I am not getting user photo using url $getUserphoto = 'https://graph.microsoft.com/v1.0/me/photo/$value';
I am using REST API using cURL.
private static $scopes = array("openid",
"offline_access",
"mail.read",
"User.Read",
"User.Read.All",
"calendars.readwrite",
"contacts.readwrite");
It could be that you aren't encoding the result appropriately:
$imageData = RequestManager::sendGetRequest(
Constants::RESOURCE_ID . '/v1.0/users/' . $user . '/photo/$value',
array(
'Authorization: Bearer ' . $_SESSION['access_token'],
)
);
return base64_encode($imageData);
Then, in your HTML:
<img class="ms-Persona-image" src="data:image/*;base64,{{ avatar }}">
If neither of these work, please use a tool such as Fiddler or Postman to see what response code you get back with the response.
Related
It feels like amazon are encouraging people to just use their client SDK, but it would be nice to see what a sequence of valid REST calls looks like for the authorization and implicit grant flows.
The AWS documentation for the authorization and token endpoints is a nice start:
http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html
Does anybody know if some examples exist showing the sequence of REST calls for the Implicit and Authorization flows (against Cognito)?
The documentation is a bit shoddy, but here's an example PHP cURL call to get the ID/Access Tokens using your authorization code for the Authorization flow:-
$url = 'https://<YOURDOMAIN>.auth.us-east-1.amazoncognito.com/oauth2/token';
$client_key = '<YOUR_CLIENT_ID>';
$client_secret = '<YOUR_CLIENT_SECRET>';
$data = [ 'grant_type' => 'authorization_code',
'client_id'=>$client_key, 'code'=>$_GET["code"],
'redirect_uri'=>'<YOUR_REDIRECT_URI>'];
$handle = curl_init($url);
curl_setopt($handle, CURLOPT_VERBOSE, true);
curl_setopt($handle, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($handle, CURLOPT_USERPWD, $client_key . ":" . $client_secret);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$field_string = http_build_query($data);
curl_setopt($handle, CURLOPT_POSTFIELDS, $field_string);
$resp = json_decode(curl_exec($handle),true);
Once you've got the ID token you need to parse the JWK JSON file from
https://cognito-idp.us-east-1.amazonaws.com/<USER_POOL_ID/.well-known/jwks.json
and then lookup the kid field in the token header, and use that as the secret to decode the token. I used this library:-
https://github.com/firebase/php-jwt
So the token validation code looks something like:-
$jwks_json = file_get_contents("https://cognito-idp.us-east-1.amazonaws.com/<USER_POOL_ID>/.well-known/jwks.json");
$jwk = JWK::parseKeySet($jwks_json);
$tks = explode('.', <YOUR_TOKEN>);
list($headb64, $bodyb64, $cryptob64) = $tks;
$jwt_header = json_decode(base64_decode($headb64),true);
$jwt_body = json_decode(base64_decode($bodyb64),true);
$key=$jwk[$jwt_header["kid"]];
try
{
$decoded = JWT::decode(<YOUR_TOKEN>, $key, array($jwt_header["alg"]));
$decoded_array = (array) $decoded;
// GREAT SUCCESS!
}
catch (\Exception $e)
{
// TOKEN COULDN'T BE VALIDATED
}
I am not aware of anything with it nicely documented. I think your best option would be to spin up a test app using one of the SDKs and monitor the network traffic. It seems the API is not well documented.
My inexperience has left me short of understanding how to hide an API Key. Sorry, but I've been away from web development for 15 years as I specialized in relational databases, and a lot has changed.
I've read a ton of articles, but don't understand how to take advantage of them. I want to put my YouTube API key(s) on the server, but have the client able to use them w/o exposure. I don't understand how setting an API Key on my server (ISP provided) enables the client to access the YouTube channel associated with the project. Can someone explain this to me?
I am not sure what you want to do but for a project I worked on I needed to get a specific playlist from YouTube and make the contents public to the visitors of the website.
What I did is a sort of proxy. I set up a php file contains the api key, and then have the end user get the YT content through this php file.
The php file gets the content form YT using curl.
I hope it helps.
EDIT 1
The way to hide the key is to put it in a PHP file on the server.
This PHP file will the one connecting to youtube and retrieving the data you want on your client page.
This example of code, with the correct api key and correct playlist id will get a json file with the 10 first tracks of the play list.
The $resp will have the json data. To extract it, it has to be decoded for example into an associative array. Once in the array it can be easily mixed in to the html that will be rendered on the client browser.
<?php
$apiKey = "AIza...";
$results = "10";
$playList = "PL0WeB6UKDIHRyXXXXXXXXXX...";
$request = "https://www.googleapis.com/youtube/v3/playlistItems?part=id,contentDetails,snippet&maxResults=" . $results .
"&fields=items(contentDetails%2FvideoId%2Cid%2Csnippet(position%2CpublishedAt%2Cthumbnails%2Fdefault%2Ctitle))" .
