so, I just need to retrieve user basic info(/verify_credentials(twitter), /me(facebook) so Im trying to roll my own code for now
got it on facebook on second try since all I need is a request to graph.facebook.com/me + access_token
but now trying to do it with twitter has been incredibly painful, I just can't figure it out by the docs, so, please, what does a request to twitter api /verify_credentials look like?
what are the params?
twitter api, y u suck?
Facebook uses oAuth 2.0, which is much easier to implement than oAuth 1.0 (which twitter uses).
An example request to verify_credentials API could look like this:
https://api.twitter.com/1/account/verify_credentials.json?oauth_consumer_key=XXX&oauth_nonce=XXX&oauth_signature_method=HMAC-SHA1&oauth_token=XXX&oauth_timestamp=123456789&oauth_version=1.0&oauth_signature=YYY
oauth_consumer_key is self explanatory
oauth_nonce can be pretty much a random string of characters
oauth_signature_method is always HMAC-SHA1
oauth_token is your access token
oauth_timestamp is current UNIX timestamp (in UTC)
oauth_version is always 1.0
oauth_signature is your generated signature (which twitter will verify by reproducing)
You generate the value of the oauth_signature parameter by constructing a signature base string which consists of the following parts.
HTTP method in upper case (in this case GET)
an ampersand &
URL-encoded base URI (everything from https up to and including verify_credentials.json)
an ampersand &
all request parameters in alphabetical order, url encoded. (oauth_signature should NOT be included in this though)
The pseudo code in the section Signing requests in Twitters documentation describes the signing process elegantly:
httpMethod + "&" +
url_encode( base_uri ) + "&" +
sorted_query_params.each { | k, v |
url_encode ( k ) + "%3D" +
url_encode ( v )
}.join("%26")
And then you sign the resulting base string using the consumer secret, and the access token secret. That's all there is too it :)
But before issuing any requests to the API you will of course need to actually get an access token. Once you grasp the oAuth 1.0 flow, and the signing process. You'll be home. Twitter's documentation does a great job at explaining the process, but it is a quite a bit to wrap your head around. Worth it though.
Related
I handled a lot of API from many exchanges.
I want the API to work without user intervention.
Usually, I wrote codes like this
Dim timestamp = getEstimatedServerTimeStamp().ToString
Dim domain = "https://api.kucoin.com"
Dim endpoint = "/api/v1/" + method
Dim stringtosign = timestamp + "GET" + endpoint '1553106384182GET/api/v1/accounts
'Dim secretandpassphrase = _secret1.Split("|"c)
'Dim secret = secretandpassphrase(0) 'a7c38ae4-b6e3-4254-b78c-*******
'Dim passphrase = secretandpassphrase(1) '7Q5eVqOw*******
Dim hasher = New System.Security.Cryptography.HMACSHA256(System.Text.Encoding.UTF8.GetBytes(_secret1))
Dim sighashbyte = hasher.ComputeHash(System.Text.Encoding.UTF8.GetBytes(stringtosign))
Dim sighash = System.Convert.ToBase64String(sighashbyte)
Dim url = domain + endpoint 'url https://api.kucoin.com/api/v1/accounts
Dim response = CookieAwareWebClient.downloadString1(url, "", {Tuple.Create("KC-API-SIGN", sighash), Tuple.Create("KC-API-TIMESTAMP", timestamp), Tuple.Create("KC-API-KEY", _apiKey1), Tuple.Create("KC-API-PASSPHRASE", _passphrase1)})
Return response
So I am using the secret and the API key.
However, at Sstex, something is different.
First, they told me to register a client and a redirect URL. What does redirect URL mean?
I tried
going to https://apidocs.stex.com/#/Profile/get_profile_wallets
to try some demo.
It turns out I can see my wallet content without using my API key and secret at all. Instead of API key and secret I authorize here
https://apidocs.stex.com/#/Profile/get_profile_wallets
Then I can see my balances.
So I tried some similar code after looking on the web
I did
If token = "" Then
Dim token1 = CookieAwareWebClient.downloadString1("https://app.stex.com/oauth/authorize?client_id=1**&client_secret=3vmEisPCGekF1JGePkwdSKdf4Q00lJTKmwxh****")
End If
Instead of json I am getting an html.
So I wonder.
