Well, since I am facing some issues with OAuth implementation, I decided to go back to normal method where users will input their login id and password and I will use them in my code to validate their google account to fetch calendar information. So when user enters login id and password, the page is getting stuck. When I check the code, setUserCredentials is the method where it is getting stuck. But when I enter my login id and password and debug on development site, it works fine. There is no problem when I debug. And importantly , the problem appears for first time only, once I debug the code and next time I try it without breakpoint, it works fine.
Does anyone know why setUserCredentials takes time or any way I can track why it is taking so time?
I have asked the same question on Google data api forum, but nobody answered it.
I reverted back to old Google Data API version from 1.41 to 1.40 and it worked.
What issues are you facing with the OAuth implementation? Using client login can potentially cause accounts to be flagged as hijacked.
Related
We keep playing this cat and mouse game with Robinhood.com. I have a trading app which used to trade stocks with Robinhood, but they keep changing the unsupported unofficial API to make it difficult for traders to use. I know that many people are doing the same thing and I want to reach out to them to see if there is a new answer. The latest problem is when I try to get a Bearer token using the URL https://api.robinhood.com/oauth2/token/ the API returns the following JSON: {"detail":"This version of Robinhood is no longer supported. Please update your app or use Robinhood for Web to log in to your account."}. This started happening on 4/26/2019.
Has anyone found a work around for this, yet, or have they finally beaten us into submission?
A more complete solution (not need browser):
Use requests.session.
Obtain the login page by making a GET request to "https://robinhood.com/login".
At this point the session's cookies will contain 'device_id'.
Obtain this device_id and use it in making the oauth2 token request to "https://api.robinhood.com/oauth2/token/" also add in the data request "challenge_type" (either "sms" or "email").
This request will fail with a 400 error code. Robinhood will send an SMS message or Email with a temporary (5 minute) code.
Also at this point use the 400 response's body to get "id" from "challenge" inside of the JSON object.
Confirm the challenge by making a POST request to "https://api.robinhood.com/challenge/CHALLENGEID/respond/" where CHALLENGEID is the same id mentioned in the first failed /oauth2/token/ POST request.
Make the same POST request to "https://api.robinhood.com/oauth2/token/" and include in the header "X-ROBINHOOD-CHALLENGE-RESPONSE-ID" with the value CHALLENGEID.
You can reuse a device_id with user/pass after this even after logging out.
Be cautious with storing device_id as it is the result of user/pass login and successful SMS/email 2FA.
Just got it working. At the risk of them seeing this post and changing it more, here we go:
First, you're going to want to log into your RH account in a web browser
View Source on the page, and look for clientId - it should be a big hex number separated by dashes
Add that number to your POST requests to /oauth2/token under the field device_token
There's probably another way to retrieve the device token, and I'm not even sure it's unique, but that way should work.
Good to be back here after a very long time.
Not sure if anyone is still looking for answers to this, but I have a very simple solution.
At Robinhood's login screen, enter your username/email and your password, press F12 on your keyboard to bring up the console panel and switch to the "Network" tab then wait for the page to load completely. (During this time you will see a list of items being loaded rapidly depending on the connection speed.)
At this time you can keep clearing the list by clicking on the button highlighted in the below image.
Click on button highlighted repeatedly until the list is empty
Now, log into your Robinhood account. At this point your console should display a list similar to the one shown below.
Look for the name "token/", most likely it will be the second one you get all the information you need. And this information will be under the Headers then Request Payload
I was able to find this with past knowledge and experience of web scraping for fun. And also, I needed to know this as well, since I recently started doing trades via Robinhood.
Hope this help you curious ones out there.
For my Robinhood account I am using Google Authenticator for my 2FA. What I have so far is that I send the original call that I was sending before to https://api.robinhood.com/oauth2/token/. This is giving me a response of:
{"mfa_required":true,"mfa_type":"app"}
I then repeat my oauth token request, but this time providing the value from Google Authenticator (so my GUI has to prompt me to fill it in) with this payload in the request to https://api.robinhood.com/oauth2/token/:
{"grant_type":"password","scope":"internal","client_id":"c82SH0WZOsabOXGP2sxqcj34FxkvfnWRZBKlBjFS","expires_in":86400,"device_token":"***","username":"***","password":"****","mfa_code":"***"}
and then I am getting an access token in reply
Successfully implemented OAuth flow within Google Actions context via account linking. However, after token expiration, it asks for user to link the account. Is there a configuration in Google Actions for token auto-refresh in this context so that the user is not re-prompted to link account after doing so already?
There are multiple problems with the app, to the point I'm a little surprised it got approved.
