I am currently developing an app that's going to show a Facebook page's events in one tab. Now I'm struggling with facebook's graph API and I think I just need some more explanation about how the whole thing is meant to be.
I registered an app and got my app id, app secret and an access token. Generally it works by using my app id and the access token. But from what I've read there are two drawbacks with that.
The token expires.
There seems to be only one token at a time.
If the token expires I need to re-authenticate my app whenever the session is not valid any more. But - what's the correct way to do that? Is it by sending the request method by adding my data to the params dictionary?
And if there can only be one app access token at a time, will it result in conflicts when multiple clients are going to connect?
I want my app to just read public data, so authenticating a user is a no-go, as its simply not needed (I hope). But the more I think about it the more I think that using an app's token is not the correct way either.
How is this generally achieved? Do I need a wrapper web app to implement reading public event data?
Thanks for your help
Arne
I've never had a problem using one app token with multiple users.
As for expiring tokens, you can request a generic token, which should be sufficient for retrieving public data, by sending a GET request to:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
Related
I need to send emails from my server, through simple REST calls, from my backend-server email address, to the email addresses registered in the system.
But there is a problem, bear with me.
The thing is a lot of the documentation I've seen so far seems to assume I want to access the clients gmail data, which I don't, I only use the client's address as a destinatary.
A lot of the examples I've seen, involve a visual promt to authorize the access to the api.
BUT WHY?
They assume I'm gonna be making apicalls from a mobile device, acting on behalf of the client, which needs a visual prompt for consent. But none of that applies to my use case.
The thing is, there is ever only gonna be one sender, "ME" (the company email designated for the backend server).
I should be able to create a secret api_key on the google console, and send that in my request headers (like freaking FIREBASE does), or use that key to generate a token which I then send to the api endpoint (like Paypal does).
I want to be able to do something like:
POST https://gmail.googleapis.com/upload/gmail/v1/users/{userId}/messages/send
Authorization: key=<key_created_on_google_console_or_token_obtained_using_said_key>
{
message stuff...
}
The api reference on google says that I need to create an authorization using OAuth credentials, which I'm then supposed to use to create a short lived token that is inserted as
"Authorization: Bearer <TOKEN>"
in my next apicalls, until it expires. But...
In the console, creating a new OAuth2.0 client ID, says I need to create an app. But I already have a proyect and an api_key (with permissions to gmail api). And that said app is gonna have to be sent for review!. What's going on?.
So..
How do I send emails, from my own-controlled email address, using REST calls.
It's all server side, no need to access any user data (not even my own), I already control the sender address, I already have created a project on google console, I already created an api_key.
OAuth seems to think I'm doing something I'm not, so what am I missing?.
Thanks.
The Bearer token is an OAuth2 access token that you get after authorizing your app to access your Gmail account. It's designed for 3rd party authorizations really (like your users allowing your app to access their Gmail) that is why it seems complex when you're accessing your own account.
Check this out https://developers.google.com/identity/protocols/oauth2
Turns out I was trying to use the wrong tool for the problem.
After looking for alternatives I found out about MailGun and SendGrid.
Tried SendGrid and it fit like a glove. Love it.
I was using Gmail+PHPMailer for this problem and thought the new api was meant to replace that, but turns out it's not.
Alexey pointed out the intended use in his answer. Actually I might end up integrating the new Gmail api more in line with it's intended use on my clients mobile devices.
It was all my missunderstanding.
Thank you for your time.
I cannot find a good working sample that calls the Graph API and retrieves the user's contacts from within an Azure Function. Part of the issue is a lack of documentation and samples as this seems new-ish. Is this even possible? I am trying to create a function that can take a phone number and check against the user's contacts to see if the contact exists. So far, the only way I can achieve authentication is to use Postman to retrieve a token manually. That token didn't even work to retrieve the contacts. I know I am doing something wrong but I think what I really need is the big picture. I'm missing something. Thank you for your help.
The auth token binding may help at least with the act of getting the token. In this case, if it's on behalf of the user invoking the function, you'll want to use the identity: userFromRequest setup. Keep in mind that for debugging, you'd still have to acquire a user token for the app and attach that to calls to your function, but you can use the function app's /.auth/login/aad and /.auth/me endpoints for that.
Make sure that your application registration has the Contacts.Read permission. This is required for the contacts API.Today, the UX for App Service Authentication / Authorization today links to the existing permissions UX, which unfortunately uses different names for things. I'd recommend navigating directly to the AAD section of the portal and selecting App registrations (Preview). Find your app registration there (defaults to same as your app name), and browse through the API permissions there. That way the right names show up and will match the Graph docs.
I am developing one application which uses the youtube-data-api. I know it must be use with UI but I want to use it with predefined my own user credentials with back functionality in Curl or any php programming.
So I want like on one click my app should automatically get the auth access code without UI which is based on just a web server link calling from application back-end.
Can you please help to sort out my issue?
The problem you are going to have with this is that YouTube API doesn't not support service accounts.
You are going to have to use Oauth2 and authenticate your application once. Save the refresh token then use the refresh token to access the account later from your back end application.
You will have to keep an eye on it refresh tokens don't expire often but on rare cases they can expire you will need to authenticate it again if it does.
I was just wondering if there was a simple function to create a customer in the Stripe API from my app in Swift? Instead of having to create a manual HTTP post request to my server, "createCustomer.php", and then retrieve the results (This is what I do right now).
I tried to search this up on Google, but I can't seem to find anything. I simply want the user to save their card details for later user, that's why I am in need of creating a customer.
Thanks in advance!
Except for payment information tokenization (which is done via Stripe's iOS or Android SDKs in mobile apps, and Checkout or Stripe.js in web apps), all API requests must be sent from a backend server.
The reason is that aside from token creation, all other API requests must be sent using your secret API key. You cannot embed or share the secret API key with your mobile app in any way, as it would then be possible for an attacker to retrieve it and use it to issue API requests on your behalf.
This is why there is no Swift function to create a customer -- the customer creation must be done from your backend, using the server-side language of your choice.
I have a mobile app (React native) that I am using with ParseReact with and have it so the user can immediately send data to parse inside the app. How can I lock this down so that parse.com will only take data from users with the APP installed?
Mitigations I have thought about:
Using ip address, geolocation, deviceUUID (per app)
Possible encrypting traffic to parse to hide something secret?
I know 98% of users will likely be nice and not fake this but I'm worried about the hackers
The short answer is you can't. If you give public access to any of your classes, anyone can write to it and you will have no control on who is reading the data. You can make it difficult for someone to send write requests outside of your app by embedding a signature in your app and forcing all your public writes to go through cloud functions. You use the signature to sign every write request and send the signed token as a parameter to your cloud functions where it will be verified before you accept a request. But remember a cracker can easily find your signature in your app binary so this not bulletproof.