I want to log in to my application via LinkedIn. This can be done via a call to Cloud.SocialIntegrations.externalAccountLogin() .
However, the function above needs a 'token' parameter. The 'token' is provided by LinkedIn by following the oauth flow(retrieve an authorization code, exchange of the Authorization Code for a Request Token).
Is there an easy way in titanium to obtain this token? I have investigated aaronksaunders's(https://github.com/aaronksaunders/clearlyinnovative.linkedIn) code, and searched on gitt.io. Or do we need to write all of this boilerplate code ourselves?
NOTE: At the moment, I don't want to proxy the call via a server(I prefer not to set up an SSL certificate, etc) and I don't have an appcelerator team or enterprise plan, so I can't use their node(arrow) backend to proxy these calls.
Additional question: is it sufficient to configure the iOS Bundle Identifiers(on the LinkedIn app settings page)? And do I need to use this 'iOS settings' application Id(also on the LinkedIn app settings page)?
I have successfully finished my flow. Everything is explained in this blog post from Ramkumar M: http://shareourideas.com/2012/12/18/linkedin-connect-for-appcelerator-titanium/. The result is achieved by using a modified commonjs module version of the social.js library: https://gist.github.com/rampicos/4320296
This library has a very clean api, the whole flow is nothing more than:
var social = require('social');
var linkedin = social.create({
consumerSecret : CONSUMER_SECRET,
consumerKey : CONSUMER_KEY,
site: 'linkedin'
});
linkedin.authorize(function(){
//callback
});
I don't use the
Cloud.SocialIntegrations.externalAccountLogin()
because the login is done by the social.js library.
LinkedIn app: I have only configured the iOS bundle identifiers.
Related
I am using dropbox javascript sdk for file uploads using following end points.
For file below 150MB
/upload
For file above 150MB
/files/upload_session/start
/files/upload_session/append_v2
For Authorization, I am using the following code for now.
const ACCESS_TOKEN = 'my_access_token_created_manualy_from_app_console';
var dbx = new Dropbox.Dropbox({ accessToken: ACCESS_TOKEN, refresh_token });
Now I don't want to go to the app console every now and then to get access token.
Is there any way I could handle it in my code? Any API/ajax request to get access token in response to app_key and app_secret?
Getting a Dropbox access token for a user's account always requires some initial manual interaction from the user to authorize the app in some way. This cannot be done entirely programmatically. For the developer's own account, such as in your case, you can generate an access token on the App Console. For arbitrary end-users, this is instead processed via the OAuth app authorization flow.
You can refer to the OAuth Guide and authorization documentation for more information. For the Dropbox JavaScript SDK in particular, there's an example of processing the OAuth flow here.
How do i make logins happen via Amazon Cognito REST APIs (for user pools) on platforms for which there is no official SDK? - Note that i am asking for user pools - not identity pools.
Synopsis
Amazon cognito provides 3 kinds of logins:
federated logins (creates identity pools) - using social connects like FB, Twitter, G+ etc
AWS managed logins (creates user pools) - using Amazon's own managed signup, signin, forgot password, reset password services
developer provided logins (my custom designed authentication service managed by myself)
I am using the second one (with User Pools)
Amazon cognito has several SDKs for android, iOS, javascript, Xamarin etc. Cognito also provides REST APIs for building on platforms other than those supported by official SDKs. I am building an app for a different platform and, hence, REST API is my only way as there is no official SDK for my platform.
The Cognito REST API provides various endpoints for 'sign up', 'forgot password', 'confirm verification' etc, but surprisingly, the REST API does not have any endpoint for simple signin / login.
From Cognito CLI API docs I have all the OFFICIAL CLI APIs necessary to "signup users", "confirm signups", "change passwords", "verify phone numbers", "forgot passwords" etc. Surprisingly there is no CLI API mentioned for LOGINs. I was hoping there should be some CLI API like "$ aws cognito-idp log-in" just like there is for "$ aws cognito-idp sign-up" or for "$ aws cognito-idp forgot-password" etc.
Also from this getting started tutorial it talks about "*what should be done with tokens received AFTER successful authentication of a user*". However, it doesn't talk about HOW TO make the successful authentication happen on the first place with Cognito User Pool APIs. Examples are available only for Android, iOS, javascript SDKs. There are no authentication examples available for platforms which do not have SDKs.