The first is that if you're using https://stackoverflow.com/a/44296039/1204142, then you should look at the update which indicates that Google is no longer allowing their endpoints to be used for account linking. This may explain why the card doesn't go away. Since it didn't prompt me for scopes after I authenticated myself... I'm not actually sure what it thinks it's doing.
But some code must have been sent, since the Assistant thinks we're linked. Even if the card doesn't go away.
However, when I connect, it prompts me with
OK, would you like anything else?
for the initial prompt. Which doesn't make sense in this context. But if I say "yes" it says
Sorry, I don't understand what you're asking. Say "help" to know how I can assist you.
If I ask for help, it says
Here's how piggy piggy can help.
and then leaves the mic open without saying anything further.
Your server can send an error code that will tell Google's OAuth server to send a request for a new access token using their refresh token.
So I am updating an older desktop app (written in VB, .net 4.0) with facebook integration and followed the guide found here, and have been able to successfully get a token (by parsing the uri of the embedded webview if it contains "token="). Now my problem is if I try to login with a facebook account that has already approved the app in a prior session, the webview just gets redirected to https://www.facebook.com/connect/login_success.html without any token information.
Do I HAVE to log all of the tokens I generate manually (ie on successful token generation, I can call their profile info, use their FB ID as key and save the token)? Even if I do, since the email and password is input directly into the facebook login window, how do I check if the user already has a token?
Thanks in advance
The access token can change any time, you need to get it everytime. After getting the token, I immediately get the user information https://graph.facebook.com/me?access_token=??? and use that ID to find their database information.
I couldn't quickly find facebook information but on google's oauth information it says "The access token is also associated with a limited scope that define the kind of data the your client application has access to (for example "Manage your tasks"). An important goal for OAuth 2.0 is to provide secure and convenient access to the protected data, while minimizing the potential impact if an access token is stolen."
https://code.google.com/p/google-api-php-client/wiki/OAuth2
Ok so I finally figured it out myself. My mistake was apparently requesting the access_token directly (ie https://www.facebook.com/dialog/oauth?response_type=token...) to try and save time.
I fixed it by making a request for a 'code' instead (ie https://www.facebook.com/dialog/oauth?response_type=code), which I then use to make a second request to retrieve an access token as documented here: https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/, "Exchanging code for an access token" section a bit lower on the page.
Hope this helps someone in the future, this was very frustrating on my part.
Regards,
Prince
I'm using the out-of-the-box OAuthWebSecurity.RegisterTwitterClient function in ASP.NET MVC 4. I have set up a Twitter app, and I have enabled "sign in with twitter". The problem is that when I click the button, it makes me log into Twitter EVERY TIME, even if I'm already logged in in a different tab. Note that I have read the following question/answers:
Twitter Sign in page always showing
Simple Twitter Oauth authorization asking for credentials every time
which detail that it needs to go to the /authenticate/ endpoint instead of /authorize/. I have already done this, the URL that it redirects to is:
https://api.twitter.com/oauth/authenticate?oauth_token=token_here&force_login=false
I have also tried it with the /authorize/ endpoint, but that doesn't work either. Can anyone shed some light on this?
It turns out that the 'force_login' parameter doesn't work how you'd think it would work. If the 'force_login' parameter is present then it will always force a login, regardless if it is true or false. If you remove it, it will work as expected.
Change:
https://api.twitter.com/oauth/authenticate?oauth_token=token_here&force_login=false
To:
https://api.twitter.com/oauth/authenticate?oauth_token=token_here
Unfortunately, there is no easy way to take this param out.
Sooo, to fix this you could implement the Twitter SDK. Or leave it and wait for Microsoft to fix it; but I wouldn't hold my breath.
EDIT:
This answer works. I've tried it myself.
MVC4's DotNetOpenAuth TwitterClient sample does not respect prior login
This question was previously asked here but the OP never responded to the comment left and therefore it is left unanswered. I'm looking to sign into a specific Box account via API and am hoping there's a way to automatically set the login and password instead of asking users for theirs. I'm coding my app in PHP and so far I'm using the basic OAuth2 process that asks the user to login (/auth/ticket&api_key). So far the only suggestions I've found requires saving files to local storage but that's not an option as I need my app users to do as little work as possible to get in. I just need to tweak this authentication process. Any suggestions??
Thanks!
this is the answer i got from Box API technical support:
Unfortunately, there's no way to do this at this point. You do have to go through the web based login to authenticate, however once you authenticate the first time, you can automate the refresh token so you won't have to do it again. I apologize for that and just let me know if you have anymore questions about this.