Where and for how long are the tokens held when using the iOS Box SDK? Are they placed into a keychain or elsewhere?
I found the following line in the "OneCloud on iOS" web page under the "Web API Library" section.
"Second, the web API Library uses Keychain to store sensitive
information such as the Auth Token."
That seems to conflict with following on the "Authentication in your iOS app" web page.
"The user is now fully logged in and you can use this auth token with
every API call that requires it. You may store the authentication
token for future use, so that the user does not need to
re-authenticate with your application every time they use it. Please
use the Keychain (of the Security framework) for this."
The first page you're referring to refers to when you're using our iOS SDK.
The second page you're referring to refers to when you're building your own API integration from scratch.
Related
I'm writing an open-source stand-alone desktop app in Java that handles photos, and I'm adding a feature to let users upload pictures to their Google Photos account, but I'm faced with an authentication/security question.
I've registered my project to use the Google Photo API and have downloaded my credentials JSON file. I've been able to use it successfully with the samples from the java-photoslibrary Github project, so all is good.
However, the credentials file contains a "client_secret" key which, if I'm not mistaken, should not be disclosed (am I correct here ?). But those credentials have to somehow be distributed with the app and, as it is open-source, will be basically public. So my question is: How can I authenticate my app's user to his/her Google Photo account without disclosing my app's secret key ?
Note: I've integrated Dropbox upload, and their procedure for desktop apps clearly explains how to authenticate without embedding the secret key in the Desktop app using OAuth's token flow. Is there an equivalent for Google Photos ?
Thanks.
Edit: made some progress (see my own answer below), but after I finally got time to implement it, I realized that after user has authorized the app and a valid code has been returned (Yay!), step 5 (Exchanging the code for a token) again requires the client_secret ! :-(
I tried the call without it but I'm receiving a "client_secret is missing" error, so that's not a typo.
After more search (with the [google-oauth] keyword instead of [oauth-2.0], which says it all), it seems "secret" does not mean it is actually "secret" in Google world. In other terms, it's OK to embed it in your apps because, well, it's secret but it cannot be used in a malicious way (hopefully)...
See answers to these related questions:
Safely distribute OAuth 2.0 client_secret in desktop applications in Python
Why does Google provide a client secret for a Native application?
Integrate oauth2 with native (iOS/Android) mobile application
One Google page even mentions that "In this context, the client secret is obviously not treated as a secret."
Come on Google, explain me how security works :-)
OK I think I found the answer.
Similar to Dropbox, Google can use OAuth 2 with PKCE, they just use the full spelling "Proof Key for Code Exchange", that's probably why I didn't find it at first :-). The details are here:
https://developers.google.com/identity/protocols/oauth2/native-app#obtainingaccesstokens
I didn't find the equivalent process in the Google APIs, but those API are megabytes of classes so I may have missed it. Basically, all it takes is just sending a few requests and listening to the response, so I think I'll implement it from scratch (and will probably also get rid of Dropbox's client libs as the process is so similar).
Hope it helps...
Edit: that doesn't address the point because after the clean PKCE procedure, the app still has to send its private key to exchange the authorization code for a token. See edit in my question
I am using the Gmail API in iOS with the code that is given on the link
https://developers.google.com/gmail/api/quickstart/ios?ver=swift
and I tried running the application on an iPhone but every time, when I start the application it is asking for a Google login for authorization.
The page at Google Developers says that:
Authorization information is stored in your Keychain, so subsequent executions will not prompt for authorization.
So my question is that for my application is the Keychain value not being stored, if so how can I correct it and if not what can be the possible error in the code that is in the link provided above?
I have been struggled with Youtube API and now I am stuck.
What I did is:
create a project at google developers console(https://console.developers.google.com)
enabled "YouTube Data API v3"
generate api key of iOS.
access to https://www.googleapis.com/youtube/v3/search?key={API KEY}&part=id&q=soccer by web browser and got the error message
Am I missing something?
I have read many questions but I cannot solved yet.
In step 3 "generate API key for IOS", the comment on the Google Developer Console web page says
Use of this key does not require any user action or consent, does not grant access
to any account information, and is not used for authorization.
