Using oauth2 in an iframe application - google-oauth

I have a web application that uses google & facebook oauth2 to authorize the users.
But, the application can also be hosted in other sites in a frame.
The problem is that in that case google blocks the login phase (since it's in a frame), is there a way to overcome it?

I don't think so. If possible stay away from embedding other site with frames.

You could contrive something where your client makes an ajax call to your server. If your server send the login redirect, your client can use the 302 location to open a popup window. You will of course need to make sure the user isn't blocking popups.

Related

Browserless Authentication using the Web API

I am trying to authenticate a user inside a desktop application using the web api. I am not using a browser, I am using straight up GET and PUSH calls to the endpoints of the Spotify servers. Immediately I ran into some problems. It appears that upon the initial GET command to "accounts.spotify.com", the returned response includes HTML with a javascript function that runs and is responsible for dynamically generating HTML that you see on the initial login page. If you look at the Javascript function, it is clear that this is what is going on, however, you can also see this code is obfuscated and not meant to be used by us, the developers! (Link to Javascript code here for reference: Javascript function)
So my question is, while I can probably reverse engineer the code to get this working, would this be against the Spotify developer TOS?
Thanks!
Spotify's authentication happens through oauth, and a big part of user authentication as per the oauth rfc is where the user delegates permissions to your app to carry out API calls that affect their account, or return information about them. That's the web page you're seeing - it must be presented to your users so that they can delegate permissions so that Spotify can give your app an access token. It doesn't necessarily need to happen in a browser - it can happen in a web view inside your desktop application - but it does need to be loaded over https, and your application must not alter or reverse engineer the Spotify permissions delegations page.
As you correctly guessed, reverse engineering any Spotify APIs is against terms of service.
For more information on authorization on the Spotify platform, I'd recommend having a look at this guide.
Hope that helps! Please ping me if you have any more questions.
Hugh
Spotify Developer Support

Google OAuth: custom scheme for desktop app

I'm trying to authenticate a desktop application with OAuth. I already asked a question, but I deleted it as I discovered that the method was obsolete (integrated web view).
The idea is to open the browser and then have the page call back my application with a custom:// URI scheme.
Of course it doesn't work, Google asks that the scheme contains a dot (like com.org.myapp), but the native app can only have a fmp:// uri scheme, which I can't change.
The documentation doesn't mention anything, and I can't create a local temporary server.
1- Can I use the fmp:// scheme as a callback in any way?
2- If not, is it possible to redirect the call to another centralised web server? Everything I try generates a 400 error on the google page, saying "redirect_uri_mismatch" or similar stuff.
As stated in the comments above, the only solution is to create an intermediate web server that serves a page which then opens the URL. OR creates a record in the database with the authentication code.

Foursquare authorization without losing context on a website

I am adding the ability for a user to link their foursquare account with their account on my website. Foursquare's oauth account authorization takes the user to foursquare's website, and after authorizing my website it redirects the user back to a url.
I want to avoid breaking the user's context on my website when they decide to add foursquare functionality to their account, so I'm planning on doing foursquare's account authorization in a new window using
var foursquare_popup = window.open("foursquare_url_to_authenticate_user");
and redirecting the popup to a static success page once the authorization has been completed.
I've seen oauth popups done in a couple places like Wired's tweet button.
Is this a good way to handle oauth with things like twitter/facebook/foursquare?
i would recommend against opening a popup window as part of the oauth signin process, purely because some browsers do not support popup windows - particularly browsers on mobile phones. also, the browser may support popups but the user may have a popup blocker turned on.
a better way would be to redirect the user from your website to the service provider all in the same window.
i am currently working on a way to do this with an invisible iframe on the page of my website. this way, if the user is already logged in to the service provider then they would not need to be directed away from my website. however, i am half way through this functionality so i cannot confirm that it will work yet.
You can specify display=webpopup if you want to use a pop-up window (see https://developer.foursquare.com/overview/auth#display).
Also, you can specify additional parameters in your callback URL, which will be preserved by the oauth flow. So if you passed "&state=settings/accounts" or something as parameter of your redirect_uri, you can parse it out upon success and resume your session with the user appropriately.

Retrieving Page from HTTPS Website

I am registered user of a website that provides stock quotes values and I want to create a desktop application where in I will display the stock updates of a specific quotes.
For that, I need to parse a web page which is visible only when I login to the website. If I try to access that page, without logging in, it redirects me to the login page.
The Website does not provide any API for developing such a client application. Is there any way I can login to the website using the desktop client and thus access the required web page?
Regards,
TheLameProgrammer
You'll need to first do a HTTP POST to the login page, store the cookies that come back, then pass these along with any furture request you make.
Same as the browser does.
Hopefully this question is in earnest and not spam but the answer is no

Facebook RESTful API require_login() callback

I'm trying to authenticate a user through the RESTful API (not Connect) but I can't since the callback system does not work for me. I have a local app that creates the Facebook API object with my key and secret, then calls the Facebook API require_login() method; I am sent to Facebook login, I login, and then I am sent to http://www.facebook.com/login.php?auth_token=<...>, where there's another login with just a field for password (not username), I write it again, and after that I am redirected to normal Facebook home. What am I doing wrong? I have set the callback URL in the Facebook app proprieties. Does it have anything to do with the fact that it's localhost?
Thanks!
Yes, if you tell facebook to go to localhost, it has no way of knowing where to go. Is your app fbml or iframe? If iframe I'm guessing there's a remote chance that localhost would actually work since the frame loads and then your browser can find localhost. I'm not sure of that, I wouldn't bother trying. But if it's fbml, Facebook needs to be able to hit your server. Give it your external IP instead.
I managed to make the redirect in the end. It appears the "Canvas Callback URL" is what I needed to set, and not the Authentication one.