I am a newbie here and am trying to use the Foursquare API to build a mobile application. Most of my functionality is client side and I do not want to host my application but the OAuth process requires me to provide an application URL and a callback URL. Any ideas on whether I can get around this requirement? Can I provide dummy URLs?
You can specify a dummy URL and sniff the key off of the path (see: https://github.com/anoopr/core-data-talk/blob/master/example/Classes/FoursquareAuthViewController.m).
Alternatively, I believe you can specify an iOS custom URL scheme that your application then handles appropriately.
Related
I'm trying to implement SSO in my mobile application but I'm having issues with the redirect URI on the iOS side. Currently my redirect has the scheme https://. I realize this is an issue and want to move to a custom URL (example: com.myapp.xamarin).
The issue that I'm running into now is that I'm worried this violates the https protocol and my login token will be vulnerable to attacks.
All the documentation on how to implement a mobile redirect uses custom URL schemes. I find it hard to believe that big companies such as Google, Microsoft, and Facebook all allow these custom URL schemes without them being secure.
Does anyone know anything, or can link me anything, stating that custom URL schemes are still secure?
How do you make a request to Google to get a user's profile information with the returned tokens from Azure Mobile Apps? Specifically I am using the iOS Microsoft SDK in Objective-C.
I found this article but it looks to be referencing old information based on the date and the response that was returned.
I also tried calling /.auth/me as a GET request, but that returned Cannot GET /api/.auth/me
You need to make an HTTP request to /.auth/me, but without using the custom API support that's in the iOS SDK. In other words, use NSURLRequest directly, and not MSClient.invokeAPI. Your call needs to be authenticated, so put the token from client.currentUser.mobileServiceAuthenticationToken in the X-ZUMO-AUTH header.
We have an open feature request to add a method to the client SDKs to make this easier: https://github.com/Azure/azure-mobile-apps/issues/30.
And, you're right that your article was referencing information on Azure Mobile Services, which behaves completely differently when it comes to authentication.
If I am using ngCordovaOauth for authentication for Facebook, Twitter and Instagram, then what should the callback URL be when developing an app for mobile?
If you read the plugin docs:
Using ngCordovaOauth In Your Project
Each web service API acts independently in this library. However, when configuring each web service, one thing must remain consistent. You must use http://localhost/callback as your callback / redirect URI. This is because this library will perform tasks when this URL is found.
So, the callback URL is http://localhost/callback
The documentation at https://developers.google.com/console/help/new/#generatingdevkeys states that:
Create and use an iOS key if your application runs on iOS devices. Google verifies that each request originates from an iOS application that matches one of the bundle identifiers you specify. An app's .plist file contains its bundle identifier. Example: com.example.MyApp
Does this mean that the google APIs (server-side) somehow verify/ensure that only my app can use this key? Or, does it just mean that the iOS libraries that google provides will do a sanity check before accepting the api-key? Is there anything to prevent a malicious user from decompiling my iOS app and re-using this api-key within his own app (making direct HTTP calls without using google iOS libraries)?
Extending this to the api-key used in browsers - the only protection seems to be the Referer check against a whitelist of domains. Is there anything stopping a malicious app developer from taking my api-key from the browser and using it within his native app (which sets a fraudulent Referer header)?
So basically you are correct: the API key is mandatory because only you/your app should have access. But the fact is that everyone with your API key can have access. And the Play Store has a big issue with API keys that are not hidden:
http://www.cnet.com/news/thousands-of-secret-keys-found-in-android-apps/
For the second question I have no idea, sorry.
I have a website that requires any user to be logged in using the Facebook auth system.
On the other hand I am making an iOS App that needs to consume functionalities of the website. I implemented the SSO system on the iOS system but I don't get how I'm supposed to call my webservices in a way that tells the backend that "it's ok, I'm authenticated on the iOS app".
Is there anything to do with the signed_request parameters on the iOS side? If yes, I didn't find any way yet to get that parameter.
Do you have any clue to help me deal with my issue?
Thanks
https://developers.facebook.com/docs/authentication/signed_request/
The signed_request parameter is utilized to share information between Facebook and app in a number of different scenarios:
A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment
A signed_request is passed to any app that has registered a Deauthorized Callback in the Developer App whenever a given user removes the app using the App Dashboard
A signed_request is passed to apps that use the Registration Plugin whenever a user successfully registers with their app
Does iOS use any of these?
** EDIT **
Ok thanks, can you edit your answer and add the fact that I can't access the signed_request parameter? – MartinMoizard
From Martin: iOS cannot access the signed request parameter, probably because iOS is not a webserver that is able to accept HTTP POST parameters.
I am struggling with this same problem, and it seems that OAuth is actually an authorization protocol, not an authentication protocol. See:
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
Seems like the signed request would solve this problem nicely. Not sure why we cannot get them on iOS. Best I can figure out is I need to pass my access_token from the iOS client to my server, and then it can ask graph.facebook.com what user it represents.
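The server-side half of that approach, as an added example (not code from the original answer): the backend receives the access_token from the iOS client and asks graph.facebook.com who it belongs to via the /debug_token endpoint, which is called with the app access token ("APP_ID|APP_SECRET"). The response checks assume the documented debug_token fields (is_valid, app_id, user_id); the sample responses and IDs below are constructed.

```python
"""Verify a Facebook user access token handed up by a mobile client (added example)."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH = "https://graph.facebook.com"


def debug_token_url(input_token, app_id, app_secret):
    # /debug_token inspects a user token. It is authenticated with the app access
    # token "APP_ID|APP_SECRET", so this must only ever run on the server.
    query = urlencode({"input_token": input_token, "access_token": f"{app_id}|{app_secret}"})
    return f"{GRAPH}/debug_token?{query}"


def validate_debug_response(payload, expected_app_id):
    """Return the Facebook user id if the token is valid and was issued for our app, else None."""
    data = payload.get("data") or {}
    if not data.get("is_valid"):
        return None  # expired, revoked or malformed token
    # A token that is valid but was issued to a different app must be rejected:
    # otherwise any third-party app could log its own users into this backend.
    if str(data.get("app_id")) != str(expected_app_id):
        return None
    return data.get("user_id")


def fetch_user_id(input_token, app_id, app_secret, opener=urlopen):
    """Round-trip to Graph API; `opener` is injectable so tests can run offline."""
    req = Request(debug_token_url(input_token, app_id, app_secret))
    with opener(req) as resp:
        payload = json.load(resp)
    return validate_debug_response(payload, app_id)


# Constructed sample responses shaped like the Graph API's debug_token output.
SAMPLE_OK = {"data": {"app_id": "123456", "is_valid": True, "user_id": "987", "scopes": ["email"]}}
SAMPLE_OTHER_APP = {"data": {"app_id": "999999", "is_valid": True, "user_id": "987"}}
SAMPLE_EXPIRED = {"data": {"app_id": "123456", "is_valid": False, "error": {"code": 190}}}

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("other app", SAMPLE_OTHER_APP), ("expired", SAMPLE_EXPIRED)]:
        print(name, "->", validate_debug_response(sample, "123456"))
```

Only the user id returned by this check should be trusted to establish the backend session; the raw token from the client proves nothing until Facebook confirms it and the app_id matches.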