I'm trying to develop an open source solution which will be deployed on Raspberry Pi's or similar SBCs. The RPi part is only relevant insofar as it means all the code and app resources need to be publicly available.
The solution needs to read Twitter statuses, as close to real time as possible, and with as little interference from third parties as possible. I found Twitter's Streaming API, which is blazingly fast, and would be perfect for my application – except it requires OAuth. And as far as I can tell, the OAuth mechanism isn't well suited for deployment on users' machines, since it relies on a secret key which belongs to the application owner (the consumer secret).
I couldn't find any easy way around this – the only solutions I could think of are either handling request signing on a central server, or asking each user to create their own Twitter app account. And I find both solutions terribly distasteful.
Do you see any elegant way out?
It turns out this is indeed not currently feasible cleanly with any of Twitter's public APIs; not now, and not in the foreseeable future. Refreshingly, for once we do have proof for a negative: I also asked this on Twitter's own forum, and I was lucky enough to have my question kindly answered by Andy Piper, Global Lead Developer Advocate at Twitter. There you go.
Your app can open a web browser with Twitter's application authentication webpage loaded. When the user enters their credentials Twitter will return a code which they can copy/paste into your app. It's not particularly elegant. Here is a Python example of the workflow: https://github.com/geduldig/TwitterAPI/blob/master/examples/oauth_test.py
Related
https://developer.microsoft.com/en-us/office/blogs/end-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers/
Our organization is finding this announcement somewhat problematic! We use an IMAP library extensively to read various service based email accounts in o365. Any guidance on how to address this would be greatly appreciated.
Note, we have many console apps written in .NET (4.8) that run on a server based fired by many scheduled tasks. I understand we'd need to somehow register our "application" (I'm assuming that can be a generic one for our company), but we cannot involve any "user" interaction. These are utility apps. Glancing at the existing sample code for OAuth, they all seem to involve popping up a browser window to get someone to interact with "asking permission" which is exactly what we need to avoid.
We've used IMAP all this time to simply read and parse service based email accounts. I'm not sure I understand why IMAP over a secure connection is "less secure" than a more complex solution. Why take the option away?
On the other hand, the Microsoft Graph API looks significantly more complicated and appears to be OAuth based which, again, seems to involve quite a bit of authentication complexity.
Most REST APIs we've interacted w/ in other .NET console apps use a simple set of API "keys." Why not offer that at least?
As I say, we're looking for a way to write some process that run programmatically to automate a number of operations related to certain mailboxes. IMAP has worked like a charm so far, so we're looking for direct guidance on what to migrate to.
We understand your concerns. While a secure IMAP connection protects the data that's being transported, Basic Authentication exposes your Exchange Online accounts to attack techniques like phishing or brute forcing.
The primary objective of this change is to protect our customers from these threats. In addition, Modern Auth enables admin visibility into app access and enables fine-grained control of these apps.
To answer your question on implementation guidance, there is an existing approach in Graph to achieve exactly what you're looking to do. It's called "OAuth 2.0 client credentials flow". You can read more at https://learn.microsoft.com/en-us/graph/auth-v2-service
(Disclosure - I'm a Senior PM at Microsoft)
I'm working on a fairly basic Alexa skill that, in essence, searches through a specific Twitter feed looking for a hashtag, parses that tweet, and reads it back. The simplest way to do this seems to be using the Twitter API, since scraping appears to be against the TOS.
... crawling the Services is permissible if done in accordance with the provisions of the robots.txt file, however, scraping the Services without the prior consent of Twitter is expressly prohibited.
I've been having some trouble understanding how account linking works, as I've never dealt with OAuth before. I've been trying to follow the one tutorial around, but neither the text or video version were clear me.
Why the need for an external webapp?
...we need an OAuth implementation of our own to make the integration work correctly
What's wrong with the one provided by Twitter? Why can't any issues be fixed within the Lambda method, since the account integration isn't being touched otherwise AFAIK? Isn't having the tokens passed around via the URL a bad idea too? Their example code seems to require that the Consumer Secret be hard coded too.
Enter: “https://alexa-twitter-airport-info.herokuapp.com/oauth/request_token?vendor_id=XXXXXX&consumer_key=YYYYYY&consumer_secret=ZZZZZZ”.
At the very least, their webapp seems to be down for the time being, and it'd be nice to have an option that doesn't require paying money to host another copy.
I've seen this post discussing a Node.js OAuth implementation, but the necessity for such an implementation still escapes me.
I am new to QuickBooks and all my searching has been leading to conflicting answers. I really need to know this to move forward.
We have an on-premise application (legacy MFC app if that matters). Some of our customers use QuickBooks Online and we can send information up to it. In the past we have used QBXML which I believe is not supported for online anymore.
Everything I read at intuit.com talks about web applications. I think I have to have OAuth security and I do not see how intuit is supporting that from a non-browser based application.
I cannot believe that intuit would not have an answer for this situation so I must be confused.
So, can I send data to QuickBooks Online from a desktop application?
If yes, which API/SDK should I be using?
If I need OAuth how exactly do I implement this?
Does any of this require an independent security review?
