I want to realize account linking to Google account with Google Home.
On realizing this, our app's flow of account linking follow to
this page.
It page shows this.
...so we send back a message saying they need to visit our website to authorize us to access their Google services. We may require them to switch to a mobile device to do this part and even include a link to the login page.
At this part, we use GoogleHome's rich response to send authentication link to user's mobile device.
For example,
payload: {
google: {
expectUserResponse: true,
richResponse: {
items: [
{
simpleResponse: {
textToSpeech: "textToSpeech"
}
},
{
basicCard: {
title: "Title",
formattedText: "formattedText",
buttons: [
{
title: "ButtonTitle",
openUrlAction: {
url: "https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&scope=https//www.googleapis.com/auth/calendar.readonly&response_type=code&client_id=xxx.apps.googleusercontent.com&redirect_uri=https//project.com"
}
}
],
}
}
]
}
}
}
We can do account linking using Android OS, but iOS can't do that due to 403 error.
We've investigated the cause, it needs to use a specific browser to see google authentication page.
How can I do account linking to avoid such problem?
Or could you tell me another way to do account linking to Google account.
Please excuse my poor English. Thank you.
As per Actions on Google policy, your account linking should be owned or controlled by you. It seems like your account linking is trying to use Google OAuth directly.
You could use Google Sign-in directly, which provides a better UX, although that flow will not give you the ability to request any scopes like calendar. You would need to handle users who don't have authorized scopes until they grant the scopes to your service in another matter such as visiting your website in a web browser.
Related
I'm fighting with the identity parts of ASP.NET Core 2.2 again. This time its Facebook login. Google and Microsoft work with some small tweaks but Facebook has me stumped.
Here's my config.
"Facebook": {
"ClientId": "See secrets.json",
"ClientSecret": "See secrets.json",
"AuthorizationEndpoint": "https://www.facebook.com/v5.0/dialog/oauth",
"TokenEndpoint": "https://graph.facebook.com/oauth/access_token",
"UserInformationEndpoint": "https://graph.facebook.com/me?fields=id,name,first_name,email",
"CallbackPath": "/oauth2/facebook",
"Scope": [ "public_profile", "email" ]
}
Using Fiddler I cannot see any attempt to call the /me resource to get the profile. I can see the backchannel call out to get the access token and I see the response looks like good JSON to me and the token works; I can call the Facebook Graph API manually and get my profile.
I had Fiddler trace a working Google login and I see a token come back with what appears to be the same JSON schema as Facebook uses, and then another clear request/response on the backchannel to get my Google profile.
Facebook returns { "access_token", "token_type", "expires_in" } while
Google return { "access_token", "expires_in", "scope", "token_type", "id_token" }.
Sadly, because I'm using the Microsoft framework and didn't roll my own OAuth code this time, I am unable to see what's happening internally and I think Microsoft chose not to log anything for fear of leaking secrets into logs.
I'm out of ideas.
Exact same issue after setting up LinkedIn. Token comes back looking fine but it doesn't even try to call to get the profile.
What a severely costly nightmare the Identity framework is.
I have the Facebook login working. I was looking at why the Microsoft and Google ones work and saw that they use their own extension methods, like AddGoogle and not the vanilla AddOAuth.
Looking at the code on GitHub reveals that each of the named ones uses a custom handler.
This tells me that each OAuth provider is incapable of following a standard and so custom code is needed for each one! Lovely job everyone. Top marks.
I'll try using the Google (etc) handlers for LinkedIn and see if any are "compatible".
I'm starting to investigate how to work with Facebook programmatically.
I've set URL scheme in my app, so that I could open it from browser using "myappopenup://".
Then I created an app in Facebook. Copied an AppId and tried to make like this:
let url = NSURL(string: "https://www.facebook.com/dialog/oauth?client_id={MY_APP_ID_WAS_HERE}&redirect_uri=myappopenup://fbcallback")
UIApplication.sharedApplication().openURL(url!)
After running this code, simulator opened safari (I've tried with SFSafariViewController first). but everything I saw was:
So, I'd like to know: Is it possible to redirect from the Facebook oauth to my app?
Yes it is possible. Here's the necessary redirect_uri:
https://graph.facebook.com/oauth/authorize
?response_type=token
&client_id='+'1247676148624015
&redirect_uri=fb1247676148624015://authorize
Make sure your facebook app is set up:
And make sure your custom URL scheme is set up:
Disappointing comment above -- likely misled many people. This stuff is not well-documented at all, though.
I contacted Facebook support and they confirmed that it's not supported:
Thanks for getting in touch. We'll make the messaging more clear on this, but we do not support custom URI schemes as valid redirect URIs. To perform login in a native app without opening the browser, please use the official SDKs (is https://github.com/xamarin/FacebookComponents what you're looking for?).
They responded in less that 12 hours, which at least was impressive.
I managed to make Alex Paterson solution work here. I had to add the redirect_uri URL on Facebook Login settings too. On section Valid OAuth redirect URIs I've added the callback URL like this:
https://graph.facebook.com/oauth/authorize?
response_type=token&
client_id=12345678910&
redirect_uri=fb12345678910://authorize
As some of the other answers & comments indicate, I don't think that what you're trying to do is supported by Facebook - my impression is that they really want you to use the FBSDK to accomplish authenticating and receiving a token from facebook.
It feels like I've tried every possible configuration under the sun with the someapp://authorize strategy, but it really seems likes they only want you to do this for web apps.
