I am trying to develop a Flutter app, with which users can login with their Square account credentials, and I can use OAuth2.0 to get their access token, and use it to make calls to the Square API.
I am confused with the whole flow: after the users sign in with their Square credentials, how do I get their client secret/ app id (which are required for the obtaintoken API call). To get the access token I need those, but there doesn't seem to be any functionality for that. Right now I am testing by hardcoding both in a .env file, but how to do it for an end user? I'm currently using FlutterAppAuth.
You would use your client secret and application id. The idea behind OAuth API in Square is that the Square merchant(s) you onboard do not need to worry about creating an application, so they actually wouldn't have these credentials at all.
Using the OAuth API, you will be able to generate an access token using ObtainToken with the code that you receive. The rest of the parameters are specific to your application.
You can see the full flow on the doc site here: https://developer.squareup.com/docs/oauth-api/how-oauth-works.
Related
I saw PayPal REST request documentation for java SDK at https://developer.paypal.com/docs/integration/direct/make-your-first-call/.
It requires a developer to register an application.
Now, using the calls mentioned by using the clientId and secret, i can receive an access token. This access token will belong to me and not any other user, so i will only be able to access my resources.
Now, If i make an application, and want to obtain access token of the user using my application, how can the SDK be used to achieve this workflow?
We recently created the instructions to use PayPal Java SDK. You can read them about it here: https://github.com/paypal/PayPal-Java-SDK/wiki/Making-First-Call
Using Java-SDK, you do not need to create access token separately. Instead you create an APIContext object, and pass your clientId, secret, and mode(sandbox/live). You pass this instance to all the API operations, and SDK will automatically call the oauth, and get the access token. This also improves performance by caching the access token and re-using it for later use. This only should reduce number of network calls to half.
I implement some facebook related stuff and accessing graph api for that pourposes. But for implement Integration testing I need a simple strategy to get access_token. So I create test user for that. How could I get access_token only with server side involved, without including browser in the chain. Ideally I just need to exchange login/password to the token.
Correct workflow loooks like this:
According the correct answer, there is special tests users provided by facebook.
To to be able to tests system properly you need to do the following flow
Get application access token
Request application's tests user's via "GET /{app_id}/accounts/test-users"
Parse response and extract access_tokens for each user from that response.
You can't exchange the login/password for an Access Token, but you can create test users programmatically. Have a look here:
https://developers.facebook.com/docs/graph-api/reference/v2.0/test-user
https://developers.facebook.com/docs/graph-api/reference/v2.0/app/accounts/test-users
How to get an access token with the right permissions for a test User
https://developers.facebook.com/docs/graph-api/reference/v2.0/user/permissions/
Short answer: You canĀ“t.
Server side you can only get an App Access Token, Page Access Token or extend an existing Access Token.
So it depends on what you need to achieve, if you just want to get public stuff from a Facebook Page, even an App Access Token may be good enough. But you cannot create User Access Tokens server side.
It may be possible with real test users created via the Graph API itself though, see Tobis answer for links about that. But it is definitely not possible with username/password.
Using app access token had previously been asked in this question (How to use Facebook appAccessToken with Spring Social) and Craig Walls gave a good explanation why the spring-social API should be user-based for most cases.
I have a scenario, however where I would like our server-side application to make a couple of queries that should not require user-specific permissions. I picked a random public page for examples below
I would like to:
View details about a public page by alias/id
https://graph.facebook.com/v2.0/121727254549188
https://graph.facebook.com/v2.0/peterstevensmotorcycles
View posts for a public page by alias/id
https://graph.facebook.com/v2.0/121727254549188/posts
https://graph.facebook.com/v2.0/peterstevensmotorcycles/posts
Search for pages
https://graph.facebook.com/v2.0/search?q=Peter%20Stevens%20Motorcycles&type=page
When I test these in the Graph API explorer (https://developers.facebook.com/tools/explorer) using an App Access Token they work fine. App Access Token is obtained by hitting https://graph.facebook.com/v2.0/oauth/access_token?client_id={app-id}&client_secret={app-secret}&grant_type=client_credentials and replacing client_id and client_secret with my Facebook client credentials.