"&playlistId=" . $playList .
"&key=" . $apiKey;
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => true,
CURLOPT_URL => $request,
CURLOPT_SSL_VERIFYPEER => false
));
$resp = curl_exec($curl);
if (curl_errno($curl)) {
$status = "CURL_ERROR";
}else{
// check the HTTP status code of the request
$resultStatus = curl_getinfo($curl, CURLINFO_HTTP_CODE);
if ($resultStatus == 200) {
$status = "OK";
//Do something with the $resp which is in JSON format.
//Like decoding it into an associative array
} else {
$status = "YT_ERROR";
}
}
curl_close($curl);
?>
<html>
<!-- your html here -->
</html>
Note: CURLOPT_SSL_VERIFYPEER is set to false. This is in development. For prod it should be true.
Also note that using the api this way, you can restrict the calls to your api key bounding them to your domain. You do that in the googla api console. (Tip for production)
Right now I generate authentication headers using a website - OAuth tool. Then I create the following code:
$opts = array(
'http'=>array(
'method'=>"GET",
'header'=>"Accept-language: en\r\n" .
"Cookie: foo=bar\r\n" .
'Authorization: OAuth oauth_consumer_key="343432dsddsf", ' .
'oauth_nonce="3432fsdfsdf", ' .
'oauth_signature="423fsdfsdfsdf%3D", ' .
'oauth_signature_method="HMAC-SHA1", ' .
'oauth_timestamp="1431435892", ' .
'oauth_version="1.0"'
)
);
//191683771
$context = stream_context_create($opts);
$source = #file_get_contents('https://api.twitter.com/1.1/statuses/user_timeline.json?count=200&user_id=112344123', false, $context);
To get the JSON data.
It works, but I want the user_id parameter to be changed. I have the whole array of users for which I want to retrieve this data.
But then, I can't do that as I would have to generate authentication headers for all users myself.
Is there a way to solve this?
I'm using the google-api-php-client to get the URL for a document on my Google Drive. The URL works correctly when I paste it into my browser and I can download the file.
However, in my PHP app I always get a 401. Here's my code:
private function _get_document_contents($url)
{
// prepare opts
$opts = array(
'http' => array(
'method' => 'GET',
'header' => "Gdata-version: 3.0\r\nAuthorization: Bearer " . $this->_token . "\r\n"
)
);
// get the doc
return file_get_contents($url . '&exportFormat=html&format=html', false, stream_context_create($opts));
}
I've tried changing Bearer to OAuth (that's what OAuth 2.0 playground uses) but both fail.
Any ideas?
Ah the problem seems to be that I'm using the old Google Docs API and should migrate over to the Google Drive SDK. D'oh!
I'm trying to promote my app using app center but from the Web preview I can't visit the web site.
The link that is called is http://www.myappsite.it/?fb_source=appcenter&fb_appcenter=1&code=a_long_string
From the index.php of myappsite I use this peace of php code to get the user coming from facebook
$code = $_REQUEST["code"];
if($_REQUEST['state'] == $_SESSION['state'] && !$user && strlen($code) > 0)
{
$token_url = "https://graph.facebook.com/oauth/access_token?" .
"client_id=" . $appId . "&redirect_uri=" . urlencode("http://www.myappsite.it/") .
"&client_secret=" . $secret . "&code=" . $code;
$response = #file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token=" . $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
}
but $params['access_token'] is empty because the $token_url returns
{
"error": {
"message": "Error validating verification code.",
"type": "OAuthException",
"code": 100
}
}
how can I get the user logged in from tha app center preview web page?
From the Authenticated Referrals part of the docs (the App centre counts as an authenticated referral)
See A special consideration when using the Query String setting:
If you would like to use the server-side authentication flow it is
important to make sure you are passing the redirect_uri parameter
correctly when exchanging your code for an access token. You should
set your redirect_uri parameter to the click-through URL to your site
without the code parameter. In most cases the URL will look something
like:
http://www.example.com/?fb_source=search&code=CODE_HERE Once you
strip the code parameter it will become:
http://www.example.com/?fb_source=search which is the value that
should be set in redirect_uri. Please make sure that this logic is
dynamic as the query parameters appended to your click-through URL may
be subject to change.
Using your example from above, this means your redirect_uri parameter should be http://www.myappsite.it/?fb_source=appcenter&fb_appcenter=1
As Igy said:
http://www.example.com/?fb_source=search&code=CODE_HERE Once you strip the code parameter it will become:
http://www.example.com/?fb_source=search
However if you are redirecting with this url it will need to be url encoded otherwise the ? will stop the redirect parameter and add the fb_source to your request.
It should look like this when sent out:
http%3a%2f%2fwww.example.com%2f%3ffb_source%3dappcenter%26fb_appcenter%3d1
(Which is what Marco had already done which is why he is now happy that it works)
urlencode("http://www.myappsite.it/")