I am working on an app that extracts analytic data from different social medias. Both Instagram and Facebook allow you to get this data for your team members without having to approve the app. I am in early stages and just want to play around with the API's to see what data I can get.
From my understanding LinkedIn does not allow a playground or does not allow making API calls to your own organisation for testing. It does have two test organisations found here. My Understanding was that I could make an API call to these organizations without needing approval for my app or oAuth Token. So I could test the analytics API and their responses. But when I do make the call i get the following error
{
"serviceErrorCode": 65604,
"message": "Empty oauth2 access token",
"status": 401
}
I do not have an access token since I dont have access to any scopes so I cant get an access token. If I do enter a random value for access token I get Invalid access token
Do I need to get approval for Marketing Developer Platform to even make API calls to the test organization ? Is there no way to make test API calls to see the response before applying for a program ? Approval can take upto 90 days and I dont want to run a few tests before that process.
Related
What I want to do is quite simple: provision Office 365 and Azure Account from my Web App. And I want it to be available not only for me but for all the IT Departments (from other organizations too) that logs in my App.
From my understanding the steps I have to take are:
Register App on apps.dev.microsoft.com and get ID And Secret.
Enable the Scopes I'm interested in (in my case Directory.ReadWrite.All and User.ReadWrite.All) -- Enabled from both Delegated Permissions and Application Permissions
Gone through the LOGIN PROCESS
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=[My Client]&response_type=code&redirect_uri=[My Account]/Account/Office&response_mode=query&scope=openid%20User.Read%20offline_access%20Directory.ReadWrite.All
Confirm the code I receive back on my Return URL
POST https://login.microsoftonline.com/common/oauth2/v2.0/token?...secret and so on...
Now what I get is an object with Access Token, Renew Token and so on and so forth.
If I use it to get users, it's all working:
https://graph.microsoft.com/v1.0/users
But when I try to perform other operations the token seems invalid.
For instance:
Get Azure subscriptions (the account is admin of several subscription):
https://management.core.windows.net/subscriptions ==> UNAUTHORIZED
What I'm doing wrong? Is the IDEA behind it correct?
I really need to be done at a "global" level without config manual steps on every subscription or putting in some "TenantID" manually.
You've requested a token with scoped for the Microsoft Graph API which is why you can use API endpoints surfaced by https://graph.microsoft.com/.
The call to https://management.core.windows.net/subscriptions is not part of Microsoft Graph API so you're token isn't valid for that resource. That call is into the Service Management REST API. Authenticating for this API is documented here.
After reading the documents of Google API. I know that if a project we create needs to access private data, we should use oauth. But here is my situation. we will open a business account in Youtube, and we will create a project to push videos to our own account, we don't need to operate other user's' account. Can we use google youtube data api without OAuth?
There are two ways to access private user data with Google APIs.
Strait Oauth2. where you have a consent for asking the owner of the account if you can access it
Service accounts which are technically pre authorized by the developer.
Normally I would say because you are only accessing the one account that you own, use a service account. Unfortunately the YouTube API does not support service account authentication.
Due to the lack of service account support you will have to use Oauth2. I have done this in the past.
Authentication your script once, using a server sided language of some kind. The Authentication server will return to you a Refresh token. Refresh tokens can be used at any time to get a new access token. Access tokens are used to access Google APIs and are only valid for an hour. Save this refresh token someplace. You will then be able to allow access the YouTube account in question when ever you like.
Note: You will have to watch it. Refresh tokens can on rare occasion become invalid. I recommend having a script ready that will allow you to re authenticate the application again storing a new refresh token. Its rare that it happens but it can happen best to be pre-paired.
Oauth Play ground
Part of the point of Oauth is that it identifies your application to Google though the creation of your project on Google developer console. Things like quota and access to which APIs is controlled though that. If you spam the API they will know and shut you down. (never seen this happen)
When you request access of a user it pops up with the name of the project on google developer console. This is identified by the client id and client secrete for that project on google developer console. When I use oauth playground I get asked 'Google OAuth 2.0 Playground would like to ..'
So by using playground you are using Googles client id and client secrete to create a refresh token for yourself. If N other devs are also doing this the quota for YouTube may be used up in the course of a day. Also security wise you are now giving that project access to your data. Ignore that for a second what if google suddenly decides to remove change the client id or generate a new one. Your refresh token will no longer work. What if random dev X is using it as well and he starts spamming everything and the client id gets shut down (Think this happened last year) your going to have to wait for google to upload a new client id for the one that has now been banned.
