Facebook client-side OAuth 2.0 questions - authentication

The context is a desktop app using the client-side OAuth flow for authentication.
When I first built this app nearly a year ago, Facebook's documentation said to use the following URL to generate the login/authorization dialog:
https://graph.facebook.com/oauth/authorize?client_id=XXXXXXXX&redirect_uri=YYYYYYY
This is working right now. However, I've reviewed the newly updated Authentication Guide and now see that Facebook is saying to use:
https://www.facebook.com/dialog/oauth?client_id=XXXXXXXX&redirect_uri=YYYYYYY
Does anyone know what the difference is between them, and more importantly do I need to change it? Like I said, it is working now, but I'm a little concerned about something changing when the 10/01/2011 deadline comes around.
My second question is: Does anyone know what enabling the "OAuth Migration" setting in the Apps -> AppName -> Advanced page does?

The URLs redirect to each other. But still, please make the change to the new URL. Whenever the docs change URLs and the semantics are the same, you should update so as to avoid unnecessary breaking changes. Even more so with desktop apps.
Second answer: That will issue you different access tokens for now.

Related

How to find the **always** up to date Facebook Login API Workflow URLs

This is an additional question regarding another relevant question:
Facebook Authorization url, scoped authorization url and token url
I am new to OAuth2.0, so assume I didn't learn literature well back in high school!! (I have seen some people with a very short learning curve recommended to read the Facebook login API documentation.)
I have looked at it, but didn't find the Authorization URL and Access Token URL.
While I was searching for some demos, in one video it used
https://www.facebook.com/v6.0/dialog/oauth?
key being: v6.0
in another it used:
https://www.facebook.com/v15.0/dialog/oauth?
key being: v15.0
and in the original post, the kind person who answered seemed to suggest to use:
https://www.facebook.com/dialog/oauth
(which didn't mention the version ID at all; that worked for me, and I like it; easier to remember and use). HOWEVER, the previous two also kinda make sense; I don't think Facebook is gonna stop enhancing and upgrading its OAuth2 APIs.
And if I go back to the original question, how can I find the latest URL info for the above-mentioned endpoints?
Thank you a million in advance!!
if this question was too basic, please be tolerant, I am new to OAuth2.0!
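
As an added example (not from any of the posts above, and not Facebook's own code): the dialog URLs quoted in both questions differ only in the optional version path segment, so a client can keep that segment in one configuration value. The sketch below builds the URL for the client-side flow and validates the redirect that comes back. The `response_type=token` and `state` parameters, the redirect URI, and the function names are assumptions that do not appear in the posts.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

DIALOG_HOST = "https://www.facebook.com"  # host of the dialog URLs quoted above


def build_dialog_url(client_id, redirect_uri, state, version=None):
    """Build the login dialog URL; version=None gives the unversioned path."""
    path = f"/{version}/dialog/oauth" if version else "/dialog/oauth"
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "token",  # client-side flow: token comes back in the fragment
        "state": state,            # random per-login value, checked on return
    })
    return f"{DIALOG_HOST}{path}?{query}"


def parse_redirect(redirect_url, registered_redirect_uri, expected_state):
    """Return the access token from the redirect, or raise ValueError."""
    got, want = urlsplit(redirect_url), urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect is not on the registered redirect_uri")
    # Values can arrive in the query string or in the fragment; read both.
    params = {k: v[0] for part in (got.query, got.fragment)
              for k, v in parse_qs(part).items()}
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    returned_state = params.get("state", "").encode()
    if not hmac.compare_digest(returned_state, expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    if "access_token" not in params:
        raise ValueError("no access_token in redirect")
    return params["access_token"]


if __name__ == "__main__":
    redirect_uri = "https://app.example.invalid/callback"  # placeholder, assumption
    state = secrets.token_urlsafe(16)
    print(build_dialog_url("XXXXXXXX", redirect_uri, state))
    print(build_dialog_url("XXXXXXXX", redirect_uri, state, version="v15.0"))
    # Constructed redirect, as an embedded browser would report it:
    sample = f"{redirect_uri}#access_token=CONSTRUCTED_TOKEN&expires_in=3600&state={state}"
    print(parse_redirect(sample, redirect_uri, state))
```
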

Verification Google OAuth2 consent screen with the apps for personal use only

I recently asked this question and users #DalmTo and #Sergio NH gave me an exhaustive answer for which I thank them very much.
Moving forward to the question, we started publishing the application, and its verification was not required, since no scope was added (here it is a little unclear why the requests worked in an application with a test mode in which these scopes were not added (google drive, google sheet and google ads)).
However, this time the application in the "In Production" mode began to give us an "Unverified app screen" (see Unverified app screen). We decided that we still need to add scope to the list, and, of course, that the scope list (their list is described above) requires verification by Google.
We started filling in the necessary fields, while studying the Google documentation at the same time, and came across the following information (see block Verification process -> What are the requirements for verification?):
Apps not applicable for verification
Apps for internal use only (single domain use)
Apps for personal use only
Apps that are Gmail SMTP plugins for WordPress
Apps that are in development or staging/testing
Apps for personal use only
And this is just our case: we have already received permission from Google Ads and are just generating simple reports that we want to integrate with Google Sheet. I.e., this is an elementary script that works within this account (however, we still need to request the first consent screen, even for this developer account) and cannot be distributed to any other accounts.
But when adding our scope, Google requires us to pass verification, forcing us to fill in the required fields, in the form of domains and their verification via the Search Console (we have already done this and this stage does not cause difficulties) and links to Youtube videos - where we must show how scope is used.
And just this stage is not clear. We do not allow other people's accounts to connect to this application, and the software does not have any interface, it is just a script that receives data from Google Ads and saves it to Google Sheet (creating a file via Google Drive). We have described all this in the scope usage description field. But the link to the YouTube video is a required field, and we sincerely do not understand why (considering our case) we should record something, and most importantly, what exactly we should record in this case, if the documentation itself says that in our case we do not even need a verification.
Maybe we did not understand something and now we are doing it wrong? We will be glad to receive any tips from experts working with Google Cloud Console and apologize in advance for broken English.
We also apologize in advance to the StackOverflow community that we have to publish such elementary (which we are absolutely sure of from our side) questions here. We come here from Google Cloud Console -> Support -> Community support, and we must first try to publish posts in the Google Groups specified there, but they simply do not answer us, apparently considering our questions too elementary and not worthy of attention (however, these same questions in Google Groups are moderated) (for example, the previous question). And we are no longer able to contact any other support. Once again, we apologize for having to ask about this here.
It is true that if your app is a single use app then you do not need to be verified.
However if you don't get your app verified then there will be some restrictions.
you will see the unverified app screen
your refresh tokens will probably only be good for two weeks.
In the case of the YouTube API, uploaded videos will be stuck private.
If you can live with those points then you don't need to verify your app and you can continue as is.
If on the other hand you don't want to see the unverified app screen and you want a refresh token that will last longer than two weeks, you will need to verify your app. Yes, even if your app is a console application running as a job somewhere you still show the consent screen. This is the YouTube video you will need to show Google. Show the consent screen popping up, show the URL bar and then show your script running. You also need to set up the homepage and privacy policy screens. Yes, I 100% agree with you that this is silly.
When you go through the process, explain to Google that this is a single use script running as a job somewhere.
Unfortunately when Google changed it so that Refresh tokens expire for unverified apps they pretty much tied the hands of all developers who are running such single user scripts. We now have to get our apps verified if we don't want to have to request a new refresh token every two weeks.
If your program needs to access the requested scopes of the Google account privacy, even though the user is yourself, you also need to provide a YouTube video to demonstrate how you use this program. The auditor cannot guarantee whether you will make this program public.

How to authenticate multiple api using Nuxt and nuxt-auth module

I have an application with (nuxt js using nuxt-auth) with local authentication so far (later I want to add git and google auth).
Now I need to add authentication to invoke other services / API (like google cloud rest API, payment system, youtube API, etc...)
The question is: the user is authenticated only once (during login to the application.) but each of these 3rd party APIs has its own authentication.
How to implement multiple authentications. (I read the documentation and google for the entire day but there is no clear answer).
As of today, it looks like it is not doable (people are needed on this module): https://github.com/nuxt-community/auth-module/issues/889
So, you would need to make it manually by plugging the APIs yourself.
Answer to your latest question~comment
Nuxt is indeed nice with some of its modules (but you can totally dislike it, no problem :D).
First thing that you need to know, is that this project (nuxt-auth) is not the biggest one, #pooya is doing his best but he is on a lot of projects, so he cannot give all of his love to it. Then, you also need to understand that it's working great but it's still in a decent beta state with a lot of missing features, needed documentation and a lot of small things to make it an all rounded solid top notch solution.
That does not mean that you should not use it, I'm just saying that this module does have some limitations. Hence, the fact that it is not supporting a whole lot of OAuth solutions in a clear + simple + flexible way. And some breaking changes may be introduced in future updates.
The module is aimed towards having an OAuth solution to block the content of your website behind it (in my opinion). It means that you will usually use a single login solution and then, being able to have access to your app. I don't think that it's a viable multi-OAuth solution (yet).
Some services don't even need to use a solution like this. Stripe for example, should not be handled on the frontend but communicate with a backend for sensitive variables and just send minimal info thanks to Stripe Elements.
That said, the most common solution is JWT or OAuth2, and you could totally have a backend service or service like Okta, Auth0 or alike, do the heavy lifting by allowing simple logins to providers (Github, Google etc...).
To sum up, you do connect to this backend/service thanks to nuxt-auth, the service itself does the provider connection and you get the best of both worlds while still connected in a secure way through your initial nuxt-auth entry point login.
Or you could try to reach the community on Discord, see if somebody knows how to do it. Or even try to read the source code to see if it is currently feasible.
And that's my 2cts.

iPhone up to date Twitter oAuth tutorial

Could someone please give me a single up to date tutorial for implementing OAuth with Twitter. I have gone through so many tutorials I have lost count, and not a single one of them is up to date with the new Xcode. I tried the MGTTwitter, but there is no tutorial for it. On his own website, where it gives a link to a tutorial, it just links you to this
http://ww35.2bros1blog.com/2010/07/switching-from-basic-to-xauth-with-mgtwitterengine-on-iphone/
So no idea what that is about
I tried
http://www.icodeblog.com/2010/09/16/dealing-with-the-twitter-oauth-apocalypse/
But I don't know how to add the static folders to Xcode. I tried adding the targets, but nothing to add.
Tried following
http://mobile.tutsplus.com/tutorials/iphone/twitter-api-iphone/
However, it is out of date. When I run the app, using my consumer key and secret, when I click authorise, it just closes window, then brings up authorisation window again. I enter user and pass again, does the same thing over and over again.
I downloaded the latest version of sharekit, didn't really want to go down this route as all I want is the Twitter authorisation and I think adding over 50 files or so is a bit much for one feature, but thought I would give it a shot. But when I open it up, it comes up with an error around Facebook
(null): error: /Users/adam/Downloads/ShareKit-ShareKit-7a05403/Classes/ShareKit/Sharers/Services/Facebook/../../../../../Submodules/facebook-ios-sdk/src/FBDialog.bundle: No such file or directory
All I want is a simple authentication so users can accept and then send tweets from the app. I don't want to use the Twitter framework as then users have to click send twice, i.e. type a message into the textview, then the Twitter viewcontroller appears, then they click send again. I want them to be able to tweet from within the app. Yet I just cannot seem to find any tutorial that explains how to do this in detail.
Could someone please point me in the direction of a tutorial that does this, I didn't think it would be this much hassle to implement a simple authorisation into iPhone, but this is driving me insane!!!
Edit:
I got
http://www.icodeblog.com/2010/09/16/dealing-with-the-twitter-oauth-apocalypse/
This one working, however when I sign in, app crashes and the log says
Authenticated with user (null)
Anyone have any idea about that one?
Found out why I was having a problem with these Twitter tools. They were using http rather than https to authenticate with Twitter, which is no longer allowed. Just changed it to https and it works fine.

Objective-c web form based authentication

So I am working on an iPad app that needs to talk to our company server to pull in some XML. In a browser, when the user tries to first navigate to the site, they are redirected to an SSO form that generates a cookie that is saved.
Now my application may need to replicate this behavior and generate the cookie so we can pull xml data off various parts of the site. I have never done anything like this before and there is very little documentation on the web so I am really looking for some general guidance. So far I have tried doing something like this, here.
That works to return the web form, but where to go from there eludes me. Does anyone have any ideas they would like to throw out? Essentially all that I need to do right now is authenticate the user's credentials, and save that verification. If there is an easier way to do that based on this template, I would definitely be open to suggestions. Any help at all would be greatly appreciated.
What I use for a lot of my networking is ASIHTTPRequest. It is an API that is available, instead of trying to use low level sockets or the Apple APIs, with a decent guide and an active Google Group for questions. It can certainly handle XML requests as well as authentication. Here is a link to the site, ASIHTTPRequest