I'm making use of the Yammer APIs and embed feed. I was wondering if it was possible to force a sign into Yammer using the user's access token (saved in some local storage). Is it possible to make the yam.getloginstatus() function return true with just the access token, instead of having the user login every time?
There is a setAuthToken() method available which can be used to inject a token. You can continue to authorize a user to your Yammer app and store the token, or use the more advanced approach with impersonation as laid out in the article that is linked. Make sure to create threat models for your application so you have a plan to protect user tokens.
Related
I have a web app which sends emails (gmail) in name of my users
When a user registers, she supplies gmail account and password. Also she has to enable access for Less Secure Apps (I recommend to create a new account for this)
Then I can open a gmail session
session = Session.getInstance(props, new javax.mail.Authenticator() {
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication(user.getEmail(), user.getPassword());
}
});
and send emails on her behalf.
Unfortunately this is going to stop working next 30th May, when Google will allow only OAUTH2 access
I have followed Java Quickstart for Gmail API and I have code up and running for sending emails with OAUTH2: enable gmail api, create an application on google cloud platform, grant send permission, oauth2 client id credential created...
The problem I have is I can't see a way to automatize this task because when creating an authorized credential, a consent screen displays on browser and you have to select the account to be granted manually (maybe because my app in google cloud platform is still pending to be reviewed)
Is there a way to infer the gmail account you want to access from the credentials file (client_secret.json)? Is there a way to automatize this?
No, or yes. It depends.
The whole point of OAuth2 is to improve security by working with authorization tokens rather than asking for user credentials. To do this the user has to consent to the app's access request, and thus the OAuth consent screen cannot be bypassed. This is
explained in Google's documentation. It's not related to your app's review status but rather it's the way OAuth works.
You can still work in a similar way, though . Instead of asking for username and password upon the user's registration you can redirect them to the OAuth consent screen so they can authorize your app. Make sure that your app is requesting offline access type and then you can retrieve an access_token and a refresh_token. These will essentially work as your credentials and you can use the refresh token to generate new access tokens when needed without having the user go through the consent screen each time.
The refresh token doesn't have a "natural" expiration so you can keep using it indefinitely, but there are a few scenarios where it will become invalid, such as it not being used for six months, the user changing passwords (if using Gmail scopes), the user manually revoking access, etc. In these cases you will need to direct them to the consent screen again to reauthorize your app.
In this sense, your app can still work automatically without user input except the initial setup, which you already had to deal with when they supplied you with their credentials. The refresh token expiration can even be compared to what you had to do when the users changed their passwords in your current workflow.
One exception to this are service accounts. If you and your users are part of a Google Workspace domain you can delegate domain-wide access to it, then the service account will be able to access user data without any manual input. Of course, this is because as the domain administrator you pretty much own all the accounts under it. But if you're working with a publicly available application you will have to deal with the limitations I mentioned above.
Sources:
Google's auth overview
Using OAuth 2.0 to access Google APIs
OAuth 2.0 for web applications
The OAuth consent screen
I'm trying to access Reports API. And created source code for this on Java (GitHub project).
I can get Access Token, but if I use it for Reports API Google always return me "Access denied. You are not authorized to read activity records" error.
I tried this Access Token to receive information from Drive API and it works. So Access Token is valid for Drive API and not valid for Reports API.
On this page I found this information - Using OAuth 2.0 to Access Google APIs
Access tokens are valid only for the set of operations and resources
described in the scope of the token request. For example, if an access
token is issued for the Google+ API, it does not grant access to the
Google Contacts API. You can, however, send that access token to the
Google+ API multiple times for similar operations.
So I can't use one Access token for all APIs? If so how can I get Access Token for Reports API?
I'm using Service Account JSON for access token generation.
Thank you for help!
Aleks.
So I can't use one Access token for all APIs?
When you authncate a user you request some scopes this tells the user what apis and data you need access to. There are a lot of Scopes each scopes gives you acccess to diffrent data.
If so how can I get Access Token for Reports API?
You include the scope for that api in your authentication code. Its hard to know which reports api you are talking about
adminreports_v1
There is also the Google analytics reporting api, and the Youtube analytics reports. The easiest way to know what scope you need to include is to check the doucmentation page for the method you are using they will always include an auth section telling you which scope you need in order to use it.
I'm developing a mobile app which will allow users to browse without signing up. I would like to have all my endpoints secured via token.
How would we go about allowing anonymous browsing? i.e. provide a token to anonymous users.
Not sure to understand your case, why do you need a token if your users aren't registered and your API opens to everyone?
The authentication system of Strapi has been built to only send token to registered users. However, the easiest way to make it work for you is to register every visitor coming in your app based on their IP or something unique as a username and set the same password for each one of them. Then, every time the user comes back, you can call the /auth/local URL to sign-in the user and get the token or use the token stored in the local storage.
I'm working on a solution (not a 3rd party app) that will force active Yammer user to re-authenticate via my Proxy. I have access only to Yammer API.
I would like to know if i can revoke active Yammer user using Yammer API in order to force him to authenticate again and to receive a new token from server?
Can i remove from admin the Auth token for specific user using API and that will force him to re-authenticate and then receive new auth token ?
No, there isn't any API endpoint to force users to re-authenticate to your app. The options that I can think of are: 1. The user will have to manually revoke the app's access from his/her profile page. 2. Create a new app and update the app_id and secret_key in your code. 3. Although I have not tested it, disabling an app may cascade revoke all tokens that are associated with app; for this, you'd need to file a Support case and ask them to disable and re-enable your app.
I would like to access my own facebook news feeds using spring social facebook. I have registered my app and i could able to get app key and secret key. How to generate facebook access token for given app key and secret key using spring social facebook(programmatically)?
Now i'm using the link https://developers.facebook.com/tools/explorer generate the temporary access token which is valid only for 60 minutes.
How to generate the access token in my java application itself without having any login page redirecting to facebook redirecting back, etc.
If you're wanting to use the token to access user-owned resources at Facebook (e.g., the user's timeline, friends, etc) there's no way to get a token without involving the user. That's on purpose so that you aren't allowed to fetch data or write data to Facebook without getting the user's permission to do so.
But if that's what you want, then you must redirect the user to Facebook and back. This is OAuth 2's authorization code grant. Spring Social's ConnectController can help you with this.
You might be able to do it via the JS API, but it's been awhile since I've done it that way and I know a few things have changed at Facebook in that regard. And it probably relies on OAuth 2 Implicit Grant (which involves a redirect).
There is another way to obtain an access token without redirecting: Via OAuth 2's client credentials grant. But I don't think that's what you want. Such a token can only be used to work with non-user resources (such as Facebook's Insights API). But if that's what you want, then you can use OAuth2Template's authenticateClient() method.
Again, to be perfectly clear, it is very much by design that you can't obtain a user access token without involving the user. And with Facebook, that will require redirects.