How to identify a user during Basecamp oauth api authorization? - api

So here's my scenario. My user wants to integrate my app with basecamp. They click a link like: http://myapp.com/api/basecamp/enable/abc123xyz. The abc123xyz in this case is the users id. So my app then redirects to Basecamp to start the OAuth Process.
Once the user agrees to allow access, Basecamp redirects back to something like http://myapp.com/api/basecamp/complete?code=123456. At this point the "chain" to the user is broken, so I don't know what user this code is for. I tried using a redirect url of http://myapp.com/api/basecamp/complete/abc123xyz however basecamp rejects this URL as invalid, I'm assuming this is due to the redirect uri provided in the request not matching my registered app redirect url.
Any idea how I can pass something to github that they will pass back to me so I can associate the access token with the user requesting it be enabled? Github allows for a state property to be sent during oauth requests that are tied to a user and sent back with their requests so the user can be looked up in between request. Thanks!

So, after actually reading the docs, basecamp does support the state parameter, and with this my problem is solved.

Related

expo-auth-session, how to get redirected to the app, when not using a local redirectUri

I'm trying to make an authentication functionality in my app, so when I press the login button, a web browser opens and I get to verify my account, and then I get a token in the URL, the problem is that in order for me to get redirected to my app, I need to make the redirect_uri as so AuthSession.makeRedirectUri( 'gecond://' )
but the website from where I'm getting my authentication doesn't allow this type of redirect_uri ( this is the URI that's being used: "https://preprod.autenticacao.gov.pt/oauth/askauthorization?redirect_uri=exp%3A%2F%2F192.168.2.26%3A19000&client_id=123456789&response_type=token&state=UOgf2pE6S0"),
it only allows a specific redirect_uri (like so "https://preprod.autenticacao.gov.pt/oauth/askauthorization?redirect_uri='https://preprod.autenticacao.gov.pt/OAuth/Authorized'&client_id=123456789&response_type=token&state=UOgf2pE6S0"), but when I use this URI, I do manage to get an access token in the URL of the page, but I'm not redirected back to my app.
I'm fairly new to this type of topic, so I might be missing a few steps.
I'm quite sure you misread the documentation. The reply URL is where you add you application's page where the user is redirected after login.
The URL you used is the example URL from the documentation.
Please check the official documentation.

Spotify API authentication doesn't redirect with access token

I'm using the Spotipy library, which uses the Spotify API. When I attempt to get my access token using the 'Authorization Code Flow', I get sent to a spotify web page that asks for me authenticate the access of the app to my user's data. When I click the Okay button, that's supposed to redirect me to my redirect_uri with the access token, it simply does nothing. I get no error message or anything. When I click the Cancel button, I do get redirected to my redirect_uri page, but I don't receive the access token. Is this a bug with the API? Am I doing anything wrong?
I added the redirect_uri to the whitelist of redirect pages in my app's page by the way.
The answer for this for future readers: Make sure your redirect_uri is EXACTLY the same as the one you have saved in the developer dashboard, right down to the http and the trailing slash.

Instragram - Redirect URI dose not match with registered - Objective C

I am getting error while Login with oAuth for Instagram, it says the redirectURI is wrong. I have researched on it and I have checked many answers on stackoverflow but its not helpful for me.
Here is the complete detail of what I did in my application.
1) I set my ClientId in pList for redirect URI :
2) I have added ig and authorize while creating the URI:
3)Now, I set ClientID in Instragram API :
And Here is my RedirectURI :
https://instagram.com/oauth/authorize?response_type=token&redirect_uri=igdd5fb08a33444af0b2b9c9420e69bc35%3A%2F%2Fauthorize&scope=relationships&client_id=dd5fb08a33444af0b2b9c9420e69bc35
When I fire the URl after login, it gives me the following error:
Can anyone help to find out where I am going wrong ?
Thanks,
The redirect URI you're providing is not what you have defined in your client settings.
1) Go to http://instagram.com/developer/clients/manage/
2) For your desired client/application, look for REDIRECT URI.
3) Make sure you provide the same redirect uri in your request as it is defined in your client/application settings. In your case, https://api.instagram.com/oauth/authorize/?response_type=token&redirect_uri=REDIRECT-URI&client_id=CLIENT-ID
Note: You may provide an optional scope parameter to request additional permissions outside of the “basic” permissions scope.
Note: You may provide an optional state parameter to carry through any server-specific state you need to, for example, protect against CSRF issues.
At this point, we present the user with a login screen and then a confirmation screen where they approve your app’s access to his/her Instagram data.
4) Once a user successfully authenticates and authorizes your application, instagram will redirect the user to your redirect_uri with a code parameter that you’ll use to request the access_token like http://your-redirect-uri?code=CODE.
For more information to learn about authentication process [Link]
tl;dr. The Redirect URI you send to /authorized must be same as the registered URI in your app.

