Facebook's guide on authenticating with the javascript SDK says:
"The Facebook SDK for JavaScript automatically handles access token storage and tracking of login status, so apps using it do not need to create their own mechanisms for doing so, and can proceed to making API calls."
Most of my code will be server-side PHP, but I plan on using this Javascript SDK for authentication. Ideally, I'd like my users to log in as little as possible. From what I understand, that means that once I get a token I should convert it to a long-lived token and store that token in my database for calls over the next 59 days. At that point, I should renew the token before it expires and repeat until the user de-authorizes my application.
I don't understand how I can take advantage of the fact that Facebook is keeping track of my tokens for me. Won't I need the token to make calls using the PHP SDK? If not- what's the difference between PHP calls with PHP authentication and PHP calls with JS authentication? If so- how do I get the token when Facebook says they're keeping track of things for me?
Related
I'm building my authentication manually using Auth0 API's since there is no SDK for SvelteKit at the time I'm writing this question.
So far I managed to get an Access Token, send it in a cookie to the browser and send it back at every request for a check using the Auth0 API for user profiles before passing the request to an endpoint.
The problem is the lack of speed. It takes about 1s to navigate from one page to another in the browser.
I don't think I can keep Access Tokens in memory server-side (due to the nature of SvelteKit) but I want to keep things simple.
Is there an alternative to Auth0 with a faster API?
When reading the doc of google oauth API, I found that it does not offer refresh token to Javascript (JS) web app, as mentioned in below link. It says "Refresh tokens are not typically used in client-side (JavaScript) web applications."
https://developers.google.com/identity/protocols/oauth2/web-server
However in the following page it offers the refresh token (as well as client secret) to native app. Seems strange that both JS web app and native app are not confidential. Shoudn't it also not to offer refresh token and client secret to native app?
https://developers.google.com/identity/protocols/oauth2/native-app
Thanks
A refresh token in a client sided application where anyone could view source and see the refresh token and client id and client secret. This would mean that anyone could then create a new access token to access the data.
If I understand what you mean by native apps they are run on a users machine and there by the only one in theory who would be accessing that machine would be the user who is accessing their own data. Native apps can also better protect the various secrets from both the user and other apps. So while it is still an exposure risk - the risk is significantly lower.
Use a server side web language if you want a refresh token.
I am building a speech to text application for browser. Right now I am recording and sending the voice from frontend to backend, from backend calling the google api for converstion. Now the problem is processing time is high.
what I need is to call the google api from frontend itself. problem with this step is api key is getting exposed to user and leads to security issue.
So can I generate a session based auth token for speech to text api, which will be valid for client for some duration of time. any tutorial link will also do.
Just about everything Google creates supports OAuth 2.0. Text to Speech certainly does.
Authenticating is easy. Here is a link on how to use OAuth 2.0 with Google APIs.
Using OAuth 2.0 to Access Google APIs
Here is link on how to integrate Google Sign-In to your Web App:
Add Google Sign-In to Your Web App
And a link for adding OAuth 2 to your backend server in PHP:
Using OAuth 2.0 for Web Server Applications
I would use Google Accounts to start. Google Sign-In makes this easy to implement for the client. Either implement OAuth 2.0 on the backend (recommended) or on the client.
Once you complete the OAuth 2 flow, you will have a token that consists of an Access Token, Refresh Token and Client ID Token. You will use the Access Token to authorize API calls. You will use the Refresh Token to refresh the Access Token as it expires every 60 minutes. The Client ID Token will provide you with their identity information.
This question already has answers here:
How do I authorise an app (web or installed) without user intervention?
(2 answers)
Closed 5 years ago.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground). It's an app to be run only for my account, in headless mode, on a trusted machine, to manage my cluster.
NOTE: must not require any proprietary software installations (e.g. the Google SDK).
Google provides an API Client Library for Java, which itself depends on an OAuth client library.
For the project of 9Cards launcher for Android, within the back-end, we had to use this library to fetch applications usage statistics from Google Analytics. In our code, because it is a case of "server to server" authentication, we use a Service Account's credentials. The code issues a request from Google a short-lived OAuth2 Auth Token. The library may provide similar features if you use a Client-ID and Client-Secret.
Regarding the issue of licenses, the library is published under Apache License v2, so in that regard it is not too proprietary.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
Good start. I guess by "the JSON API endpoints" you mean the Google APIS. Make sure you created OAuth Client IDs and not one of the other options.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
Yes the OAuth Playground will do that for you. The detailed steps and sample code to consume the token is at How do I authorise an app (web or installed) without user intervention? (canonical ?)
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground).
Follow the steps linked to above and you will see that you don't need to write any code at all. Once you have the refresh token (a one time procedure), you're all set. I exaggerate slightly, you do need one line of code to post the refresh token to the Google Oauth endpoint to fetch an access token. See the bottom of the linked answer for an example. Or you could just compose a curl to do it from the command line and put the Access Token into an environment variable.
I just wanted to avoid the whole thing and get a code printed on the screen
A bit like https://youtu.be/hfWe1gPCnzc?t=198
I've an ETL tool that is capable of making REST API calls against the Yammer network and retrieving data for analysis. Currently, how I make Yammer REST API calls is through an App that I've created. I then generated the authentication token and then used this token in the REST API calls to get at the data.
What I'd really like to do now is to provide an app that allows me to call the REST API (using the same ETL tool) without the person installing the app to have to go through the rigmarole of generating the auth token.
I suppose one approach could be to use some JavaScript that displayed the token to the user so that they could then pass it on to us... Do you folks have any other suggestions as to how I might do this?
There isn't a recommended way to skip the OAuth authorization, but you can automate a lot of it away. I created a Python script that uses the YamPy library to acquire a token. It even fires up the browser to the correct URL for authorization. You should be able to do something similar with other languages.
Calling the impersonation endpoint is another possibility. This will get you an OAuth token for another user so you'd need to have an app is just for producing OAuth tokens. It's probably a bit trickier to build right and secure than my script. Impersonation was designed for a specific category of app which means I don't recommend it by default. Even when it is a workable option it hides the authorization from end users which can potentially be a security issue, if say you app is compromised and handing out OAuth tokens. At least if the Yammer screen is in the way it's a bit more visible to the user what is happening.