We are using Go server side code to interact with Google Ads REST API.
Namely, we authenticate it with help of "golang.org/x/oauth2" and
"golang.org/x/oauth2"packages.
In May (and recently again) we've got a email from Google regarding deprecation
Out-of-band flow, essentially rewording of this
one.
But additionally to common information, Google email listed account, which we
are using to authenticate, as being used in OOB flow and going to be blocked.
We checked our sources and available sources of mentioned packages but was not
able to find redirect URIs which are said to be used for OOB flow as one of
those:
redirect_uri=urn:ietf:wg:oauth:2.0:oob
urn:ietf:wg:oauth:2.0:oob:auto
oob
We explicitly use http://localhost in our code and long-live refresh token
(which seems never expires).
We also tried to use tcpdump to monitor our API calls, but was not able to
learn much from it, because calls are made via https and, therefore, encrypted.
We considered to use man-in-the-middle kind of proxy like
https://www.charlesproxy.com/, but haven't tried it yet, because it become
non-free and because of complexity of setup.
We tried to log our requests to API endpoint with custom RoundTripper, but
have not spotted anything suspicious. It seems that we're using refresh token
only and exchange of code to refresh token just never happen in the code.
Because of this, we don't think that further logging or monitoring with
decrypting https packages may help (but we open to suggestions how to do it better).
Finally, we decided to create a new OAuth 2 Client in the Google console with
fresh set of client id, client secret and refresh token. We obtained a new
refresh token with oauth2l and replaced
credentials in our configuration. But still, we are not sure that new account
will not be blocked by Google due OOB deprication, because seemingly it looks
the same as old one.
Questions:
Why may Google mark our account as OOB?
How can we ensure that newly created account will not be blocked?
Same here.
I find out an answer, that says "Desktop" type of Credentials uses OOB by default. Probably you need to create new Credentials with type "Web"
I'm setting up a new Near account, and I want to use its keys to sign a message in an app I'm building. How can I do this?
I used the wallet.nearprotocol.com page to create an account. Then, I used nearlib to connect to the testnet, and verify the account's balance and public keys.
But I couldn't find a way to add the account into the localStorage key store or otherwise access a method to sign a message. Nor could I find a wallet plugin or extension that would provide me access.
Generally the idea is that you never transfer given private key between 2 devices / security contexts.
So normally instead of getting private key out of wallet you just want to generate new key pair and request wallet to add public key.
https://github.com/nearprotocol/nearlib/blob/master/src.ts/wallet-account.ts provides relatively easy way to do it for webapp.
Note that it limits access to a give contract ID, so if you need unrestricted access you basically just need to omit contractId.
See examples at https://near.dev/ for WalletAccount usage.
I have 2 code signing certificates, for both CSR is created same way, also import and export is done same way. The only difference that I see is that one of certificates Common name contains Quotes, and the other doesn't.
e.g.
some cert and
some "cert"
CSR creation
Request format PKCS #10
disabled "Strong private key encryption"
Entered Common name, Organization, Locality, State, Country
2048 bytes for private key
set private key exportable
Import
place all certificates in Personal store
Export
Include all certificates if possible
Enable certificate privacy
encryption algorithm TripleDES-SHA1
Misleading thing is that this Common name value is NOT taken from the value I entered when I created CSR request
I am using those certificates to sign Winforms applications in Visual Studio. Certificate without Quotes in common name is working correctly (i.e. when I install application user is not getting security warning about unknown publisher), but when I install application which is signed with the other Code signing certificate (with Quotes in Common name) - it does not recognize Publisher. No error when published my application. When I take a look at setup.exe properties in Windows Explorer I see a Digital signatures tab which contains row for my certificate.
I tried to sign files with signtool and then verify - it said that certificate is valid.
I tried to get help from godaddy.com where I bought my certificate, they said that it should work with quotes, too, but didn't offer help to solve the issue. Rekey also didn't help.
I see that there are some suggestions to use Pre Publish, Post Build tasks, but I am not using those for my first certificate which is working.
So, is anyone here using code signing certificate for Winforms application with common name having quotes in it? Or maybe anyone knows about this problem and how to solve it?
Had to revoke (common name which is entered when creating CSR is not taken into account, so rekeying is not enough!) my code signing certificate and create from start without quotes/brackets in company name.
So this means, you will have to wait again for few days, because verification process is made from start again. When you will be contacted by issuer, they will verify / ask you about company name - make sure that they do not include quotes/brackets.
