I have a pair of keys: consumer key & consumer key secret. I want to validate it. How to do?
Just like Facebook validate appID using http://graph.facebook.com/< appID >
https://dev.twitter.com/docs/auth/oauth/single-user-with-examples
This page in Twitter dev centre should hopefully explain all, i am not sure what you mean by Validate (as in whether you mean test or implement) but either way this will help :)
Related
I am trying to invite my Discord.js bot to a server but whenever I use the URL, it says CLIENT_ID "(my client ID is in here)" is not snowflake.
What does this mean, I've looked about but haven't seen any fixes to this problem. My redirect URI is https://discordapp.com/oauth2/authorize?&client_id=[CLIENTID]&scope=bot with CLIENTID as my client ID. I'm not fully sure on how to use a redirect URI properly, as for my other bot(in python) I didn't need it.
This appears to be an issue with the ID you substituted into the URL, double check the ID you provided is right and corresponds to the bot; if this turns up okay, I would recommend generating an invite URL through the Discord developer portal.
If you navigate to the Discord Developer Portal and click on the application you want to invite (your discord.js bot) it will open the application's page. From there click OAuth2 on the side panel then URL Generator and select the scopes and permissions you want for the bot and Discord will generate the URL for you.
On a side note, the programming library or language you use will have not affect on the invite link.
I had this same issue, for me it turns out my client id ended up having a semicolon at the end because Prettier auto-appended it to my .env file.
Try printing out your client ID and make sure it's just a string of numbers like this
CLIENT_ID = "123456789876543210"
with no other characters in it
GET
https://mybusiness.googleapis.com/v4/accounts/{**accountId**}/locations/{locationId}/reviews/{reviewId}
Where is the accountID located in the API documentation?
I will explain how to find out the account ID.
GET
If you run https://mybusiness.googleapis.com/v4/accounts
you will be required to authenticate with OAuth2.0.
if the authentication passes,
for example something like "name":"accounts/1234555" will appear.
Now, "123455" is your mybusiness's accountID.
In order to understand you should study well [https://developers.google.com/my-business/content/overview] and then [https://developers.google.com/my-business/ref_overview]
it seems that you are just interested in working in playground [https://developers.google.com/oauthplayground]
step by step go forward:
from [https://console.cloud.google.com/apis/credentials] copy your clientId and use it as the OAuth Client ID while selecting OAuth flow
=client-side , look at the photo:
then enter https://developers.google.com/oauthplayground as the photo below
then press Authorize Apis, next you need to sign in using the username and the password of the client you are going to do all these stuff for.
after that you can work in playground for an hour. If the time expires, you should follow the aforementioned steps again.
as it is highlighted in the photo below you should enter the values:
the request uri you see in the photo is going to be deprecated soon, the new one is
https://mybusinessaccountmanagement.googleapis.com/v1/accounts
or
https://mybusinessbusinessinformation.googleapis.com/v1/accounts
finally, at the right side window you are provided by a json response that you can see accountId
I have an interesting problem. Let's say we have a user, Bob, who logs in to some service. How can that service prove Bob's identity, assuming Bob actively wants others to try and impersonate him? i.e. How can we be sure that the user logging in is indeed Bob?
Using the MAC/IP address of Bob wouldn't work as these can be easily spoofed.
A username/password as means of authentication wouldn't work since Bob could just give these credentials to anyone.
A public-key system (e.g. using RSA for signing) wouldn't work as Bob could just share his private key with anyone.
What I essentially need is Bob to have some proof of ID that he cannot share (or is at least hard for someone else to replicate, given all information that Bob has).
Edit (in case this is useful): I'm working with an iOS app (Bob) and a Python web server (the service).