Hence, How do i make logins happen via Amazon Cognito REST APIs (for user pools) on platforms for which there is no official SDK?
This curl command works for me:
curl -X POST --data #aws-auth-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-1.amazonaws.com/
Where aws-auth-data.json is:
{
"AuthParameters" : {
"USERNAME" : "yourusername#example.com",
"PASSWORD" : "yourpassword"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "75........................"
}
The user pool client must allow USER_PASSWORD_AUTH for this to work - that's an AWS-side setting.
Update:
As you pointed out in the comments below, the authentication flow is documented here: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html. This might help to clarify the authentication flow
It is somewhat counter-intuitive, but it does make sense for mobile apps where you don't want to have the user explicitly sign in, but instead carry tokens around for the user. Note that there is an explicit signin (login) API in the AWS Userpools SDK for iOS. I have not used it, but I suppose it is just an alternate client side API to get through the same InitiateAuth() followed by a RespondToAuthChallenge() flow. The iOS signin example is documented here - IOS SDK Example: Sign in a User
Original Post:
The Cognito User Pools API documentation for initiating auth is available here
The way it works becomes clearer if you implement a user pools application in one of the SDK's (I did one in Swift for iOS, it is clarified because the logging of the JSON responses is verbose and you can kind of see what is going on if you look through the log).
But assuming I understand your question: In summary you should InitiateAuth() and the response to that (from the Cognito User Pools server) is a challenge. Then you do RespondToAuthChallenge() (also documented in that API doc) and the response to that is an authentication result - assuming that the password / session / token were accepted.
The combination of those two things is, I believe, what you are calling LOGIN, and it works like a login. In the API's, the way it is set up is that attempts to get user information when the user is unauthenticated kicks off that InitiateAuth() and (in iOS anyway) the API does a callback to the code you write to ask for passwords, and send a RespondToAuthChallenge() request etc.
Just to add to #andrewjj's answer. You might get back a challenge (NEW_PASSWORD_REQUIRED) as InitiateAuth response. It is when you are being asked to change passport on initial signin.
You can use Postman or curl command. This example expects Postman being used.
InitiateAuth - This step is same as #andrewjj
Add this to Body as raw values
{
"AuthParameters": {
"USERNAME": "youremail#example.com",
"PASSWORD": "temporary-password",
},
"AuthFlow": "USER_PASSWORD_AUTH",
"ClientId": "2s........................"
}
Set headers
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
Content-Type: application/x-amz-json-1.1
Send a request to https://cognito-idp.us-east-1.amazonaws.com/ You might have to change region.
If you receive this response then your are ok, otherwise continue with step 2.
{
"AuthenticationResult": {
"AccessToken": "eyJra........",
"ExpiresIn": 3600,
"IdToken": "eyJra........",
"RefreshToken": "eyJjd........",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
RespondToAuthChallenge - this is new step
In case you receive Challenge back like this one:
{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeParameters": {
"USER_ID_FOR_SRP": "1231-......",
"requiredAttributes": "[]",
"userAttributes": "{\"email_verified\":\"true\",\"email\":\"youremail#example.com\"}"
},
"Session": "Sfas......"
}
You need to set new password. Add this to Body as raw values
{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeResponses": {
"USERNAME": "youremail#example.com",
"NEW_PASSWORD": "newpassword"
},
"ClientId": "2s........................",
"Session": "Sfas......(use one from the InitiateAuth response)"
}
Set headers
X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge
Content-Type: application/x-amz-json-1.1
Send a request to https://cognito-idp.us-east-1.amazonaws.com/ You might have to change region.
Do step 1 again to receive tokens.
Sharing curl direct may help to anyone
curl -X POST --data #user-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.<just-replace-region>.amazonaws.com/
file json user-data.json
{"AuthParameters" : {"USERNAME" : "sadfsf", "PASSWORD" : "password"}, "AuthFlow" : "USER_PASSWORD_AUTH", "ClientId" : "csdfhripnv7sq027kktf75"}
make sure your app client does not contain app-secret or create new app without secret. also inside app enable USER_PASSWORD_AUTH
One of the developers from AWS Cognito team here.
To add to #md-abdul-munim's answer, we recommend using one of the client side SDKs. If you are building a REST API and then a front end which talks to those APIs, it is better to just integrate Cognito from your front end.
