I am following the tutorial located here: https://developer.xamarin.com/guides/xamarin-forms/cloud-services/authentication/oauth/
I got to the step titled: Presenting the Sign-In User Interface.
It says that, "When the Login method is invoked, the sign-in user interface is presented to the user in a tab from the device's web browser."
Now is this really the process when using Xamarin?
Because the other apps I've downloaded and played with don't open the browser and then open a new tab to give me a choice of which account to choose. Those apps pop up a small page on top of the app and allows me to select an account.
If this Xamarin process is different I am not going to use it when developing my app. Please clear this up for me thanks.
There is no such thing as as "Xamarin's way of oAuth".
oAuth is about authenticating users through 3rd parties like Google, Facebook, Twitter etc. There are different oAuth flows which are mostly used: the implicit grant and the authorisation code grant. For mobile apps the implicit flow is common because auth code flow involves the app keeping a secret which a mobile cannot really guarantee. For a great overview of these flows I can recommend this lecture from Xamarin.University.
These flows are the same no matter which underlying development stack you are using.
The documentation you are referring to is using a library to help using these flows: Xamarin.Auth. As a matter of fact you don't have to use this library at all. This library helps with storing tokens, sending requests that include the required tokens, detect endpoint redirects etc. Part of using this library is presenting the UI where the 3rd party vendors login form is shown.
This is what you do when calling:
var presenter = new Xamarin.Auth.Presenters.OAuthLoginPresenter();
presenter.Login(authenticator);
The actual implementation of presenting the UI is platform specific. On iOS the UI os shown modally if that's how you are coding it. If you change this code to show the UI as a small popup floating on top of existing content, you can of course do this. This is true for any given platform.
Related
I am showing a wordpress website in iframe inside Microsoft teams Tabs. is there any way to detect the loggedIn user in my website?
If you are able to wrap your website inside a Teams app (which you can do for example very easily using App Studio, then you could surface your website as a "Tab" app. Doing this means you can reference the Teams JS library in your code, which will enable you to get a context object. You can get a lot of user information from that.
Be aware though that this context is not really 'trusted' data (it's just inserted via Javascript), so it could be spoofed into your page by a malicious actor. If that's a problem, you should look to implement Tab SSO in your app, which will give you a proper JWT token that you can validate.
I am creating an e-commerce API using the Django Rest Framework. The API will handle the following areas:
Databases
User Registration
Permissions
Orders/Payments
There's still one area in which I'm not quite sure how to implement in my project. It's the cart functionality. Would it be better to implement it on the client-side (ex: React/Ember) or on the server-side (i.e. API)?
One scenario that confused me is if the user is logged in in different platforms (ex: Website and mobile app). I want the user to have the same cart on mulitple platforms.
In that particular use case, if you want cart persistence then it must be backend. The reason for this is one being able to have a single source of truth. The phone app and the web app cannot talk to each other unless they have some sort of "common ground" between them.
That's where the API comes in. It will allow both ends to speak to each other by having the API as the single source of truth. See my terrible diagram for a visual.
What I want to build:
I want to build a website where users can connect their google calendars (this will use Google Calendar API's)
and view their calendar events, as well as edit them, and create new ones.
My problem:
In order to do so, google says my app needs to be verified, which can take weeks, and I also need to set up terms of services pages, privacy policy pages
I also need to supply authorised javascript origins which MUST start with https, which of course is a problem during development, since my origin is http://localhost
I also need to set up support emails and homepage link
Question
I just want to start building my application without having to set up a whole production-ready website eco system.
Is there anyway I can use these Google Calendar APIs for editing/creating calendar events locally, without having to set up everything mentioned above first?
Unverified apps can still be used by the developer who created the project on google developer console.
Unverified app screen
The app or script might display an "unverified app" screen before it displays the consent screen. This is based on the specific scopes that your app includes in the request.
You can still work on your app while you are going though the verification process. However that being said i would start that process asap it can take a long time to get verified.
Yes, you can. As far as I am able to tell, all the verification step does is remove the "unverified app" screen. As long as you click Advanced > Go To ... (unsafe), you should be able to create and edit calendar events for that user in your application.
In order to be able to create and edit calendar events, you need to use the most sensitive scope, which is https://www.googleapis.com/auth/calendar. I couldn't figure out how to edit and create calendar events in my web app until I changed my scope from calendar.events to calendar.
Creating Events: https://developers.google.com/calendar/create-events
I am a beginner trying out api for fun.
The problem is, lets say, I want to write a simple windows program with golang to let my friends read and edit one of the sheets saved on my google drive. How can I do this without having them download a credential file?
What I want it to do is simply redirect them to the Oauth Page right away, and if their email address is one recognized by the app it will grant them access to that google sheet.
What i think you need is to integrate your go app with Oauth protocol.
More specifically, with the Google provider.
This is mainly 3 steps:
add the oauth client to your application
something like this: https://github.com/golang/oauth2
See their docs on how to do it.
go to google dev documentation and see how to integrate google auth flow into the client: https://developers.google.com/identity/protocols/OAuth2
I'm not sure if google has something more specific for google drive integration and/or go-lang client in particular. Please do some searching.
make the glue code on your go app so that the user can interact with this (the login button (or command, if it is terminal based), error messages, logout, etc)
More questions will appear when you start to do this, however it is a great example to learn Oauth as well.
General guidelines:
https all the queries or oauth is basically useless
oatuh has many auth-flows and you must choose which one(s) you support. use whatever google documentation recommends for m2m scenario (machine 2 machine)
log errors so that your friends can send you a log file for you to debug issues
maybe set some feature flag so that you can simply disable this feature to run/test localhost ? maybe useful? you decide.
I have created a web application which connects with Google APIs. In the past it only connected with the Google Analytics API. Now I am making it link with Google Webmaster Tools (GWT). Some of my existing users may want to opt in to GWT. And moving forward new users may want to link with just one or both APIs.
Is it best practice to create a separate console project for each API?
During experimentation I modified my original Google Analytics project to support GWT. But in doing this I found there is no way a user could revoke access to just one API; they would need to revoke BOTH APIs.
I then created a separate project to manage just GWT. This works fine and all. But from the user's perspective it makes another entry into their "Connected Apps" (see screen shot).
What is the best practice for a situation such as this?