Ok i have a project where i need to build a api oauth and to be honest i am completely lost and confused and really in need of some advice to help me get started.
The service i have allows users to create apps which will then generate two keys and store them into a database.
My database has table called apps with 4 fields.
name (VARCHAR 250)
description (TEXT)
key (VARCHAR 250)
secret (VARCHAR 250)
So the user create a app like below.
name = 'myapp';
description = 'Access to my api';
key = '5788334367';
secret = '91708741625783470472';
Now here is the part where i am completely lost building the api with oauth. I want to use https://github.com/chriskacerguis/codeigniter-restserver as i have work with it before to build a api but it was a open api only running get requests and just for me a single user so no apps.
Correct me if i am wrong, oauth is just a framework that you will include like any other library where do i find a oauth library that fit with codeigniter.
I found this which explains the process quite well and has helped http://knpuniversity.com/screencast/oauth but like everything only helps me so far.
The process i have for the api (i think).
When i am a user using my api, they will send of the key and secret to my api.
My api takes the two keys via a oauth endpoint from my codeigniter oauth library via post method checks them against the database and sends a token back which my user can then access the api with.
Just really trying to get started my process please help.
Install codeigniter
Include codeigniters rest api library
Install a oauth library
Setup a function within the oauth library to check my users app keys against the database to check they are valid and return a token
Start to build out the api with endpoints and calls like /api/list_files
My users can then use other frameworks to access my api.
Would love some help to get me of the ground i am completely new to building a full oauth api.
Thanks
Related
I try to migrate from eBay Finding API to Browse API. My technical setting is quiet easy:
A Server searches the Browse API to find products by a keyword. Thats it.
Does anybody know if I need to implement OAuth, a redirection page for eBay-Users to log in etc.? I don't need all those features..
Thanks!
You can use the browse API with the client credential flow that mints the Application access token.
Application tokens are general-use tokens that give access to interfaces that return application data. For example, many GET requests require only an Application token for authorization.
See Documentation
The client credential flow does not require a User to Login via eBay and the redirect etc. However, you can only use the "GET" methods like getItem, getItemByLegacyId or search for example.
If you using NodeJs or Browser you can checkout the "Get Item" example here. (The library will get the Application access token automatically and return the result.)
I am trying to make a post call in Exact Online REST API. I'm trying to create a SalesInvoiceLine. I can perfectly do a GET call via my browser. I am logged in in Exact Online so I don't need authentication since this should be passed via a cookie. I tried POST via a browser. The browser prompts me to login, when I do nothing happens. I've also tried this in Postman:
I am 100% certain these initials are correct, I can login with them in Exact Online. What am I doing wrong?
If this is not the way, how can I post data to Exact Online? There are not that many concrete examples to find online.
You can't log on to the Exact Online REST API with Basic authentication, the mode you are using now.
The web service uses OAuth as authentication mechanism, meaning you have to acquire a token first. The steps to do so are outlined in the official documentation.
It will need some work on your end to register an app, get the flow up and running. Depending on your business needs, you might be helped with one of the apps for Exact Online by the company I work for.
You need to retrieve the CurrentDivision through GET Request https://{Base Uri}/api/v1/current/Me only from OAuth then you need to assign
CurrentDivision to whatever may be the API call .../api/v1/{CurrentDivision}/../....
Without authorization by Auth 2.0, neither is impossible.
To authorize the ExactOnline API calls you have to do the following:
Register the app in the developer portal. Bear in mind that you have to do a separate registration for French, UK or Dutch version of ExactOnline (this is indeed a pain).
In case you want your application to be used by other accounts than yours, you have to submit the app for validation, this usually takes 2-3 weeks.
EO uses standard OAuth 2.0 schema (very similar to what Google is using with their services). You have to use endpoint GET /api/oauth2/auth for building an authorization link and endpoint POST /api/oauth2/token for obtaining both access and refresh tokens.
Please bear in mind that many Auth 2.0 services are proving long-lasting refresh token. This is not the case of EO. The refresh token is invalidated every time when the access token is requested (endpoint POST /api/oauth2/token). With access token new refresh token is supplied, so make sure you update you refresh token as well.
The access token is placed in HTTP header as "Authorization: Bearer {{ACCESS_TOKEN}}"
In case you want to automate the EO API calls and do not want to code anything on your own, you can try one of the pre-build Exact Online API connectors, created by the company I work for.
all,
I need a little bit of guidance here. I have a Polymer frontend that handles Google oAuth to allow the user in the app. The front end captures the user's email address from oAuth and uses that for GET requests to a Flask API that I built on the backend. I did not build authentication into my Flask API because I didn't think I needed to since I have Polymer as the gatekeeper. I realized though that folks can see the source code and retried the API URL to use if they wanted to capture other user's data.
I am looking for guidance on how I can lock down the API backend given I am only using Google oAuth on the front end.
Thank you,
Marcos
I am not sure if this is the correct answer, but I will post my result anyway. If wrong, send feedback. I am going to have my frontend send the user's access token from the auth process in the header with every API call. My backend API will take that access token and use it to query the Google API to find what email address the token was created by. If the email matches the email the API call is requesting data for, data will be returned. If not, it will return an error.