Clicking on the *Learn More" button, it says:
Use an API key when your application is running on a server and accessing one of the following kinds of data:
•Data that the data owner has identified as public, such as a public calendar or blog.
•Data that is owned by a Google service such as Google Maps or Google Translate. (Access limitations may apply.)
I think you need to use the OAuth process rather than the API Key. Click on Learn More in the OAuth section of the Developer Console web page to learn about using OAuth with Apple iOS.
To create oAuth credentials for iOS:
Create new Client ID / Installed Application / iOS
I know it sounds a bit elementary, but I solved this same problem by going back into Google developer, creating a whole new project, new API key, and then it worked. Google quirk??
I am developing application which is required to upload file into Google Drive.
I started learning API from following link.
https://developers.google.com/drive/ios/quickstart
Currently,I have to login first time for upload file. But in my application, every time there is same account will be used for uploading file.
So, is there any way by which I can bypass GTMOAuth2ViewControllerTouch (login screen).
Please help me.
I will be very thankful for your replay.
Most Google APIs currently require an OAuth 2 token, and so far that is available only via the user-directed sign-in flow, which is what gtm-oauth2 provides.Some older Google APIs do support the ClientLogin protocol, in which the username and password are supplied directly by the application, but the newer APIs do not.
Remember that hardcoding any account authorization(especially an account password) into an application's binary is a security risk and
is poor practice.
I tried to create a testing client id for an android app which uses OAUTH 2.0 as login for retrieving user profile. I followed the steps to complete the creation of the client id on google console, but I do not see anywhere the client secret. I'm trying to help my employer with getting google credentials for it's app. I know how to implement OAUTH 2.0 in android, but I need client secret to exchange the code with access token.
First, I selected "Google+ API" from Services tab.
Then followed the on screen steps from API Access tab.
It seems that Google finally ditched the unnecessary client_secret for installable applications and is not yet up-to-date with their documentation.
You should check if you already get an access_token in the initial OAuth request like it's handled on Facebook.
Another possibility would be to fall back to using a Simple API Access key.
Update:
First method seems to not work with Google.
The recommended way for Android is to use AccountManager instead of baking your own requests. Follow this example to see how this is implemented and how you get an AuthToken using a Simple API Access key. Instead of using the Tasks API you can then include the OAuth2 API library to retrieve the userinfo.
Click on "Download JSON "
Is it what you're looking for ?
Since almost everything from the accepted answer has been deprecated, I thought I'd share what I've found.
I needed the People API which requires a client secret. What Google recommends for using People API with Android is,
Select the application type Other, enter the
name "People API Quickstart", and click the Create button.
Found here: https://developers.google.com/people/quickstart/java
(Step 1 part e)
So if you need a client secret, you might consider using the Other type. Of course, follow the documentation for your specific API first.
Just today I found out that on the new Cloud Console we can see the client secret for android apps - while in the old google console we just can't.
To use the new Cloud console, just click on the message "We are improving the experience. Try the new Cloud Console." Google will ask for a SMS confirmation. Now you'll be redirected to the new cloud console
Now, just select your project, click on "Registered Apps" on the left menu, selected your android app, and voilá, on oAuth 2.0 Client Id you'll see your client secret. No idea why on the old google console it's not displayed, but if you really need a client secret key, it's there.
Now that the type Other is unavailable, I used type Desktop since I wish to upload using Visual Studio which is a Desktop app. That worked, I got the client id and client secret.
When you update any changes in the credential, make sure you could see the client ID and secret in the dashboard before downloading.
Google cloud takes at the least 10 seconds to regenerate the client id and add it in the json.
Once json is downloaded you can check for client_secret to be present.
source said that :
Visit the Google Developers Console to obtain OAuth 2.0 credentials such as a client ID and client secret that are known to both Google and your application. The set of values varies based on what type of application you are building. For example, a JavaScript application does not require a secret, but a web server application does.
Another solution is that you have to create a client ID with the type of "Installed Application" then you will have the Client secret