We have an external website (let's say abc.com) that use Google as only log-in mechanism, and allows to embed the content created in this service on external websites using iframes.
We are embeding content from abc.com on our website xyz.com. Our website is using our own authentication mechanism, and we need our clients to be able to see content embeded in iframes, without having them to create Google accounts and login using Google.
Is it possible to create a single Google account that we could use to authorize to be able to display the content from abc.com in iframes on our website? and to do it programatically, so that a customer who already logged in on our website does not have to take any action to see the iframe contents? Thanks.
We simply cannot the contents from the abc.com website via API which would allow us to use service accounts and different authorization methods. The content is only available via web service after logging in using Google account.
Related
Working on a site.
If I force a site to only allow logged users to access the site how do I parse the pages so google doesn't block the site?
If you want the Google Spider to access your site, you need to have some public pages accessible to it.
You can communicate to Google which page to crawl using a site map and robots.txt files in your site.
Another technique could be to server different content based type of visitor, if the visitor is a search engine bots, the server return your content, if the visitor is a browser/user you can return only the login page. This technique is not bullet proof as content indexed in the Google Serp is cached and a user can see the cache result any time (you can potentially even do not allow caching for your pages in the serp).
I'm building an application in which users can receive a javascript line that they can embed on their own website to load a widget and make certain information available to the website visitors and allow interaction from the end users.
The widget is a javascript that loads in an iframe from a page that is hosted on my server. The page is a react front-end that talks my .NET backend through API. In the url I get the users id to know which widget to load. www.example.com/widget/userid
The widget doesn't require the end users to sign in or get authenticated however, I don't want to make my APIs public and I need authentication at least from my own users before they receive the javascript that they can embed or any other practice someone can suggest.
What would be the best practice for authentications for the APIs that the page can talk to even when its loaded in the iframe on my users websites and doesn't require my users website visitors to sign in?
If I understood your question correctly, you should use postmessage.
In the sender side:
parent.postMessage({ type: 'something',more data...}, '*')
and then on the receiver side you can do:
window.addEventListener('message', function (event) {
switch (event.data.type) {
case 'something':
// Do something
break;
}
}
This way you can make an iFrame communicate with other JS element.
Hope it some how helps.
I have a website in which i have a paypal set up, After getting the amount the i will give an embedding code to other websites to use my iframe.
Is there a way to generate unique code for every website?
also i will have to check that only authorised websites are using my iframe.
I'm implementing a Google+ Sign-In for our web service, and stumbled on "Authorized JavaScript Origins". Our clients have web addresses either as a sub-domain of our main domain, or as a custom domain name. Since the login page is under that sub-domain (or custom domain), and in order to make the Google+ Sing-In button work, that custom domain/sub-domain should be (manually) entered in the "Authorized JavaScript Origins" list (with both http and https).
Does anybody know a way to do that automatically (through some API maybe)?
If not, then how do you do it?
Not sure if there is an API for this. At first glance I don't see one. The alternative (aside from manually adding domains all the time) is to use a hidden iframe on each site - this iframe would come from your domain and would be the only thing that calls google services. The main sites would communicate with the iframe (postMessage) to tell it what to send google. This of course, opens up a security risk (anybody could load your iframe into their page and do bad things on your behalf) so you'll want to make sure that the iframe code refuses to do anything unless it's running within a page on a known-good domain.
You can also have a common URL which all subdomains point to when trying to log in with Google. Then have this URL redirect to your actual Google login path. Beats having to deal with an iframe this way.
Finally I made it to work, however there may be some fixes to apply.
So a server is host for many domain and subdomains (childs) which all of them needs google sign-in and there is a main domain (parent).
I implemented a general login page on parent which childs open this page via window.open() as popup. As client is in a popup, it is very likely that auth2 cannot open another popup, so the parent will do the google auth with {ux_mode: 'redirect'} parameter as gapi.auth2.SignInOptions.
Process will continue to your callback page which you provided as another gapi.auth2.SignInOptions parameter which is redirect_uri and is on parent.
On this page google may have provided you the golden id_token which you must authenticate this token on your server. And this was the main twist which you should use this information to create a token on your server which parent asked server to create, but send it to child on client side (for example via query parameter) to use it for later usage.
I will happily take any advice for security leaks or any comment which may ease the process just a little.
Is it possible to create a custom login page to use with facebook's PHP/JavaScript SDK? I'm developing a web app and it doesn't seem very user-friendly to redirect the user to the facebook page to login. For example, once you hit login it doesn't even let the user know its loading, just sits there until it logs in.
I was wondering if it's possible to use ajax or cURL to log the user into facebook through a form within my app.
No this is not possible, you have to use Facebook's OAuth protocol.
Have you tried their javascript solution? This does not take the user away from the page, but instead opens a popup which is less of an intrusion on the page.
The facebook api is just for you to obtain access credentials from their system. I do not know and until then I never saw no way to get credentials and log into facebook without the facebook api.