one? If so, where do I find the values for client_id and client_secret?
You will need to make a Social Tables App in order to use our oauth routes. Here are some nice instructions from our docs:
https://developer-portal.socialtables.com/docs/apps/
Once you have your client_id and client_secret, you will be able to use the oauth authorization flow to allow user to grant your app access to their data.
https://developer-portal.socialtables.com/docs/authentication
Please feel free to post a follow up if this process gives you any trouble.
Related
I am new to using Google API and I am struggling to understand how it works. I want to be able to access a calendar and add events to it. I don't want the user to login every time because it will be a universal calendar that holds invoice due dates so from what I understand I want to use a service account. I created a calendar api project and a service account. I set the calendar share permissions to the project email. I have an API key and a service account key. However, I get confused with understanding how it needs to be authenticated. Unfortunately I am using Filemaker so I don't have any helper libraries to help me. I basically just have a POST option.
The google api documentation states that the insert event call requires authorization:
"This request requires authorization with the following scope (read more about authentication and authorization)" https://www.googleapis.com/auth/calendar"
https://developers.google.com/google-apps/calendar/v3/reference/events/insert
So if I was just using basic POST requests how would I authorize this and which keys do I need? Do I need the API key and Service Account Key? Do i have to use a client key even if I want all users to access the same calendar?
If I need to clarify anything just let me know.
Thanks!
You will need to include a valid access_token in the HTTP headers of your POST request, e.g. Authorization: Bearer ya29.xxxxxxxxxxxxxxxxxx
In order to get a valid access_token, you will need to go through the OAuth2 Authorization process as described at https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests
Note: Please click on "HTTP/REST" to see the details of doing that without using any specific client libraries.
I am trying to build a ZendFramework2 Rest API and want to implement two-legged OAuth2 authentication.
I have been looking around and can not find any resources to help point me in the right direction with this.
Has anyone done this before or know of a good source I am missing?
In OAuth you can make access tokens client specific by assigning a client_id.
This client_id can be stored in some local storage on the client side and reused on the next user login from that client.
When the user logs in first time from a new client (no client_id in the storage for this user) then a new client_id is created and some 2nd verification step can be added to this part of the authentication process. For example sending an text message to his phone number. You could add an expires_at field to the client table so that you can repeat this process if the client_id has expired.
I doing research about OAuth2. A lot of things are clear for me but I have 2 questions.
Question 1, client_id, and client_secret
With OAuth an client can be identified with the client_id and client_secret.
But I cann't find the difference between these 2. I only found that the client_id is public and the client_secret is private.
I think it works like this but I'm not sure about it.
*When there is an app called "GreatApp" which would to get data from the OAuth2 API. It registers by the API and it gets 2 id's one client_id which is the same for every individual installation of the GreatApp. And they get the client_secret which is unique for each individual installation of the GreatApp.
This means you can recognize the application which connects to the API with the client_id and you can recognize an individual phone or tablet by the client_secret.
Is this correct or am I wrong?
Second question: Different types of flows
There are more than one kind of flow used by OAuth2. I read a lot about this and watched some videos on YouTube. They explain 2 or 3 kinds but they don't say clearly the name of each flow. I Googled a lot but I can't find a clear explanation about what type of flows there are and which I should use in what situation.
I found this documentation but this is Oracle-specific I think.**
Is there someone who can explain to me the flows and when I should use which flow?
Client ids and secrets are used for confidential clients, meaning those that can keep a secret such as web applications that live on web servers. They are typically not used to register individual instances like mobile apps.
Which grant flow to use when I've described in this answer. HTH
I am building a service in which users do not have to create an account to sign up, but use Google account as exactly does Stackoverflow.com
My Question is there is any unique information of an user in OAuth2 which never change, so I can use it as user id in my database.
After looking through Google OAuth2 API, I've ended up that all tokens are arbitrary every time session is established.
I would like to know how such sites as Stackoverflow extract the user information to sign up.
After getting the initial access token use the tokeninfo endpoint to get user_id.
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=" +
Uri.EscapeDataString(response.AccessToken))
The title speaks to the majority of the question, but I'm having a hard time wrapping my brain around how I have Facebook authenticated users gain access to my own site's API.
After the user has authenticated with FB I have a little bit of information available about the user, but no API key or username/password to pass along to my own secure API server for authentication.
I've found several related questions, but nothing that seems like an ideal answers:
Facebook Connect to authenticate on a personal API
Authorizing facebook connect users with other third parties
Any help will be greatly appreciated!
Since you are authenticating your users through Facebook connect, you know enough about the user.
Regardless of the authentication flow you are using, you'll
STEP #1: receive an access_token and a expire parameter. Most likely, you've requested the user_id too (if you are using the JS-SDK it would handle most of this).
STEP #2: encapsulate these info (access_token, expire & user_id) in a hashed string, e.g. mimic the Facebook signed_request format.
STEP #3: send this hashed string in your own API calls:
https://mydomain.com/apis/getUserSecretData?fb_oauth=my_hashed_string&vars=my_other_vars
STEP #4: in your API end-point, decrypt/decode your hashed string and verify the expire parameter and if the access_token is expired, then you need to request a new one and repeat your API call.