I am adding the ability for a user to link their foursquare account with their account on my website. Foursquare's oauth account authorization takes the user to foursquare's website, and after authorizing my website it redirects the user back to a url.
I want to avoid breaking the user's context on my website when they decide to add foursquare functionality to their account, so I'm planning on doing foursquare's account authorization in a new window using
var foursquare_popup = window.open("foursquare_url_to_authenticate_user");
and redirecting the popup to a static success page once the authorization has been completed.
I've seen oauth popups done in a couple places like Wired's tweet button.
Is this a good way to handle oauth with things like twitter/facebook/foursquare?
i would recommend against opening a popup window as part of the oauth signin process, purely because some browsers do not support popup windows - particularly browsers on mobile phones. also, the browser may support popups but the user may have a popup blocker turned on.
a better way would be to redirect the user from your website to the service provider all in the same window.
i am currently working on a way to do this with an invisible iframe on the page of my website. this way, if the user is already logged in to the service provider then they would not need to be directed away from my website. however, i am half way through this functionality so i cannot confirm that it will work yet.
You can specify display=webpopup if you want to use a pop-up window (see https://developer.foursquare.com/overview/auth#display).
Also, you can specify additional parameters in your callback URL, which will be preserved by the oauth flow. So if you passed "&state=settings/accounts" or something as parameter of your redirect_uri, you can parse it out upon success and resume your session with the user appropriately.
Related
I have multiple ember apps, but just one of them has the login page. I want to authenticate all of them with this unique page. How can I redirect other apps to an external login page using ember-simple-auth and redirect to the corresponding app after the authentication?
You need to write custom authenticator. In it's authenticate method I suggest to not redirect, but open a child window with login page. And that login page should be able to communicate with your ember app in some way (window.postMessage for example) in order to give your app auth token. Authenticator must wait until it receive answer (promise and timer will help with waiting). I used such method with google's oauth in node-webkit application (my authenticator opens google's oauth page where user prompted to give my app an access). I don't want to share a code because its too big, complex and have code specific to nw.js but I hope my answer will help. I used code of oauth2 authenticator to develop my own, it helped me a lot.
I have a console application that uses Google's OAuth for devices workflow to authenticate users using their Google accounts (see: https://developers.google.com/identity/protocols/OAuth2ForDevices).
During the authentication process, the user is required to visit https://www.google.com/device and copy-paste a code printed by my app.
Is it possible to include the code as part of the auth url such that the code will already be filled in, and the user only has to click on to authenticate (I'm thinking on opening a browser window programatically)?
Looking for an option like https://www.google.com/device?code=ABCD-EFGH
I implement G+ sign-in function in my site, document here. The problem is google show sign-in dialog by popup. This way make my site break in iOS if I bookmark it home screen. It cannot close the popup. Does it has some options to open sign-in by another way?
There is another way, but it's slightly more complicated.
You can follow the instructions in the Google OpenID Connect documentation. Broadly, it involves directing the user to an authorization endpoint from which you get back a code. You then exchange that code at the token endpoint for access, ID, and refresh tokens.
The best way to learn how this flow works in an interactive way is using the OAuth Playground. Try entering profile email openid in the "input your own scopes" box, then tap Authorize APIs. Here's an example auth URL.
The docs for verifying the ID Token detail how to use the ID Token to authenticate the user, by extracting the sub value.
While implementing the Facebook Connect to a web application , its possible to show Facebook Sign up page in a pop up and once logging in and Granting permissions are complete, its possible to Authenticate Again in PHP and to get the necessary details of the user, - id, email etc.
I believe, thats secure because, the User Insertion is not based on the Ajax Request Parameters.
Is it possible to do the same with Google Plus Login also ?
Means - Logging in to Google - Using Javascript SDK, asking permissions, Authenticating all done in a Pop Up Window. and then, Creating a new user with the Help of google-api-php-client ??
Yes, what you're trying to do is outlined with https://developers.google.com/+/web/signin/server-side-flow which includes some PHP code samples to help you do this. In general, the steps at authentication time are:
User clicks the "Sign in with Google" button which may pop-up a new window at Google prompting them to log in and authorize your webapp.
After they do so, a one-time code is sent to a JavaScript callback you specify.
Your Javascript method sends this code to your PHP server.
Your PHP server uses the client library to contact Google's server and exchange this one-time code for an access token and refresh token, which you keep and use to perform actions on the user's behalf.
We are developing applications for different platforms including ones with no browser interaction support. And we have decided to emulate browser from our application. So is it ok with Facebook's TOS?
This theme have been mentioned already in this topic (the last post):
http://facebook.stackoverflow.com/questions/4000896/logging-into-facebook-without-a-browser#comment4285566_4000963
By emulation of browser I mean following:
We are getting the user login HTML form and fill it with information that user supplied. Then we are sending it.
When we are receiving the authentication page we are asking the user to authorize the Facebook application to post messages.
If user agrees then we are sending authentication form and then get access token.