I'm building with react native (so this may not directly apply. I'm sure the obj-C is somewhat similar in practice), so I'm using the react-native-fbsdk library which exposes LoginButton and AccessToken components, and you can use them as such:
<LoginButton
readPermissions={["email", "public_profile"]}
onLoginFinished={
(error, result) => {
if (error) {
alert("Login failed with error: " + result.error);
} else if (result.isCancelled) {
alert("Login was cancelled");
} else {
AccessToken.getCurrentAccessToken().then((data) => {
const token = data.accessToken;
// send the token to your backend
}
)
alert("Login was successful with permissions: " + result.grantedPermissions)
}
}
}
onLogoutFinished={() => alert("User logged out")}
/>
Tried searching google and StackOverflow but with no luck, perhaps your knowledge of Google-OAuth can help...
I installed the base google-oauth package via meteor.
meteor add accounts-ui
meteor add accounts-google
Then I tested it out and saw that it requests the user to permit access to 2 main groups on information, the first being the user's email and the second being "basic information" about the users account, e.g. Name, Gender, Public Profile URL etc etc.
I only want the email and no other information. I tried to look for where the URI request is built in my meteor app, someurlprobablygoogle.com/scope=email&profile or whatever, but I can't seem to find it.
To configure Google OAuth in Meteor you need to meteor add service-configuration and meteor add accounts-google.
You should be able to modify the requestPermissions setting when calling your login method like so:
Meteor.loginWithGoogle({
requestPermissions: ['email']
}, function (err) {
if (err)
Session.set('errorMessage', err.reason || 'Unknown error');
});
Shooooots
I am trying to automate the entire process of creating a google apps account through my company's reseller account with google, without any human having to manually enable anything.
Here's a quick scenario of what I am doing.
Create Customer (Domain) with Reseller API
Create Subscription with Reseller API
Create Admin Account for the Sold Domain
I am having trouble automating step 3.
There are 2 different APIs that can accomplish this tast, Provisioning (depricated) and Directory.
I have already successfully created user accounts with the Directory API, but this step requires you to enable API access for that domain, and that can only be done manually by a human - So thats a break in automation flow, and wont work for what I am trying to accomplish.
I was instructed by google tech support to use the Provisioning API, wich is deprecated, because it supposedly allows you to create an admin user without the need to enable the API access manually per domain. When I attempt to do this, I face this error:
Uncaught exception 'Zend_Gdata_App_HttpException' with message 'Expected response code 200, got 403 <HTML> <HEAD> <TITLE>You are not authorized to perform operations on the domain mydomain.com</TITLE>
Here's the code im attempting to run:
// .....
$customerid = "somedomain.com";
$client = Zend_Gdata_ClientLogin::getHttpClient("mylogin#foo.com", "mypassword",Zend_Gdata_Gapps::AUTH_SERVICE_NAME);
$gdata = new Zend_Gdata_Gapps($client, $customerid);
$gdata->createUser('Admin', 'Firstname', 'Lastname', 'somerandompassword', TRUE);
//......
When I consulted google tech support, they told me I needed to enable the provisioning api following the same instruction I posted earlier (enable api access per domain). I have done this on both my reseller domain, and the customer domain Im trying to provision on (just to test, becasue the entire point is to be able to make an admin account WITHOUT enabling it on the customer domain.) - But it still returns this error.
Here's my settings -- as you can see, its enabled.
In google's docs, under "Enabling the Provisioning API", it has some instructions, but they appear to be out of date and dont really reflect sections available in the current google apps admin panel.
Im at a loss. Am I missing something obvious, or is it just not possible to do at this time?
Just for reference, I have found a few other people asking a similar question, but with less detail:
Google Reseller Customer Admin User Creation Admin SDK How
How to create the domain administrator of a Google Apps domain purchased via the reseller API
EDIT: Added image showing settings, and code sample.
try to delete "TRUE" parameter in createUser , it's works for me.
$customerid = "sampledomain.com";
$client = Zend_Gdata_ClientLogin::getHttpClient($email, $password, Zend_Gdata_Gapps::AUTH_SERVICE_NAME);
$gdata = new Zend_Gdata_Gapps($client, $customerid);
var_dump($gdata->createUser('trial', 'Firstname', 'Lastname', 'somerandompassword'));
in Google app console
domain settings ->user settings
check the box "enable API access"
in Google app console --> advanced tools --> Manage third party OAuth Client access
Add the scope :
https://apps-apis.google.com/a/feeds/user
I've made an app that posts to a Twitter account of mine. Currently I have hard-coded into the system the consumer key, consumer secret, access token key and access token secret.
Now I would like to use this app for two accounts and perhaps later even more. Which values have to be changed to make the same app post into the other account and how to get the values? I can see none of them in dev.twitter.com.
The python-twitter package is probably going to be what you want here.
the way you should set this up is in settings.py put
TWITTER_ACCOUNTS = {
'public': {
'consumer_key': 'PUT_C_KEY_HERE',
'consumer_secret': 'PUT_C_SEC_HERE',
'access_token_key': 'PUT_A_KEY_HERE',
'access_token_secret': 'PUT_A_SEC_HERE',
},
'personal': {
'consumer_key': 'PUT_C_KEY_HERE',
'consumer_secret': 'PUT_C_SEC_HERE',
'access_token_key': 'PUT_A_KEY_HERE',
'access_token_secret': 'PUT_A_SEC_HERE',
},
}
from twitter api page:
For applications with single-user use cases, we now offer the ability to issue an access token for your own account (and your own applications). You can generate these keys from your application details pages.
go to https://dev.twitter.com/apps to get your keys
Then in your code when doing your initialisation, (e.g. for personal account) put
import twitter
from django.conf import settings
account = settings.TWITTER_ACCOUNTS['personal']
api = twitter.Api(**account) # <----This will inject your account settings as keyword args
status = api.PostUpdate('I love python-twitter!')
Hope this helps you.
EDIT:
To register your second account with the application, Follow these instructions from Step 3: http://jeffmiller.github.com/2010/05/31/twitter-from-the-command-line-in-python-using-oauth