Revoking means that you will basically have to buy your certificate once more, because after you revoke it (at least in godaddy case) in your account you don't have options to create it again. So, you have to contact support (use call center and not chat ;)
I am using https://maps.googleapis.com/maps/api/geocode/json? link with server key and user IP to find the latitude and longitude of any address, when I'm trying I find the error as
I have a server access key from google and I have put my server's IP address in the their white list.
The URL that I am trying to access via PHP CURL is:
https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&sensor=true&key=XXXXXXXXXXXX
The result that I am getting:
Array ([error_message] => This IP, site or mobile application is not authorized to use this API key. [results] => Array ( ) [status] => REQUEST_DENIED)
Is there anything that I need to configure.The geocoding API is also switched on.
I had the same issue and I found this.
On the url, it requires the server key in the end and not the api key for the app.
So Basically, you just add the server key in the end of the URL like this:
https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=yourlatitude,yourlongitude&radius=5000&sensor=true&key=SERVERKEY
Now, to obtain the server key, just follow these steps:
1) Go to Developer Console https://code.google.com/apis/console/
2) In the Credentials, under Public API Access, Create New key
3) Select the server key from the option.
4) Enter your IP Address on the field and if you have more ip addresses, you can just add on every single line.NOTE: Enter the IP Address only when you want to use it for your testing purpose. Else leave the IP Address section blank.
5) Once you are done, click create and your new Server Key will be generated and you can then add that server key to your URL.
Last thing is that, instead of putting the sensor=true in the middle of the URL, you can add it in the end like this:
https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=yourlatitude,yourlongitude&radius=5000&key=SERVERKEY&sensor=true
This will definitely solve the issue and just remember to use the server key for Places API.
EDIT
I believe the web URL has changed in the past years. You can access developers console from here now - https://console.developers.google.com/apis/dashboard
Navigate to developers console - https://console.developers.google.com/ or use the link from details to navigate directly to API dashboard.
Under developer console, find Label from the left navigation panel
Select project
Choose Credentials from the left Navigation panel
You could create credentials type from the Top nav bar as required.
Hope this answer will help you and other viewers. Good Luck .. :)
Choose key
API Restriction tab
Choose API key
Save
Choose Application Restriction -> None
Save
In addition to the API key that is assigned to you, Google also verifies the source of the incoming request by looking at either the REFERRER or the IP address. To run an example in curl, create a new Server Key in Google APIs console. While creating it, you must provide the IP address of the server. In this case, it will be your local IP address. Once you have created a Server Key and whitelisted your IP address, you should be able to use the new API key in curl.
My guess is you probably created your API key as a Browser Key which does not require you to whitelist your IP address, but instead uses the REFERRER HTTP header tag for validation. curl doesn't send this tag by default, so Google was failing to validate your request.
The Google Places API does not currently support Android or iOS keys generated from the Google APIs Console. Only Server and Browser keys are currently supported.
You're trying to use an API KEY which you restricted in a way that won't allow this action.
According to Google:
Note: If you need to call web, web service, and/or mobile APIs from the same (client-side) app, create and restrict multiple keys.
So the right thing to do is to create another API KEY, and choose the correct restrictions for this matter. In your case, choose "IP addresses" (under "Application restrictions"), and use "ADD AN ITEM" to add your server ip.
Notice that leaving a blank list won't work, and will result in google changing your restrictions to "None".
Also, don't forget to add the relevant APIs under "API restrictions" (in your case "Geocoding API").
One last thing - Google is blocking the use of this API until you link your app to Google Cloud Billing Account. So if you didn't do it yet, once you successfully get a response, it will say you have to do it first (it has a free starting package).
Google Place API requires the referer HTTP header to be included when making the API call.
Include HTTP header "Referer:yourdomain.com" and this should fix the response issues.
You create an key with out referer
dont enter the referer address
For the latest version of the API the exact opposite seems to be true for me.
When calling the url https://maps.googleapis.com/maps/api/geocode/json?address=<address>&key=<key> I was getting the following error
You must use an API key to authenticate each request to Google Maps Platform APIs. For additional information, please refer to http://g.co/dev/maps-no-account
Once I switched the order to https://maps.googleapis.com/maps/api/geocode/json?key=<key>&address=<address> it worked fine.
Note that the error message received above was the message I got when going directly to the URL in the browser. When I called the API from a software program I received an HTML response with basically the following message:
We're sorry... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.
Also, the corresponding API should be enabled for the given project
https://console.developers.google.com/apis/library?project=projectnamehere
For iOS or Android apps, the key needs an extra privilege granted.
