Slack OAuth 2.0 without human (Add to Slack button) - api

Before I am able to get a token, Slack wants a user to give permissions to my request like described here:
Slack OAuth 2.0
Is it possible to get a token without any human?
I would like to make my program posting modifications of another program to a special Slack channel. But if the user has give permissions everytime, he also could post the modification to slack himself and the Slack API is not useful anymore.

No, this is not how it works. You only have to run through the OAuth process once (per Slack team) to receive the access token. The received access token remains valid and should be stored for future use.
If you want to use a Slack app and all the features it enables (e.g. Interactive buttons, Events API), you will have to run the OAuth process. However, if you only want to call a few API methods there is an alternative. You can get a so called "test token" for your Slack team which will also work and which you can get here. However, this token is meant for testing and development and not supposed to be used in production level apps.

Related

Can you validate the two factor code by the api in fusionauth

I have a question about fusionauth and its 2FA API.
we want to use 2fa in our app but only under some circumstances and not on every login.
I found that there is API to send a code via SMS but I can't seem to find an API to verify it.
can anyone help me?
I looked at the docs and there is only send and enable/disable no verify, can it be somewhere else?
The API does support a trust mode, but there is not currently a separate API for selective 2FA.
There is not an API to validate the code, instead you utilize the Two Factor Login API to complete the login process. This implicitly validates the code.
https://fusionauth.io/docs/v1/tech/apis/login#complete-two-factor-authentication

obtain a Google OAuth 2.0 Bearer token from a client and secret [duplicate]

This question already has answers here:
How do I authorise an app (web or installed) without user intervention?
(2 answers)
Closed 5 years ago.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground). It's an app to be run only for my account, in headless mode, on a trusted machine, to manage my cluster.
NOTE: must not require any proprietary software installations (e.g. the Google SDK).
Google provides an API Client Library for Java, which itself depends on an OAuth client library.
For the project of 9Cards launcher for Android, within the back-end, we had to use this library to fetch applications usage statistics from Google Analytics. In our code, because it is a case of "server to server" authentication, we use a Service Account's credentials. The code issues a request from Google a short-lived OAuth2 Auth Token. The library may provide similar features if you use a Client-ID and Client-Secret.
Regarding the issue of licenses, the library is published under Apache License v2, so in that regard it is not too proprietary.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
Good start. I guess by "the JSON API endpoints" you mean the Google APIS. Make sure you created OAuth Client IDs and not one of the other options.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
Yes the OAuth Playground will do that for you. The detailed steps and sample code to consume the token is at How do I authorise an app (web or installed) without user intervention? (canonical ?)
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground).
Follow the steps linked to above and you will see that you don't need to write any code at all. Once you have the refresh token (a one time procedure), you're all set. I exaggerate slightly, you do need one line of code to post the refresh token to the Google Oauth endpoint to fetch an access token. See the bottom of the linked answer for an example. Or you could just compose a curl to do it from the command line and put the Access Token into an environment variable.
I just wanted to avoid the whole thing and get a code printed on the screen
A bit like https://youtu.be/hfWe1gPCnzc?t=198

Manually building a Google login integration flow using server-side code

I am writing a project that lets users implement login integration for multiple web services (e.g. Google, Facebook etc.) to his/her website. I see Facebook allows us to manually build a login flow. Using this I can code everything myself and also let users use the script just by configuring it a bit (like setting app_secret and app_id). I am looking for a similar thing in Google. I don't wanna use the SDK because if I do that for multiple OAuth providers, then I think I'll mess things a lot. I also want to keep the client (JavaScript) side code at a minimum. So, can I build a manual login flow for Google, as I can for Facebook?
This information is given on the following page: https://developers.google.com/identity/protocols/OAuth2UserAgent (select the OAUTH 2.0 ENDPOINTS tabs)
Some excerpts:
The OAuth endpoint is https://accounts.google.com/o/oauth2/v2/auth
Token is returned like this: https://oauth2.example.com/callback#access_token=4/P7q7W91&token_type=Bearer&expires_in=3600
You can validate the token by using the tokeninfo endpoint: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=<access_token>

How would I grant user based Yammer REST API access to an ETL tool?

I've an ETL tool that is capable of making REST API calls against the Yammer network and retrieving data for analysis. Currently, how I make Yammer REST API calls is through an App that I've created. I then generated the authentication token and then used this token in the REST API calls to get at the data.
What I'd really like to do now is to provide an app that allows me to call the REST API (using the same ETL tool) without the person installing the app to have to go through the rigmarole of generating the auth token.
I suppose one approach could be to use some JavaScript that displayed the token to the user so that they could then pass it on to us... Do you folks have any other suggestions as to how I might do this?
There isn't a recommended way to skip the OAuth authorization, but you can automate a lot of it away. I created a Python script that uses the YamPy library to acquire a token. It even fires up the browser to the correct URL for authorization. You should be able to do something similar with other languages.
Calling the impersonation endpoint is another possibility. This will get you an OAuth token for another user so you'd need to have an app is just for producing OAuth tokens. It's probably a bit trickier to build right and secure than my script. Impersonation was designed for a specific category of app which means I don't recommend it by default. Even when it is a workable option it hides the authorization from end users which can potentially be a security issue, if say you app is compromised and handing out OAuth tokens. At least if the Yammer screen is in the way it's a bit more visible to the user what is happening.

Authentication for new Twitter API 1.1

I have an application that needs to display number of followers and following (users/show.json) for a random user on a public page (authentication is not required).
With the Twitter API 1.0 it was quite easy as authentication is not needed for the request. With the new Twitter API 1.1 is no more possible, so I need to authenticate the request (via OAuth).
Is it possible only "authenticate" the application and not the user too?
I mean: can I avoid to ask user to login and only authenticate with application key/secret? Or everytime I need to create a token with user credentials too, creating callback, etc.?
Yes, it is possible! If your application doesn't need to do things like post statuses or send direct messages on behalf of a user, you should be able to retrieve all of a user's public information with a single hardcoded set of Twitter OAuth credentials, and not require the user to authenticate.
Login to Twitter and go to the developer dashboard at https://dev.twitter.com/apps
Register a new application; after the application is registered, view the application details. You'll see an "OAuth Tool" tab, where you'll find all the relevant OAuth values for that application: Consumer Key, Consumer Secret, Access Token, and Access Token Secret.
Using these credentials, you'll be able to make requests to the new Twitter API.
If you're not comfortable using the Twitter API directly, there are a number of good API wrappers out there for various languages -- among others, the Temboo SDK, which will give you code snippets for calling various methods (and also gives you a place to securely store your Twitter credentials, so you don't need to bake them into your application).
Take a look at:
UserTimeline
GetFollowersByID
(Full disclosure: I work at Temboo.)
The easiest way to do what you're asking is to use Twitter API 1.1's 'application-only authentication' feature, which works for much of the API. See Application-only authentication. You can see a Python example of it in get_bearer_token.py.
Once you have a bearer token, you only need to include that in your request authorization header - signing is not necessary.