Google OAuth 2.0 Playground might seam nice but its not for daily use IMO its good for testing nothing more. Create your own project and get your own access its not hard just requires a programing language that can handle a http Post.
My tutorial Google 3 legged oauth2 flow
More of a theoretical question here - how can you get around using OAuth when you don't want to use it, but are using an API that requires it.
For example recently I was looking through the Bing Ads API and noticed they now require you to do OAuth as part of the process. Which makes sense if you're making an application that allows a user to control their Bing Ads account via your app. However, let's say you wanted all of your users to interact with one Bing Ads account.
Is it possible to hardcode all of the OAuth pieces in the background and just use the same authentication for every user to essentially send their stuff to the same Bing Ads account.
- If so, what sort of negative impacts would there be on that?
While it is simply not possible to get around using OAuth if the API requires it, OAuth can be used for more than just the "access delegated to client by current user" use case. As you suggest, if you want all users of your app to interact with your Bing account ("on your behalf" on OAuth speak), you can certainly do that with OAuth.
For an OAuth 2.0 implementation this would mean that you obtain an access token and preferably a refresh token in some way for your app, e.g. by you yourself going once through the Authorization Code flow (also, some services allow you to generate tokens in their web UI). Then you would "hard-configure" the token(s) in your app and use it/them to talk to the Bing API.
If a refresh token is included as well as an access token then your app can get a new access token in the backend whenever the old one expires without you (or your users) having to go through that initial flow again.
Be aware that this is not good practice for mobile apps, where you would have to distribute your app with the tokens embedded in the binary packages. Those tokens could easily be grabbed through hacking/scanning those binaries. But when the tokens are used in a backend service and never exposed in the front end, this is a perfectly valid scenario.
I am trying to get an access to AdWords API via OAuth.
I registered an app, created MCC account (to a different e-mail) and a test account.
I read through AdWords API documentation and don't see that I need a dev token to access an account by oauth. Just clientId, clientSecret and accessToken.
But when I try to connect to the API using google-api-adwords-dotnet library. I get "Parameter name: AdWords API requires a developer token"
What is the purpose of OAuth if I cant access the API without MCC and dev token?
Best regards,
Andrei
P.S. I can access my test account providing my dev token. But I need to access any client who granted an access to me, not just clients who are part of my MCC account.
This question was answered on AdWords API group: https://groups.google.com/forum/#!topic/adwords-api/mC7mB-YYH-Q
A developer token is required to make AdWords API calls. It's main purpose is to ensure that the developer has accepted AdWords API T&Cs, identify your requests in case we need to troubleshoot issues you are facing, etc. In the past, it was also used to identify the account to which API calls were charged, but that's no longer the case since AdWords API calls are now free.
OAuth2 tokens are used to authenticate the calls you make against a client account. You may also use ClientLogin as an alternative to OAuth2, but it is deprecated and it's use is strongly discouraged.
You need an MCC account to get a developer token, but it's not a requirement that the account you make calls to lives under that MCC. Using OAuth, you could make calls to a totally unrelated account (e.g. a client logs in from the UI), as long as you can generate an access token for the same. Right now, your developer token is under review, that's why your ability to make calls are restricted to test accounts. Once your token is approved, you should be able to make calls to any account that you have access to.
I am working on a web service that has a RESTful backend (written using django) and multiple frontends, one of which is iOS. I would like to have as much as possible done by the backend to minimize the frontend complexity, however, this strategy is failing now that I'm trying to integrate the Facebook open graph.
What I am currently trying to do is have the user authenticate with facebook using the iOS SDK and then submit the received access token to the backend, with which the backend can, for example, publish an action to the user's timeline. However, when trying to make requests from the backend, I receive the error message: {"error": {"message": "Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.", "code": 190, "type": "OAuthException", "error_subcode": 460}}
Presumably, this is because Facebook either recognizes that the request is not coming from iOS or that it is coming from a different host.
Is there some way to obtain the code that can be used for server-side authentication from the iOS SDK so that the backend itself can request the access token?
Perhaps I am just looking at this from the completely wrong angle and should implement graph API interactions on each individual front end?
edit: Based on Facebook's own resources and the fact that this isn't a common question, am I right to assume this is simply against best practices for the Open Graph API?
The solution ended up being really dumb. I forgot to request the publish_actions permission from iOS even though I was from the web frontend I was trying to make this work with.