I found this in the official doc for the client ID:
During your initial setup you will need to contact Valve with the following information:
What permissions you need the user to obtain. The required permissions are listed below with each API call.
The token lifetime.
The redirect URI to send the user back to after completing authentication/authorization.
In return, Valve will assign a Client ID for your implementation.
But they didn't mention how to contact Valve for this. I found many similar questions on different platforms but can't find any solution to this.
https://steamcommunity.com/oauth/login?response_type=token&client_id=client_id_here&state=whatever_you_want
I am a little confused about Steam ID and Client ID. Are they the same? If not, then how do I retrieve the client ID from Valve?
Sorry if I missed anything here.
Answering my own question for someone's reference.
OAuth is not supported by Steam any more, but the official documentation is still there, which is useless right now.
It needs to be implemented using OpenID, which is the only solution.
There are many references in PHP and other languages on GitHub.
If anyone needs any help, feel free to ask here; I have implemented it successfully.
Also, client ID and Steam ID are not the same.
I just started using dynatables and am still heavily dependent on examples from https://www.dynatable.com/. Unfortunately the site is down with the following message:
You have requested a site that is currently offline. This generally happens when a site is temporarily disabled for some reason, but has not been permanently removed.
If you are one of our members and you expected to see your site here, please visit our Member Home Page and check the following:
Make sure your site is enabled.
Make sure you have funds on deposit.
Try the Site Troubleshooting Wizard.
Submit a Secure Support Request for assistance.
If you are not the member of our service who owns this site, please don't ask us about it. We have a very strict privacy policy and won't be able to tell you anything.
Does anybody know if the site is really just down temporarily, or if it's gone for good? I'm asking here because on the dynatable github site it says to ask questions here with and to use the dynatable tag...
And like that, the site is back up...guess it really was just temporary....
It's down again, same message. I'm using Google Cache.
I want to get a list of endpoints in Kaa. I see many REST functions here, but all of them need information like the Endpoint Hash Key and ... but I don't know how I can find them. Can anybody help me with how I can do this? And is there a way of getting an event on device discovery in Kaa?
Thanks in advance
On your link, for each REST call there is a description with the endpoint corresponding to the request. For example:
Get user authentication status
URL : /kaaAdmin/rest/api/auth/checkAuth
Same for parameter needed.
If that's not what you are looking for, you might have to explain a little bit more.
You are able to get the endpoint key hash in 3 ways:
Get the information from the Client SDK on your device. Check the appropriate documentation of your desired SDK.
Look at the Admin UI in the Endpoint profiles menu.
Get it via the Admin REST API.
Please, check profiling section.
I think it will help you to find your desired information.
We have realized that this URL http://Keyword:redacted@example.com/ redirects to http://example.com/ when copied and pasted into the browser's address bar.
As far as I understand this might be used in some ftp connections but we have no such use on our website. We are suspecting that we are targeted by an attack and have been warned by Google that we are passing PII (mostly email addresses) in our URL requests to their Google Adsense network. We have not been able to find the source, but we have been warned that the violation is in the form of http://Keyword:redacted@example.com/
How can we stop this from happening?
What URL redirect method can we use to not accept this and return an error message?
FYI I experienced a similar issue for a client website and followed up with Adsense support. The matter was escalated to a specialist team who investigated and determined that flagged violations with the format http://Keyword:redacted@example.com/ will be considered false positives. I'm not sure if this applies to all publishers or was specific to our case, but it might be worth following up with Adsense support.
There is nothing you can do. This is handled entirely by your browser long before it even thinks about "talking" to your server.
That's a strange URL for people to copy/paste into the browser's address bar unless they have been told/trained to do so. Your best bet is to tell them to STOP IT! :-)
I suppose you could look at the HTTP Authorization Headers and report an error if they come in populated... (This would be $_SERVER['PHP_AUTH_USER'] in PHP.) I've never looked at these values when the header doesn't request them, so I'm not sure if it would work or not...
The syntax http://abc:def@something.com means you're sending userid='abc', password='def' as basic authentication parameters. Your browser will pull out the userid & password and send them along as authentication information, leaving the url without them.
As Peter Bowers mentioned, you could check the authorization headers and see if they're coming in that way, but you can't stop others from doing it if they want. If it happens a lot then I'd suspect that somewhere there's a web form asking users to enter their user/password and it's getting encoded that way. One way to sleuth it out would be to see if you can identify someone by the userid specified.
Having Keyword:redacted sounds odd. It's possible Google Adsense changed the values to avoid including confidential info.
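As an added example (not part of any answer above), this Ruby sketch shows what the userinfo syntax turns into and how a site that never requests HTTP authentication could flag an unsolicited Basic header and recover the userid for log correlation. The function names and the Rack-style `env` hash are assumptions made for the illustration.

```ruby
require "uri"

# Credentials a client derives from the userinfo part of a URL, plus the
# Basic header value built from them ("m0" = strict Base64, no newlines).
def credentials_in_url(url)
  uri = URI.parse(url)
  return nil if uri.userinfo.nil?
  pair = "#{uri.user}:#{uri.password}"
  { user: uri.user, host: uri.host, authorization: "Basic " + [pair].pack("m0") }
end

# Server side, for a site that never asks for HTTP authentication: return the
# userid carried by an unsolicited Basic header (never the password), nil when
# the request has no Basic credentials, :malformed when the blob is not Base64.
# env is a Rack-style hash, where the header appears as HTTP_AUTHORIZATION.
def unsolicited_basic_user(env)
  scheme, blob = env["HTTP_AUTHORIZATION"].to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("basic") && blob
  # split on the first colon only: the password itself may contain colons
  blob.strip.unpack1("m0").split(":", 2).first
rescue ArgumentError
  :malformed
end
```

Logging only the returned userid, together with the Referer of the same request, is enough to look for the form or link that produces these URLs.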
I'm thinking of adding a feature to my iOS game to allow players to create their own game levels, share them with other players, rate them, etc. There'd be a public repository of user-created levels, sortable by creation date, rating, difficulty, or other criteria.
This kind of functionality would necessitate a third-party server. I was thinking I'd create a RESTful API using Sinatra and run it on Heroku. My question is: what would be the best way to authenticate requests to this API? I would prefer not to require players to create a username and password. I'd like to just use Game Center's ID system.
Any suggestions? I've never done any server-side stuff before so any help is appreciated!
Clarification
Yes, I'm aware that Apple doesn't provide its own system. But it does give developers access to unique Game Center identifiers (developer.apple.com/library/mac/#documentation/…) and I was hoping I could use that somehow to roll my own authentication system without requiring users to sign on via Facebook/Twitter/etc. If that's possible.
Looks like as of iOS 7, this is possible with Game Center using:
[localPlayer generateIdentityVerificationSignatureWithCompletionHandler]
Once you have verified the identity of the player using the generateIdentity call,
Associate the player id with a user on your server's db
Use whatever access token / authentication pattern your REST framework provides for subsequent calls
https://developer.apple.com/library/ios/documentation/GameKit/Reference/GKLocalPlayer_Ref/Reference/Reference.html
Also for reference, here is the dictionary that we end up sending off to our server based on the response from generateIdentityVerificationSignatureWithCompletionHandler
    // Values returned by generateIdentityVerificationSignatureWithCompletionHandler,
    // encoded as strings for the request to the server
    NSDictionary *paramsDict = @{
        @"publicKeyUrl":[publicKeyUrl absoluteString],
        @"timestamp":[NSString stringWithFormat:@"%llu", timestamp],
        @"signature":[signature base64EncodedStringWithOptions:0],
        @"salt":[salt base64EncodedStringWithOptions:0],
        @"playerID":localPlayer.playerID,
        @"bundleID":[[NSBundle mainBundle] bundleIdentifier]
    };
edit: as of when I posted this there was no official solution from Apple, but there is now. See the other answers for that, or read on purely for historical / backwards-compatibility interest.
Apple doesn't provide any sort of system for using Apple ID authentication (which includes Game Center) with third-party services. You're on your own for authentication, though you could look into OAuth for allowing single-sign-on via Facebook/Twitter/etc. (Just beware that not everyone has a Facebook/Twitter/etc identity, or one that they want to use for your game.)
In theory, the playerID property on GKPlayer is unique, constant, and not known to anyone else. So, in theory, you could use it for "poor man's authentication": present it to your server, and that's all the server needs to look up and provide player-specific stuff. But this is like authentication by UDID, or by user name only -- the only security it provides is obscurity. And what happens when you have a user who's not signed into Game Center?
Andy's answer is on the right track, but to finish the story: in those docs that he links to, there's an explanation of how to actually authenticate against Apple services that the GameCenter user actually is who he is claiming to be. Link to that part of the docs is below. Basically, the call on the client to generateIdentityVerificationSignatureWithCompletionHandler gives you some data including a URL. You give that data and the URL to your own server, and then from your server you can hit that URL to authenticate the user with the rest of the data that was provided by the call to generateIdentityVerificationSignatureWithCompletionHandler.
https://developer.apple.com/library/ios/documentation/GameKit/Reference/GKLocalPlayer_Ref/index.html#//apple_ref/occ/instm/GKLocalPlayer/generateIdentityVerificationSignatureWithCompletionHandler:
I had a heck of a time figuring this out. I finally used a few hints from this answer, a couple of other SO answers, the php docs and some lucky guessing to come up with this complete answer.
NOTE: This method seems very open to hacking, as anyone could sign whatever they want with their own certificate then pass the server the data, signature and URL to their certificate and get back a "that's a valid GameCenter login" answer so, while this code "works" in the sense that it implements the GC algorithm, the algorithm itself seems flawed. Ideally, we would also check that the certificate came from a trusted source. Extra-paranoia to check that it is Apple's Game Center certificate would be good, too.
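As an added example (not code from any of the answers above), here is a server-side check in Ruby, matching the Sinatra setup in the question, that closes the gap the NOTE describes: the certificate URL must be HTTPS on an allowlisted host, and the downloaded certificate must chain to a CA in a trust store the caller supplies. The host allowlist, the SHA-256 digest, the five-minute window, the payload layout as understood from Apple's documentation, and all function names are assumptions to confirm against Apple's current documentation.

```ruby
require "openssl"
require "uri"

# Assumptions (not from the page): key host allowlist, digest, replay window.
KEY_HOST = /\A(?:[a-z0-9-]+\.)*apple\.com\z/
DIGEST = "SHA256"
MAX_SKEW_MS = 5 * 60 * 1000

# Only fetch the certificate from an HTTPS URL on an allowlisted host, so a
# client cannot point the server at a certificate it generated itself.
def trusted_key_url?(url)
  uri = URI.parse(url.to_s)
  uri.is_a?(URI::HTTPS) && uri.userinfo.nil? && KEY_HOST.match?(uri.host.to_s.downcase)
rescue URI::InvalidURIError
  false
end

# Return the public key only if the downloaded certificate chains to a CA in store.
def key_from_certificate(der, store)
  cert = OpenSSL::X509::Certificate.new(der)
  store.verify(cert) ? cert.public_key : nil
rescue OpenSSL::X509::CertificateError
  nil
end

# Signed buffer: playerID and bundleID as UTF-8, timestamp as big-endian uint64, raw salt.
def signed_payload(player_id, bundle_id, timestamp_ms, salt)
  player_id.b + bundle_id.b + [timestamp_ms].pack("Q>") + salt.b
end

# params: the dictionary posted by the client; cert_der: bytes fetched from publicKeyUrl.
def verify_identity(params, cert_der, store, expected_bundle_id, now_ms)
  return :untrusted_key_url unless trusted_key_url?(params["publicKeyUrl"])
  return :wrong_bundle unless params["bundleID"] == expected_bundle_id
  ts = Integer(params["timestamp"], 10)
  return :stale unless (now_ms - ts).abs <= MAX_SKEW_MS
  key = key_from_certificate(cert_der, store)
  return :untrusted_certificate unless key
  salt = params["salt"].unpack1("m0")            # "m0" = strict Base64
  signature = params["signature"].unpack1("m0")
  payload = signed_payload(params["playerID"], params["bundleID"], ts, salt)
  key.verify(OpenSSL::Digest.new(DIGEST), signature, payload) ? :ok : :bad_signature
rescue ArgumentError, TypeError, NoMethodError
  :malformed
end
```

In production the store would be an `OpenSSL::X509::Store` loaded with the system roots, and the certificate bytes would be fetched only after `trusted_key_url?` has passed.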
My problem might be simple, but I just don't know how the pageViewer/pageOwner concept works, or better to say, I don't know how I can get rid of this system.
I just want to make a gadget which handles all OAuth authentications for networks like Twitter, Google+, etc.
So basically I want to let the user say how many networks he wants to access and then I make all the OAuth authentications. I use Liferay and OpenSocial for that task but get this error:
OAuth error: UNKNOWN_PROBLEM: Client state belongs to a different person (state owner=G-10180, pageViewer=10196) ==== Original request: GET /m8/feeds/contacts/default/base?alt=json Host: www.google.com X-Shindig-AuthType: oauth X-Forwarded-For: 87.139.78.177 X-shindig-dos: on ====
I guess I have to change something in the shindig.properties file, but this is where I need your help.
-------------------------------UPDATE----------------------------------
I know that the first part of my authentication works because I get an authentication token, but it is invalid. I assume that the gadget expects a token identical to the token the owner stored.
It would be perfect if you have a little code example for me to identify the viewer as a new user if he isn't already a member. Please tell me where I have to put this code in my gadget, because the OpenSocial documentation has cost me a lot of time so far, but I can't find an answer to this issue :).
Thanks in advance
Please see my response to your other question: link
You're basically encountering the same problem where the viewer is not the page owner. As I mentioned in your other question, the page viewer must be the page owner for OAuth gadgets (in other words, you must add the OAuth gadget to a page you own).
I'm hoping that a future version of Shindig will fully support adding OAuth gadgets to pages where the viewer != owner, but I'm having difficulty getting feedback from the Shindig community (see here)