If you absolutely need to use Cognito from a back end, the authentication APIs will be available with our GA release. In our Cognito User Pools beta release authentication is only available through client SDKs.
From what you have discussed, I consider you are trying to do that from a web frontend. Cause, cognito is providing you the necessary backend support and it expects you to communicate(e.g. authenticate, sign up etc.) from a presentation layer- that's why you found SDK's for different mobile platforms. They also have SDK for web app- the access is available via their Javascript SDK.
Here's a detailed tutorial to achieve what you have asked from a web frontend using their JS SDK-
Accessing Your User Pools using the Amazon Cognito Identity SDK for JavaScript
I have a similar problem and was wondering how to integrate Cognito within an Elixir backend and found this library: https://github.com/aws-beam/aws-elixir
From what I can understand by reading its source code, they ultimately make a POST request that contains the header "X-Amz-Target": "AWSCognitoIdentityProviderService.#{name_of_api_action}" (this is here: https://github.com/aws-beam/aws-elixir/blob/master/lib/aws/cognito_identity_provider.ex#L564). That's without the authorization headers, they are added elsewhere, but I found it interesting. The functions that construct the request URL are following, so you should be able to get an idea of the endpoint that gets called.
I must say I tried following this article written in Japanese - https://qiita.com/yujikawa/items/e79929ed14277102f4b8, and couldn't manage to make it work, maybe because I was not sure what the proper AWS_ENDPOINT environment variable should be. I am currently thinking of trying out the Ruby SDK, from the looks of the documentation it seems fine. But, nonetheless, this information may still help someone.
Thank #andrewjj, your answer is a big help.
Here is additional info for someone who has trouble with client secret. You don't need to turn it off.
You need to generate a secret hash from username, clientId, client secret, as following:
message = bytes(username+app_client_id,'utf-8')
key= bytes(clientSecret,'utf-8')
secret_hash = base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode()
src: https://aws.amazon.com/premiumsupport/knowledge-center/cognito-unable-to-verify-secret-hash/
Then add the secret hash to your AuthParameters, as following:
{
"AuthParameters" : {
"USERNAME" : "...",
"PASSWORD" : "...",
"SECRET_HASH" : "..."
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "..."
}
I am trying to create a Web API that allows the API's clients (native mobile apps) to login using a 3rd party cloud storage provider. I'm using the following general flow from Microsoft:
Here is what I am trying to achieve:
I am using the default ASP.NET Web API Visual Studio template with external authentication, along with the OWin.Security.Providers Nuget package for Dropbox login functionality, and the existing built-in login functionality for Google (Drive) and Microsoft (OneDrive).
The issue I'm having is that the built-in functionality all seems to do the authentication and authorization as part of one flow. For example, if I set up the following in Startup.Auth.cs:
DropboxAuthenticationOptions dropboxAuthOptions = new DropboxAuthenticationOptions
{
AppKey = _dropboxAppKey,
AppSecret = _dropboxAppSecret
};
app.UseDropboxAuthentication(dropboxAuthOptions);
... and navigate to this url from my web browser:
http://<api_base_url>/api/Account/ExternalLogin?provider=Dropbox&response_type=token&client_id=self&redirect_uri=<api_base_url>
I am successfully redirected to Dropbox to login:
https://www.dropbox.com/1/oauth2/authorize?response_type=code&client_id=<id>&redirect_uri=<redirect_uri>
... and then after I grant access, am redirected back to:
http://<api_base_url>/Help#access_token=<access_token>&token_type=bearer&expires_in=1209600
... as you can see the token is part of that, so could be extracted. The problem is that the client needs to be the one navigating to Dropbox and returning the authorization code back up to the Web API, and the Web API would send the authorization code back to the third party to get the token which would then be returned to the client... as shown in the diagram above. I need the ExternalLogin action in the AccountController to somehow retrieve the Dropbox url and return that to the client (it would just be a json response), but I don't see a way to retrieve that (it just returns a ChallengeResult, and the actual Dropbox url is buried somewhere). Also, I think I need a way to separately request the token from the third party based on the authorization code.
This post seems a little similar to what I am trying to do:
Registering Web API 2 external logins from multiple API clients with OWIN Identity
... but the solution there seems to require the client to be an MVC application, which is not necessarily the case for me. I want to keep this as simple as possible on the client side, follow the flow from my diagram above, but also not reinvent the wheel (reuse as much as possible of what already exists in the OWIN/OAuth2 implementation). Ideally I don't want the client to have to reference any of the OWIN/OAuth libraries since all I really need the client to do is access an external url provided by the API (Dropbox in my example), have the user input their credentials and give permission, and send the resulting authorization code back up to the api.
