There is a problem to realize my OAyuth-2 server.
Can I store the Access-tokens of users on the server? If not, how can I make it so that each user would have had only one working Access-token? I hope my question is clear, thanks in advance.
Your question sounds strange. It is the role of an OAuth server to generate and manage access tokens. "Can I store access tokens?". Well, instead, "You must store access tokens."
Related
I'm making a Twitter application that makes one Twitter account echo another.
I used the http://dev.twitter.com tool to obtain the access token associate with one account, but since only one person can administer a Twitter application I can't get an access token for any other accounts.
It would appear I have to build an entire 3-legged-oauth strategy only to get one access token!
https://dev.twitter.com/docs/auth/obtaining-access-tokens
How can I most easily acquire an access token for the other user? I don't need a strategy to get many of them, just one.
Okay so I found the answer after a few hours of searching.
You can do it fastest using the PIN auth method and you'll never have to do it again.
Additionally, this gist contains some awesome Ruby code so I didn't have to do any coding, and I got my access token right from the command line:
https://gist.github.com/mirakui/388067
Cheers.
I am making an instagram application using rails. Is it possible
to save some kind of 'token' or 'id' in my database that can be used
to automatically authenticate the user and allow the application to
access the user's profile data, images,etc,etc without asking the user
to enter the login details/authentication again and again. If it is possible please
tell me how it can be done.
Thanks in advance! :)
Yes, it is possible to get a token. Take a look at the documentation concerning authentication, it's pretty comprehensive.
http://instagram.com/developer/authentication/
This is a bit of an odd question which I'm struggling to get my head around, so any insights from previous experiences would be great.
I'm working on an mobile application where a seamless sign in process would be great, removing the requirement of validation an e-mail address if possible, which makes a Single Sign In (SSI) process seem very attractive.
So going through the process of Twitters SSI I will end up with a username, id and two tokens for using with the API. What I can't quite get my head around, is whether this is a valid use of the SSI process when I don't want the two tokens since I simply intend to user the twitter credentials to verify against an account used for my application. Is this simply something I'm over thinking?
As for iOS5 the username and id are freely accessible through the platform's account manager. Using this I can create an account but the api to communicate to the server would simply pass the username and id, at no point would it verify the account with twitter since iOS5 takes care of that.
I'm currently looking at the Reverse Auth for this (https://dev.twitter.com/docs/ios/using-reverse-auth) but again this would mean for the server to verify the twitter account I'd need to send the tokens and username and id from the device to the server and perform an api call from the server to twitter to ensure the details are valid, does this sound a.) correct and b.) safe, passing the tokens around doesn't feel right?
Thanks in advance for any help and I hope this makes sense.
Cheers,
Matt
as I started to work with Twitterizer in order to publish on someone's wall I am in confusing time.
There is a page, my case, DefaultTwitter.aspx where is link to authenticate on twitter with token provided. Goes on Twitter and comes back to CallbackTwitter.aspx with outh_token and secret. And so the user is identified. On twitterizer example says:
Step 5 - Store the results
You should now store the access token and the user details. Keep in mind that the
only way an access token will become invalid is if the user revokes access by logging
into Twitter. Otherwise, those values will grant you access to that user's data
forever.
My questions are: - should I store any data in SQL datatable and what exactly(however I hope that is not the case to do so)
somebody said that I should save in a cookie(I thought in session); however then if another user comes then how should I create a button to logout or something like that?
-how will user revoke application access if he would like so?
A live example will be much appreciated as I could not found any on internet how exactly twitter api works.
When your application finishes getting authorization to access the user's data, the result is the access token (represented by 2 values, a key and a secret). Those values are, in effect, the username/password you can use in requests to the API on behalf of that user.* Save those values in your SQL database. You'll also be given the user id and screen name. It's probably a good idea to keep those handy, too.
The user can revoke access to an application by going to http://twitter.com/settings/applications, finding the application and clicking the revoke access button next to it. Your application cannot revoke access for the user.
You asked for an example, but you're citing the example application. Just look at the source code in that sample.
* - That's a simplification for explanation sake. Please don't crucify me, OAuth experts.
I'm currently creating a web app using Google's oAuth. I was wondering how I can uniquely identify an authenticated user so I don't accidentally add duplicates.
Doesn't Google give you other unique params like user name or user ID?
For example, Twitter and Facebook, give you user name and a unique url that identifies user's profile picture. If you save that params on server-side you can identify user next time that he comes on your site.
The best way to do this would be to use OpenID with the oAuth extension (aka hybrid).
I am currently using OAuth exclusively and I am requesting the https://www.googleapis.com/auth/userinfo#email scope as described on http://sites.google.com/site/oauthgoog/Home/emaildisplayscope to get the email address of the authenticated user. I am using the email address to uniquely identify the user. This should be good enough for now.
Edited:
According to a recent Google developer comment (https://groups.google.com/group/oauth2-dev/browse_thread/thread/cf5c137f872f9932), they are currently working on this problem, but for anything production ready, you should use OpenID authentication.
You should save somewhere the user_id you have for your users in your site, along with the corresponding access_token and access_token_secret.
Then you can query that table (or wherever you save that information) with the user_id and obtain the proper tokens
Regards