I'm trying to make a bot for Tumblr or Twitter, but both require OAuth requests. I'm not sure how to use a Net.WebRequest this way. I've searched all over and found very scarce information. I believe I am supposed to add some credentials in the header. This is what I have tried:
<pre>
Dim request As WebRequest = WebRequest.Create(URL)
request.Headers.Add(HttpRequestHeader.Authorization,
$"OAuth realm=""https://api.tumblr.com/"",
oauth_consumer_key=""{APIKEY}"",
oauth_token=""{TOKEN}"",
oauth_signature_method=""HMAC-SHA1"",
oauth_signature=""?"",
oauth_timestamp=""{(Now - New DateTime(1970, 1, 1)).TotalSeconds}"",
oauth_nonce=""{Now.GetHashCode()}"",
oauth_version=""1.0""")
</pre>
Assuming APIKEY and TOKEN are valid, I am still getting Error 401: Unauthorized. Also, what do I put in "oauth_signature"? That did not make any sense to me. This website contained the most useful information: https://oauth.net/core/1.0a/
Has anyone else here dealt with OAuth requests before, that can help me? If there were any examples out there, that would be wonderful. Thank you so much in advance.
~Nic
What jumps out at me immediately is that your parameters are not sorted alphabetically (which OAUTH requires).
Writing an OAUTH library from scratch is terrible terrible business and you should use an existing library unless you have a really good reason not to.
I am the author of TwitterVB, a .NET library for accessing the Twitter API. The code is hosted on GitHub and has a very permissive license. You'll find code and classes there that will make your implementation of OAUTH much easier.
Please note that I no longer maintain this library and there are a few things that have changed about the API that interfere with its functionality. The OAUTH pieces should all work as-is, however.
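As an added example (not part of the original posts and not taken from TwitterVB), this is how the `oauth_signature` value is computed for HMAC-SHA1 under the OAuth Core 1.0a rules linked in the question, including the parameter sorting the answer mentions. It is written in Python; the helper names, keys, secrets and URL are constructed placeholders, and `url` is assumed to be passed without its query string (query or form parameters go in `extra_params`).

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # OAuth percent-encoding: everything except A-Z a-z 0-9 - . _ ~ is escaped.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode names and values, then sort; "realm" and "oauth_signature" are never signed.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k not in ("realm", "oauth_signature"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is both secrets joined by "&" (the "&" stays even with no token secret).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, consumer_key, consumer_secret, token,
                         token_secret, extra_params=None, timestamp=None, nonce=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        # Whole seconds since the Unix epoch (UTC), not a fractional value.
        "oauth_timestamp": str(int(time.time() if timestamp is None else timestamp)),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    # Request parameters are signed as well, but only oauth_* fields go in the header.
    oauth["oauth_signature"] = sign(method, url, {**(extra_params or {}), **oauth},
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def verify(method, url, params, consumer_secret, token_secret):
    # Receiving side: recompute the signature and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    print(authorization_header("GET", "https://api.example.test/v2/user/info",
                               "ck", "cs", "tok", "ts", {"limit": "5"}))
```

A 401 with an otherwise valid key and token usually comes down to the receiving side recomputing a different base string, so comparing `base_string` output against what the API documentation shows is the quickest check.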
Related
This is an additional question in regards to another relevant question: "Facebook Authorization url, scoped authorization url and token url". I am new to OAuth2.0, so assume I didn't learn literature well back in high school!! (I have seen some people with very short learning curve recommended to read the Facebook login API documentation)
I have looked at it, but didn't find the Authorization URL AND Access Token URL.
While I was searching for some demos, in one video it used
https://www.facebook.com/v6.0/dialog/oauth?
key being: v6.0
in another it used:
https://www.facebook.com/v15.0/dialog/oauth?
key being: v15.0
and in the original post, the kind person who answered seemed to suggest to use:
https://www.facebook.com/dialog/oauth
(which didn't mention the version ID at all, that worked for me, and I like it; easier to remember and use). HOWEVER, previous two also kinda make sense, I don't think Facebook gonna stop enhancing and upgrading its OAuth2 APIs.
And if I go back to the original question, how can I find the latest URL info for above mentioned endpoints?
Thank you a million in advance!!
If this question was too basic, please be tolerant, I am new to OAuth2.0!
I have an application (Nuxt.js using nuxt-auth) with local authentication so far (later I want to add git and google auth).
Now I need to add authentication to invoke other services / API (like google cloud rest API, payment system, youtube API, etc...)
The question is: the user is authenticated only once (during login to the application.) but each of these 3rd party APIs has its own authentication.
How to implement multiple authentications? (I read the documentation and googled for the entire day but there is no clear answer).
As of today, it looks like it is not doable (people are needed on this module): https://github.com/nuxt-community/auth-module/issues/889
So, you would need to make it manually by plugging the APIs yourself.
Answer to your latest question~comment
Nuxt is indeed nice with some of its modules (but you can totally dislike it, no problem :D).
First thing that you need to know, is that this project (nuxt-auth) is not the biggest one, #pooya is doing his best but he is on a lot of projects, so he cannot give all of his love to it. Then, you also need to understand that it's working great but it's still in a decent beta state with a lot of missing features, needed documentation and a lot of small things to make it an all rounded solid top notch solution.
That does not mean that you should not use it, I'm just saying that this module does have some limitations. Hence, the fact that it is not supporting a whole lot of OAuth solutions in a clear + simple + flexible way. And some breaking changes may be introduced in future updates.
The module is aimed towards having an OAuth solution to block the content of your website behind it (in my opinion). It means that you will usually use a single login solution and then, being able to have access to your app. I don't think that it's a viable multi-OAuth solution (yet).
Some services don't even need to use a solution like this. Stripe for example, should not be handled on the frontend but communicate with a backend for sensitive variables and just send minimal info thanks to Stripe Elements.
That said, the most common solution is JWT or OAuth2, and you could totally have a backend service or service like Okta, Auth0 or alike, do the heavy lifting by allowing simple logins to providers (Github, Google etc...).
To sum up, you do connect to this backend/service thanks to nuxt-auth, the service itself does the provider connection and you get the best of both worlds while still connected in a secure way through your initial nuxt-auth entry point login.
Or you could try to reach the community on Discord, see if somebody knows how to do it. Or even try to read the source code to see if it is currently feasible.
And that's my 2cts.
I built a web app in Laravel 5.2, and now, I would like to use Angular or Vue, so I am separating an API from my controllers.
Thing is actually, in my controllers, I use a lot :
Auth::user() to refer to the logged user.
What is the best way to deal with it???
Read books about API design. If the existing app isn't designed to be a RESTful API in the first place then you're in for a lot of learning. Laracasts has a great series called Incremental APIs.
Laracasts.com
Build APIs You Won't Hate
OK, I'm expanding my answer, despite this is not a great question, it is probably too broad. You need to look into Oauth 2.0 authentication for your API, you can still use a username and password, but OAuth 2.0 tokens over SSL is probably the best simple way to provide authentication for your API. If it is only used internally, or is read only then you may not really require authentication for the API at all. There's not enough information about your use case to even make a guess about that. Good luck!
I would like to use the twitter site-streams but I can't find a way to use them. There is no API-docs online and how to access site-streams.
Does someone have an example in PHP or better C#?
Are there any API-samples or a full API-doc?
Thanks
Matthias
I called oAuth before doing something similar to Shannon Whitley's user streams example. Use the curl commands generated for you at dev.twitter.com to double check your C#-generated URLs.
The site stream url is buried in the top middle of the doc (/2b/site.json?follow=1,2,3,4,5) # dev.twitter.com
I'd also follow #sitestreams as well to get heads up on site stream restarts.
The API looks to still be in beta, I found this. It's not a lot of detail, but the post was only a few weeks ago so it is something pretty new. It uses the same REST API that all of twitter uses so if you are familiar with that you should be able to use what it gives you.
If you need a tutorial on REST with twitter here is a decent tutorial. It is using basic authentication so I do strongly recommend that you use OAuth instead.
I've been looking around at various APIs, and since twitter seems to be a common discussion point, I'll use it as an example.
A lot of APIs are implementing oAuth which is great for allowing the service to authenticate and authorize the application connecting to it, however, from what I have seen there doesn't seem to be a way for the application to verify that Twitter is actually Twitter (and not a man in the middle based attack)? I would expect to see some kind of signature (using a shared / public key) of the response body which I can use to validate that twitter signed it.
Is it just because currently there isn't really a point to a man in the middle attack with twitter tweets since currently, what's the worst that can happen (and why would someone want to give me invalid tweets)?
On this point, if you were to sign the response, what method would you use? I'm currently considering an HMAC-SHA1 signature of the response body using a shared key.
This is what the 'trust' part of SSL does.
-- Edit
I note this has been downvoted, but it's important that other readers realise it's due to a personal disagreement, not due to incorrectness.
In the .NET world we use WCF, which has many different security models, including signing (and if desired encrypting) each message/response. This adds up to a non-trivial amount of overhead, but can give you more 'trust' in the security model. You can switch to using binary-serialized data to cut down on the bloat and message size if you desire.
I'm not sure what other Web Service APIs offer in that area, though I'm sure someone else can add further details as needed.