I have attempted to use SDK to do cross site authentications: get code and then on the server side obtain a token for that code, but I am not sure that is implemented/working yet using Google+ sign in. Can anyone confirm that this is the case?
Since I could not get that to work I attempted to do the same using Web server applications method. But still have some problems questions that need clarification.
I have 2 entries for client ids:
Client ID for web application
Client ID for iOS application
I assumed that I would request a code on iOS, usine Client ID for iOS and than pass it to the server which in turn will request token. But I think that would not work because code is issued for a different client.
Do I request code and then token for web application on iOS and then pass that token to my server?
What is the correct way of doing this?
The only way I was able to get this to work as of today is through the use of webview, using web application id and redirect mechanism to authenticate my server. And handle authentication on the server sending response back to the client app on ios again through web view response mechanism. Will have to live with this for now, more work but not sure there is anyway around it at this time.
This is now supported by Google Plus Button functionality. Instructions are at Google+ Platform for iOS
Related
This question already has answers here:
How do I authorise an app (web or installed) without user intervention?
(2 answers)
Closed 5 years ago.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground). It's an app to be run only for my account, in headless mode, on a trusted machine, to manage my cluster.
NOTE: must not require any proprietary software installations (e.g. the Google SDK).
Google provides an API Client Library for Java, which itself depends on an OAuth client library.
For the project of 9Cards launcher for Android, within the back-end, we had to use this library to fetch applications usage statistics from Google Analytics. In our code, because it is a case of "server to server" authentication, we use a Service Account's credentials. The code issues a request from Google a short-lived OAuth2 Auth Token. The library may provide similar features if you use a Client-ID and Client-Secret.
Regarding the issue of licenses, the library is published under Apache License v2, so in that regard it is not too proprietary.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
Good start. I guess by "the JSON API endpoints" you mean the Google APIS. Make sure you created OAuth Client IDs and not one of the other options.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
Yes the OAuth Playground will do that for you. The detailed steps and sample code to consume the token is at How do I authorise an app (web or installed) without user intervention? (canonical ?)
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground).
Follow the steps linked to above and you will see that you don't need to write any code at all. Once you have the refresh token (a one time procedure), you're all set. I exaggerate slightly, you do need one line of code to post the refresh token to the Google Oauth endpoint to fetch an access token. See the bottom of the linked answer for an example. Or you could just compose a curl to do it from the command line and put the Access Token into an environment variable.
I just wanted to avoid the whole thing and get a code printed on the screen
A bit like https://youtu.be/hfWe1gPCnzc?t=198
I was trying to integrate the Trello authentication flow for a server side application (using Java).
Now If I do the OAuth dance manually I'm able to get the OAuth access token and I can make API calls (so far so good).
BUT when using in production the callback POST to my server does not carry the oauth_token and oauth_verifier or code query string parameters ... instead it delivers the token as a URL fragment
http://example.com/rest/callback#token=32849234
This is useless for a server side application as fragments are omitted by the browser and are never recieved on the backend side.
So I'm not able to perform the last step - getting the access token!
Now is there a way to get the OAuth callback to call my server the correct way (as specified), the two provided options postMessage and fragment will not work for a server side implementation.
I have read:
https://developers.trello.com/authorize
https://trello.com/c/fD8ErOzA/26-getting-a-user-token-and-oauth-urls
and it seems other developers have similar issues.
Now I can make the user copy past the verification code manually ... but this is not user friendly.
This questions does not pertain to a specific OS (iOS, Android, WP8), but is about programming in general.
I have an app on a mobile device, that requests information from my web server. I want to ensure that my server returns data only to MY app, and not to third party apps.
Here is what I have so far:
Solution: Have the app encrypt the requested data, and use a nonce and timestamp to prevent replay attacks. Connect to the server using HTTPS, to prevent eavesdropping on the returned data.
Problem: The encryption key used by the app will have to be stored in the app, which presents a problem itself, since it can be extracted from the app.
How have other people solved this problem?
I've been trying to integrate my application (ruby) with a Google AppScript (published as a Web Application with access level as 'only me') on behalf of a Google Apps account for quite some time, but I can't get a handle of it. Maybe I'm missing a key concept here or that sort of authentication/authorization isn't available when making requests in the background.
The script works fine when I'm logged in to gmail and access the script endpoint. I can also successfully connect to it using a sinatra application authenticated with openid.
I've already tried to use google-api-ruby-client, but I can't get the authorization scope right (service name). I've also tried clientlogin in gdata-ruby-util, to use Gmail login/password and get an authorization error message when trying to fetch from the script url.
Is it doable? Can anyone point me in the right direction?
Unfortunately, Contentservice in Apps Script (which I think you are using to create your webservice) doesn't provide any authentication mechanism. If you are accessing it from a server side script, you can use a token string which is known by your webservice app and your server to provide a level of security to your publicly accessible webservice.
Here are some similar discussion
How to use Google Apps Script ContentService as a REST server
Google App Script: ContentService web app usage
I'm trying to figure out, how to use OAuth 2.0 to access Google APIs from my web app. The problem is, that the protocol require developer to register redirect_uri (URL of page receiving access token). But my application can be distributed to many customers and can be hosted on endless number of servers. There is no way to know redirect_uri beforehand.
Google offers another option for installed applications, but I cannot use this variant neither. Auth server returns access code in window title and this information cannot be accessed from javascript of our page (JS cannot access content of window opened using window.open(); if that content comes from different server).
To conclude:
Cannot use method for web applications, because I don't know all URLs where will our app run in the future.
Cannot use method for installed applications, because window title is not accessible from our JavaScript code.
Is there any recommendation, how to use Google's OAuth 2.0 from distributable web application running on a lots of servers? Thank you.
Are you sure you cannot access the window title? If your app is opening the window, it should be able to access it. It should be possible to do this in a similar way you would do it in a mobile app.
If all attempts fail, you could set up a proxy server (that has a known redirect URI) and hands out the Google tokens to all your clients. Or better each of the apps could have its own proxy server - the server it was downloaded from. But then if each OAuth client can only have one redirect URI, each app would have to be a separate OAuth client.