Dropbox Core SDK for iOS using access token - ios

I need to upload files from my iOS application into my Dropbox account. I'm following this tutorial to do so: https://www.dropbox.com/developers/core/start/ios. But I don't understand how to use the generated access token to access my own account without going through the authentication flow.

The generated access token available on the Dropbox App Console is an OAuth 2 access token, just meant as a shortcut to let your app to your own account. The Dropbox iOS Core SDK uses OAuth 1 though, so you can't use the generated access token with it. That being the case, you'll need to implement the app authorization flow so that you, and additionally your end-users, can link your iOS app to their Dropbox accounts, as shown in the tutorial.
If you only ever need to link to your own account, you'll still need to process the app authorization flow for your own account once to get an OAuth 1 access token.

Related

Google Sign In iOS and Web

I'm building a system with a web and a iOS app. The web part require authentication that can be used on the mobile part and vice versa.
I want to add support for google sign in on the web and on the mobile part. For test i've used the code from
https://developers.google.com/identity/sign-in/ios/start-integrating
for iOS and
https://developers.google.com/identity/sign-in/web/
for the web part.
scope are the same on Application and web (email, profile)
Expected flow
User sign in with google and grant access from mobile (or web)
user go to web site (or application)
user sign in with google
no need to grant permission again
What i got
User sign in with google and grant access from mobile
user go to web site
user sign in with google
same permission are asked again
How can i avoid asking permission again? from the documentation (https://developers.google.com/identity/sign-in/web/cross-platform-sign-in)
seems to be possible to obtain the expected flow but in practice i am unable to obtain it. iOS and Web are in the same google developer project.
I've made this work as expected following this guides: https://developers.google.com/identity/protocols/CrossClientAuth
https://developers.google.com/identity/sign-in/ios/offline-access
what you have to do is the following:
first add
[GIDSignIn sharedInstance].serverClientID = #"SERVER_CLIENT_ID";
in your iOS appDelegate. When the user authenticate through the app you can now retrive a token valid for your server_client_id via serverAuthCode attribute of your GIDGoogleUser object.
Send the token to the server and validate it on the token endpoint (/oauth2/v3/token) redirect_uri must be empty while grant_type must be authorization_codeotherwise you will have a 400 response.
Your server is now authenthicate and when the user will log on the website permission will not be asked again.

Use of dropbox with core APIs, but avoiding login page

I want to use Dropbox for my file share application, using Core Dropbox APIs. I am using OAuth 2.0 APIs for authentication (Implicit Grant Method).
The issue is, In order to obtain the access token, I need to be logged-in to dropbox account or it redirects me to Dropbox login page. I don't want my users to enter the login crediantials.
Is there any way to avoid login process, and directly get access token??
Or Alternatively can I do login using some login api in backend, without user iteraction??
here I am considering a single Dropbox account, whose all necessary crediantials are with me.
Thanks.
Yes you can do this.
Do the following:
Go to https://www.dropbox.com/developers
Click on "App Console"
Click on "Create App"
Select "Dropbox API app"
Select "Files and Datastores" for the type of data.
Answer the rest of the questions with your own preference for access
Here's the bit that you need. Once the app is setup, in the App Console, click on the app. On the main page for the app, in the OAUTH2 section, there's a button that says "Generate Access Token".
Click on this button, and it will generate a non-expiring access token that you can copy/paste and use in your app to give you access without having to do the Oauth2 authentication dance.
Here's an example of using the access token with curl to list files in a folder (and get other meta data).
curl https://api.dropbox.com/1/metadata/dropbox/YourFolder -H "Authorization:Bearer XYZ123"
Where XYZ123 is your access token you generated from the app console of the app.
As long as you include the Authorization: Bearer in the header of your request, you can use all the API calls in the Core API withouth having to supply an app ID, secret, or do the oauth2 authentication dance.
Since you want to use your Dropbox account to store the files, there's no reason to bother other/your users with a login: just obtain an access_token for your client in the regular way (which requires you to login to Dropbox) store it in your application and use that access_token in your calls to the Dropbox APIs. Dropbox' access token never expires according to Dropbox Access Token Expiry so that should be all you need.
As you have probably seen in the core api documentation, Dropbox does not offer this feature.
You can automate the process by simulating the user interaction with the website, though. This can be done with the requests module. I developed a solution for my project:
https://github.com/joe42/CloudFusion/blob/master/cloudfusion/store/dropbox/dropbox_store.py#L214
Maybe this can be done more easily using a solution like PhantomJS, though I did not know about it at that time.
Putting probable solution to my own question here:
The main issue here was about re-generation of the Access Token at some intervals, that too without any user interaction, a backend stuff.
After going through Dropbox APIs, I concluded there is no API exposed for re-generation of Access Token automatedly.
But Google Drive do offer Service Account, which do not require user interaction.

OAuth2 Authorization Code with Facebook iOS SDK

I'm developing an iOS app which uses Facebook Login. I have the Facebook iOS SDK set up and working, but the back-end developer of my client has concerns about the safety of Facebook's access tokens.
Using using the Facebook SDK, We want to get an authorization code from Facebook, not the access token, and get the access token on the server with App Key and App Secret. Is there any way of doing this?
Note: I am using this method to login (on FBSession):
openActiveSessionWithReadPermissions:allowLoginUI:completionHandler:
Answering my own question :
This can't be done with the current Facebook iOS SDK, but you can make a graph API call to
https://graph.facebook.com/oauth/client_code?access_token=...&client_id=...&client_secret=...&redirect_uri= ...
to exchange the access token with the code.
But this isn't secure at all, because you would have to ship the app with the App Secret.

Is it possible to use facebook oauth to secure my json API?

I'm developing a mobile app that will interact with a rails app that's essentialy a json api. Is it possible to use an external identity provider such as facebook or googleplus to secure the access to my API?
Users will upload a photo to a json rest service but the rails app would only allow the upload if the uses is authenticated with one of those providers.
I've checked omniauth gem but I don't know if that's the path to do it. I don't understand very well how oauth works so I'm trying to know if this would be possible to do.
Regards
Fak
The answer, in part depends on how you're going to provide Identity via the mobile app. The user's authentication, and their identity are de-coupled.
My guess is you're wanting the user to authenticate to the mobile app using the Google/Facebook sdk app side. To do so, you'll need to use that sdk to generate a token, which can then be saved to Rails. The token can then be required as part of each API request - which rails will validate.
The topic is a bit complex to fully describe the flow....but in essence: 1) Create the token on the mobile app using the mobile sdk, 2) save the user and token to Rails/database, 3) as part of every request check the access_token provided.
Since the topic of Oauth and request/identity providers takes some time to understand, I would first watch he following railscasts on securing an API. Once you're done with that one (and understand the concept), you can also watch this railscast.
Hope this helps.

Is there a way to use DropBox for authentication without re-authorization?

I'm developing a DropBox app - one that has no use if the user is not authenticated by DropBox. Therefore it would be useless to have separate account management in my app, (using the DropBox accounting should suffice).
The oauth sequence suggested by DropBox does both authentication (having the user sign in with her DropBox credentials), and authorization (having her approve my app to access her DB account). This is good for the first time the user signs-in to my app. But once my app is approved and "installed" on the user's account, I don't want her to be prompted whether to allow my app access, every time she logs in. Is there a way to skip the authorization page?
Some time passed, but now there is a way to allow permanent access to dropbox API.
You need to generate access token from the application settings and use it.
Here is what dropbox says:
By generating an access token, you will be able to make API calls for your own account without going through the authorization flow. To obtain access tokens for other users, use the standard OAuth flow.

Resources