Go to the Google Console -> APIs and Services -> Library. Tap the Places library for your platform and then tap Enable.
See https://developers.google.com/maps/gmp-get-started#enable-api-sdk
The reason this error is occurring because of the restrictions you have added when you create add the sha1 fingerprint on google cloud console , remove the fingerprints from android or ios then save .(the ip of that mobile phone will no longer be restricted)
Authentication, quotas, pricing, and policies
Authentication
To use the Directions API, you must first enable the API and obtain the proper authentication credentials. For more information, see Get Started with Google Maps Platform.
Quotas and pricing
Review the usage and billing page for details on the quotas and pricing set for the Directions API.
Policies
Use of the Directions API must be in accordance with the API policies.
more know : visit:--- https://developers.google.com/maps/documentation/directions/start?hl=en_US
url = https://maps.googleapis.com/maps/api/directions/json?origin=19.0176147,72.8561644&destination=28.65381,77.22897&mode=driving&key=AIzaSyATaUNPUjc5rs0lVp2Z_spnJle-AvhKLHY
add only in AppDelegate like
GMSServices.provideAPIKey("AIzaSyATaUNPUjc5rs0lVp2Z_spnJle-AvhKLHY")
and remove the key in this url.
now url is
https://maps.googleapis.com/maps/api/directions/json?origin=19.0176147,72.8561644&destination=28.65381,77.22897&mode=driving
Disable both direction api and geocoding api and re-enable.
it works for only 5-10 seconds and than automatically disabled itself.
it means you have only 5-10 sec to test you assignment.
I have a server (RoR app) sending information to a client (a Ruby Sinatra app) and I need a way for the client to be certain the data has come from my server, rather than an evil third party.
The client has to login to the server before anything will be sent back the other way so the server could reply to the login with a shared key used to sign all further responses, but then the 3rd party could capture that response and be evil.
I'd like to find some way (in Ruby, with a view to cross-platform applicability) to sign the server's response so that it can be verified without inspection of the client's code leading to forgeries. Any ideas?
UPDATE: Lets see if I can explain this better!
(I've added code to github since I wrote this question, so you can (if you like!) have a poke around : The 'client' The 'server')
The process is this: Joe Bloggs uses a bookmarklet on his mobile device. This posts the currently visited URL to sitesender.heroku.com. When sitesender.heroku.com receives that request it checks its DB to see if anyone has logged into the same account using the Target application. If they have, their IP address will have been noted and sitesender.heroku.com will make a GET request of the target app (a webserver) at that IP asking the target to lanch the bookmarked URL in the default browser.
The basic idea being that you can send a site to your main computer from your iPhone for later viewing when you find the iPhone can't cope with the page (eg. flash, screen size).
Obviously the major issue is that with an open server anyone could send a request to open 'seriouslyevilwebsite.com' to a broad range of IPs and I've unleashed a plague on the digital world. Seeing as I'm using heroku.com as a server (its an incredibly good but cloud based RoR host) I can't just test the originating IP.
As far as I understand HTTPS, for this setting I'd have to sort out certificates for every target application? I agree that I need some form of asymmetric crypto, sign the outgoing requests from sitesender.heroku.com with a private key (never distributed) and get the target to perform the same operation using the public key and test for similarity - but you've guessed correctly, I'm still slightly clueless as to how HMAC works! How is it asymmetric? Is it formulated so that performing the same HMAC operation with the private key and public key will generate the same signature? In which case - HMAC is a winner!
Thanks for your patience!
I'm not sure exactly what you mean by "freely examined, but not replicated".
In general, if you need a secure communications channel, https is your friend.
Failing that (or if it's insufficient due to some architectural issue), HMAC and asymmetric crypto is the way to go.
UPDATE: I'm not sure I understand the problem, so I will try to describe the problem I think you're trying to solve: You have clients that need to be confident that the response they are seeing is actually coming from your server.
Assuming that I'm correct and this is really the problem you're trying to solve, HTTPS solves it nicely. You install a cert on your server—you can sign it yourself, but clients won't trust it by default; for that, you need to buy one from one of the standard certificate authorities (CAs)—and then the client makes an HTTPS request to your server. HTTPS handles verifying that the provided certificate was issued for the server it's talking to. You're done.
Finally, I think there's a misunderstanding with how an HMAC works. The key principle of asymmetric crypto is to NEVER distribute your private key. With asymmetric crypto, you encrypt messages with the recipient's public key and he/she decrypts it with his/her private key. You sign messages with your private key, and he/she verifies it using your public key.