Conceptually this doesn't sound that hard but I have no idea how to implement it and still use as much of the existing OAuth code as possible. Please help!
To be clear, the sample I mentioned in the link you posted CAN be used with any OAuth2 client, using any supported flow (implicit, code or custom). When communicating with your own authorization server, you can of course use the implicit flow if you want to use JS or mobile apps: you just have to build an authorization request using response_type=token and extract the access token from the URI fragment on the JS side.
http://localhost:55985/connect/authorize?client_id=myClient&redirect_uri=http%3a%2f%2flocalhost%3a56854%2f&response_type=token
For reference, here's the sample: https://github.com/aspnet-security/AspNet.Security.OpenIdConnect.Server/tree/dev/samples/Mvc/Mvc.Server
In case you'd prefer a simpler approach (that would involve no custom OAuth2 authorization server), here's another option using the OAuth2 bearer authentication middleware and implementing a custom IAuthenticationTokenProvider to manually validate the opaque token issued by Dropbox. Unlike the mentioned sample (that acts like an authorization proxy server between Dropbox and the MVC client app), the JS app is directly registered with Dropbox.
You'll have to make a request against the Dropbox profile endpoint (https://api.dropbox.com/1/account/info) with the received token to validate it and build an adequate ClaimsIdentity instance for each request received by your API. Here's a sample (but please don't use it as-is, it hasn't been tested):
public sealed class DropboxAccessTokenProvider : AuthenticationTokenProvider {
public override async Task ReceiveAsync(AuthenticationTokenReceiveContext context) {
using (var client = new HttpClient()) {
var request = new HttpRequestMessage(HttpMethod.Get, "https://api.dropbox.com/1/account/info");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.Token);
var response = await client.SendAsync(request);
if (response.StatusCode != HttpStatusCode.OK) {
return;
}
var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
var identity = new ClaimsIdentity("Dropbox");
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, payload.Value<string>("uid")));
context.SetTicket(new AuthenticationTicket(identity, new AuthenticationProperties()));
}
}
}
You can easily plug it via the AccessTokenProvider property:
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions {
AccessTokenProvider = new DropboxAccessTokenProvider()
});
It has its own downsides: it requires caching to avoid flooding the Dropbox endpoint and is not the right way to go if you want to accept tokens issued by different providers (e.g Dropbox, Microsoft, Google, Facebook).
Not to mention that if offers a very low security level: since you can't verify the audience of the access token (i.e the party the token was issued to), you can't ensure that the access token was issued to a client application you fully trust, which allows any third party developer to use his own Dropbox tokens with your API without having to request user's consent.
This is - obviously - a major security concern and that's why you SHOULD prefer the approach used in the linked sample. You can read more about confused deputy attacks on this thread: https://stackoverflow.com/a/17439317/542757.
Good luck, and don't hesitate if you still need help.
I'm just trying to make a little, simple application (that i already made two years ago in Objective-C with api V1) that presents a screen with time of event and description and a button : "insert event in your calendar".
Every user has, obviously, to configure the application with his google username and password.
The app simplifies some process using the first calendar available.
I had infinite problem trying to do it with javascript (this app will be made in html5), so, looking at docs, I ended up trying to make a back-end on my server in php5 (thought it could be easier...ohohoho).
So, i read docs from here : https://developers.google.com/google-apps/calendar/
What i did :
1)
Get to the Google Developers Console.
Created a project.
I now have this (not real keys):
OAuth 2.0
Client ID 352xxxyy9.apps.googleusercontent.com
Email address 3527xxxy#developer.gserviceaccount.com
Service Account
Client ID 3523xxxyy419-vpfgdfg9u77s0.apps.googleusercontent.com
Email address 35ssss9-zzzzsnhavna78ea0b9gvn6a9u77s0#developer.gserviceaccount.com
Public key fingerprints :ac15ddfxdffrtg5565fgfg545r
2)
I installed Google APIs Client Library for PHP (beta) in my server.
doc says:
Using the Google APIs Client Library for PHP requires that you download the PHP source. In the future, packages will be provided. Refer to the project page for more details.
