Graph / Google API, is it possible to get code without browser log-in? - google-api

I'm developing an app where automation is the main component. It sets up by showing the QR code in front of the camera and then everything is set up automatically. I wonder if it's possible to get a "code" by passing the credentials with a POST request or something similar without the user needing to interact. Let's assume the user gave consent already on a computer.

There is a method to get access on behalf of a user.
Please refer to this document for further information: https://learn.microsoft.com/en-us/graph/auth-v2-user

Related

Google javascript api client, automatically login to same account without popup

Is there a way to automatically authenticate the google javascript api client, without user interaction?
Something like this:
User loads webpage -> webpage automatically signs in to a predefined user account -> API calls get executed
Basically I want to prevent the popup where you have to select an account and sign in to it, as the account which will be signed in is always the same.
EDIT:
pinoyyid's answer looks promising and is what I'm looking for. But this only works if the user has signed in with an account at least once, if I'm not mistaken.
Now I don't want to use an account supplied by the user, but a predefined account which I am the owner of, and sign this account in.
I'm not entirely sure if this is even possible, as I have to provide the password/some authentication code to Google and somehow do this in a secure way.
Use Case: The website will create a YouTube Broadcast via the YouTube Data/Livestream API for the specified account.
Yes you can do that. Referring to https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
there are three pieces of information that will get you where you want to be:-
The OAuth URL can include a login_hint which is the email of your intended user
The OAuth URL can also include prompt=none which will do its work silently
This all needs to run in an iframe because this is based on origins and redirects.
==EDIT==
If the requirement is for a browser client to connect to a Google Account other than that of the browser user, then this is not possible. It's kinda obvious really that to do so would require a credential in the browser which by definition is not a secure environment.
The approach I would take would be to use a service such as Lambda or Google Cloud Functions (or whatever marketing name they have this week) to create a proxy for the corresponding Google API using a credential stored server-side.
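The silent request described in this answer, as an added example that is not part of the original answer or of Google's documentation: it builds the implicit-flow URL with `login_hint` and `prompt=none` and parses the redirect, including the error case where no existing session or consent is available and an interactive sign-in is needed. The function names, the `app.example` redirect URI and the sample redirect values are assumptions; the endpoint and parameter names are those of the linked Google document.

```javascript
// Added example: silent implicit-flow request and redirect handling.
const GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Build the URL to load in the hidden iframe. `state` must be a fresh random
// value generated by the caller and remembered until the redirect arrives.
function buildSilentAuthUrl({ clientId, redirectUri, scope, loginHint, state }) {
  const url = new URL(GOOGLE_AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "token", // implicit flow: token comes back in the fragment
    scope,
    state,
    login_hint: loginHint,  // email of the intended user
    prompt: "none",         // never show a login or consent screen
  }).toString();
  return url.toString();
}

// Parse the URL the iframe was redirected to. Returns either
//   { ok: true, accessToken, expiresIn }
//   { ok: false, reason }  -> caller falls back to an interactive sign-in
function parseSilentAuthRedirect(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  // Implicit-flow results arrive in the fragment; fall back to the query string.
  const params = new URLSearchParams(url.hash.replace(/^#/, "") || url.search);
  // Reject responses that do not echo our state (forged or stale redirects).
  if (params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  // With prompt=none the server answers with an error instead of showing UI.
  if (params.has("error")) {
    return { ok: false, reason: params.get("error") };
  }
  const accessToken = params.get("access_token");
  if (!accessToken) return { ok: false, reason: "missing_token" };
  return { ok: true, accessToken, expiresIn: Number(params.get("expires_in")) };
}

// Constructed sample redirects (placeholder values, not real tokens).
const SAMPLE_OK =
  "https://app.example/cb#access_token=TOKEN_PLACEHOLDER&token_type=Bearer&expires_in=3599&state=s1";
const SAMPLE_FAIL = "https://app.example/cb#error=interaction_required&state=s1";
```

The token is only ever issued for an account that already has a session and prior consent in that browser, which is why the server-side proxy in the edit above is the route for a predefined account.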

OAuth 2.0 for Google API requests in PHP Webhook

I'm faced with a difficult scenario regarding OAuth 2 authentication and Google's Calendar API.
I am attempting to write a PHP script which processes my personal calendar data after being triggered by a POST call from an external source. However, I am having trouble granting the script access to my account. Since the script runs entirely in the background, there is never an opportunity for me to enter the authorization code which is required for PHP command line tools making Google API requests.
I have looked into Service Accounts, which grant access to personal data without individual approval, but unfortunately this is only available to G Suite users, which I am not.
I have also attempted to run my script manually, enter the code to authenticate, then run it from my external source. This doesn't work either, because the authorization codes are apparently only good for the same mode of access where it was entered, and the response to the external source still shows as asking for the code.
Lastly, please note that responding with the authorization code from the external source is not an option. While I can activate the trigger, I cannot change how it works or the data it passes.
TL;DR: How do I grant a PHP script (which runs only in the background) access to my personal Google Calendar data?
Thanks in advance!
Articulating this question actually helped me better formulate my Google searches, and I found the answer!
I'll leave this question/answer here so somebody can hopefully benefit from it -
Turns out that the Service Account is the way to go, but instead of trying to access your account's data via the service account, you need to share the calendars in question with the generated service account email address. Essentially, this makes the service account a "co-owner" of the calendar. Then, you simply make the request to the service account's own information.
Hope this helps!

Instagram API for a Mac Application

I have gone through the Instagram Authentication documentation and I could see that there is no direct way to authenticate other than taking the user to a URL specified by the Instagram.
This is what Instagram documentation says.
In order to receive an access_token, you must do the following:
Direct the user to our authorization url. If the user is not logged in, they will be asked to log in.
The user will be asked if they would like to grant your application access to her Instagram data.
The server will redirect the user in one of two ways that you choose:
Server-side flow (recommended): Redirect the user to a URI of your choice. Take the provided code parameter and exchange it for an access_token by POSTing the code to our access_token url.
Implicit flow: Instead of handling a code, we include the access_token as a fragment (#) in the URL. This method is less secure, but allows applications without any server component to receive an access_token.
See we should take user to a particular URL. Instagram uses OAuth 2.0.
But the thing is that there is a Mac App named Flume, which does not take the user to a URL. It simply lets the user enter their username and password, and Flume connects to the Instagram API, and the user successfully gets logged in and is able to see his media content.
I wonder how Flume is doing this? Am I understanding the documentation incorrectly?
Please help. Thanks in advance.
You're reading the documentation correctly.
Flume doesn't use the Instagram API, so it is not affected by its limitations. Instead, it will likely use web scraping by opening the Instagram website in an invisible browser instance, there entering the user data and commands on the behalf of the user, then scraping the results from the next invisible browser page etc.
There are different approaches on how to achieve this in OS X, a starting point could be Web scraping in Objective C. For a conceptual overview, you could have a look at RoboBrowser, which is a Python library but gives you an idea of how this works.
"Instead, it will likely use web scraping by opening the Instagram website in an invisible browser instance, there entering the user data and commands on the behalf of the user, then scraping the results from the next invisible browser page etc."
This is actually false. Flume has found a way to use Instagram's internal API to display content. Using a man-in-the-middle proxy client such as Charles will show that the network requests that the Flume app makes are very similar to the network requests made by Instagram's different native apps. Flume mimics Instagram's network requests in order to set HTTP headers/cookies/auth data to retrieve/post information.
I'm happy to post pictures/files to verify this for anyone that may wish for further proof of this.

Google+ API - Moments visibility

I am currently researching Google+ REST API to post to a user's stream.
The basic requirements are:
The post should be created without user's review using server side request (user should give his permission to post on his behalf in the future).
The post must be visible to all user's friends.
As I understand from reading the documentation, posting to the stream without actually getting permission at creation time from the user is impossible; however, creating 'moments' doesn't require permission upon posting, so the user should give his permission when authorizing the app.
Since I didn't find anything that explains how a moment can be created to be visible to all of the user's friends, can someone who is familiar with this API explain how the visibility of a moment is determined and at which step? A reference to the API documentation would be good as well, but I didn't find any.
Thanks
The moment methods do not write directly to a user's Google+ stream. They instead write to a user's profile, and are not necessarily viewable by others depending on the user's preferred sharing settings.
Manage app activities in Google
During authorization the user chooses who their activity is visible to.
Once authorized a user should be able to see their own activities on Google+ and you can view other people's activities by clicking on an app from their profile about page.

Google API Oauth Installed application

I am using google oauth 2 for authentication. (Installed application)
Right now, when the user allows access in the user consent screen, how can I retrieve the auth code from the redirect URI without involving the user in cutting, copying and pasting the auth code? How do I read the auth code from the title bar?
In any Operating system a program can read titles from the windows of any other application ( including your browser ).
In order to help you I would need to know what OS you are using and what language you are using to develop your Google declared "Installed Application".
The following thread shows you how to get a list of windows titles in Java
How to get a list of current open windows/process with Java?
For installed application, you can use the special redirect_uri urn:ietf:wg:oauth:2.0:oob, and the authorization code will be returned in the title bar of the browser, your app can read the title of the HTML page to obtain the authorization code.
The title of the page will be like this: Success code=AuthorizationCode
So you can check the webpage, if the title contains this string, you'll get code.
Yes, this can be done by using a Google service account. They will provide us a p12 key and we can make use of it without any consent screen.
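How a service account avoids the consent screen, as an added example that is not code from any of the answers: the service-account route in this answer and in the Calendar answer further up replaces the browser login with a signed JWT assertion (RFC 7523) posted to Google's token endpoint. The function names, the sample service-account address and the freshly generated key pair are constructed for illustration, and the private key is assumed to be available as a PEM or Node key object rather than the raw p12 file.

```javascript
// Added example: building and checking a service-account JWT assertion (Node.js).
const nodeCrypto = require("node:crypto");

const TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";
const b64url = (input) => Buffer.from(input).toString("base64url");

// Build the signed assertion the server sends instead of a user login.
// `now` is a millisecond timestamp, passed in so the result is reproducible.
function buildServiceAccountAssertion({ clientEmail, privateKey, scope, now }) {
  const iat = Math.floor(now / 1000);
  const header = { alg: "RS256", typ: "JWT" };
  // Keep the scope as narrow as the job needs; exp is at most one hour after iat.
  const claims = { iss: clientEmail, scope, aud: TOKEN_ENDPOINT, iat, exp: iat + 3600 };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = nodeCrypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Form body to POST to TOKEN_ENDPOINT; the response carries the access token.
function buildTokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    assertion,
  }).toString();
}

// What the token endpoint does with the registered public key: verify the
// signature and only then trust the claims. Returns the claims or null.
function verifyAssertion(assertion, publicKey) {
  const [header, claims, signature] = assertion.split(".");
  const valid = nodeCrypto.verify(
    "RSA-SHA256",
    Buffer.from(`${header}.${claims}`),
    publicKey,
    Buffer.from(signature, "base64url")
  );
  return valid ? JSON.parse(Buffer.from(claims, "base64url").toString("utf8")) : null;
}

// Constructed key pair standing in for the service account's downloaded key.
const SAMPLE_KEYS = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
```

Whoever holds the private key can act as the service account with no consent prompt, so it belongs in server-side secret storage and never in a browser or an installed client.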