Alternatives:
Hardware token that the user must present during authentication like a usb token or a cryptographic smartcard
Biometrics can not be shared. For example fingerprint/voice/ear/iris recognition. In some cases you will need a reader (note fingerprint biometric data is not available in mobile devices), and you have to work with confidence ranges and huge databases for comparison. An ID is never 100% reliable.
public key cryptographic systems that manage non-extractable keys. The cryptographic provider in user side allow to generate or import keys that can be marked as non extractable, and can not be exported outside. e.g WebCryptographyApi, AndroidKeyStore, iOS KeyChain or Window Keystore. During user registration, is generated a cryptographic key pair, public and private. The public is sent to server associated with user account, and private is stored securely. Authentication is done with a digital signature using the private key.
See FIDO UAF (Universal authentication Framework) and FIDO U2F(Universal second factor)
https://fidoalliance.org/about/what-is-fido/
About iOS KeyChain, it allows to mark a key as non extractable. See Apple Documentation
Important
If you do not set the CSSM_KEYATTR_EXTRACTABLE bit, you cannot extract the imported key from the keychain in any form, including in wrapped form.
Take a look also to Store and retrieve private key from Mac keychain programatically
Right now, stripe is integrated with my rails app but I've never used the secret key given to me, I've only used the publishable key. What does the secret key actually do?
Also, I have this bit of code in my views:
<script type="text/javascript">
Stripe.setPublishableKey("my-publishable-key-here");
</script>
Is putting the publishable key right there safe? The stripe docs actually do the same thing, but I'm just not sure.
The publishable key is used in your client-side code to tokenize payment information, using Checkout or Stripe.js. It can only be used to create tokens, and tokens by themselves do nothing (they're only a representation of a payment source which hides the sensitive information).
The secret key is used in your backend code to send any other request to Stripe's API. You need to be careful never to leak your secret key, as it could be used to access your account and cause all sorts of troubles (refunding past charges, canceling subscriptions, deleting saved customers, etc.).
You can find all your API keys in your Stripe dashboard: https://dashboard.stripe.com/account/apikeys. If you ever need to, you can replace a key with a new one ("roll out" a key) by clicking the small "recycle" icon next to each key.
Currently i am working on one of old project within that there is a client id and client secret. Now i want to update those with new client id and client secret using another Developer account. I followed each and every step from
https://developers.google.com/+/mobile/ios/getting-started
Google APIs Console - missing client secret
But i can see only client id. Where is the client secret ?
Here i can see only client id
Hey this is step by step process ,hope this helps you...
Step 1:
Goto Google Developer console and create new app
Step 2:Enable the google plus api
You can see the enable api in the Enable API's tab which is next to API Library ,which is visible in second image.
Step 3: Goto to credential in API & auth tab then select credentials option
select the type of authentication you require
then you will can see the configure consent screen configure the page with the information you wish to provide .
Step 4: Select the web Application option on top
and enter required url's
and finally click create button
once you do that ..you can see ...client id and client secret key...
When in iOS, the application type of the OAuth credential should be 'iOS'.
And then you should pass an empty string as the client secret in your code.
Keeping a secret (that is global to the entire application, not unique per user) in an app is NEVER EVER secure. See https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps This is an amazing article, please spend as much time as needed to understand it.
Because it can't be kept secure, using client secret in iOS is the old, outdated approach. Nowadays you want to use proof-key-code-exchange (PKCE). It's also explained in above link, but in short:
Generate a secret key in iOS, it is one time use for that one specific login
Only send the hash of the key to the login authority (Google). The original has not left the app yet
To get the tokens, you send: <AuthorizationCode,ORIGINAL secret> AuthorizationCode is also a one time use
Google can compare the "original secret" to the previously sent hash. It therefore knows you are not an attacker that has stolen the AuthorizationCode
Back to the question. Google let's you create different types of "Apps":
Web application: Has a client secret (It's on a backend server, not on a publicly accessible iOS app)
iOS app: Has "iOS URL scheme" instead. There are frameworks that use this URL scheme and do the steps I described above for you (including PKCE). Disclaimer: I'm not an iOS developer, but I'm 99% certain