I want to display a user's wall feed and news feed on my site. How can I do this?
Is there any way to pull the feed without having to get an authorization token?
If I need a token, how do I get that?
The proper (I would go so far as to say "required by Facebook's terms and conditions") way to do this would be to get an authorization token, which involves a pop-up div asking the user if they would like to permit your site (application) to access their information.
You can customize the level of access you'd need and they would be prompted only for that. By accepting, you'd be able to access a token within their cookie. Armed with that token and your application ID and your "application secret" you can make requests to the Facebook Graph API for any data you'd like. (You use the application secret to decrypt the user's cookie, from which you obtain the access token to pass to Graph API requests.)
It's not as simple as just scraping their wall and displaying it, you'd be responsible for grabbing the individual pieces of data and organizing the display.
Edit:
In response to your comment, here is a quick tutorial for working with cookies in .NET. A Google search for "ASP .NET cookies" or "VB .NET cookies" will yield much more as well. There is an example (in PHP) here demonstrating how to decrypt the cookie. I haven't found any .NET examples, but the code here is pretty straightforward. The cookie name is "fbs_" + your application ID.
It appears to be a delimited string, so just read in the whole thing in your debugger and see what the value(s) look like. The value you want appears to be called "sig" (but, again, debug to make sure) and it looks like they're using an MD5 hash to obtain it. You can read up on what the md5() function in the PHP code is doing here and it should be easy to find a .NET analogue for that.
Once you have the access token, it's up to you how you want to get the information. I'd recommend doing it all in JavaScript just to offload the whole thing to the client's browser, not to mention that most samples you'll find online (such as in Facebook's API documentation) will be using JavaScript. But if you want to do it all server-side, Facebook's C# SDK will be of some assistance. You basically pass it the token and the Graph API path you want and it returns a JSON object with all the data.
Related
I'm implementing the Socrata API to be able to parse publicly-available data from the City of Chicago open data set. I am really just concerned about the data itself, so I did not initially think that I would need to implement OAuth2 through an app exposed via ngrok to be able to GET the data.
My initial attempt was to take the GET requests mentioned in their documentation and try to get responses through Postman.
Here's an example of such an attempt:
I also added my Socrata App Token as a param in the querystring, but the same message was shown.
So I tell myself, ok, maybe they deprecated GET requests without making the client go through OAuth2. If they didn't deprecate these GET requests, I would prefer not to have to deal with OAuth2, but I began implementing the authentication process and everything went successfully until I got to the following instructions found here:
I have every single value that needs to be included in that POST request except for 'authorization_type'. Where does this come from? I tried leaving 'authorization_type' in as a string, but received a response similar to the 'Invalid username or password' message in the top image in this question.
Are you only accessing public datasets from Chicago's data portal? From your screenshot it looks like you're trying to access the Building Permits dataset, which is public.
Authentication is only required for modifying datasets or accessing private data, so chances are very good you don't even need to authenticate. Just include an application token with your request for throttling purposes.
Glad to help you figure out your OAuth workflow, but it sounds like it might be unnecessary.
I want to integrate the foursquare API in my website but I'm not that familiar with API security so I want to make sure I'm doing it right.
I want to search for venues in an area like the documentation states:
https://api.foursquare.com/v2/venues/search
?client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
&v=20130815
&ll=40.7,-74
&query=sushi
Using javascript however, I don't feel comfortable that the client secret is exposed in my code like this, because if someone looks at my source they have the client_id and client_secret which makes it possible to authenticate themselves with my code:
https://developer.foursquare.com/overview/auth
Isn't that the same as, "hey look at my source code, my username = "someusername" and my password is "somepassword"?
Shouldn't the "client_secret" remain secret like it says? Or am I looking at it the wrong way?
I think the issue is that you're trying to access the Foursquare API using Javascript, which is executed on the client side, so yes, anybody using your website can, with a little bit of investigation, see the secret key that you're using, which is something that you definitely don't want to do.
The way to get around that is not to access the API using code that is executed on the client side. Whatever language you have building the website on the server side should be the code that accesses the API (using the auth credentials that you have set up) and then returns the results of the API call to the rest of the code.
Alternately, you can get users to authenticate with Foursquare and get an access token, which you can then use in user-specific API calls, and it won't matter if those are executed on the client side. I think this is the relevant page in the documentation for using that method: https://developer.foursquare.com/overview/auth#access
I would like to programmatically query the Flickr API using my own credentials only just to grab some data from there on a frequent basis. It appears that the Flickr API is favouring OAuth now.
