I'm having trouble finding out how to do something RELATIVELY simple..
I'm writing a node.js application which I would like to utilize the Google Tracks API https://developers.google.com/maps/documentation/tracks/
The tracks API uses OAuth2 to authenticate the server against the API account - https://developers.google.com/maps/documentation/tracks/auth
What I am trying to do is simply to authenticate my application with Google using node.js
The problem I'm having is that every module or framework I can find relating to this topic is all about redirecting a user to google and returning them to the application, this isn't what I want to achieve... Instead I want to simply hard-code my API credentials into the server and authenticate it directly so it can use the API, I also need some way to keep the session alive when the token expires.
Any help would be much appreciated
Found the answer myself! :-)
https://github.com/extrabacon/google-oauth-jwt
Related
I'm trying to create an integration to OneDrive using the Microsoft Graph API. Our app is fully client-side, there's no moving parts on a server, so authentication has to be directly browser to Microsoft.
We have an existing integration with OneDrive that uses the older OneDrive API. That does permit client-flow authentication.
There is an example for AngularJS, but that turns out to require a NodeJS server and have a server-flow authentication, again. NodeJS authentication requires a secret to be passed over, which I obviously can't put in public JS.
I cannot find any examples of authenticating to the graph API without a secret, am I right in saying that client-flow authentication is not supported?
p.s. I have looked at Writing a simple microsoft graph client without using a web server, but this question seems to be asking whether it's possible to make API calls without user interaction, rather than what I'm asking.
If I understand your scenario correctly, you're looking for the implicit grant. I wrote a blog post on using this a while back that might also be helpful.
I am trying to build a REST API with NodeJS and Passport, for a Single page javascript application, and i cannot figure out how to secure my REST API with Google OAuth, but i cannot figure out how to do it.
How would i do that?
At first You can use scopes to determine which client or user has which roles and grant accesses. Secondly you should communicate with your api on ssl protocol.
I'm trying to build my first API to be consumed by a mobile application built with Ionic.
Before starting I'm looking into the architecture and I can not understand exactly how to make secure my API routes.
Let's say I have an endpoint like http://myapi/v1/get-items and my application doesn't need an user to be authenticated to view those items in the mobile app.
How should I protect that route from external queries, using Postman for example?
I wish that route to be not accessible unless is not requested by the application.
Looking on Google I can find many solution using basic authentication but all of those require an user to log in... What if my app doesn't have users to log in?
I'm a bit confused but I think there is a solution and I don't know it yet...
I hope you can help me to understand it.
EDIT:
My Question is totally different from the following: How to implement a secure REST API with node.js
I'm looking for solution that DO NOT require a User Authentication.
If you don't want to use User Auth through something like Passport then you can institute a whitelist in your Node API instead. express-ipfilter is an express middleware module that allows you to filter requests based on the request IP.
Requiring a login would be the cleanest and safest way to make sure your api remains private. However, if you want to keep external users out of your services without requiring a login, you will need to "sign" your requests. By that I mean doing something like encrypting a current timestamp on the client using a key known to both the server and the client app, adding that encrypted string as a header, receiving that header in your server, decrypting it and checking that it's not too old of a timestamp before you return a response.
It's not really safe (if someone can see the code they can see the encryption key) but it's an obstacle and it down't require logging in. See this for an example on encryption/decryption
Im looking for the safe way to authenticate with Oauth2 and send the credentials(email and token) to my server. I want to achieve this by using a Google Chrome extension, and must be in Javascript language. I need to synchronize a Google Chrome extension login with my server database and then with an android app.
I've found this tutorial provided by Google:
developer.chrome.com/extensions/tut_oauth
The tutorial shows how to implement an authentication but I'm not sure if this is safe for what i want to achieve.
The image below shows an schema of what I think Google proposes:
Google Oauth Schema
If someone send to my server a custom token I have no way to validate if the token belongs to a Google session. What i want to:Custom authentication
My questions: Is there any safe way to send credentials(email and token) to my server database? What is the best practice to do this?
As long as you use SSL it should be safe enough. The credentials are already accessible client side so at this point you just have to worry about protecting the credentials in transit and on your server.
Think this solves what I was asking:
Google+ Sign-In for server-side apps
As its explained I can send the one-time authorization code to my server and validate the session there. I can get the token on my own server and return it to the Javascript client.
Hope this help to someone! :D
I am attempting to write a plugin for a webapp that integrates it with facebook using the Javascript API. The application is installed by our customers on their own servers each with their own site names. This poses a problem to me as Facebook wants me to specify a site url for the application. This url is going to be different for every customer. Creating a new application for each customer is not an option.
In my research of this problem it seems that I have to pretend to be a desktop app and follow that authentication path. I cannot figure out how to do this.
Anyone have any idea how this can be done?
Are you going to host the app as a canvas app or outside facebook?
Is the url important to you? There is a strict one-to-one relation between base-url and application.
What many apps do is host the apps as directories in their domain. For example http://crazy-fb-app.com/customername
That's your options basically if you want to use Javascript SDK.
If you're going to be using server side technology you could have the user authorize the application while requesting permission to access user's data while he's offline. in that case you will receive a non-expiring (or long-expiring) authentication token which you can use from the server to make Graph API calls on behalf of the user. For some stuff you can obtain an Application Auth token (which is shorter and non-user-specific) to make calls to the graph.
Rotem