I'm just trying to make a little, simple application (that i already made two years ago in Objective-C with api V1) that presents a screen with time of event and description and a button : "insert event in your calendar".
Every user has, obviously, to configure the application with his google username and password.
The app simplifies some process using the first calendar available.
I had infinite problem trying to do it with javascript (this app will be made in html5), so, looking at docs, I ended up trying to make a back-end on my server in php5 (thought it could be easier...ohohoho).
So, i read docs from here : https://developers.google.com/google-apps/calendar/
What i did :
1)
Get to the Google Developers Console.
Created a project.
I now have this (not real keys):
OAuth 2.0
Client ID 352xxxyy9.apps.googleusercontent.com
Email address 3527xxxy#developer.gserviceaccount.com
Service Account
Client ID 3523xxxyy419-vpfgdfg9u77s0.apps.googleusercontent.com
Email address 35ssss9-zzzzsnhavna78ea0b9gvn6a9u77s0#developer.gserviceaccount.com
Public key fingerprints :ac15ddfxdffrtg5565fgfg545r
2)
I installed Google APIs Client Library for PHP (beta) in my server.
doc says:
Using the Google APIs Client Library for PHP requires that you download the PHP source. In the future, packages will be provided. Refer to the project page for more details.
Run the following commands to download and install the source: svn blaj blah blah.
I copied the entire source in my server. Easy :)
Then..
3) You can now import the classes you will need using the following statements:
require_once "../src/apiClient.php";
require_once "../src/contrib/apiCalendarService.php";
Ok, i'll insert them in my php script !
4)" Configure your app"
You must instantiate a client to make requests to the API. All requests to the Google Calendar API require authorization.
The following code demonstrates how to configure an authorized service object using OAuth 2.0 for native applications. For more information, see Authorize Requests.
To find your project's client ID and client secret, do the following:
Go to the Google Developers Console.
Select a project.
In the sidebar on the left, select APIs & auth. In the displayed list of APIs, make sure the Google Calendar API status is set to ON.
In the sidebar on the left, select Credentials.
Find the lines labeled Client ID and Client secret. Note that there may be a client ID without a client secret, for use with Compute Engine and App Engine; in that case, create a new client ID and client secret by selecting Create New Client ID.
Edit the src/config.php file to put in your developer API information.
global $apiConfig;
$apiConfig = array(
// Site name to show in Google's OAuth authentication screen
'site_name' => 'www.example.org',
// OAuth2 Setting, you can get these keys in Google Developers Console
'oauth2_client_id' => 'YOUR_CLIENT_ID',
'oauth2_client_secret' => 'YOUR_CLIENT_SECRET',
'oauth2_redirect_uri' => 'YOUR_REDIRECT_URL',
// The developer key; you get this from Google Developers Console
'developer_key' => 'YOUR_DEVELOPER_KEY',
...
// Which Authentication, Storage and HTTP IO classes to use.
'authClass' => 'apiOAuth2',
....
// Definition of service specific values like scopes, OAuth token URLs, etc
'services' => array(
'calendar' => array('scope' => 'https://www.googleapis.com/auth/calendar'),
)
);
But they are DIFFERENT from the key i have, what's wrong ????
What are client secrets ? redirect_url??
Please help.
I think you need to setup a service account access as described here:
https://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
I had difficulties to get it work as I made many trial and errors and my cache got filled with non-working token.
If ever you find yourself not able to access the calendar even after following all the steps, try to change this line of code:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key));
to this:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key, 'notasecret','http://oauth.net/grant_type/jwt/1.0/bearer',false,false));
The last false tells AssertionCredential class to not use any cache. I did it once and then it worked with it set to true afterward.
First go here https://console.developers.google.com/project that is where you configure your app...
Click on your project, then on the left side you will see APIs & Auth, click on Credentials. You will need to create your OAuth, and Public API Access keys.
Once you have done that you will then enter those into the appropriate client_id, secret, redirect etc.
The redirect uri is the same page your app is on, its the page the user gets sent back to after authorizing.
I had the same problem.
On this page, when you click on the Create new Client Id, choose Web application and it shoudl give you the client secret key as well.
https://console.developers.google.com/project
Add a project etc.
Hope it helps
Recently I started coding a Google Maps service integration. I went ahead and generated an API Key associated with my business email account on bronze level. When I use the service sans API Key everything works swimmingly.
If I use the API Key parameter, with my API key generated in my developer console I get the error message:
This API project is not authorized to use this API.
The URL used to access maps is below:
https://maps.googleapis.com/maps/api/distancematrix/xml?origins={origin_address}&destinations={destination_addresses}&mode=driving&language=en-US&sensor=false&key={APIKey}
How does one get the API Key to be authorized for v3 Maps JavaScript API. I am making the call as a raw post in the ASPX code behind to that address. It seems to me this used to work fine when I first started all this, now today all of the sudden I'm getting this error.
I need this to work since I will also be using places and that service seems to only work with the API Key. I would like to be able to have the key configured once and be done with it.
You'll need to enable each API you want to use.
The maps-javascript-API is one API, the DistanceMatrix-API(Webservice) another.
Go to the developer-console->API's and enable the Distance Matrix API
Note: this is only related to the DistanceMatrix-Webservice, when you use the DistanceMatrix-Service of the Javascript-API you don't need to enable this service.