How do http://auth0.com's authentication features compare to Firebase's authentication?
Does Auth0.com, on the Free or Silver plan, provide any authentication features that Firebase does not provide?
One major difference between the two (not mentioned in the blog linked in Jake's answer) is pricing. Auth0's pricing increases pretty quickly along with the number of active users (source), whereas Firebase Auth is free to use; you only pay for optional features like SMS, and database usage in case you need to store additional user metadata.
See this question for more about Firebase Auth pricing.
Related
We are working on a system which retrieves data from customers' Shopify shops and provides some services based on this data. In order to make it as convenient as possible for an end-user we would like to update this data on a daily\weekly\monthly basis.
For now we have only come up with a solution of implementing an unlisted app and prompting the user to provide all necessary permissions for the app to access their shops and fetch the data. But the token we get doesn't seem to be valid for a long time and we probably won't be able to reuse it a day later.
We appreciate it if you can share any success cases of implementing this kind of approach.
You provide an App to the merchant that they can install using OAuth. When the merchant is prompted to approve the App, Shopify will then provide your App with a long-lived access token you can use as much as you want, for as long as you want. I use a custom App from my Partner App dashboard to create these kinds of one-off Apps. It is superior to the one where the merchant has to tick off scopes and permissions IMO.
There are two kinds of token you can ask for and receive. One is considered for offline access, or long-lived. It works for everything. It is for webhooks, as an example, or other access where no person is involved. But there are also online access tokens! Say a person clicks into the App from Shopify to do some work. You can request an online token for them to do their thing, and that token is only good for, say, 24 hours.
So you have options!
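An added example (not code from the answer above or from Shopify) of the offline/online split it describes: one authorize URL builder for both access modes, and a store that keeps the two token kinds apart so a scheduled sync never depends on a user's short-lived token. The `grant_options[]=per-user` parameter and the `expires_in` response field are assumed from Shopify's OAuth documentation; the shop name, client id, scopes and token values are constructed.

```python
import re
import secrets
import time
from urllib.parse import urlencode

SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")

def build_authorize_url(shop, client_id, scopes, redirect_uri, online=False):
    """Return (url, state). online=True requests a per-user (online) token."""
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("unexpected shop domain")  # never redirect to an arbitrary host
    state = secrets.token_urlsafe(16)  # compare with the callback's state (CSRF check)
    params = [("client_id", client_id), ("scope", ",".join(scopes)),
              ("redirect_uri", redirect_uri), ("state", state)]
    if online:
        params.append(("grant_options[]", "per-user"))  # assumed parameter name
    return f"https://{shop}/admin/oauth/authorize?{urlencode(params)}", state

class TokenStore:
    """Keeps offline and online tokens apart so jobs never use a session token."""
    def __init__(self):
        self._tokens = {}

    def save(self, shop, response, now=None):
        now = time.time() if now is None else now
        expires_in = response.get("expires_in")  # assumed: only online tokens carry it
        kind = "offline" if expires_in is None else "online"
        expires_at = None if expires_in is None else now + expires_in
        self._tokens[(shop, kind)] = (response["access_token"], expires_at)
        return kind

    def for_background_job(self, shop):
        # Daily/weekly/monthly syncs run with no user present: offline token only.
        entry = self._tokens.get((shop, "offline"))
        return entry[0] if entry else None

    def for_user_session(self, shop, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.get((shop, "online"))
        if entry is None or entry[1] <= now:
            return None  # missing or expired: send the user through OAuth again
        return entry[0]
```

Both token kinds are bearer credentials for the merchant's shop, so whatever backs `TokenStore` in practice should encrypt them at rest.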
Our team is currently trying to better understand what data is collected by Google and Facebook in their implementation of OAuth (“sign-in with Google” and “Login with Facebook”).
Both developers’ docs are extensive on the data that you, as an app or
website developer, can request from the user
(https://developers.facebook.com/docs/facebook-login/permissions/ and
https://developers.google.com/identity/protocols/googlescopes) but not
much is mentioned about what the platforms collect.
Given that the generated token is renewed every time a user logs in, we can
assume that each connection is received and potentially stored. But is
there anything else that they could have access to based on their
implementation of OAuth?
We have already used MITMproxy on apps offering Facebook logins (https://privacyinternational.org/appdata) and could identify some data being sent, but it's only limited to Android apps.
Instagram's new API policy has become super strict. They are not allowing fetching public content at all. We are literally following all Instagram policies and still can't get approval of public_content.
Is there any workaround or any possibility of fetching the data?
This is the response that I have received from Instagram:
General issues:
Policy Violation (Ad network, Influencer network, Other related): Your
app should not attempt to build an ad network on Instagram, nor
transfer any data that you receive from us (including anonymous,
aggregate, or derived data) to any ad network, data broker, influencer
network, or other advertising or monetization-related service. In
working to build a high quality platform, we ask that you comply with
our Platform Policy
(http://wwww.instagram.com/about/legal/terms/api/).
Yeah, they now grant permissions only to applications with some specific usage cases.
According to Instagram official website, these are:
To help individuals share their own content with 3rd party apps
To help brands and advertisers understand and manage their audience and digital media rights
To help broadcasters and publishers discover content, get digital rights to media, and share media with proper attribution
Note that in order to get public_content permission, you need to fall under the 2nd or the 3rd use case. Otherwise, consider changing your application / service in such a way that it now uses basic permission and acquires only your users' media.
There is no valid and legal possibility to fetch public data except for successfully passing the Instagram permission review.
This official developer documentation page may be useful to you.
You need to enable scopes individually for your client https://api.instagram.com/oauth/authorize?client_id=CLIENT_ID&redirect_uri=APPCALLBACK&access_token=ACCESSTOKEN&response_type=code&scope=public_content in your browser, using your values for the uppercase words? This should enable your registered client to work with the public_content scope.
https://api.instagram.com/oauth/authorize?client_id=xxxxx&redirect_uri=xxxxx&access_token=xxxxx&response_type=code&scope=public_content
your comment
Read the error message. Did you supply a valid client-id from your Instagram developer account? Did you set up a redirect_uri for that client? Do you authenticate to Instagram to get an access token?
This worked for me this weekend. Double check the values you set in the url and call it directly in your browser.
What is the difference between the “Google+ API” and the “Google+ API (Sign-in)”?
The Google+ API (Sign-In) seems to be suited to allowing a developer to integrate Google login into their application, so that their app has an OAuth token to interact with Google services.
The Google+ API, on the other hand, is just the Google API that allows access to a user's Google+ API data; you will need an authentication token to access this data.
The two different quota buckets refer to two different subsets of the API that are available. You can see https://developers.google.com/+/api/#quota for the details, but broadly speaking:
The Sign-In portion applies to methods that specifically need the plus.login scope. These include people.get, people.list, moments.insert, moments.remove and moments.list. This is a much larger quota to encourage people to use these methods.
The other, more broad, bucket is for all other methods, including those for Activities and Comments and a few others for People.
Can I use an AdWords API developer token for multiple applications? In more detail, say I have a website where I am using an AdWords API developer token; can I use the same token for another application? Of course, both applications would be accessing the same account after all.
Thanks,
Murali.
You can use the AdWords API across different applications with just one API token, just make sure though that you are caching the authentication response and re-using those tokens otherwise you'll hit the throttle limit. (Incidentally, logging in is possibly the slowest part of their API, so caching the response will speed up your application considerably)
No doubt you can use the same development token for your multiple applications which are accessing the same account. If your applications will access different accounts then they need to get different developer tokens.
For the reference, you can read http://goo.gl/zLBPF
Hope it will help you.
Murali,
You need just one developer token, whether your application(s) access the same account or different accounts (whether linked under the same MCC hierarchy or not). As a matter of fact, the AdWords API Terms and Conditions explicitly prohibit you from getting more than one developer token.
If you use a developer token to make calls, you will be charged for API cost to the account holding the developer token. This is another reason why you should treat your developer token as a password and should reset it immediately if you expose it to the public by say, posting it publicly on a forum.
I also wish to point out that the official AdWords API forum is http://groups.google.com/group/adwords-api, you can ask your questions there and someone will answer your questions in a day or two.
Cheers,
Anash
Yes, Adwords even has channels that you can create to separate your ad campaigns
Adword Docs - Campaigns