Do we get a token on creating a seller account on eBay, or do we have to generate it manually through the developer login? I'm really stuck with this problem. Please help if anyone knows!!
The relevant documentation is here but I'll sum it up:
You need an eBay user account. (The term "seller account" means "user account that happens to sell things", which is useful for people who have two accounts and only sell with one of them.)
You also need a developer account.
Using your developer account, you write a program that prompts a user to sign in and request an access token with permissions you specify.
This prompts eBay to send a token to your program, which expires in 2 hours. Just enough time for your program to do all the eBay tasks it needs to do.
If 2 hours isn't long enough, there is a way of using the first token to create more tokens, but you still need the user to sign in once every 18 months to keep your program running.
There is no way to gain indefinite access. Sorry.
We are building a web app that lets Office365 customers create a realistic plan for their week, by showing them how much time they actually have to work each day (it's called Weekly if you're interested).
The problem we are running into, however, is that some companies, primarily large ones, block apps entirely from making Microsoft Graph calls to their users. What's tricky is that we send them to Office365 to grant us permissions, their company blocks the access request, and we never see those users again, so we currently don't have any way of knowing what happened.
We'd like to be able to display our own message that says something like "Your company has blocked access to our application, please contact your IT department for help".
Is there any way of knowing before sending the user over to grant access that their company (the domain) even allows apps? If not is there some way to send the user back to the requesting app with some details about why the grant failed (did the user not grant permissions, did the company block access, etc.)?
Thanks for your help!
If the administrator disables the ability for users in the organization to consent then the error message will be something like:
AADSTS90093: An administrator of {tenantDisplayName} has set a policy that prevents you from granting {name of app} the permissions it is requesting. Contact an administrator of {tenantDisplayName}, who can grant permissions to this app on your behalf.
https://apps.dev.microsoft.com/portal/tools/errors?errorName=graph_user_unauthorized
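A sketch of how the requesting app could tell these outcomes apart when the user comes back, added here as an example and not taken from the answer or from Microsoft. It assumes the user is returned to the redirect URI with the standard OAuth 2.0 `error`, `error_description` and `state` parameters and that the description begins with the AADSTS code as in the message above; the callback URLs, state value and all wording except the "Your company has blocked access" message are constructed.

```python
import hmac
import re
from urllib.parse import parse_qs, urlsplit

ADMIN_BLOCKED = "AADSTS90093"  # code quoted in the answer above
AADSTS_RE = re.compile(r"\bAADSTS(\d+)\b")
MESSAGES = {
    "admin_blocked": "Your company has blocked access to our application, "
                     "please contact your IT department for help.",
    "denied": "Access was not granted. You can try connecting again.",
    "invalid_state": "This sign-in link is not valid. Please start again.",
    "other": "Sign-in failed. Please try again later.",
}

def classify_callback(callback_url, expected_state):
    """Return (outcome, aadsts_code) for a redirect back to the app."""
    params = parse_qs(urlsplit(callback_url).query)

    def first(key):
        return params.get(key, [""])[0]

    # Drop callbacks whose state is not the one issued for this session.
    if not expected_state or not hmac.compare_digest(
            first("state").encode(), expected_state.encode()):
        return ("invalid_state", None)
    if first("code") and not first("error"):
        return ("granted", None)
    match = AADSTS_RE.search(first("error_description"))
    code = "AADSTS" + match.group(1) if match else None
    if code == ADMIN_BLOCKED:
        return ("admin_blocked", code)
    if first("error") == "access_denied":
        return ("denied", code)
    return ("other", code)

def user_message(outcome):
    # Fixed strings only: error_description arrives in the URL and is untrusted.
    return MESSAGES.get(outcome, MESSAGES["other"])

# Constructed callback URLs (app.example and the state value are made up).
BLOCKED = ("https://app.example/callback?error=access_denied&state=s3ss10n"
           "&error_description=AADSTS90093%3A+An+administrator+of+Contoso+has+set+a+policy")
GRANTED = "https://app.example/callback?code=constructed-code&state=s3ss10n"

if __name__ == "__main__":
    for url in (BLOCKED, GRANTED):
        outcome, code = classify_callback(url, "s3ss10n")
        print(outcome, code, user_message(outcome) if outcome != "granted" else "ok")
```
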
We are using a webhook to get AD user changes within our system through a subscription. For this we have an App registered within Azure AD which has read access to user changes through the Graph API.
As the webhook subscription expires in 2.5 days, we need to renew the subscription through our application. Can anyone let me know what minimum privilege the App requires on Graph to renew the webhook, as we cannot give a lot of access to this app?
App having the consent to ‘User.Read.All’ should be sufficient for creating & updating subscriptions on ‘users’ resource type.
https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/subscription_update
Is that not working?
According to the Microsoft Graph Doc here (Permissions Section): Creating a subscription requires read permission to the resource for which the app will receive notifications - so, if creating requires it, you can bet that renewing it will too. For instance, if the subscription you want to renew monitors a mailbox, the service needs to have Mail.Read permission IN ADDITION TO the Users.Read.All permission which is required to read the user accounts (for which subscription is an attribute).
Also, some other helpful hints from hours of banging my head against the wall:
1) You also need to be aware that there are two types of permission: Delegated and Application. When I first started using the MS Graph, I always got tripped up on this - so you can read up here to make sure you understand it and have applied the appropriate permissions.
2) In addition, make sure that your admin has consented AND if you change any permissions at any time, your admin has to re-consent in order to have the new permissions take effect - i.e. when you update them to have the Mail.Read or whatever else. Also remember that when you do this, you are going to want to make sure to flush your previous auth token caches to force a refresh so your new token will have the appropriate permissions there as well.
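One way to check what a token actually carries after consent or a cache flush, and to spot permissions beyond the minimum the question asks for (an added example, not code from either answer). It assumes the access token is a JWT in which application permissions appear in the `roles` claim and delegated permissions in the space-separated `scp` claim; the sample tokens are constructed and unsigned, and the payload is decoded for inspection only, without verifying the signature.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload for inspection only (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit(token, required_app):
    """Compare the token's application permissions with the required set."""
    claims = jwt_claims(token)
    app = set(claims.get("roles", []))            # application permissions
    delegated = set(claims.get("scp", "").split())  # delegated permissions
    return {
        "kind": "application" if app else "delegated" if delegated else "none",
        "missing": sorted(set(required_app) - app),
        "excess": sorted(app - set(required_app)),
    }

def make_sample_token(claims):
    # Builds a constructed, unsigned token for the demonstration below.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed samples: a token cached before Mail.Read was consented,
# an over-privileged app token, and a delegated token used by mistake.
STALE = make_sample_token({"roles": ["User.Read.All"]})
BROAD = make_sample_token({"roles": ["User.Read.All", "Directory.ReadWrite.All"]})
DELEGATED = make_sample_token({"scp": "User.Read Mail.Read"})

if __name__ == "__main__":
    print(audit(STALE, {"User.Read.All", "Mail.Read"}))
    print(audit(BROAD, {"User.Read.All"}))
    print(audit(DELEGATED, {"User.Read.All"}))
```
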
I'm writing a mini script (web page) similar to buffer.com or sproutsocial.com to schedule posts to social networks such as facebook. The issue is that these services require the use of tokens that have expiration dates (for facebook the max is 2 months I believe). If my users schedule the posts say 3 months later, then the tokens will expire before the posts can be published.
I can automatically renew these tokens if and only if the users visit the web page within the expiration period. I see this post here Posting to Facebook on behalf of the user: how to handle token expiration? and I wonder if this is the only solution?
I have never been asked by Buffer and Sprout to do anything even if I don't visit their sites after a long time, so I wonder if there is a way for them to keep these tokens fresh?
There is no way to auto-refresh tokens for the Facebook API, you can only do that with user interaction. You are talking about an extended user token though, which is valid for 2 months. Extended page tokens are valid forever.
More information:
https://developers.facebook.com/docs/facebook-login/access-tokens/
http://www.devils-heaven.com/facebook-access-tokens/
I have an application that processes payments to the application owner.
When user clicks "buy" on an item, the checkout operation should authorize certain amount on the user's account until some date. And when that date comes authorized money will be captured from user's account to application owner's account.
There is also a possibility, that user may cancel this authorization through the application.
We are free to use the PayPal API or Stripe. Which is better and how could it be implemented?
Yes, it is possible through the PayPal adaptive payment API.
I am not sure what 'freeze certain amount on the user account' means, but you can surely transfer the amount to a holding account (admin account) and then on the particular date you can transfer it to the owner's account; meanwhile, if the user cancels the payment, the amount can be transferred from the holding account back to the user's account. This option is there in PayPal.
What you're looking for is a functionality called auth/capture. What you're essentially doing is authorizing the funds (holding them on the user's payment source) and then capturing them at a later time. This is the same premise as a hotel putting a hold on your credit card for incidentals, and later canceling the hold.
You can do all of this with the PayPal REST API. Here are the features you're looking for:
Authorizing funds: https://developer.paypal.com/docs/api/#authorizations
Capturing funds (at a later time): https://developer.paypal.com/docs/api/#captures
Voiding (canceling) an authorized hold of funds: https://developer.paypal.com/docs/api/#void-an-authorization
Here's the Ruby SDK that you'll probably want to take a look at using, to make the authorization process easier: https://github.com/paypal/PayPal-Ruby-SDK
A few notes here. With authorization, I believe the funds are guaranteed to be there for 3 days. You can continue trying to capture the funds for up to, I believe, 29 days, but the funds are not guaranteed to be there.
Hope that helps
Let's say I am making a sign up form in which I asked user's twitter ID. How do I verify if the ID entered by user belongs to him/her? In case of verifying email we simply send a verification link which user has to click so how do I verify twitter ID? I have never used twitter before.
The only reliable and practical way to verify that twitter account X belongs to user Y is to do full on “3 legged” OAuth authentication. That being said, you may want to consider if you might be OK with just taking the user at their word on it.
Getting OAuth to work and securely storing the resulting tokens is much easier nowadays than it once was, but is still non-trivial.
Reasons to verify the twitter account, in increasing reasonableness:
You will be making enough server side requests, on behalf of multiple users, that you run up against Twitter’s API Rate Limiting. (Having multiple auth-tokens will allow for a higher API rate)
You need to automagically send tweets and/or follow accounts on the user’s behalf
N.B. do this as opt-in and be ultra clear about when/why you will be doing this, or you will face the justified fury of scorned users
Don’t verify the account if you’re looking to do these things:
You need to send tweets and/or follow accounts on the user’s behalf, and the user will be able to perform a browser based confirmation workflow for each of those actions; use Twitter’s Web Intents for this.
If you just want to pull in real time data for user’s avatar, bio, or recent Tweets Twitter supplies some prefab widgets for you.
All of the authenticated Twitter API Calls can be done client side with JavaScript. Twitter has a js framework, which does not require you to handle and store tokens on your server, to help you with that.
An alternate contact method for password resets, notifications, etc.
Private communication between users on twitter requires mutual following, many users probably never check their Direct Messages (or even know what a DM is), and any messages would be limited to 140 characters. Just use email for all that kind of nonsense.
If you’re just gathering this info to display it on a user’s profile page, in an “other places on the web” kind of way, integrating and maintaining all the server side OAuth pieces is likely too much bother. Just make sure you have a reasonable and clear TOS and an obvious way for 3rd parties to report any of your users who may be claiming a twitter account that is not their own.
If you’re still interested in OAuth, Twitter's Dev page has plenty of resources, including a nice overview of a generic “Sign In with Twitter” “3 legged” OAuth work flow.