My question is: how should I authenticate the API without user intervention just for myself? Is it possible any more?
Once you have received an oauth_token (Access Token), you can use it for multiple subsequent API calls. You should be able to persist the token in a data store (I haven't done this myself) and use it even after your application restarts. Of course, you still need to write the code to get the Access Token the first time.
If your application is already coded using the old authentication API, it looks like there is a one-time call that you can make to get a new-style Access Token. See http://www.flickr.com/services/api/auth.oauth.html#transition
Even if you don't have a coded application, you might be able to use the API Explorer for any of the calls that requires authentication (flickr.activity.userComments, for example) to harvest an api_sig and auth_token.
The scenario which you are describing is sometimes referred to as 2-legged OAuth. (https://developers.google.com/identity/protocols/OAuth2ServiceAccount)
Google APIs support this via a 'service account'.
Unfortunately Flickr doesn't seem to support this kind of interaction.
For public data interaction (like downloading your public photos (photostream) from your account), there's no need to authenticate. You can get the data using only the Flickr user-id.
For other interactions (like downloading private photos (camera roll) from your account), you'll need to follow the full OAuth procedure at least once.
I'm trying to get access to the Google's todo feed with this url:
https://www.google.com/calendar/tdl?secid=<SECID>&tdl={%22action_list%22%3A[{%22action_type%22%3A%22get_all%22%2C%22action_id%22%3A%221%22%2C%22list_id%22%3A%2215052708471047222911%3A0%3A0%22%2C%22get_deleted%22%3Afalse}]%2C%22client_version%22%3A-1}
If I open this in my browser with a correct secid, it shows me right what I want.
Now, the question is: how do I get secid programmatically (specifically, in a java program)? I have access to the authToken (from CalendarService), but I have no clue how to use it to authorize my access to the URL above.
I tried to use the url http://google.com/accounts/ServiceLogin, but I didn't find any examples.
Any help, please?
From what I read secid is a session ID obtained from browser's cookies. Whereas your case uses Java which implies a server app. If that is the case, you want to drop the idea of using secid entirely.
Instead, you want to check out Google's OAuth2 documentation. If you are using Java, most likely you would be interested in the web-server OAuth flow. Pay special attention to the sequence diagrams.
The key steps include:
1) Obtain an authorization code from Google OAuth with the user's consent. For that, you redirect the user to Google with the appropriate scope. Check the list of calendar scopes for your case. Once the user consents, Google redirects back to you with an authorization code.
2) Call Google OAuth with the authorization code and your app's credentials to exchange for an access token.
3) Call Google's Calendar API using the access token.
And if you use Google's Java client as suggested by #ChaosPredictor, chances are some of the steps are already wrapped into the Java client (and your code will be much simpler).
I'm trying to search Netflix through their API, but without logging anyone in (because I want to do this on the back-end, not necessarily related to any user action). I'm just starting off with their API so please forgive me if I'm doing something completely stupid. Here's the URL I'm trying to access:
http://api.netflix.com/catalog/titles/?oauth_consumer_key=MY_CONSUMER_KEY&oauth_token_secret=MY_SECRET&term=fight+club
However, that gives me a 400 Bad Request error. Is there no way to browse/search the Netflix catalog without having a user first sign in to my application? Or am I doing something wrong?
Note: I'm accessing said URL through my browser, since I only want to perform a GET request, which is what a browser does by default.
When using OAuth you need to compute a signature for the request, even if you're using 2-legged authentication which just uses your shared-secret and no user token (this means that your application is logged in, but no user is logged in).
If it's an HTTP (as in non-SSL) URL then you need to be using the HMAC-SHA1* signature method rather than PLAINTEXT because you don't want your consumer secret being passed across the wire in plain text.
If they allow an HTTPS URL then you can use the PLAINTEXT method, but you'll still need to calculate it as per https://datatracker.ietf.org/doc/html/draft-hammer-oauth-10#page-27 and pass that as the oauth_signature query string parameter instead of passing oauth_token_secret. Note that you'll also need to pass oauth_signature_method=PLAINTEXT as a parameter too.
Also, it might be worth looking at the response that comes back. If they implement the OAuth Problem Reporting extension then that could give you some help with what's wrong.
*or another method that encryptes your shared secret