Our application would like to have the ability to make these for any given name so we can make queries about a company's presence.
We will have similar requirements for Twitter, LinkedIn and others so I just wanted to check if there are any means to do this in the current API or whether it will not suit our requirements.
You do not need to fetch an app access token - you can actually use the app id and secret separated by "|" as the access token. - You can see it at the bottom of the app access token section in the documentation: https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens
Spring Social's Facebook API binding does not (yet) support v2.0, but that's something I'm working on right now...so hopefully soon. Once that's complete, there'll certainly be some operations that work only with user access tokens and some that only work with app access tokens, and some that will work with either (FWIW, Twitter's API has a similar set of circumstances).
Keep an eye on the project in GitHub or follow #SpringSocial on Twitter to know when the v2.0 stuff is available. (I'd appreciate any help I can get in testing it.)
Although it makes no sense at all to obtain your FacebookTemplate via the connection framework for app token requests (connections are, by nature, a user-oriented concept), you can always construct a FacebookTemplate wherever you need it, giving it an app access token obtained via OAuth2Template's authenticateClient(). You can certainly do that now with the v1.0 API binding, but I'm uncertain what ops an app token would work with.
FWIW, as I'm working on the v2.0 API binding, I'm starting to sense an opportunity for FacebookTemplate to carry two tokens: A user token and an app token. This way you can perform app-centric requests even from a FacebookTemplate obtained from the connection framework. Then the only time you'd ever want to construct a FacebookTemplate manually is if there are some operations for which either kind of token will work, but the results would be different depending on what type of token is used.
I'm trying to build a Facebook-authenticated native mobile app (Windows Phone) that connects to a web service I am creating in Node.
I'd like for a user to:
Log in to Facebook on the mobile app via a native UI or web window
If logged in successfully, create or access server-side user account data tied to that identity
Use the authenticated session to make subsequent authenticated requestsvto that user's data via the native mobile app
My question is: What's the best approach here?
Should I...
Log in the client to facebook locally in the mobile app and pass the Access Token to the node service, and then somehow map the user to my service data based on their facebook account id? That seems grossly insecure if I just pass that token in the URL.
Log the user in via a mobile browser window inside my app, and then redirect back to my Node service in the same window? How do I then make subsequent authenticated requests natively in my app?
Do something else entirely?
Sorry this is so open ended but this is the first time I have tied these things together and although there's a lot of info on each part I've yet to find something that describes the overall pattern / best practice for this design.
Your question is quite opinion based...but still I will try to help.
First of all, you can pass access token in url, its not insecure if you use https. Even if logged into facebook from your mobile app, than also its going to pass a access token in url only. If you mean having the token in http://something.com/access_token, than its not how its should be done.
If you look into the Oauth 2.0 draft you will understand that its done through setting a header Authorization with the value being the token and token_type. Take a good look at the draft.
As your solution I think its fine if you just use the first method mentioned in the question by sending the access token in header as I mentioned in your app and in turn authenticating that token from facebook on each request.
If you think this is just too long a flow for authenticating every request from facebook, than you can get access token by sending request from your mobile app to server and let the server handle the access token and store it in database which you can authenticate each request.
In any case take a look at Passport module, it has facebook and other auth built-in and should be sufficient for your needs.
For this task I have already created my own facebook application to get the API key and secret key. Can anyone explain the next steps that should be done to
1) Read from facebook API
2) Write my own database
by using web services
Thanks in advance!
A high level answer:
I'm assuming you want to use the authorization code OAuth flow (this means you want Facebook users to give you access to their profiles so you can grab data from there). If so, you need to bring up a web server and an application that will run your users through the Facebook OAuth flow. In case you just want to access Facebook with your own credentials you don't have to have a web server, simply use the client credentials OAuth flow.
So, Once you have a valid access token, you simply make calls to Facebook API using this token. using Facebook Graph API is simply a matter of calling URLs and getting the data as JSON.
You can test-drive the API here.
BTW, according to Facebook's platform policy, you're only allowed to store Facebook data for caching purposes.
Let me know if this helps.