What exactly I should do with OAuth? Is it designed for something different than regular API access?
The manual says I should curl things like
curl -X GET "https://api3.stex.com/profile/wallets?sort=DESC&sortBy=BALANCE" -H "accept: application/json" -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjY1NzUyODQwYmMzMmMwNGU0MTExNmRmYjQ0M2I5NWY4NzAzYmVkYWIyNTk0ZWZhMTg3ZjhhMmQxOThiNzM1NGRkNThjZmYzYWJkZWEzZjg5In0.eyJhdWQiOiIxNDIiLCJqdGkiOiI2NTc1Mjg0MGJjMzJjMDRlNDExMTZkZmI0NDNiOTVmODcwM2JlZGFiMjU5NGVmYTE4N2Y4YTJkMTk4YjczNTRkZDU4Y2ZmM2FiZGVhM2Y4OSIsImlhdCI6MTU1MzI4NTc4NiwibmJmIjoxNTUzMjg1Nzg2LCJleHAiOjE1NTMzMjg5ODYsInN1YiI6IjMxOTgwMSIsInNjb3BlcyI6WyJwcm9maWxlIiwicmVwb3J0cyIsInRyYWRlIl19.aRuu1gmUmpcck_rMh9fcQwfDeJezn0tD0v1aSJ7joIhtsIXAdaw0H-SFOXwzo_HevFrcDnWGrZ4s9sTd1_vgRS2or7HyiV54c0ItVym6bOMKnFhGuxWWLubXN9HstjiM9TSghk7FtF5J0XeIDcY4vp25ycBmWM6Dddeyu4ehu3hurG-jUyT9N1C4u5KwqkYazeE1Z6XpCUrH77tAIlecTssPUzDtM6j-dYJOirYLx-E7fTn6H_bpHq_mosiHEy7IGe2uyggx0UIg4YIIX0noATxNfFiqZlXc32u8NywS7bDkFJ8e4s2r6vbL9pZU7Qe81IFrhs2jgUrQyjxe4SKsyolA9SulwF1haqsRGYTN_fNZyNm7u_Nzs2-RWxZw7h5KHT48AI483bHqJS3qfpjNF7FdpEufnn1QuFplumvyATtlEf56RCTfZ11fWjaET_b19P_3KpJw8H3pYSh8f-7MdIJcn68X1ls_9GahKKlX059I2M_6S2XkjwvnETlhiWGIdpttg2rJ1oHsEiNUuYzj7d1MBKGhSMX4y8OpB9hhW6CjgajG-YVk3SU6JWaVBEY_1w49Q6U-KxD4nzMK5I85Cn1C1iDPExuOwuyRRH1XSxsXLQ9tURsLOytlp7LkUNvzxb5lxZ18ho-OkvkWVkS18oSxR5y__WllywD_6_NT64s"
So I should get a bearer token. How do I get it with say, curl?
I want standard web query such as using curl. I want to avoid unfamiliar library like some specialized oauth library.
I am making an app. I am not making a website. Should I even use oauth2?
I read about oauth2 here
https://aaronparecki.com/oauth-2-simplified/#roles
It says that "users" will see some website and they can "authorize".
Look. The user is me. I got the API key, secret, client id, client secret. I don't want "users" to be shown anything. I approve all this stuff.
Stex says that they will abandon their version 2 API and will use version 3API. They said that version 3 API uses Oauth.
Is oauth even suitable for an app that run unattended?
I am new to Zapi(Zephyr API).
Question 1: I am one of Jira user in my project. Jira admin has installed ZAPI(trial version).
Now as a regular user will i able to access ZAPI API's with user ID and credentials
Question 2:
I am trying to evaluate GET call
Endpoint : https://zephyr-cloud/rest/zapi/latest/systemInfo
Headers i am using in postman
Authorization": " Basic " + b64encode(username + ":" + password)
Content-Type:application/json
Please let me know, what I am missing here or else is there any other way I can get access to fetch details.
Thanks
You need to parse session random value from key "AO-7DEABF" (or similar)
from HTML page after authorization into Jira
add then add this (key: value) to each ZAPI request during the session as header
What error are you getting?
Only Authorization and content-type is required for making request via postman. You can encode the username/password from https://www.base64decode.org/ and directly put the encoded value (it will start with the word "basic").
