Somebody at my company generated a Consumer Key and Consumer Secret with Twitter some years ago, but I no longer know who. I don't have the application's ID or the Twitter ID of the owner of the application, just the Consumer Key and Consumer Secret. (They work fine for authentication purposes.)
Can I use my consumer key and secret to figure out who the application/owner of the keys are?
Check the Settings/Application page of a Twitter account which has authorized the app. It is possible that the author has linked to his home page from the app description.
Failing that, the information you are looking for is not accessible to anyone other than the creator of the app.
Related
I am trying to create a web app for my server which can connect my website forms to Google Sheet. While generating the OAuth client ID and Secret I chose "webserver" and I needed to enter a call-back URI to handle the authorization code returned back from Google as a response.
Well, now I created another client id, but this time I chose Application type as "Desktop" and I didn't need to enter any redirect URI. In my PHP app, I used redirect URI as urn:ietf:wg:oauth:2.0:oob.
However, in both cases, I was able to get Access Token and Refresh Token and my Google Sheet API working smoothly.
So my question why I should choose Application Type as "Webserver" and do an extra step by entering "Redirect URI"? What is the benefit of doing so?
You may check a Quickstart Oauthflow here https://developers.google.com/sheets/api/quickstart/php#step_1_turn_on_the
So my question why I should choose Application Type as "Webserver" and do an extra step by entering "Redirect URI"? What is the benefit of doing so?
Security. Web server client will return the auth to your server. Installed will return it to where ever the request came from. If someone got your client id and secret for a web app they couldn't use it. However if someone got your client id and secret for an installed app they could easily use it to impersonate your developer account.
What is client id and client secret.
Think of the Client id as a login and the secret as its password. This login and password identify your project to Google and they identify the developer of that project as you.
You the developer are responsible for this login and password. If it is stolen then as far as google can see it is your application using it google has no way of knowing other wise. If the login and password for a desktop app is stolen someone could put up an app and as far as anyone would know it would appear to be your app.
You create super awesome email app which gives access to a users gmail account. It becomes very popular and a lot of people know the name. Someone steals your client id and secret creates an app that looks exactly like your super awesome email app. There is no way for anyone to know its not. Because its set up as a desktop app this person could then put it up and start harvesting authorization from your potentiate users without them having any idea. It looks exactly like your app only the responses are going to urn:ietf:wg:oauth:2.0:oob which is the host server of the person who put up this app to mimic yours.
Unless your application is running on a users machine its really not a good idea to use installed credentials. That being said theirs nothing to stop you from doing so it will work.
Is it possible to use my twitter API registered account on account X to tweet from another account Y, which is also mine?
Yes, you'd simply have to authenticate as account Y using OAuth 1.0a.
See https://developer.twitter.com/en/docs/basics/authentication/overview and https://developer.twitter.com/en/docs/basics/authentication/oauth-1-0a for more information.
If you're using Tweepy, see https://tweepy.readthedocs.io/en/latest/auth_tutorial.html.
It seems like Twitter made it intentionally hard to do this. Let me explain how I to do it, based on how I did it,
Create a developer account from your main account and get it approved
Create a separate Twitter account for your bot
In the developer portal Create a project and add an app
copy all the keys and secret keys while you are doing it
Go to user authentication settings in the app details and turn on oAuth 1.0a and OAuth (copy all the keys and keep it in a notepad)
go to tw-oob-oauth-cli and download the relevant binary with respect to your OS.
remove the part after tw-oob-oauth from the file name.
run ./tw-oob-oauth --key ${your_consumer_key} --secret ${your_consumer_secret}
your_consumer_key means your API key, and your_consumer_secret means your API secret (those are basically at the top of your copied keys or you can find them in the keys and tokens section of your app in the developer portal).
Follow the instructions shown in your command prompt after running the command
Finally You will get an Access Token and Token Secret
Use those two along with API key and secret to run your bot.
Hope it saves some hours of your valuable time, Cheers!
We have some old configurations which make use of an OAuth Client ID, and we're trying to determine which Google Developer account created it.
