How to get client secret from Google Developers Console in iOS? - ios

Currently I am working on an old project in which there is a client ID and client secret. Now I want to update those with a new client ID and client secret using another developer account. I followed each and every step from
https://developers.google.com/+/mobile/ios/getting-started
Google APIs Console - missing client secret
But I can see only the client ID. Where is the client secret?
Here I can see only the client ID

Hey, this is a step-by-step process; hope this helps you...
Step 1:
Go to the Google Developer Console and create a new app
Step 2: Enable the Google Plus API
You can see the Enable API option in the Enabled APIs tab, which is next to API Library, as visible in the second image.
Step 3: Go to Credentials in the APIs & auth tab, then select the Credentials option
Select the type of authentication you require
Then you can see the Configure consent screen; configure the page with the information you wish to provide.
Step 4: Select the Web application option at the top
and enter the required URLs
and finally click the Create button
Once you do that, you can see the client ID and client secret key.

When on iOS, the application type of the OAuth credential should be 'iOS'.
And then you should pass an empty string as the client secret in your code.

Keeping a secret (that is global to the entire application, not unique per user) in an app is NEVER EVER secure. See https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps This is an amazing article; please spend as much time as needed to understand it.
Because it can't be kept secure, using a client secret in iOS is the old, outdated approach. Nowadays you want to use Proof Key for Code Exchange (PKCE). It's also explained in the above link, but in short:
Generate a secret key in iOS; it is one-time use for that one specific login
Only send the hash of the key to the login authority (Google). The original has not left the app yet
To get the tokens, you send <AuthorizationCode, ORIGINAL secret>. The AuthorizationCode is also one-time use
Google can compare the "original secret" to the previously sent hash. It therefore knows you are not an attacker who has stolen the AuthorizationCode
Back to the question. Google lets you create different types of "Apps":
Web application: Has a client secret (It's on a backend server, not on a publicly accessible iOS app)
iOS app: Has an "iOS URL scheme" instead. There are frameworks that use this URL scheme and do the steps I described above for you (including PKCE). Disclaimer: I'm not an iOS developer, but I'm 99% certain
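The PKCE exchange the answer above sketches, written out as an added example (not code from the answer, from Google's SDK or from any iOS framework). The client side derives the one-time verifier and its S256 challenge exactly as RFC 7636 specifies; the "authorization server" is a constructed in-memory stand-in for Google's endpoints, included only so both halves of the exchange can be run and checked offline.

```python
"""PKCE round trip: client-side verifier/challenge and server-side check (RFC 7636)."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the RFC minimum; 96 bytes give 128, the maximum.
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method "S256".
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class TokenEndpoint:
    """Constructed stand-in for the authorization server (not Google's implementation)."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> challenge bound at /authorize

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' leaks the verifier")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # The code is single use: pop it whether or not the verifier matches.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False
        expected = make_code_challenge(code_verifier)
        return secrets.compare_digest(expected, challenge)


def demo() -> dict:
    server = TokenEndpoint()

    # Flow A: the honest app. Only the hash leaves the device at /authorize;
    # the original verifier is sent once, together with the code, at /token.
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    ok = server.token(code, verifier)
    replay = server.token(code, verifier)  # same code again: already consumed

    # Flow B: an attacker intercepted the authorization code (e.g. via a
    # competing URL-scheme handler) but never saw the verifier.
    verifier2 = make_code_verifier()
    code2 = server.authorize(make_code_challenge(verifier2))
    stolen = server.token(code2, make_code_verifier())

    return {"ok": ok, "replay": replay, "stolen_code": stolen, "verifier_len": len(verifier)}


if __name__ == "__main__":
    print(demo())
```

Because the verifier is generated per login and only its hash crosses the network, there is no long-lived secret to embed in the app, which is why the iOS client type needs no client secret at all.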

Related

What does the property in the body of the Getbearer Token web activity mean?

Currently, I'm following this doc to use OAuth to copy data from the REST connector. I applied the suggested template; when I configure this web activity, for the body content it shows I should provide the below parameters. I wonder where to get these parameters?
These are the app registration ID and password.
You need to register an app in Azure AD.
The below MSFT docs provide details about the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Here, you have to create a service principal in Azure Active Directory:
First you have to register the app under the blade of AAD > App registrations > New registration.
Once you register the app, you then have to assign a role under the Subscription blade by selecting the subscription and proceeding with Access Control (IAM).
Then you have to copy the tenant ID and app ID under AAD > App registrations > Your App.
As there are two options for authentication, one for uploading a certificate and the other for a new application secret: go with the 2nd one.
Then you have to set the client secret for the new client. Here is the Microsoft document: Option 2: Create a new application secret

Custom scheme URIs are not allowed for 'Web' client type - Google with Firebase

I am trying to implement Google sign-in using Firebase in my iOS app. I followed this tutorial.
https://firebase.google.com/docs/auth/ios/google-signin
I have set up the iOS app in Firebase and use the Google clientID and reversedClientID from the downloaded GoogleService-Info.plist.
FYI: I have a custom sign-in button instead of the Google sign-in button. Anyway, when I click the sign-in button, Google displays the following error in a webview.
I know my problem is the same as the one described in this question.
Google 400 Error: invalid request Custom scheme URIs are not allowed for 'Web' client type
But in my case I have created the app in Firebase and still get the error. Any idea please...
The first step is to check if you already have the OAuth 2.0 ID for iOS. To do this, please open the Credentials page in the API Console. I hope you will find an iOS client for your application under the OAuth 2.0 client IDs section. If not, please follow this guide.
The second step is to replace the Web Client ID with the iOS Client ID from the OAuth 2.0 client IDs section. To do this, you should open GoogleService-Info.plist and modify the following keys: CLIENT_ID with [value].apps.googleusercontent.com and REVERSED_CLIENT_ID with com.googleusercontent.apps.[value].
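A check for the plist edit the answer above describes, as an added example (not code from the answer or from the Firebase/Google SDKs). It loads GoogleService-Info.plist, verifies that REVERSED_CLIENT_ID is the dotted reversal of CLIENT_ID under the naming rule the answer gives, and rewrites both keys to a chosen iOS client ID. The plist and client ID values are constructed placeholders, not real project values.

```python
"""Validate and rewrite the CLIENT_ID / REVERSED_CLIENT_ID pair in GoogleService-Info.plist."""
import plistlib
from typing import Dict, List

SUFFIX = ".apps.googleusercontent.com"
REV_PREFIX = "com.googleusercontent.apps."

# Constructed sample plist with placeholder IDs (not a real project's file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CLIENT_ID</key>
  <string>1234567890-abcdefg.apps.googleusercontent.com</string>
  <key>REVERSED_CLIENT_ID</key>
  <string>com.googleusercontent.apps.1234567890-abcdefg</string>
  <key>BUNDLE_ID</key>
  <string>com.example.app</string>
</dict>
</plist>
"""


def reversed_client_id(client_id: str) -> str:
    """<id>.apps.googleusercontent.com -> com.googleusercontent.apps.<id>"""
    if not client_id.endswith(SUFFIX):
        raise ValueError("not a Google OAuth client ID: " + client_id)
    return REV_PREFIX + client_id[: -len(SUFFIX)]


def load_ids(data: bytes) -> Dict[str, str]:
    cfg = plistlib.loads(data)
    return {
        "CLIENT_ID": cfg.get("CLIENT_ID", ""),
        "REVERSED_CLIENT_ID": cfg.get("REVERSED_CLIENT_ID", ""),
    }


def check_plist(data: bytes) -> List[str]:
    """Return the list of problems found; an empty list means the pair is consistent."""
    ids = load_ids(data)
    problems = []
    if not ids["CLIENT_ID"].endswith(SUFFIX):
        problems.append("CLIENT_ID is not a *.apps.googleusercontent.com value")
        return problems
    expected = reversed_client_id(ids["CLIENT_ID"])
    if ids["REVERSED_CLIENT_ID"] != expected:
        problems.append("REVERSED_CLIENT_ID should be " + expected)
    return problems


def use_ios_client(data: bytes, ios_client_id: str) -> bytes:
    """Rewrite both keys to the iOS OAuth client, keeping every other key untouched."""
    cfg = plistlib.loads(data)
    cfg["CLIENT_ID"] = ios_client_id
    cfg["REVERSED_CLIENT_ID"] = reversed_client_id(ios_client_id)
    return plistlib.dumps(cfg)


if __name__ == "__main__":
    print(check_plist(SAMPLE_PLIST))
```

The check cannot tell an iOS client ID from a web one by its shape; what it does catch is the half-edited file (one key updated, the other not), which produces the same "Custom scheme URIs are not allowed" error as using the web client in the first place.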
If you're using the flutterfire ui package, you need to change the client id parameter in your GoogleProviderConfiguration class to the iOS client ID;
you can copy it from here: Credentials page
Example:
providerConfigs: [
  GoogleProviderConfiguration(
    clientId: "your copied key here"),
]
Rebuild your app and you should be good to go.
I've just faced this same issue using flutterfire_ui on Flutter.
The error appears to come from a couple of things. As Valeriy points out, you need the iOS client ID. But I still got the error if I used the scopes
openid
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile",
Instead, change these to
openid
email
profile
Strangely, the opposite is true for Android, where the Web ID and the first of the scopes should be used.
It also pays to be aware of the OAuth consent screen.
In Google Cloud go to APIs & Services > OAuth consent screen > Edit.
You can add scopes here and fix any missing required fields that Firebase might not be filling out (I had 1). I believe this takes a while to propagate after a change, so give it an hour.

Non-interactive login (cached credentials) against Azure Graph API on iOS

I am creating an app on iOS that will run in "kiosk" mode. Part of the application requires users to be able to search an organisation's directory. I would like to support Azure AD via the Azure Graph API to provide this function.
I don't want to require an interactive login when the app starts, and I don't want to have to use an additional web service; I would like the iOS app to simply access the Azure Graph API via REST.
I am aware of the risks associated with cached credentials; however, the use of "service accounts" for non-interactive logins is fairly well established, the access is read-only and the credentials can be secured in the iOS keychain.
I have looked through numerous Azure samples and read the documentation, and it seems that the method that provides what I need, acquireToken(resource, credential), isn't available in the iOS ADAL library (and neither is the ClientCredential class).
To clarify, this is how I would like my app to work:
The user installs the app from the App Store and runs it the first time
As part of the setup they authenticate to Azure AD by providing their tenant, application client ID and an application key. If they can't authenticate with an application key, a user ID/password is acceptable as long as:
They never get prompted to authenticate again
Is there a solution here, or do I just give up on Azure AD?
This can be done, but not with the ADALiOS framework, as it doesn't expose the client_credentials grant that is required to make it work.
I was able to build a working demonstration using p2/OAuth. The sample app is here.
The steps to build a working solution are:
Log in to the legacy Azure Management portal and select your Azure AD instance
Create a new application in that AD instance
Select "Add an application my organisation is developing"
Give it a name and select "Web application and/or Web API", not "Native Client Application"
Enter values for the sign-on URL and App ID URL. These need to be well-formed URLs but do not need to be reachable
Once the application has been created, select "Configure". Note the Client ID; you will need this
In the "Keys" section, select 1 or 2 years from the drop-down, then click "Save"
Once the key is displayed, copy it and save it somewhere; it can't be displayed again.
Set the required "Permissions to other applications" to allow your app the access it needs
Finally, at the bottom of the screen click "View endpoints". You need to copy the OAuth 2.0 Token Endpoint and the OAuth 2.0 Authorization Endpoint
Download the demo code from GitHub
Run pod install
Plug the values into the Settings.plist file
Run the app
The meat of the authentication process is to set up an instance of OAuth2ClientCredentials:
let settings = [
    "client_id": appData.clientId!,
    "client_secret": appData.secret!,
    "authorize_uri": appData.authString!,
    "token_uri": appData.tokenString!,
    "keychain": true,          // persist the obtained token in the iOS keychain
    "secret_in_body": true     // send client_secret in the POST body rather than a Basic auth header
] as OAuth2JSON
self.oauth2 = OAuth2ClientCredentials(settings: settings)
Then you can call doAuthorize() to get a token:
self.oauth2.doAuthorize()
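The client_credentials grant that both Azure answers above rely on (the app registration secret supplied to the Data Factory web activity, and the p2/OAuth configuration here), as an added example that is not code from either answer, from p2/OAuth or from ADAL. It builds the form-encoded token request for the v1 endpoint https://login.microsoftonline.com/<tenant>/oauth2/token, caches the token and refreshes it shortly before expiry, and forms an Azure AD Graph request with the bearer token. The endpoint shape, the tenant, client ID, key and the token reply are assumed or constructed; the HTTP transport is injected so the sample runs offline.

```python
"""OAuth 2.0 client credentials grant against Azure AD (v1 endpoint) with a token cache."""
import time
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlencode

# transport(url, headers, body) -> parsed JSON reply
Transport = Callable[[str, Dict[str, str], bytes], dict]


class ClientCredentials:
    def __init__(self, tenant: str, client_id: str, client_secret: str, resource: str,
                 transport: Transport, clock: Callable[[], float] = time.time, skew: int = 60) -> None:
        self.token_url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
        self._tenant = tenant
        self._client_id = client_id
        self._secret = client_secret
        self._resource = resource
        self._send = transport
        self._clock = clock
        self._skew = skew            # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.fetches = 0             # how many times the endpoint was actually called

    def request(self) -> Tuple[str, Dict[str, str], bytes]:
        """The POST a Data Factory web activity or an iOS client would send."""
        body = urlencode({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._secret,   # secret in the body, never in the URL or logs
            "resource": self._resource,
        }).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        return self.token_url, headers, body

    def access_token(self) -> str:
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token
        url, headers, body = self.request()
        reply = self._send(url, headers, body)
        if reply.get("token_type", "Bearer") != "Bearer":
            raise ValueError("unexpected token_type")
        self._token = reply["access_token"]
        self._expires_at = self._clock() + int(reply["expires_in"])  # v1 returns a string
        self.fetches += 1
        return self._token

    def graph_request(self, path: str) -> Tuple[str, Dict[str, str]]:
        """Azure AD Graph call shape: https://graph.windows.net/<tenant>/<path>?api-version=1.6"""
        url = f"{self._resource.rstrip('/')}/{self._tenant}/{path}?api-version=1.6"
        return url, {"Authorization": "Bearer " + self.access_token(), "Accept": "application/json"}


def fake_azure(url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Constructed stand-in for login.microsoftonline.com; checks the request shape only."""
    fields = dict(parse_qsl(body.decode()))
    if fields.get("grant_type") != "client_credentials" or "client_secret" in url:
        raise ValueError("malformed token request")
    return {"token_type": "Bearer", "expires_in": "3599",
            "resource": fields["resource"], "access_token": "constructed.access.token"}


def demo() -> dict:
    now = [1_700_000_000.0]                      # controllable clock for the demo
    cc = ClientCredentials("contoso.onmicrosoft.com", "app-id-placeholder", "app-key-placeholder",
                           "https://graph.windows.net/", fake_azure, clock=lambda: now[0])
    t1 = cc.access_token()
    t2 = cc.access_token()                       # served from cache
    now[0] += 3600                               # past expires_in: forces a refresh
    t3 = cc.access_token()
    url, headers = cc.graph_request("users")
    return {"fetches": cc.fetches, "same_token": t1 == t2 == t3,
            "url": url, "authorization": headers["Authorization"]}


if __name__ == "__main__":
    print(demo())
```

The cache matters for the kiosk scenario: every token request re-sends the application key, so fetching a new token per directory search multiplies the exposure of the one credential the app cannot rotate on its own.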

MVC 5 App with Google OAuth2 Sign-on (C#) is not working

I have followed some articles, but none are clear, as the Google OAuth interface has changed.
I verified some articles and understood something. With this understanding in mind, I followed the below steps:
Opened URL: console.developers.google.com
Created a new project with name: My Super App
Clicked on Google+ API under the Overview section and enabled it.
Here is my doubt whether I am doing this correctly or not
Selected the OAuth Client ID option under the Credentials section.
Configured the consent screen with email address and product name.
Under the Create Client ID section, provided the below details:
Application type: Web Application
Name: My Super Client App
Authorized JavaScript origins: http://localhost:44300/ - sometimes I have used this option. Later on, now, I am not using this option. Please suggest whether it is mandatory.
Authorized redirect URIs: http://localhost:44300/signin-google
Client ID and Client Secret have been generated. Used in my MVC app.
But I am unable to use Google OAuth.
Please suggest where I'm going wrong.
Go to your project properties, and under the Web tab you'll see the Project URL. In place of the https://localhost:44300/ given in the article, use the one specified in Project URL or, if you've overridden that one, the one specified in Override application root URL.
In other words, you should change the URL here:
Just a suggestion, but perhaps you need to enable the API in your Google developer console. I did a quick Google search and this covers it - http://www.c-sharpcorner.com/article/how-to-configure-google-sign-in-for-Asp-Net-mvc-5-part-sixt/
Please follow Asp.net/mvc: MVC5: Google OpenAuth, from where the below steps are taken:
Creating a Google app for OAuth 2 and connecting the app to the project
Navigate to the Google Developers Console.
Click the Create Project button and enter a project name and ID (you can use the default values). In a few seconds the new project will be created and your browser will display the new project's page.
In the left tab, click APIs & auth, and then Credentials.
Click Create New Client ID under OAuth. In the Create Client ID dialog, keep the default Web application for the application type.
Set the Authorized JavaScript origins to the SSL URL you used above (https://localhost:44300/ unless you've created other SSL projects). Set the Authorized redirect URI to:
https://localhost:44300/signin-google
Click the Consent screen menu item, then set your email address and product name. When you have completed the form click Save.
Click the APIs menu item, scroll down and switch on Google+ API.
Copy and paste the AppId and App Secret into the UseGoogleAuthentication method. The AppId and App Secret values shown below are samples and will not work.

Can BigCommerce Private Apps use OAuth

I am very confused by the BC documentation on their API, because they let you create "Draft Apps" (private apps), and now I see that in their documentation they say "We do not currently provide a means of keeping OAuth apps private.".
My concern here is that they made some changes recently that might have affected a few of my private apps that I had running just fine a month ago. If anyone can provide some insight, I would appreciate it greatly!
https://developer.bigcommerce.com/api/guides/oauth-transition
There is nothing wrong with creating OAuth credentials with a "Draft App" for the sole purpose of accessing the API of your store. You never have to publish your app, and your app will never be made "public" in that case. You also don't have to bother with the 'Load Callback URL' and filling out the details on your draft app, unless you want to provide yourself an interface in the store.
The "Draft App" function was specifically meant to allow developers building apps for the BC App Marketplace to test their apps in a store before submission. However, you can use it to make a private application that is only intended for your store. I'm including the process here for others!
Making a Private App with OAuth (or How to Generate OAuth Credentials for a Store)
What you will need
Access to the account listed as the "store owner" of the store where you want to install your app, or the ability to get a person with access to complete a couple of steps
Ability to set up a local or public URL to receive the 'Auth Callback Request'
Getting started
The first thing you should do is sort out making available a local or public URL that can receive an "Auth Callback" request. This resource must be able to work over an HTTPS connection, but the SSL certificate can be self-signed. The 'Auth Callback' request from Bigcommerce is a GET request that will have 3 query parameters on the URL: code, scope, and context.
It is described in greater detail here:
https://developer.bigcommerce.com/api/callback#get-req
Additional info
When building a public app it is important that the service receiving the Auth Callback request be configured to catch the 3 query values and combine them with information you already have. You would then send all of this information in a POST to the BC OAuth Token service to generate your API token for the store. In addition to that, you would want to respond to the Auth Callback request with a 200 status and an interface, or instructions, for the user.
In the context of building a private application you don't need to worry about any of that. All you need to do is capture the query values. If you have this already, then go ahead and jump down to the section on generating an API token below.
Before Moving On
You should have a URL path that can receive a GET request and capture query parameters. Test it out and make sure it works. Here are a couple of example URLs:
https://example.com/auth-callback
https://localhost:8000/auth-service
Registering an App
The key point here is that the registration of the app must be completed by the store owner account of the store where you want to install the app. If you have access to the store owner account credentials, then follow the steps at the bottom of this page:
https://developer.bigcommerce.com/api/registration
If you are working with the store owner, then you can direct them to complete the steps above. You will need to provide them the Auth Callback URL you created for completing Step 9. The Load Callback URL does have to be filled in, but the default example provided can be left in place.
SCOPES
When registering an app you are able to choose the scopes for the app. It is simple to just leave them all open, but it is best practice to only enable the scopes you need. Here is a list of the scopes:
https://developer.bigcommerce.com/api/scopes
If you are not sure whether or not you will need a certain scope, then leave it enabled, because you will have to re-generate your API Token (perform a re-install of the app) if you have to change the scopes on your app.
Before Moving On
You need to have the client_id and client_secret. If someone else registered the app, then you will need to ask them for these. There is a View Client ID button that will provide them after registering an app.
Generate the Auth Callback Request
You will need the person with store owner access again for this step. They will need to log in to their store and go to the Apps section in the left side column. After that click on Marketplace -> then My Apps (in the top-right) -> then My Draft Apps
You should now see a list containing any "apps" that the store owner has registered. Choose the one relating to the client_id you plan to use. Click to install the app.
The Auth Callback request has now been sent and you are done here. You should expect to see just a blank or grey page as a result, unless you are responding to the Auth Callback request with content. Your app is now awaiting authentication.
If using a self-signed certificate
When your Auth Callback URL has a self-signed certificate, you will see an "untrusted cert" error in your browser when you attempt installation of the app. You should choose to trust the certificate and continue.
Before Moving On
You should now have received the code, scope, and context at your Auth Callback URL. If you did not, it was likely due to not having SSL/TLS at your server. You can replay the Auth Callback request as many times as needed by cancelling installation of the app in the same place where you started it. You can even open up a dev tool and watch the request happen to see what errors show up in the console. If this continues to fail, then you should reach out to Bigcommerce support or ask a new question here!
Generating an API Token to Complete Installation
Follow the steps here:
https://developer.bigcommerce.com/api/callback#post-req
You should have all of the details needed to send a POST request to the BC Auth Token Service at https://login.bigcommerce.com/oauth2/token
Make sure to URL-encode your content and you should be good! Here is a site that can URL-encode and decode for you: http://meyerweb.com/eric/tools/dencoder/
Just be careful of it encoding & and = signs when those are actually being used as separators between fields or between field/value (respectively).
Before Moving On
You should have received a successful response from the Auth service, which will include your API Token. Once you have this you are all set to access the API of the store. You no longer need to have your Auth Callback URL up and available and can take it down.
Also take note of the context to use to create your API path.
Accessing the API
Now that you have your API Token and context you are all set to access the API of a store. Start off with a simple request to the /time endpoint.
Make a GET request and include the following headers (minus the curly braces):
X-Auth-Client: {CLIENT_ID}
X-Auth-Token: {API_TOKEN}
Accept: application/json
Content-Type: application/json
Send your request to a URL path of (minus curly braces):
https://api.bigcommerce.com/{context}/v2/time
If you get back a 200 response, then you are all set!
Additional Notes - Ways to Break Credentials
Once you have successfully generated an API Token for a certain app, that app will display in the Control Panel as an icon in the Apps section. The fact that the app is there shows it is installed and allowing access. If you uninstall that app, then the previously generated API token will stop working.
Changing the scopes on an already installed app will require it to be re-installed to correct the token.
Changing the store owner email on the store will cause the token to stop working. The API Token is specifically tied to the store owner that registered the app.
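The three steps of the procedure above (catch the Auth Callback, POST to the token service, call the store API), as one added example that is not the answer's own code or a BigCommerce SDK. The field names of the token POST (client_id, client_secret, code, scope, grant_type=authorization_code, redirect_uri, context) follow the callback document the answer links; the callback URL, IDs and token below are constructed. The point of letting urlencode build the body is the one the answer warns about: the context value contains a '/', the scope list contains spaces, and hand-encoding is where '&' and '=' get mangled.

```python
"""BigCommerce draft-app install: parse the Auth Callback, build the token POST, call the API."""
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_URL = "https://login.bigcommerce.com/oauth2/token"
REQUIRED = ("code", "scope", "context")


def parse_auth_callback(url: str) -> Dict[str, str]:
    """Extract code, scope and context; reject a callback with any of them missing or repeated."""
    query = parse_qs(urlparse(url).query)        # decodes %2F and '+' for us
    found = {}
    for name in REQUIRED:
        values = query.get(name, [])
        if len(values) != 1:
            raise ValueError(f"Auth Callback missing or duplicate '{name}'")
        found[name] = values[0]
    return found


def callback_is_valid(url: str) -> bool:
    try:
        parse_auth_callback(url)
        return True
    except ValueError:
        return False


def token_request(callback: Dict[str, str], client_id: str, client_secret: str,
                  redirect_uri: str) -> Tuple[str, Dict[str, str], bytes]:
    """The POST sent once to the token service; client_secret travels only in this body."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": callback["code"],
        "scope": callback["scope"],               # spaces become '+', '/' becomes %2F
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,             # must equal the registered Auth Callback URL
        "context": callback["context"],
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return TOKEN_URL, headers, body


def api_request(context: str, client_id: str, api_token: str, path: str = "time") -> Tuple[str, Dict[str, str]]:
    """Headers and URL for a store API call; 'context' is the stores/<hash> value from the callback."""
    url = f"https://api.bigcommerce.com/{context}/v2/{path}"
    headers = {
        "X-Auth-Client": client_id,
        "X-Auth-Token": api_token,
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    return url, headers


def demo() -> dict:
    # Constructed callback as the store would send it to https://example.com/auth-callback.
    callback_url = ("https://example.com/auth-callback?code=qr6h3thvbvag2ffpbu6x7e2nqoj4yd7t"
                    "&scope=store_v2_orders+store_v2_products&context=stores%2Fabc123")
    cb = parse_auth_callback(callback_url)
    _, _, body = token_request(cb, "client-id-placeholder", "client-secret-placeholder",
                               "https://example.com/auth-callback")
    api_url, api_headers = api_request(cb["context"], "client-id-placeholder", "api-token-placeholder")
    return {"callback": cb, "body": body.decode(), "api_url": api_url, "api_headers": api_headers}


if __name__ == "__main__":
    print(demo())
```

Treat the code like a one-time password: it is redeemable once, and the POST that redeems it is the only place the client_secret should ever be sent, so log the callback parameters if you must but never the token request body.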
If you have apps in "My draft apps" and you used basic OAuth, you will have to change to OAuth authentication, but if you only have private apps using a "legacy API account", you will not need to change.