I think I just need a little help getting pointed in the right direction.
Thanks
Unfortunately I think you have the most difficult scenario in the QB ecosystem.
I've used the DevDefined OAuth library with some success:
https://github.com/bittercoder/DevDefined.OAuth
You can get this to work on the desktop if you have a localhost server that the browser can redirect to on the OAuth callback.
Anything that talks to QBO needs to use the QBO API v3 now.
For a custom app that talks to QBO, you would need to set up your app # Intuit to run in development mode, so it wouldn't have to go through their security review, etc. But that limits the number of connections you can have (I think it's 10). So it might not work in your case. Also, if you're distributing your app to "normal" customers it may not be the best user experience, and probably isn't practical, to set it up so OAuth will work on the desktop.
You might just have to bite the bullet and create an intermediate web service on something like Azure or Heroku, then go through the whole process of getting Intuit to bless your app for production.
So I'm creating an iOS framework that will be a static library that developers will add to their project, when they create an account on our site I'd like to give them a unique token that they put in their app to use my static library.
For iOS dev's, think TestFlight, you sign up, get an App ID and then run [TestFlight takeOff:<#some-key#>];
I'd like to authenticate the requests that the framework makes to my REST webservice (using https).
Is there anything I can do to prevent people from "breaking into the app code" and stealing the developers api token and using it to make requests? My api endpoints will not be public information, at least for now. and I can't authenticate the user because it's a framework and that would be an awful UX.
The question is, is there anything I can do to prevent this sort of behavior? Should I even care? I will charge the developer per X requests eventually so I was hoping to authenticate this so we don't have spammers racking up a bill for the developer.
How do other iOS frameworks handle this?
Any design ideas and criticism welcome.
I'm not sure what you're trying to do is ever possible. If the text is in the client code, it can be pulled out. SSL-pinning won't really help you here either because the cert is in the client binary as well.
One way you might be able to get close is to use the developer's authentication system. Say a user logs in into the developer's auth system, then server side you generate a short-lived key for that user. Then the client code can be passed (over SSL-pinning) that short-lived key and use that to make your API calls. However, this requires the developer to actually have a secure auth system, and without SSL-pinning, they're vulnerable to a simple man-in-the-middle attack which will reveal the short-lived key.
You can try to minimize the damage by throttling API calls on your end, or trying using per-app heuristics to approximate what normal API usage would look like. Anything out of the norm will get flagged as potentially hacker based. That might be enough to flush out most of the wanna-be-hackers. The true hackers will learn of the throttling and be clever about circumventing it...
Your safest bet is to make it a server-side library instead of a client-side library. However, that's certainly not a super-sexy solution either. Not all apps have a server side component... and even if they do, once the developer's server is compromised (ie. gets spammed or hacked, etc) it's game over once again. But, in the end, the nice thing about a server-side solution is that you're at least less vulnerable to an attack and you put the responsibility of securing the system on the developer.
What's really lacking here is some form of Apple-based verification for network calls originating from Apple devices.... but that probably won't ever happen. :)
I want to put the Twitter service on my server and customize it for my purpose. I have no idea how it works.
My goal is to communicate to your own Twitter server rather than the original twitter server and serve my purpose.
You should check out: StatusNet. It is an open source micro blogging platform. From their site, you can download the source and deploy it on your own server. Once you have it installed you can customize it to your liking.
Twitter isn't an Open Source project - they don't provide their server code.
From my experience at another company deploying very widely distributed systems, the chances are there's a bucket-load of infrastructure you'd need to get running first - complete overkill for a single-server solution, but vital for a global service with many millions of users. In other words, even if Twitter did provide their code, it probably wouldn't be an appropriate solution for your situation.
The actual Twitter (twitter.com) service is proprietary, you can't run it yourself.
There are plenty of open source twitter clones out there. The more general name is "microblogging". Pinax for example has basic microblogging. Try searching google for 'open source microblogging' for other projects.
I don't believe the Twitter platform is freely available to the general public. If you want to make your own "Twitter server", you're going to have to clone the service yourself.
You can't run Twitter on your own server, but you can write your own application that talks to Twitter through Twitter's API.
It all depends on what you mean by "customizing" Twitter. There are many applications like Twitpic and TweetDeck that are built "on top of" Twitter. They add their own functionality while leaving Twitter to do the "heavy lifting".
For example, I have written a personal project for moderating a stream of tweets. This application runs on my local server, but it gets its data by querying Twitter's API.
There are two main advantages to extending rather than rebuilding Twitter:
It takes a lot less effort because you can reuse all the basic functions of Twitter
You can take advantage of Twitter's huge user base. Even if you succeeded in cloning Twitter, it would be far less interesting than the original because Twitter works by strength of numbers.
You could use Wordpress and get the twitter developer add in then get a api code from them and there users can use your site and vice versa also apps for twitter will work for your site.
Wow. That's a highly ambitious request that you have there. Twitter isn't like Wordpress, there's no .org version that can be downloaded and run locally. Twitter is a highly scalable service that is designed to run on large scale servers.
Sorry to be the bearer of bad news to you on this.