We have both the client ID and secret. Is is possible for us to determine which Google account they're associated with? We'd prefer to not have to switch to a new account. Any help is appreciated, thanks!
Is this client ID still used on some website for sign-in? If so, you could try to sign-in with an account that hasn't authenticated yet, and in the auth window click on the App name to get the developer info including the email address, which should match the Google account you are looking for.
I'm using Twitter API for my website in PHP.
I have created a developer account "me" let's say.
I have then created an app named "myapp". I've generated tokens and keys with Read&Write permissions.
My problem : when I tweet via my website (using the API) and using my app tokens and keys, my tweets appear in https://twitter.com/me as if "me" were the author of the tweet, and the app name does not appear anywhere...
How could I tweet with my app name as the author ?
To be more clear, I would like to see the tweets posted (via the API using the tokens and keys of "myapp") in https://twitter.com/myapp and with "myapp" as the author of the tweet.
Thanks a lot for your help.
By definition, your app posts on behalf of an account that has granted permissions, so what you're seeing is "working as expected" from the outside. In order to have your app be an author, create an account specifically for it to tweet to.
The app technically still won't be the author, your dedicated account is, but you would (probably) set up that dedicated account to represent your app (URL if it's public, icon/photo, etc).
Note that you'll use the auth keys you get when attaching the app to the custom account instead of the ones that you're currently using for attaching it to your developer account.
I tried to create a testing client id for an android app which uses OAUTH 2.0 as login for retrieving user profile. I followed the steps to complete the creation of the client id on google console, but I do not see anywhere the client secret. I'm trying to help my employer with getting google credentials for it's app. I know how to implement OAUTH 2.0 in android, but I need client secret to exchange the code with access token.
First, I selected "Google+ API" from Services tab.
Then followed the on screen steps from API Access tab.
It seems that Google finally ditched the unnecessary client_secret for installable applications and is not yet up-to-date with their documentation.
You should check if you already get an access_token in the initial OAuth request like it's handled on Facebook.
Another possibility would be to fall back to using a Simple API Access key.
Update:
First method seems to not work with Google.
The recommended way for Android is to use AccountManager instead of baking your own requests. Follow this example to see how this is implemented and how you get an AuthToken using a Simple API Access key. Instead of using the Tasks API you can then include the OAuth2 API library to retrieve the userinfo.
Click on "Download JSON "
Is it what you're looking for ?
Since almost everything from the accepted answer has been deprecated, I thought I'd share what I've found.
I needed the People API which requires a client secret. What Google recommends for using People API with Android is,
Select the application type Other, enter the
name "People API Quickstart", and click the Create button.
Found here: https://developers.google.com/people/quickstart/java
(Step 1 part e)
So if you need a client secret, you might consider using the Other type. Of course, follow the documentation for your specific API first.
Just today I found out that on the new Cloud Console we can see the client secret for android apps - while in the old google console we just can't.
To use the new Cloud console, just click on the message "We are improving the experience. Try the new Cloud Console." Google will ask for a SMS confirmation. Now you'll be redirected to the new cloud console
Now, just select your project, click on "Registered Apps" on the left menu, selected your android app, and voilá, on oAuth 2.0 Client Id you'll see your client secret. No idea why on the old google console it's not displayed, but if you really need a client secret key, it's there.
Now that the type Other is unavailable, I used type Desktop since I wish to upload using Visual Studio which is a Desktop app. That worked, I got the client id and client secret.
When you update any changes in the credential, make sure you could see the client ID and secret in the dashboard before downloading.
Google cloud takes at the least 10 seconds to regenerate the client id and add it in the json.
Once json is downloaded you can check for client_secret to be present.
source said that :
Visit the Google Developers Console to obtain OAuth 2.0 credentials such as a client ID and client secret that are known to both Google and your application. The set of values varies based on what type of application you are building. For example, a JavaScript application does not require a secret, but a web server application does.
Another solution is that you have to create a client ID with the type of "Installed Application" then you will have the Client secret