I'm using ASP.net Web API 2 via VS2013 to create a private API for a project. This is all working well, including the automatic Help functionality, with the exception of one thing:
The API is secured using OAuth 2.0 Resource Owner Flow and I want to include the "/Token" endpoint in the Help as without it there is a very important part of the API that is completely undocumented.
I can't see any way of doing this as it stands because the OAuth functionality is handled via the OAuthAuthorizationServerProvider class rather than a ApiController derived one, and hence it will never be included in the standard documentation.
Does anyone know anyway that I can add my own documentation to the standard Help functionality?
I've actually managed to find a workaround, albeit a nasty one: Because the OAuth functionality is handled further up the stack you can basically make a normal Action within a Controller which takes a "custom" object that conforms to the input expected by the actual OAuth endpoint. It will never be called because the OAuth endpoint handles the URI first, but it still shows up in the API Help.
Related
I can't figure out what public data means in Google Docs API guides.
Reading the Google Docs API guide authorizing section, we find that for public data the OAuth 2.0 is not necessary, then I tried using patchupdate to update a document which is shared to edit for anyone with the link, and I could not get it to work because the API returns an authentication error.
So the questions are, what is API key for and what does Google mean with public data?
I understand that you refer to the «If the request doesn't require authorization (such as a request for public data), then the application must provide either the API key or an OAuth 2.0 token, or both» part. It says that you should use either an API key or an OAuth 2.0 token (or both), whatever is more convenient for your project. In this guide you can learn more about how to communicate with Google APIs using OAuth 2.0. Meanwhile in this documentation you can see the approach used with API keys. Please don't hesitate to ask me to clarify myself.
We are using BotFramework Composer to create bots. These bots are supposed to get information from a backend REST service, where we need to know, which user is submitting the request for data. We are currently using {turn.activity.from.id} to get the Teams user's id, and sending it in a special http header in the "Send an HTTP request" action. We then perform a mapping of this id to our internal users.
We are, of course, aware, that this is not secure at all, since anyone who knows this, could get the user's id and send it to our service. We are currently thinking along the lines of generating a short-lived jwt token in the Bot to send to our application. However, we see no direct way of implementing this token generation in the Bot Framework Composer itself.
Also, we don't want to use OAuth, because we don't want the user to have to log in via the bot.
Is there a way to implement custom token generation using C# or js and assigning it to a dialog variable to be used in a "Send an HTTP request" action?
This document discusses how to implement an HTTP request in Composer. The first half is focused on creating a login for OAuth, which I know is not your focus, so look at the second half. If you set up a simple server that can generate a token for you, then you can make a request to it from Composer using the method described.
As links can break and docs can change (and Composer is still in Preview), I would recommend saving the doc somewhere and checking back every so often for any updates.
I've used HTTP requests from within Composer, myself, so I know this will work for you.
Hope of help!
You can create a custom Action or a package component and create any c# methods there for JWT generation. This will keep it all local to the bot.
https://learn.microsoft.com/en-us/composer/how-to-create-custom-actions
I am not able to find google documentation where all valid possible operation url per scope are mentioned?
I am consuming google API, using oauth 2.0 by Httpclient ie without using google api client jar or dependency.
To fetch Users profile I set emailId profile in scope and made a get request to https://www.googleapis.com/oauth2/v1/userinfo?access_token=XXX using HttpClient,this is working.
There is a page where all scopes are mentioned but unable to find list of possible operations for particular scope.Please help me into this.Thanks!
On the page describing scopes, if you click on the title of a scope section, say the Calendar API, you are brought to that API's home page. From here you can got to the guides tab and follow the quick start for the language of your choice (which Google encourages since their client libraries tend to do a lot of the work for you), or go to the reference tab and view the available endpoints. From here you can send your access token as described here
As far as which scope applies to which endpoint, I assume view and read only scopes will probably only work for GET requests, while other manage scopes will probably encapsulate the other endpoints. Apart from that assumption, I don't know if Google has the scope exactly lined up with the endpoints they are valid for.
I'm looking for suggestions regarding methods of hosting a 'custom STS' within a self-hosted OWIN pipeline.
It seems that the current documentation on custom claims providers has changed very little in the few years since I created a custom-STS with WIF 3.5, and I'd like to bring the implementation up-to-date for use with ADFS 3.1 (Windows Server 2012 R2).
I'm aware that the SecurityTokenService has moved to the System.IdentityModel namespace in 4.5, and ideally I'd like to encapsulate an STS within an OWIN-self hosted WebAPI, but I would be happy to use something like Nancy instead if necessary (since MVC does not appear to run in OWIN owing to it's reliance on System.Web), but I am struggling to find a way to utilise my implementation of SecurityTokenService from my WebAPI's DelegatingHandler since the wrapper functions in System.IdentityModel.Service.FederatedPassiveSecurityTokenServiceOperations also appear to be reliant on System.web, and hence IIS.
I plan on presenting the required input form elements to the user by manually crafting the response stream and parsing the POST - I realise this is a terrible idea compared to using ASP.Net or MVC, but at this stage this is really just a proof of concept for me, I'll be letting ADFS handle the cookies, since this will just be registered as a custom claims provider.
Should I drop the SecurityTokenService class in favour of a better token-generation implementation, or should I drop the wrapper class and manage requests to the STS manually using the IOwinContext's Request and Response objects, but if so, how?
Many thanks
I am developing an API for a social network website. This API will basically get all the requests from the users (get friend list, post a status update etc) and reply back if necessary.
We will implement OAuth 2.0 protocol for authentication. Consumer (our php project) has API id and secret.
Basic scenario:
Client wants to log in
API Consumer (php web project) takes this request, directs user to API
User send his/her user credentials to the api, gets the token.
User comes back to our website, pass token to the consumer.
Consumer goes to the api server, gets the access token.
Now consumer (php project) has access to user's private information.
Since this is a social network website, we want app developers to be able to use our API in the future.
I am not experienced in API-design. Does that flow make sense? I guess the simplest authentication would be accessing user information through php project. But we don't want to access database in php code. We will use ajax in client side and send a request to the API. And I believe there should be a better solution, what would you suggest?
Sure, API design is basically point where you need to choose technology.
Either it can be PHP or .net or Java.
I would prefer either PHP or .Net as we get lot of flexibility in it.
API will return XML or Json depending upon the request.
There are lot of CMS in php which can be helped.
.net we have Service Stack to help you.
API's had to be fully independent from other world as well as within API method as well.
If you are able to achieve this, then you will surely create a good architecture.