I have gone through the Instagram Authentication documentation and I could see that there is no direct way to authenticate other than taking the user to a URL specified by the Instagram.
This is what Instagram documentation says.
In order to receive an access_token, you must do the following:
Direct the user to our authorization url. If the user is not logged
in, they will be asked to log in.
The user will be asked if they would like to grant your application access to her Instagram data.
The server will redirect the user in one of two ways that you choose:
Server-side flow (recommended): Redirect the user to a URI of your
choice. Take the provided code parameter and exchange it for an
access_token by POSTing the code to our access_token url.
Implicit flow: Instead of handling a code, we include the
access_token as a fragment (#) in the URL. This method is less
secure, but allows applications without any server component to
receive an access_token.
See we should take user to a particular URL. Instagram uses OAuth 2.0.
But the thing is that there is a Mac App named Flume, which does not take user to a URL. It simple lets the user enter their username and password, and Flume connects to Instagram API,and the user successfully gets logged in and able to see his media content.
I wonder how Flume doing this? Am I understanding the documentation incorrectly?
Please help. Thanks in advance.
You're reading the documentation correctly.
Flume doesn't use the Instagram API, so it is not affected by its limitations. Instead, it will likely use web scraping by opening the Instagram website in an invisible browser instance, there entering the user data and commands on the behalf of the user, then scraping the results from the next invisible browser page etc.
There are different approaches on how to achieve this in OS X, a starting point could be Web scraping in Objective C. For a conceptual overview, you could have a look at RoboBrowser, which is a Python library but gives you an idea of how this works.
Instead, it will likely use web scraping by opening the Instagram website in an invisible browser instance, there entering the user data and commands on the behalf of the user, then scraping the results from the next invisible browser page etc.
This is actually false. Flume has found a way to use Instagram's internal API to display content. Using a man-in-the middle proxy client such as Charles will show that the network requests that the Flume app makes are very similar to the network requests made by Instagram's different native Apps. Flume mimics Instagram's network requests in order to set HTTP headers/cookies/auth data to retrieve/post information.
I'm happy to post pictures/files to verify this for anyone that may wish for further proof of this.
Related
Is there a way to automatically authenticate the google javascript api client, without user interaction?
Something like this:
User loads webpage -> webpage automatically signs in into a predefined user account -> api calls get executed
Basically i want to prevent the popup where you have to select an account and sign in to it. As the account which will be signed in is always the same.
EDIT:
pinoyyid answer looks promising and is what im looking for. But this only works if the user has signed in with an account at least once, if im not mistaken.
Now i dont want to use an account supplied by the user, but a predefined account which i am the owner of and sign this account in.
Im not entirely sure if this is even possible, as i have to provide the password/some authentication code to google and somehow do this in a secure way.
Use Case: The website will create a Youtube Broadcast via the Youtube Data/Livestream API for the specified account.
Yes you can do that. Referring to https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
there are three pieces of information that will get you where you want to be:-
The OAuth URL can include a login_hint which is the email of your intended user
The OAuth URL can also include prompt=none which will do its work silently
This all needs to run in an iframe because this is based on origins and redirects.
==EDIT==
If the requirement is for a browser client to connect to a Google Account other than that of the browser user, then this is not possible. It's kinda obvious really that to do so would require a credential in the browser which by definition is not a secure environment.
The approach I would take would be to use a service such as Lambda or Google Cloud Functions (or whatever marketing name they have this week) to create a proxy for the corresponding Google API using a credential stored server-side.
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I have an app that has user generated images, but to access these images, you need to log into the server, otherwise, if you try to access an image URL, you're redirected to the login page.
Is it possible to show these images in chromecast? The documentation only show examples using public URLs.
One approach is to login the user on your sender app and have your server create a (short lived) token or so and pass that back to your sender. Then pass along that token to chromecast and have chromecast use the token. For example, send a URL like "https://some.url.com/my-image.png?token=1234assadasfcrafctvawr32w34v" to your server, from chromecast, and have your server interpret that appropriately.
I am sure you can think of more sophisticated approaches but that is the basic idea.
I am building a WP7 Twitter client. The normal OAuth 1.0 flow involves obtaining a request token by navigating a web browser to https://api.twitter.com/1/oauth/authenticate with my app's consumer key; this page will show a login prompt and ask the user to authorize my app to perform actions on their behalf. Upon completion, this page will redirect to a callback URL supplied by my app, with the request token supplied as a parameter.
For web apps this makes sense. I don't understand how this is supposed to work for a standalone mobile/desktop app, though. The Twitter API documentation seems to imply that this should be a feasible option. They do offer an alternative xAuth mechanism that allows an app to gather username/password itself and then supply that directly to obtain an access token. The API documentation points out that this is an inferior option (as it requires the user to trust the app, not just Twitter, with their password), but I don't see how I have any reasonable alternative?
(there is also a PIN-based option, but that's a pretty burdensome solution for the user)
I just want to make sure I'm not missing anything obvious.
"For web apps this makes sense. I don't understand how this is
supposed to work for a standalone mobile/desktop app, though."
Just embed a web browser control in your app, and navigate to the twitter authentication page. Then detect the redirection to the callback url (using the Navigating event) and retrieve the parameter. Many twitter apps do that, it's basically the same as asking the user for the login and password, except that instead of your own controls you're displaying twitter's page.
Nope, you're correct. The option for a mobile/desktop application is either a pin-based option or to use xAuth. Once you have an xAuth application has an access token it is indistinguishable from OAuth (it only changes the authorisation workflow). One thing it does change, and this is very specific to Twitter, is that if you do use xAuth then your application will not be allowed to read or write Direct Messages. See Twitter's The Application Permission Model page for more information.
All,
Is there a way to log all clicks(like hyperlinks,buttons,.....) performed by the user on the client on any webpage and send it to server for logging purpose.If so please direct me to a sample code for it.
Thanks......
You can include the Google Analytics script in your file and reap its benefits.
Unless you are going to build a extension (or some greasemonkey script) for some browser you won't be able to do that for any web page the user visits.
Assuming that all clicks result in a server request, then why not just scan the access logs of the web server?
You can add a uniquely identifying id in each url in order to distinguish between users.