Authenticate sites with different domain names using the Facebook API - api

We have a CMS that supports multiple sites, one of our features allows our users (The site admin) to connect to the site facebook account to allow status updates, create events and upload pictures to FB from with in the CMS.
The authentication needs to occur once since each site may have multiple site admins that do not have access to the site FB user name and password. We use iframe and authenticate using $facebook->require_login() which redirects the user to the FB login and authentication pages.
All this works just fine but when the user hits "Allow" the authentication will break as it will only redirect to whatever is in the "Post-Authorize Redirect URL" field making the app obsolete for any other domain except the one in the "Post-Authorize Redirect URL"
I know other API's authentication methods like in Vimeo and YouTube will allow you to specify a NEXT parameter which is the equivalent of the "Post-Authorize Redirect URL" and it can be set at run time.
How can I make this work for multiple domain names?
Any hints on this issue will be of great help

If the call back page is in your domain, that page could acts as a proxy, all you have to do is pass the parameters needed by the proxy page to redirect the user to the proper location. For example I used the URL of the domain I want to redirect and an ID needed for me to know which user I am dealing with.
My code end up looking something like this:
Authorize link:
$authorizeURL = "http://www.facebook.com/authorize.php?api_key=" . $facebookApiKey . "&v=1.0&ext_perm=status_update&domainName=$domainName&path=/path/to/my/next/page.php";
and the "proxy" code would like something like this:
$path = $_GET['path'];
$query = $_GET['query'];
$domainName = $_GET['domainName'];
//if you happen to have a query, get the values like this:
parse_str($query, $queryValues);
$id = $queryValues['id'];
// construct the url where your user came from or where you want them to be redirected.
$url = "http://$domainName/$path?$query";
header("Location: " . $url);
exit;
This is not the whole code, but it will give you an idea on how to do it.

make a separated domain used only for FB authentication.

Related

Is it possible to use a subdomain login page to authenticate apps on multiple subdomains?

I'm looking to setup a login page on a subdomain for use with Auth0. Is it possible to have that login page serve auth for multiple other subdomains?
For example:
I want login.xyz.com to be the auth page for:
dev.xyz.com
staging.xyz.com
production.xyz.com
It is possible to set up your login page to provide authentication for different subdomains (you could even set it up for different domains). One thing you have to remember is that a user will only have to log in once, and then will use their session among the different subdomains. This is because the user will actually log in to login.xyz.com and the other subdomains will only get a confirmation from your authorization server that the user is authenticated (most probably in the form of an ID token, if you're using OpenID Connect).

Vue + Flask Gmail API

I am attempting to build a webapp using Vue for the frontend and Flask for the backend that reads in the users Gmail emails.
Desired functionality:
User clicks a button to "Link Gmail Account" on the frontend
User is authenticated with gmail Oauth2 and confirms. Once confirmed, they redirect back to the page they were on
Once the user confirms, the backend queries gmail to get all of the users emails and returns the data to the frontend
I have been trying to use https://developers.google.com/gmail/api/quickstart/python as a starting point, but I cannot authenticate the user -- I keep getting a redirect uri mistmatch error with a random port (I am doing this locally so have set the redirect uri to be the localhost port where I access my project).
I think I am doing something fundamentally wrong or not using the Gmail API in the correct way, but have searched all over google and youtube to no avail.
Specific things that I think could be causing an issue:
What is the best overall strategy to implement this? Should I use the Gmail API in Python or Javascript? Right now, the use clicks the "Link Account" button which calls an API in my backend which then runs the code in the Python Quickstart guide.
What kind of google project should I set up? I currently have my credentials configured for a "web application"
What should I put as the redirect uri? I am using localhost but am unsure exactly what to put here (I have tried http://localhost, http://localhost:5000, http://localhost:5000/, http://localhost:5000/emails [this is the url I want them to return to]). No matter what I put, I keep getting a redirect uri mismatch and it says the uri it is looking for is http://localhost:[random port]/
I would appreciate any help on how to approach achieving this. Thank you!
Depending on what you are going to use Gmail API for, you must select the device or category. In your case, as it is a website it should be set to "Web Application".
Also, you should be using the following redirect URI: http://localhost/emails/. You should not include the port number and you should be using trailing slashes (adding the last / at the end). Note that the redirect URI you set up in your backend must be an exact match of the one you have set up in your Credentials Page. Also please note that it might take some minutes to update this URI.
Moreover, this is a guide on how to create a Sign In button that will authorise your users that I believe will be useful for you.

How to understand the Google Redirect URI correctly?

