Generate Authorization Token ZOHO CRM - zoho

While implementing ZOHO CRM with our website, we found that there is a 3-step authentication process to use the ZOHO CRM REST API.
We are entangled with the auth token generation process.
We have the following queries related to this:
How to generate 'auth token' in Zoho projects via API mode.
I am able to generate the Authtoken via 'Browser Mode' but am stuck generating the auth token via API mode !! We are calling the URL below, mentioned in the documentation:
https://accounts.zoho.com/oauth/v2/auth?scope=ZohoCRM.users.ALL&client_id={client_id}&response_type=code&access_type={"offline"or"online"}&redirect_uri={redirect_uri}
We want this to be automated to generate the "code" without hitting the "Accept" button and not have to do a self-client to generate the code every day?
This is not a good solution to go.
Do I need to generate the code every day manually? Isn't there any API to generate the auth code?
Please help me out.

Visit https://api-console.zoho.com/
and make a self-client there.
Using the self client code you will get the secret id, client id & auth code.
Add scopes and generate.
Using this auth code you can create a refresh token (it's valid until you cannot revoke it).
Using the refresh token you can create an access token (valid 1 hr).
Used Postman for quick creation.

Don't use Browser mode. Use the self client.
Using the self client code you will get the secret id, client id & auth code.
Using this auth code you can create a refresh token (it's valid until you cannot revoke it).
Using the refresh token you can create an access token (valid 1 hr).
Used Postman for quick creation.
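
The flow the answers above describe (redeem the self-client code once, then mint hourly access tokens from the stored refresh token), as an added example that is not code from the original posts. The class name `ZohoTokens` and its parameters are hypothetical; the example assumes Zoho's OAuth 2.0 token endpoint at `/oauth/v2/token` on the same accounts host as the `/oauth/v2/auth` URL in the question, and takes the 1-hour lifetime from the answer.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://accounts.zoho.com/oauth/v2/token"  # assumed token endpoint


def post_form(url, fields):
    """Default transport: POST form fields, return the decoded JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class ZohoTokens:
    """Hypothetical helper: keeps the long-lived refresh token server-side and
    hands out short-lived access tokens, refreshing only when near expiry."""

    def __init__(self, client_id, client_secret, refresh_token=None,
                 post=post_form, clock=time.time, lifetime=3600, skew=60):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token
        self.post, self.clock = post, clock
        self.lifetime, self.skew = lifetime, skew  # 3600 s = the 1 hr stated above
        self._access, self._expires = None, 0.0

    def _grant(self, **fields):
        reply = self.post(TOKEN_URL, dict(fields, client_id=self.client_id,
                                          client_secret=self.client_secret))
        if "access_token" not in reply:  # OAuth errors arrive as {"error": ...}
            raise RuntimeError("token request failed: %s" % reply.get("error", "unknown"))
        self._access = reply["access_token"]
        self._expires = self.clock() + self.lifetime
        return reply

    def redeem_code(self, code):
        """One-time step: trade the self-client code for a refresh token."""
        reply = self._grant(grant_type="authorization_code", code=code)
        self.refresh_token = reply["refresh_token"]
        return self.refresh_token

    def access_token(self):
        """Return the cached access token, refreshing it when it is near expiry."""
        if self._access is None or self.clock() >= self._expires - self.skew:
            self._grant(grant_type="refresh_token", refresh_token=self.refresh_token)
        return self._access
```

Store the refresh token and client secret where only the server can read them (environment or a secrets manager), since anyone holding them can mint access tokens until the refresh token is revoked.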

Related

Login with Google in Laravel using Postman

I am new to laravel and making a login with the Google module in Laravel using Postman. I've successfully generated a Google access token. But how to make the whole module of login with Google in Postman? and Can we use that access token in other modules?
I think it is not possible with Postman.
There are two things that will be possible:
You can configure your app with Google and send information to server (Database) through API.
or you can create a webpage and there you have to create a setup to login with google and save information in database and send success or failure in form of response

Oauth2 - How to automatically get access token

I have a task which need to call an external Oauth2 API to get data.
The authentication steps of this API are:
Request an application authentication:
https://api.apiname/v1/oauth?app_id= [value] & redirect_url = [value]
& response_type = [value] & scope = [value] & state = [value]
-> It will redirect to the login page of this API
Login then get the code
Use that code then request to get an access token:
https://api.apiname/v1/token?grant_type=oauth_code&app_id=[value]&secret=[value]&code=[value]
Use received access token to call specific API to get data.
So how can I get through step 1,2,3 automatically in my system because the client should not have to log in to API to get the code? Is there a way I can go through step 1 without showing login page?
I think the main purpose of Authorization code grant type in OAuth2 is to use a 3rd party login without having to save the user credentials in our app.
"Is there a way I can go through step 1 without showing login page?" :
If you do this, this is in a way just client credential flow. I am not an expert, but I think this is technically possible using a chrome/firefox driver filling up the data for you using web scraping. But think twice before you use it since you are overriding the whole purpose of AuthCode grant type.
refer : Securing an existing API with our own solution

How to OAuth using WeChat Login for Parse Server

We would like to enable WeChat Login on our iOS client that is connected to a Parse Server backend on Heroku. From reading through the PFFacebookAuthenticationProvider, it seems that we need to write a custom authentication provider for WeChat.
WeChat Login is based on OAuth 2.0. It works as follows:
1. From our app, an authorization request is sent to the WeChat app installed on the same phone. WeChat app is called to the foreground.
2. After the user approves the authorization request, a code (NOT the access token) is sent to our app.
3. With the code and our app id and app secret, our server can then call WeChat API and get the appropriate user id and access token from WeChat. This step has to happen on our server, as we cannot include the app secret within our client app.
On the WeChat documentation, it is strongly recommended that we keep the access token strictly in the control of server (anyone with the access token can make requests to WeChat API and it will be counted towards the usage limit for our API calls).
If we are to follow this practice, we cannot save the access token in the authData field of the user. Would it be acceptable to save only the code and id from WeChat into the authData and save the access token to another class that only the master key has access to? This obviously requires us to write a custom AuthAdapter for the Parse Server.
Or is there a better way to implement this custom auth? The custom auth documentation for Parse Server is pretty thin and I plan to improve it after I can get it working for myself.
You can definitely update the auth adapter to exchange the code for an access token server side. The logic would be similar to other adapters, failing to login/signup if the server is unable to process the code to access token exchange.
Here
https://github.com/parse-community/parse-server/blob/master/src/Adapters/Auth/wechat.js#L7
If the authData object has that code, you can add additional logic to exchange it.

Yammer Rest API > Authentication based on server side script (php) without user interaction

My project has the requirement to access the yammer data using the given REST API using server side script(mainly PHP) and not involve a client side login using yammer's OAuth dialog.
I have gone through this document:
https://developer.yammer.com/docs/oauth-2
but this says we require user interaction.
What I wanted was can I generate a client_id and client_Secret to further generate access token to make API call out, but in all these processes I only use the authenticated users username and password in my server-side script.
Can anyone suggest a solution or is a client-side interaction required by design?
Thanks in advance!!
You have to have a user authorize the application at least once. This is just the nature of the OAuth implementation and you can't work around it. Having users go through the OAuth flow is considered a best practice.
If you have an OAuth token for a verified admin of Yammer, you can use impersonation to get tokens for end users without them interacting with the OAuth flow.
The below from Microsoft blogs might help you & added source at the end of answer.
1. Obtain a Verified Admin token for your application in one of the following 2 ways
   a. Create the app with a Verified Admin account and then in the app’s Basic Info page, click “Generate a developer token for this application.” Note that you’ll need to use this app’s info in the JS SDK and any subsequent calls.
   b. Use the process outlined at https://developer.yammer.com/docs/test-token with a Verified Admin account to get an OAuth token for that VA account. Note that you must use the app info used to generate this token in all future steps.
2. Obtain the current user’s email address in the server-side script.
3. Using the VA token obtained in step 1 to authenticate, pass the user’s email address to our Get User by Email Address endpoint documented at https://developer.yammer.com/docs/usersby_emailjsonemailuserdomaincom, and then process the response
   a. If the call to the API endpoint returns a 200 OK response, first check the “state” field to make sure the user is “active” and if so, store the “id” field that’s returned and go to step 4
   b. If the call returns a 404 or a state other than “active,” direct the user to finish creating and activating their account however you like.
4. Once you have the user’s ID, you can pass it to our Impersonation endpoint to obtain a pre-authorized OAuth token for that user. This endpoint is documented at https://developer.yammer.com/docs/impersonation and must use the VA token obtained in step 1 to authorize the call, and the consumer_key of your JS SDK app.
5. You now have an OAuth token for the current user. When generating the code being passed to the browser, have the client side JS SDK code first call yam.platform.getLoginStatus and if there’s no active session and you have a token from step 4, pass that token to yam.platform.setAuthToken($tokenFromStep4, optional_callback_function_if_desired(response)). If you don’t have a valid token, direct the user to finish setting up their Yammer account.
6. Continue making JS SDK calls as you normally would, without needing the user to authenticate.
Source: https://blogs.technet.microsoft.com/askyammer/2016/11/04/preauthorizing-the-yammer-js-sdk/

Invalid session when trying to create a session in OKTA

Very new to okta flow, please bear with my ignorance.
I am doing a poc to access sharepoint from my external site and sharepoint is authenticated through OKTA. I want to start getting list view data from share point and expose it on my site.
1) What is the difference of authenticating using username / password flow (vs) using token to authenticate into OKTA?
Step 1: Auth in through username / password get the session token
Step 2 : After this I tried to create a session as per docs:
http://developer.okta.com/docs/api/resources/sessions.html#create-session-with-session-token
You're probably missing a valid Okta API token (cf. Getting a Token ) when calling the /api/v1/sessions endpoint. In any event, you should use the /api/v1/authn endpoint for authentication purposes and that one usually doesn't need an api token (unless you want to authenticate it from a trusted application).
The /api/v1/sessions API with the username/password payload is deprecated so you should shy away from using it in favor of the /api/v1/authn API.
I hope this helps!