I'm working on a small swift program to work with Yelp API over OAuth-1. I am looking to generate a HMAC-SHA1 signature.
I have the customer key, secret key , token and token secret.
From what I know, to make an API request with OAuth1, we need the following attributes :
1.oauth_consumer_key
oauth_token
oauth_signature_method = (HMAC-SHA1)
oauth_signature
oauth_timestamp
oauth_nonce
I have the first 1,2,3 parts but I don't know how do I generate #4,5,6
I am kind of new to ios/swift3 so please point me into right direction
try to look at that implementation: https://github.com/SwiftP2P/SwiftSSL/blob/master/SwiftSSL/HMAC.swift
How to work with Dwolla API which required Client_id & Client_Secret
https://www.dwolla.com/oauth/rest/users/{account_identifier}?client_id={client_id}&client_secret={client_secret}
I already register Application. And Got Key and Secret
But when I call above described API Endpoint via Fiddler. Got bellow response.
{"Success":false,"Message":"Invalid application credentials.","Response":null}
Note: I tested Client_id = API Key / Client_id = Application Key. But the response remain same. What is the problem ?
The client_id is just another name for the API/Application Key, which identifies your application. The client/application secret is a string that functions as a password for your application. Just like a password, you should never give out your application secret; and if it's ever compromised, let us know immediately and we'll generate a new key/secret pair for you.
About your failed request: Try encoding your application key and secret. If special characters aren't escaped from the URL, the request will be interpreted differently from what you intend.
You can quickly encode the two strings from your Javascript console:
var key = "EUFH378&36%394749D\DWIHD";
encodeURIComponent(key);
Result: "EUFH378%2636%25394749DDWIHD"
var secret = "WOIDJ38&IDI\DK389DDDDD";
encodeURIComponent(secret);
Result: "WOIDJ38%26IDIDK389DDDDD"
And place their encoded equivalents back into your request URL:
https://www.dwolla.com/oauth/rest/users/gordon#dwolla.com?client_id=EUFH378%2636%25394749DDWIHD&client_secret=WOIDJ38%26IDIDK389DDDDD
I've a problem when trying to do a webrequest to UGC and authenticate using oAuth. I'm making a webrequest such as:-
WebRequest wr = WebRequest.Create("http://ugc.service/odata.svc/Ratings(Id=200)");
wr.Headers["authorization"] = "OAuth " + auth;
Where auth is my token returned from the access_token.svc. According to the documentation the token returned from the service should be something like:-
HufXeuUt%2FYYElA8SYjJOkUkrXxV9dyXRirmKhjW%2Fb%2FU%3D
However, what I'm being returned from access_token.svc is more like:-
{"access_token":"client_id%3dtestuser%26expiresOn%3d1361898714646%26digest%3d%2fW%2fvyhQneZHrm1aGhwOlgLtA9xGWd77hkxWbjmindtM%3d","expires_in":300}
I've parsed the JSON to extract various strings and attempted to pass these through to the authorization but whatever I try I get an error in the logs - "ERROR OAuth2AccessToken - Digest is wrong." Exactly what part of the token and in what format should I be passing through to authorization?
Many thanks
John
Like you mentioned, the protocol is this:
You make a post request to the access token end-point to get a token (you need to provide here your client_id and your client_secret as headers or as query parameters);
You get an answer similar to this: {"access_token":"sometoken","expires_in":300};
2.1 Worth knowing is that the token is url encoded and in UTF-8 format so, on Java side you need to do URLDecoder.decode("sometoken", "UTF-8"); while on .NET side you need to do HttpUtility.UrlDecode("sometoken", System.Text.Encoding.UTF8);;
Your next request needs to include the authorization header. On Java side you do builder.header("authorization", "OAuth " + decodedTokenString); while on .NET side you can use Client.Headers["authorization"] = "OAuth " + DecodedTokenString;
Worth mentioning is that the SharedSecret defined in the cd_webservice_conf.xml (/Configuration/AuthenticationServer/SharedSecret/) of the TokenAccessPoint needs to be the same as the SharedSecret defined in the cd_ambient_conf.xml (/Configuration/Security/SharedSecret/) of the (WebService)EndPoint.
Are you sure you decoded properly the token gotten from the server? Are you sure that you configured the proper SharedSecret in the two configuration files?
Hope this helps.