From Google Developer Console page, it explains the meaning of "Google Redirect URI" is :
Determines where the response is sent. The value of this parameter
must exactly match one of the values registered in the APIs Console
(including the http or https schemes, case, and trailing '/').
Not sure, whether this explanation is same as my think or not:
On my app (web application), it allow user to sign-in via Google (Assume, I registered a Google project with ClientID/secrete configured on my web-app, and on Google COnsole page the redirectURI is "http://bbc.co.uk" ).
After I login to Google successfully by my Google account, my Web-app login page will be redirected to "http://bbc.co.uk" as on Google RedirectURI ?
That last sentence is a bit ambiguous. A better description is:
After I login to my Google Account successfully with my Google
credentials, Google will redirect my browser back to
Redirect URI http://bbc.co.uk that is registered for the web app in the Google > API Console.
Just to be sure: this means that the Redirect URI should be part of your web app. It is not actually Google's Redirect URI but it is the Redirect URI that you've configured in the Google API Console for your web app.
Let me see if i cant explain this in a different way.
What would happen if you didn't have a redirect URI?
If you go to the Developer console and create a Client ID for native application by default the redirect URI
This will redirect the Authentication back to where ever it was request from. In the case of native installed applications this is needed because there is no way to know where the user is that has installed the application.
Lets look at this in action
Request authentication:
https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code
If you place the above line in a web browser the user will see something like this
Assuming they select ok then they get this displayed back at them.
That is the Authentication code, not to be confused with the access token. This is just the first step. Once your application has the Authentication code it can then exchanged that for a refresh token and a access token. Most client library handle this step internally. You and your users never see this Authentication code.
Back Redirect URI:
In the case if a web application your web application needs to be able to get a hold of that authentication code. Now I probably shouldn't be telling you this but you could just use a native application client in your web application and it will work. Why because the authentication server will just return the Authentication code back to where ever it was that requested it. For security reasons this is probably a bad practice.
So what do you need to place in the redirect uri. It is the file that you have ready to handle this authentication code. Normally its just the same as the login page, but you can have several. Just put each of them on separate lines.
http://localhost/login.php
http://www.daimto.com/login.php
I like to do this because then it works when i am testing locally vs when its up on the server.
I think the wording "Determines where the response is sent" confuses a lot of beginners as it implies that Google will somehow call that URL directly. Then the word "redirect" leads people to confuse the URL with the page of the app that the user will get to once he's authenticated.
http://bbc.co.uk is definitely NOT the redirect URL. A redirect URL would normally look like https://myapp.com/servlet_or_php_that_i_wrote_to_process_tokens.php
Google will "call" servlet_or_php_that_i_wrote_to_process_tokens.php by redirecting the browser to it. Once servlet_or_php_that_i_wrote_to_process_tokens.php as done whatever is needed with the token, it will then issue its own redirect to (say) bbc.co.uk

one drive Redirect url not allowing query string parameters

Currently, I'm trying to integrate the OneDrive SDK onto a website. However, I'm having issue with redirecting with authentication.
Normal route:
User goes to the website. It clicks on a button to single sign onto there OneDrive
User gets redirected to OneDrive Authorization page.
Once authentication, user gets redirected to where they left off. This redirect is specified in the OneDrive's SDK account. However, it seems that they don't allow query params in the redirect URL.
Is there a way around this?
The only thing I could figure out is using a URL that is an alias for the URL with the query params, but that just seems like a hack solution. It's hard to believe that there isn't a way for a user to redirect with query params to indicate at what stage they left off on the site.
Example of invalid redirect url as http://skydpk.com/index.php?a=ap&addon=file_sharing&page=skydrive
Any advice appreciated, Thanks, D
You can pass extra parameters through the state parameter of the /authorize request. Onedrive/Skydrive will pass back the state parameter in the last redirect to you.
So if the redirect url is
http: //skydpk.com/index.php
then your first OAuth leg looks like this:
https://login.live.com/oauth20_authorize.srf?client_id=CLIENT_ID&scope=SCOPES&response_type=code&redirect_uri=http%3A%2F%2Fskydpk.com%2Findex.php&state=state=a%3Dap%26addon%3Dfile_sharing%26page%3Dskydrive
The last OAuth leg then looks like this:
http://skydpk.com/index.php?code=AUTH_CODE&state=a%3Dap%26addon%3Dfile_sharing%26page%3Dskydrive

Onedrive SDK Authentication Redirect Issue with Query Param

Currently, I'm trying to integrate the OneDrive SDK onto a website. However, I'm having issue with redirecting with authentication.
Normal route:
User goes to the website. It clicks on a button to single sign onto there OneDrive
User gets redirected to OneDrive Authorization page.
Once authentication, user gets redirected to where they left off. This redirect is specified in the OneDrive's SDK account. However, it seems that they don't allow query params in the redirect URL.
Is there a way around this?
The only thing I could figure out is using a URL that is an alias for the URL with the query params, but that just seems like a hack solution. It's hard to believe that there isn't a way for a user to redirect with query params to indicate at what stage they left off on the site.
Example of invalid redirect url as http://skydpk.com/index.php?a=ap&addon=file_sharing&page=skydrive
Any advice appreciated,
Thanks,
D
You can try registering your base URL as the redirect URL and just before initiating authorization action append the parameters to the redirect URL.
Redirect URL at one drive app dashboard : http://skydpk.com/index.php
Authorization URL
https://login.live.com/oauth20_authorize.srf?client_id=<your client id>&scope=<scope>&response_type=code&redirect_uri=http://skydpk.com/index.php?a=ap&addon=file_sharing&page=skydrive