About to open up a public api with OAuth access, no problem with that. Main site uses the api but with basic authentication instead (restricted for our internal ip range)
Next step is to plan a mobile application but how should one handle authentication there?
First thought was to create a special log-in screen just for our appid to make it look like authentication (instead of authorization), but it would not be very hard to reverse engineer our appid.
How does (for example) Facebook handle log-in within the Facebook iPhone app?
Look and feel says they're using authentication but if so, how do they keep others from using it?
Suggestions appreciated.
I think you will find your answer in this document, and particular paragraph:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-threatmodel-07#section-5.2.3.4
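The question above is the classic public-client problem: anything embedded in a mobile binary, an appid or a client secret, can be extracted, so the app must not be trusted on the strength of that value. The authorization code flow with PKCE (RFC 7636) is the mitigation designed for this case: the client proves it started the authorization request by holding a per-request random verifier, and no client secret is needed at all. The following is an added example, not code from the thread or from any vendor SDK; the endpoint URLs, client id and redirect URI are placeholders, and the known-answer pair in the comments is the one published in RFC 7636 Appendix B.

```python
"""PKCE helpers for a public OAuth 2.0 client (RFC 7636). Standard library only."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the minimum length RFC 7636 allows (43..128)
    return _b64url(secrets.token_bytes(num_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: challenge = base64url(SHA-256(verifier))
    # RFC 7636 Appendix B: verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    # yields challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state, verifier):
    # Step 1 (mobile app): open this URL in the system browser. Only the challenge leaves the device.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def build_token_request(token_endpoint, client_id, redirect_uri, code, verifier):
    # Step 2 (mobile app): redeem the code. Note there is no client_secret field;
    # the verifier is what ties this request to the earlier authorization request.
    return {
        "url": token_endpoint,
        "form": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "client_id": client_id,
            "code_verifier": verifier,
        },
    }


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    # Authorization server side: recompute the challenge from the presented verifier and
    # compare in constant time. A stolen code is useless without the matching verifier.
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    # Placeholder endpoints and ids (assumptions, not any real provider's values).
    verifier = make_code_verifier()
    url = build_authorization_url(
        "https://auth.example.test/authorize", "mobile-app-id",
        "com.example.app://callback", "profile", secrets.token_urlsafe(16), verifier,
    )
    print(url)
    print(server_accepts_verifier(make_code_challenge(verifier), verifier))
```

The app binary still carries a client id, but that id is public by design: without the verifier, which exists only in memory for one login, an attacker who reverse engineers the binary or intercepts the redirect gains nothing usable.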
I am trying to integrate docusign with a React Native app I am building. My desired workflow is to have the user launch a remote signing envelope based on a template.
From the Node JS examples, eg009 seems to be the end result I am after. However, I am wanting to complete this with Axios/Fetch and Javascript.
My intended flow is to have the user enter their name and email, and their spouse's name and email. From there they press a submit button which sends the API call, and that is the extent of what the app does.
I am wanting the API call to then start the template flow, sending a document to sign via email to both that were entered into the app. I want the users to authorize themselves from the email, not the app. After both parties have signed, I want it sent to a third static email.
I do not want the users to have to authorize inside the app or be redirected anywhere. It seems a JWT would be best.
Does this seem possible? How would you suggest going about this?
I appreciate the help!
Looks like the JWT grant flow is the right fit for you here. Please see this article for more details: https://developers.docusign.com/platform/auth
There's no good solution for running DocuSign API calls from client as a result of CORS limitations.
Larry has some blog posts on this topic - https://www.docusign.com/blog/dsdev-building-single-page-applications-with-docusign-and-cors-part-2
You could use something like AWS Lambda, which is not a server per se, but gives you server capabilities without the hassle of a server.
Check also the latest blog by Larry on this topic which superficially covers using React for single-page apps.
I am attempting to create an angular application that authenticates to the Google APIs as our administrator account so that it can gather details, such as a user's Google Drive info (number of files, total size, etc.)
I'm attempting to use OAuth 2.0 to give the application our "administrator" credentials. The examples provided in the Google API documentation show how to accomplish such tasks by allowing a user to log themselves in, but I've yet to find anything demonstrating how to programmatically authenticate an application as admin (or anything else, for that matter).
Is this possible?
After a bit more research, I finally found a question relevant to the issue with what appears to be a detailed solution! It's all about using the right key words... "programatically" was the word that finally got me there :)
Of course, I'll be using JavaScript/Angular, not Python, but I believe the concepts will be the same.
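Both the DocuSign thread above (JWT grant, no user redirect) and this Google one (an application authenticating as a service identity without an interactive login) are instances of the same mechanism: the JWT bearer grant of RFC 7523. The client signs a short-lived assertion naming the issuer, the impersonated subject, the token endpoint as audience and an expiry, and posts it with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`. The following added example, not code from either thread or from DocuSign or Google, shows the assertion construction, a verifier as the token endpoint would run it, and the token request body. It uses HMAC-SHA256 so it runs with the standard library alone; that is an assumption made for the demo, since both providers sign such assertions with the integration's RSA private key (RS256). Issuer, subject, audience and scope values are placeholders.

```python
"""JWT bearer assertion (RFC 7523) built and verified with the standard library."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(issuer, subject, audience, scope, signing_key: bytes, lifetime=3600, now=None):
    # Claims every JWT-bearer provider checks: iss (integration), sub (impersonated user),
    # aud (the token endpoint), iat/exp (short lifetime), plus the scopes requested.
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: HS256 stand-in for the provider's RS256
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "scope": scope}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_assertion(token: str, signing_key: bytes, expected_audience: str, now=None) -> dict:
    # What the token endpoint does before minting an access token: check the signature
    # in constant time, then the audience and the expiry. Raises ValueError on any failure.
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    signing_input = f"{parts[0]}.{parts[1]}"
    expected = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


def build_token_request(token_endpoint: str, assertion: str) -> dict:
    # The form body the provider's token endpoint expects for this grant.
    return {
        "url": token_endpoint,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion}),
    }


if __name__ == "__main__":
    # Placeholder identities and a constructed demo key (not any real provider's values).
    key = b"demo-shared-key-for-the-example-only"
    jwt = build_assertion("integration-key-placeholder", "user-id-placeholder",
                          "https://auth.example.test/oauth/token", "signature", key)
    print(verify_assertion(jwt, key, "https://auth.example.test/oauth/token"))
    print(build_token_request("https://auth.example.test/oauth/token", jwt)["body"][:80])
```

Because the signing key is the whole basis of trust here, this flow only makes sense from a backend (or a function service such as Lambda, as the DocuSign answer suggests), never from a React Native or Angular bundle that users can inspect.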
I need to access the active version on SAP Cloud Platform of HTML5 apps through an api.
I know for the java apps you have the lifecycle api: doc
But you can't access HTML5 information with this API.
What I found is this service: https://account.hana.ondemand.com/ajax/getHtml5AppDetails/{subaccountName}/{appName}
This will return a JSON string with the required info, but I'm not authorized to access this page, although I have all the possible admin rights.
So I'm wondering if any of you has any idea to solve my issue, and other people's issues.
Well, we needed something similar and used this kinda hack to get the active versions via the WebIde API (needs basic auth to log in); replace XXXX with your account:
https://webide-XXXX.dispatcher.hana.ondemand.com/api/html5api/accounts/XXXXX/applications
You get back a JSON array with all your applications of that sub account, including active version and other interesting information.
Hope it helps ;))
Regards Mathias
You could create a HTTP Proxy Servlet based on https://github.com/SAP/cloud-connectivityproxy that provides read only access to https://dispatcher.hanatrial.ondemand.com/hcproxy/b/api/accounts/<subaccount>/applications/<app> for your app.
I'm trying to create a webpage that can incorporate LinkedIn info (profile, people, company, etc.).
The things that it can/would do are the following:
When the user enters a name that is registered in LinkedIn, he gets the following:
* Name, Company, Email
* List of LinkedIn messages that are waiting for reply
The same process goes on every time the user adds a profile. I'm planning to use the Profile API of LinkedIn to get the Name, Company and Email, but I can't find a working example to be my basis.
As for the 2nd one I still don't know how to get the LinkedIn messages.
Here's my Layout and expected result.
How can I achieve this? Opinions and suggestions are highly appreciated, thanks.
This is far too broad a question for me to invest the necessary time in to figure out the answers (multiple) for you, but do let me give you some hints. First of all, from my experience with the LinkedIn API, not all the data you wish to access is available (do double check this though; I used the API quite a while back and stuff might have changed in the meantime). As this data is not available through the API, the only alternative would be to somehow bypass the cross-domain policy, which in conclusion would require the user to install a Chrome extension/Firefox plugin which will function as a proxy for your application, or even 'better', make your entire application a browser-plugin-based web app. Not that I am a fan of those whatsoever, but if your application is meant in any way whatsoever as a LinkedIn (dedicated) plugin (probably as part of a greater service you're developing) then it might make most sense.
The whole system you are describing is very long-winded and requires a large amount of development time. A lot of the data is not accessible directly or indirectly either. You cannot get email addresses out from the API as a security feature (bots could just harvest emails for marketing campaigns).
First of all, you will need to make an application that allows for OAuth2 connections with the LinkedIn API service. People will log onto your website, click to join their LinkedIn account with your website, and your website will receive back an access token to do the calls.
You will then need to build the queries which will access the data you require. The LinkedIn API documentation (http://developer.linkedin.com/) isn't greatly in-depth, but it gives you a good understanding and points you where you need to go. There are also a couple of pre-done PHP APIs around, such as https://code.google.com/p/simple-linkedinphp/.
I have worked with many APIs from Twitter, Facebook and LinkedIn, and they all require a lot of back-end work to make sure that they are secure and get the correct data.
It would take me hours to go through exactly how to do it and has taken me many hours to get a solid implementation in place and working with all the different calls available.
If you have minimal coding knowledge, it would be best to go to an external company with a large amount of resources and knowledge in the field who can do it for you. Otherwise it may take many months to get a working prototype.
I have a browser extension (google chrome) that fetches and displays some public tweets, based on user input.
I've been using the Search API just fine, but according to the API changes, I have to migrate to API v1.1, where authenticated requests via OAuth are required.
I have no previous experience with OAuth, but it seems like a bad idea to implement it in pure client-side JavaScript, as the consumer key/secret will be exposed.
If I implement the authentication via a browser NPAPI/PPAPI plugin, will it provide the needed security? Or does this mean that I have to dump this project and simply move on?
Thanks.
You need to obtain an access token so that you can read data on behalf of your users. This involves implementing Twitter's 3-legged auth, which is very similar to implementing Twitter sign in (which thankfully is well documented).
The link below will take you to Twitter's overview of the differences between the two approaches to authenticating. From there you can get to the code samples that you'll need to implement this securely yourself.
https://dev.twitter.com/docs/auth/3-legged-authorization
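The reason the consumer secret cannot live in an extension or a plugin is visible in how Twitter's 3-legged OAuth (OAuth 1.0a, RFC 5849) signs each request: the secret is one half of the HMAC-SHA1 key, so whoever holds it can sign requests as your application, and a native plugin only moves the secret from JavaScript into a binary that is just as extractable. The following added example, not code from the thread or from Twitter, implements the signing step the way a backend proxy holding the secret would, plus the matching check a resource server performs; the URL, keys and parameter values are constructed placeholders.

```python
"""OAuth 1.0a HMAC-SHA1 request signing (RFC 5849 section 3.4), standard library only."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # RFC 3986 encoding with only unreserved characters left bare, as OAuth 1.0a requires.
    return quote(str(value), safe="-._~")


def build_signature_base_string(method: str, base_url: str, params: dict) -> str:
    # Parameters are encoded first, then sorted by key and value, then joined with '&'.
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def sign_request(method, base_url, params, consumer_secret, token_secret="") -> str:
    # The signing key is consumer_secret '&' token_secret; this is why the consumer
    # secret must stay on the server that performs the signing.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode("ascii")
    base = build_signature_base_string(method, base_url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def oauth_params(consumer_key, token, nonce=None, timestamp=None) -> dict:
    # The protocol parameters that accompany every signed request.
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }


def authorization_header(method, base_url, body_params, consumer_key, consumer_secret,
                         token, token_secret, nonce=None, timestamp=None) -> str:
    # Backend proxy side: sign query/body parameters together with the oauth_* parameters
    # and emit the Authorization header the client (here, the extension) never has to build.
    params = {**body_params, **oauth_params(consumer_key, token, nonce, timestamp)}
    params["oauth_signature"] = sign_request(method, base_url, params, consumer_secret, token_secret)
    fields = ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"'
                       for k, v in sorted(params.items()) if k.startswith("oauth_"))
    return f"OAuth {fields}"


def verify_signature(method, base_url, params, consumer_secret, token_secret) -> bool:
    # Resource server side: recompute over every parameter except the signature itself.
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign_request(method, base_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed demo values; not real credentials or a real endpoint.
    print(authorization_header("POST", "https://api.example.test/1.1/statuses/update.json",
                               {"status": "Hello Ladies + Gentlemen, a signed OAuth request!"},
                               "demo-consumer-key", "demo-consumer-secret",
                               "demo-token", "demo-token-secret"))
```

With this split, the extension sends only the user's intent (the search terms) to the proxy, the proxy signs and forwards the call, and the consumer secret is never shipped to a machine you do not control.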