Run the following commands to download and install the source: svn blaj blah blah.
I copied the entire source in my server. Easy :)
Then..
3) You can now import the classes you will need using the following statements:
require_once "../src/apiClient.php";
require_once "../src/contrib/apiCalendarService.php";
Ok, i'll insert them in my php script !
4)" Configure your app"
You must instantiate a client to make requests to the API. All requests to the Google Calendar API require authorization.
The following code demonstrates how to configure an authorized service object using OAuth 2.0 for native applications. For more information, see Authorize Requests.
To find your project's client ID and client secret, do the following:
Go to the Google Developers Console.
Select a project.
In the sidebar on the left, select APIs & auth. In the displayed list of APIs, make sure the Google Calendar API status is set to ON.
In the sidebar on the left, select Credentials.
Find the lines labeled Client ID and Client secret. Note that there may be a client ID without a client secret, for use with Compute Engine and App Engine; in that case, create a new client ID and client secret by selecting Create New Client ID.
Edit the src/config.php file to put in your developer API information.
global $apiConfig;
$apiConfig = array(
// Site name to show in Google's OAuth authentication screen
'site_name' => 'www.example.org',
// OAuth2 Setting, you can get these keys in Google Developers Console
'oauth2_client_id' => 'YOUR_CLIENT_ID',
'oauth2_client_secret' => 'YOUR_CLIENT_SECRET',
'oauth2_redirect_uri' => 'YOUR_REDIRECT_URL',
// The developer key; you get this from Google Developers Console
'developer_key' => 'YOUR_DEVELOPER_KEY',
...
// Which Authentication, Storage and HTTP IO classes to use.
'authClass' => 'apiOAuth2',
....
// Definition of service specific values like scopes, OAuth token URLs, etc
'services' => array(
'calendar' => array('scope' => 'https://www.googleapis.com/auth/calendar'),
)
);
But they are DIFFERENT from the key i have, what's wrong ????
What are client secrets ? redirect_url??
Please help.
I think you need to setup a service account access as described here:
https://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
I had difficulties to get it work as I made many trial and errors and my cache got filled with non-working token.
If ever you find yourself not able to access the calendar even after following all the steps, try to change this line of code:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key));
to this:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key, 'notasecret','http://oauth.net/grant_type/jwt/1.0/bearer',false,false));
The last false tells AssertionCredential class to not use any cache. I did it once and then it worked with it set to true afterward.
First go here https://console.developers.google.com/project that is where you configure your app...
Click on your project, then on the left side you will see APIs & Auth, click on Credentials. You will need to create your OAuth, and Public API Access keys.
Once you have done that you will then enter those into the appropriate client_id, secret, redirect etc.
The redirect uri is the same page your app is on, its the page the user gets sent back to after authorizing.
I had the same problem.
On this page, when you click on the Create new Client Id, choose Web application and it shoudl give you the client secret key as well.
https://console.developers.google.com/project
Add a project etc.
Hope it helps
I am trying to build an app with Meteor that involves the user signing in with twitter, facebook, or google+, and then posting to those accounts from within the application.
First I'm trying to get twitter to work. I have my twitter sign in working, with the permission to tweet on their behalf working, but how to I actually send a tweet?
I think I need this: https://dev.twitter.com/docs/api/1.1/post/statuses/update but I can't figure out how the authentication works with Meteor.
Are there any examples that can help me here? Or tutorials?
You need an API to help you a bit unless you want to do it manually using REST with Meteor.http. I'd recommend you get meteorite: https://github.com/oortcloud/meteorite
Its installed like a node module via npm install -g meteorite
Meteorite is a wrapper for meteor that lets you use the community packages over at http://atmosphere.meteor.com
The twitter package you could use is twitter-api installed via mrt add twitter-api : https://github.com/Sewdn/meteor-twitter-api
Once added using the server api you can add a tweet via:
Server JS
var twitter = new Twitter();
Meteor.methods({
postTweet: function (text) {
if(Meteor.user())
twitter.postTweet(text),
return true;
}
});
Client JS
//Use this in your click handler where you want to post a tweet:
Meteor.call("postTweet", "This is Twweeeeeetttt!", function(err,result) {
if(!err) {
alert("Tweet posted");
}
});
The api takes care of the user's oauth tokens so you don't have to worry too much