Instagram API - Redirect url

I have a plugin that need some instagram infos of my application.
This plugin just show photo feed.
I have created the application on the instagram developers and get my client id, but, what's the redirect url? I put my website link because i really don't understand what is that.
What i need is:
id: 'MY PROFILE ID',
redirectUrl: 'http://www.kyriosfestival.com.br',
clientId: 'MY CLIENT ID FROM MY APPLICATION',
accessToken: 'GENERATED FROM INTERNET'
And it's not working.
I have used a access token generated from internet, and i don't know if is this the problem.
What is the real form to use that?
Anyone?
Thanks!
Must be late, but will post an answer, so that maybe it will help anyone some day.
For all your Instagram API calls, you need to receive a valid access token.
You can get one by implementing authentication (client-side or server-side), full guide can be found here.
So for example, if you choose to go with client-side authentication,
you should direct a user to authentication URL, which will looks like this:
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=token
After that, user will be redirected to your redirect page (REDIRECT-URI). This REDIRECT-URI should match the URL you have specified in Manage Clients section.
After the redirect happens, you will get the access token in the URL of the page you've been redirected to.
http://your-redirect-uri#access_token=ACCESS-TOKEN
You can then extract your ACCESS-TOKEN from url and start making API calls.

Auto login user to third party site without showing a password to him

Background
We are integrating third party email solution into our site. When a user goes to the Mail page it must be automatically authenticated at the Mail site.
For now, the Mail link points to our page which automatically submits a form with the user's login and password. After clicking submit the user is redirected to the Mail site with authentication cookie.
The problem with this approach is that we do not want the user to see his Mail password, because we generate it automatically for him and there are some sane reasons not to show it.
Question
Is there any way to receive mail authentication cookies without sending the login information to the client and performing form.submit operation from the client's browser? Is there a better way to do what I'm trying to do?
Edit
Of course "I am trying to do it programatically". Looks like that there are no sane solution except pass these login/password to the client. Looks like we must accept that user can see his mail password and somehow make sure he cannot use this information to change password to some other value we will not know.
Edit: I didn't read the post correctly, I thought he was trying to login to a remote mail application, not one hosted on his own server. Ignore this answer.
When you login to the remote third party mail website, they will create a cookie (since HTTP is stateless, it's the only way it knows the user is authenticated unless they store some kind of session ID in the url). When you send the user to that site, the site needs to know how to authenticate the user. Even if you logged in from your application and grabbed the cookie, you can set a cookie on the users browser for another website. The only way for this to work is if there is some kind of development API on the third parties website you can hook into, or they allow you to use session id's in the URL.
Possible solution but has a security risk
If they allow you to set a session_id in the URL (for instance, PHPSESSID in PHP) then you could grab the session ID and append it to the URL when sending it to the user. I don't really like this idea since if the user clicks on a link in an e-mail, the new page will be able to check the referrer and see their session ID in the URL. This can become a huge security risk.
Lookup topics related to your mail vendor and "Pass-through Authentication." You did not mention what vendor/software you are using for your web mail solution, so I can't help you very much there. Other than forwarding the user's information (in a post request) to the login handler.
Generate unique IDs before sending an email and put them as hidden instead of username/password into form. Make them disposable (usable only once or usable once before successful entering the site)