Just need a very basic detail clarified.
If I'm trying to implement an OAuth authentication system for my website, does it mean my website is REQUIRED to have a Facebook, Google and Twitter account?
For example: I have no intention for my website to have a twitter presence, but I want twitter users to be able to use OAuth to login on my website without registering manually.
Do I really need to open a Twitter account to get my client ID and secret key code?
Yes, it looks like you need a Twitter account in order to create a Twitter application, but it doesn't have to be an account for your website. For instance, if I want to create a "Sign in with Twitter" button on my page, I can just log into the dev site using my personal account and create an application. Follow the steps here. In particular, following the "application settings" link will prompt you to log in, and then you can create an application.
Facebook likewise requires you to have an account and create an application. They then provide API keys that can be used in the OAuth login flow. They have two ways to get a token: a server-side flow that provides a longer-lived token, and a client-side flow that gives a shorter-lived one. For more details see this page.
With Google, if you use their OAuth 1.0 flow, you can do a login without creating an application (https://developers.google.com/accounts/docs/OAuth). However, it looks like their preferred way is their OAuth 2.0 flow through Google+. See this page.
I am about to embark on adding a 'post to Twitter' feature on a web application.
It appears 3-legged OAuth is the only option for this. The developer documentation states however that "The user will always be prompted to authorize access to your application, even if access was previously granted."
https://dev.twitter.com/oauth/3-legged
This doesn't seem like a very good experience for the user and confusingly this is not what happens on services like Hootsuite. Have they organised an agreement with Twitter so users don't have to keep authorising the app?
Use the Sign-in With Twitter flow, and store the access token that the user receives when they grant access to your app. Then there's no need to go down the oauth/authorize route every time.
I created an app on one Twitter account. I would like to authorise that same app on a different account.
The FAQ on how to authorise apps says "On the website of the application you want to connect, find the button/link asking you to connect your Twitter account." But I haven't built said site/page.
How can I auth this app on the second account?
You have to use the OAuth Authentication Flow process.
To do so, you first need to request an authentication link using your Consumer Key and Consumer Secret via https://api.twitter.com/oauth/request_token (doc: https://dev.twitter.com/oauth/reference/post/oauth/request_token).
When you receive a callback or a code, you can use them to execute a second query that is https://api.twitter.com/oauth/access_token as described at https://dev.twitter.com/oauth/reference/post/oauth/access_token. You will want to use the oauth_verifier parameter.
Remember that authentication in Twitter is not an easy process and you should read more about it on Twitter (https://dev.twitter.com/oauth/3-legged) or use a library that will do that for you.
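The two signed calls in that flow, as an added example that is neither the answer's nor Twitter's own code: it builds the OAuth 1.0a Authorization header for oauth/request_token (carrying oauth_callback) and for oauth/access_token (carrying oauth_verifier), and checks that the oauth_token sent back on the callback is the one issued in the first step. The consumer key, secrets, nonce, timestamp and callback URL used in the comments and tests are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(value):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters are left as-is
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Sort by encoded key, join as key=value pairs, then encode the whole parameter string once more
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(base_string, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret" (token secret is empty for request_token)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def oauth1_header(method, url, consumer_key, consumer_secret, token_secret="",
                  oauth_params=None, nonce=None, timestamp=None):
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),   # fixed nonce only for reproducible tests
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
        **(oauth_params or {}),
    }
    params["oauth_signature"] = sign(signature_base_string(method, url, params), consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))

def request_token_header(consumer_key, consumer_secret, callback_url, **kw):
    # Step 1: POST oauth/request_token; oauth_callback is where Twitter sends the user afterwards
    return oauth1_header("POST", REQUEST_TOKEN_URL, consumer_key, consumer_secret, oauth_params={"oauth_callback": callback_url}, **kw)

def parse_callback(query_string, expected_token):
    # Step 2: the callback carries oauth_token and oauth_verifier; the token must be the one from step 1
    q = parse_qs(query_string, strict_parsing=True)
    token, verifier = q["oauth_token"][0], q["oauth_verifier"][0]
    if token != expected_token:
        raise ValueError("oauth_token in callback does not match the request token")
    return token, verifier

def access_token_header(consumer_key, consumer_secret, request_token, request_secret, verifier, **kw):
    # Step 3: POST oauth/access_token, signed with the request token secret and carrying oauth_verifier
    return oauth1_header("POST", ACCESS_TOKEN_URL, consumer_key, consumer_secret, token_secret=request_secret, oauth_params={"oauth_token": request_token, "oauth_verifier": verifier}, **kw)
```

The access token and secret returned by step 3 are what the earlier answer suggests storing, so the user is not sent through oauth/authorize again.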
We have SAML-based single sign-on (SSO) enabled between our company's Intranet Portal and Box so that the users do not use usernames and passwords to log in to Box.com. They just click on a button on the Intranet Portal which posts a SAML assertion to Box.com to authenticate.
We would like to provide the ability for our users to search their Box documents directly from the Intranet Portal, and the Box.com API looks like a perfect fit. However, it requires an OAuth access token.
The question is:
Is there any way to obtain the OAuth token from SAML assertion?
Box Embed allows embedding of the folder view on other sites. Is there any way to embed just the search results? In other words, I am looking for a way to do this: <iframe src="https://www.box.com/....?search=keywords"></iframe>, where it would just display the search results in the iframe.
1. I don't know if it is possible to get an OAuth2 token from a SAML assertion -- I'd think that it isn't -- but you can pretty easily configure a Box application to support your company's SSO. The first step of Box's OAuth2 authorization process is to redirect the user's browser to a URL similar to:
https://www.box.com/api/oauth2/authorize?response_type=code&client_id=MY_CLIENT_ID
On this page the user can log into Box with whatever credentials they chose and authorize your application to touch their files. In order to take advantage of your company's SSO integration, you will instead redirect the user to:
https://sso.services.box.net/sp/startSSO.ping
?PartnerIdpId=<YOUR_IDP_URN>
&TargetResource=https%3A%2F%2Fwww.box.com%2Fapi%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3DMY_CLIENT_ID
Where:
The PartnerIdpId is the URN of your company's IdP.
The TargetResource is the HTTP-encoded version of the default OAuth2 authorization URL that was described above.
This will tell Box to bounce the user over to your IdP for authorization instead of prompting the user to log in with Box credentials. The OAuth2 process will then carry on as normal.
2. I don't know that this is possible either, but with a valid OAuth2 token you can easily tap into the Box Search API.
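The nested URL from point 1, as an added example that is neither the answer's nor Box's own code: it builds the plain authorize URL and the startSSO.ping wrapper with one urlencode at each level, so the second encoding of TargetResource happens automatically, and it adds and checks the OAuth2 state parameter on the way back so a forged callback cannot hand the portal someone else's code. The IdP URN, client ID, redirect URI and state values are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BOX_AUTHORIZE = "https://www.box.com/api/oauth2/authorize"
BOX_SSO_START = "https://sso.services.box.net/sp/startSSO.ping"

def box_authorize_url(client_id, redirect_uri=None, state=None):
    # Default OAuth2 authorization URL; redirect_uri and state are optional here only so the
    # minimal form from the answer can be reproduced, a real app should always send both
    params = {"response_type": "code", "client_id": client_id}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    if state:
        params["state"] = state
    return BOX_AUTHORIZE + "?" + urlencode(params)

def box_sso_authorize_url(idp_urn, client_id, redirect_uri=None, state=None):
    # Wrap the authorize URL as TargetResource; urlencode encodes it once more, which is
    # exactly the double-encoded form shown in the answer (%3A becomes %253A, and so on)
    target = box_authorize_url(client_id, redirect_uri, state)
    return BOX_SSO_START + "?" + urlencode({"PartnerIdpId": idp_urn, "TargetResource": target})

def decode_target_resource(sso_url):
    # Recover the inner authorize URL (one decoding step) to check where Box will send the user
    return parse_qs(urlsplit(sso_url).query, strict_parsing=True)["TargetResource"][0]

def new_state():
    # Unguessable per-login value; save it in the user's session before redirecting
    return secrets.token_urlsafe(24)

def authorization_code_from_callback(callback_url, expected_state):
    # After the IdP and Box are done, redirect_uri receives ?code=...&state=...;
    # reject the code unless state matches the value saved in the session
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    return q["code"][0]
```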
I'm creating an app for iOS that consumes an API I've created, which requires authentication and authorization of users. I'm thinking of using OAuth to let the mobile users do this with Facebook. This is an internal API that isn't meant to be exposed to third parties.
Anyway, I'm a little confused about the abilities and limitations of OAuth consumers versus OAuth providers. Basically, I want to implement "Login with Facebook" functionality from the iOS app. It seems to me that this implies that my API should be an OAuth consumer, but the problem with this is that the login flow for a web app assumes a browser -- an NSURLConnection instance isn't going to know what to do with an HTML login page, and even if the redirect to the login page was made to work by prefixing the redirect URI with the fb:// schema, surely the login form is going to pass the authorization token back to the iOS app and not my API?
So my question is: is there a way to implement my API as an OAuth consumer? If not, and I should implement it as an OAuth provider, what does logging in with credentials from another provider like Facebook even mean?
I think things are a bit mixed up:
1. OAuth is to authenticate your app against Facebook. A user grants access to his FB account to your app on his behalf.
2. "Login with FB" is the other way round and is not OAuth: a user with an FB account is using this data to register AND log in to your app.
The entire flow of #2 can be read here.
I have a mobile app which allows a user to log in with his username/password credentials via an OAuth2 API. In addition to this flow, I would like a new app user to be able to sign up for a new account.
Is that something I could/should handle via the oAuth API?
I suggest you try to use a third-party API, like Facebook; it is very simple to implement and provides a great level of security.