I am trying to use Github Oauth App for authorization purpose. No Authentication, no sign in with github.
I would like a user (having an account on my app) to link their GitHub account to my app's account. I understand the github web flow. Let the user authorize Oauth app for the first time. Get the authorization code. Fetch an access token using the code. And use that token to do git operations on user's behalf.
Now the thing I am unsure about is, what if the user logs out of my app and logs back in again?
Not a good practise to ask them to link accounts for each login.
Should I automatically do the Oauth flow again and generate a new access token for each login? If that is, why does Github Oauth App have an access token that won't expire? And why does Oauth app store multiple tokens for the same user, same scope? Why not remove the previous token and store the new one only? Because of this move by Github, I believe this is not the correct way to go. I don't know.
Or, should I store their initial token in the database, and use the same token forever? Is that a good practise? And if that is, how do I verify the scopes initially defined for that token is still the same? I couldn't understand this bit, reading through the Github documentation.
I hope I was clear enough. I couldn't understand this account linking thing.
Related
The recommended way by fb is to get a token but the simple act of getting this token ties my personal account and an app created with it to my credentials. Is there a way for OSS projects to get a temporary or permanent token for their API login access without this connection back on a specific account?
There are 3 different tokens: App Token, User Token, Page Token. Only the App Token is not bound to a user, but you cannot do much with it.
Quite old, but still: https://www.devils-heaven.com/facebook-access-tokens/
My team have developed an App, in which we are using the Facebook Authentication Tokens to retrieve the data from a Facebook and then display it on our App and it is working fine.
The problem which I am facing is that if the Password of Facebook Account is changed then the API Token also become useless, which is an obvious thing.
But is it possible that when a user updates his/her Facebook Account Credentials then the API Token also gets updated? i.e. I don't want to go through the Token Generation Process, every time the password is changed.
No, that is not possible.
When the user changes their password, all their existing tokens get invalidated on purpose.
They will have to go through the login flow again, to create a new token.
So on my mobile app, I wish to use Google login API for users registration. I'm saving the user details like first name,Lastname, email. The above data will be stored in Firestore.
My question is
will this uid and OAuth Token be useful later? if yes in what way it'll be useful?
After registration what should I do to verify the user and make the user login? Since we don't use any passwords for verification.
and what is the professional way of storing user data in a database?
The Oauth Token allows you to make calls to google API based on the authorised scopes. When working with identity attach make a call to...
https://www.googleapis.com/gmail/v1/users/me/profile
Attach the Oauth token to the Authorization Header. If you get a response then it means the user is signed up.
With the Google Login API this is pretty much all you can do with the token. :)
I'm trying to better understand Facebook Access tokens. I have a canvas web app in a sandbox. I have used the GUI to say the app seeks permissions for various user fields. The user then sees these listed and clicks the blue Go To App button. (Currently only developers and testers).
My questions are around the Access tokens. I've used the Graph API explorer and the Access Token Tool. In the Access Token Tool - there are User and App tokens listed. What are these for?
A user must have a token to use an app - this token is generated when they click to use the app... can this expire? What is the purpose of an app access token? Is this to be used to view which users are subscribed to the app?
Any explanation or step through of the process of accepting and using an app on facebook would be greatly appreciated!
Thanks :)
Access token is similar to a password in a weaker notion.
Whenever a user tries to access to a resource, your app should authenticate the user. In this context, your app requets to access some or all user data, in return you are given an access token that expires in a short period of time. Something like 1 hour, then once the token expires you need to authenticate the user again. There are ways to extend expiration duration upto 2 months.
Facebook docs are pretty clear and concise about tokens, you can read through them, and depending on the language you are using, there are API's you can benefit from.
Overall pretty easy.
I am the owner of a facebook like page. I want to grab the news feed using php and output it on my website. I know that I can do this using a valid access token:
https://graph.facebook.com/my_app_id_here/feed?access_token=My_access_token_here
Problem access tokens expire so I know I need to authenticate periodically to get a new access token.
This is where the problem and confusion arises for me. When I read the authentication guide in the facebook dev docs all it talks about is first authenticating the user to get a authorization code from the user and then authenticating the app using the app secret, app id and auth code fromthe user. But this doesn't apply to my situation - I never have a authorization code form the user - all I'm trying to do is access the feed from a php script running on my server....a user is never involved.
Any ideas anyone?
User has to approve your application only once, and later use they can just access your app and use it without approving
Since you are the owner of the like page, I guess you are also the administrator. What you can do in this case is create an offline access token for this (and only for that) user.
You can then use this access token for your script. No user needs to authenticate anything if you only want to grab the feed of your page with the access token of your administrator.
This token never expires except for changing the user's password or taking away permissions again. Look at this answer to see how to create such an offline access token!
It seems offline_access is no longer available. Now you only get a short-lived access_token and you can ask for a long lived one, which is also renewable. You can't get a permanent one though.