The Snapchat Marketing API outlines authentication in the following steps:
1.) Open the authorize link in the browser:
https://accounts.snapchat.com/login/oauth2/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&scope=snapchat-marketing-api&state=wmKkg0TWgppW8PTBZ20sldUmF7hwvU
2.) Authenticated user clicks the authorize button
3.) Physically copy the code out of the browser address bar
4.) Issue an API/cURL request- exchanging the authorization code for an access token
5.) When the access token expires- exchange a refresh token (from step 4) for a new one.
My main issue with these steps is that the flow is a hybrid web flow/client credentials flow. I am completely dependent upon a browser session to create an access token.
Furthermore, the code obtained from step 3 needs to be regenerated each time an access token is created with it.
There is no [obvious] way to programmatically create an access token. Is there? Even my Selenium attempts trigger a Captcha ...
Turns out - permanently caching/storing the refresh_token was the ticket. With it- I can repeat step #5 above ad infinitum.
Related
I am trying to use Github Oauth App for authorization purpose. No Authentication, no sign in with github.
I would like a user (having an account on my app) to link their GitHub account to my app's account. I understand the github web flow. Let the user authorize Oauth app for the first time. Get the authorization code. Fetch an access token using the code. And use that token to do git operations on user's behalf.
Now the thing I am unsure about is, what if the user logs out of my app and logs back in again?
Not a good practise to ask them to link accounts for each login.
Should I automatically do the Oauth flow again and generate a new access token for each login? If that is, why does Github Oauth App have an access token that won't expire? And why does Oauth app store multiple tokens for the same user, same scope? Why not remove the previous token and store the new one only? Because of this move by Github, I believe this is not the correct way to go. I don't know.
Or, should I store their initial token in the database, and use the same token forever? Is that a good practise? And if that is, how do I verify the scopes initially defined for that token is still the same? I couldn't understand this bit, reading through the Github documentation.
I hope I was clear enough. I couldn't understand this account linking thing.
I have a web-site with users "site-account".
Users also are registered in VSTS / (project1.visualstudio.com, project2.visualstudio.com, ...) "vsts-account"
I need allow user once link a "site-account" to "vsts-account" (one or multiple)
After link a account i can read / write a Work-Backlog item in any time.
Example, in background read Work-Backlog and send email notification.
I cant understand how i can link and grand access to "vsts-account" from "site-account"
I can create a Extension, that will be installed in VSTS.
Thanks for any links
The simple workflow:
Create a web app with OAuth authorize, refer to this article: ASP.NET web app (OAuth sample)
The user login your web-site with "site-account"
After login, enable the link (e.g. vsts-account), the user can click the link to authorization to the VSTS
Associate the access token and refresh token to that user (store in database)
Using refresh token to get access token if the access token expired
Using access token to get work item in VSTS
More information about OAuth with VSTS, you can refer to Authorize access to REST APIs with OAuth 2.0
I am pulling my hair out trying to understand what Facebook wants me to do to post to a FaceBook Page as a System User that has Admin and Page Privileges to and Owned by our business (We have Facebook Business Manager).
In a nut shell all I want to do is make this call:
https://graph.facebook.com/v2.5/${MyPageID}/feed
What I don't get is the access_token part.
I can generate access tokes for Apps, for Pages but all result in 403 returned from FaceBook. I have gone as far and checking every box available on the generate access token popup on the graph api and still I get 403 "Forbidden" so I am detailing the little I understand of the insanity that is FaceBook Auth in the hope that someone can explain where I am going wrong.
1) To Post as a System User to a Page I have to Create a FB App (I Would prefer just to post direct to the pages and skip the App part, My System User has Admin Access on All pages)
2) To Access the App I need an App Token.
3) To Create an App token I need a User Token.
4) To Create a user token I need to log in to Facebook and have all sorts of permissions on the App. (I can't log in as the System User! FB asks me to login as myself. I am not sure if this breaks the Auth Token generated?)
5) Then there are all sorts of swapping tokens to get a Permanent App token, Another point of potential failure!
6) IF the stars and moon align and you stand on your head the permanent App key can be passed to the above call as the access_token
I don't understand how to link the Pages I want to post to with the App created. Do I have to have 1 App for Each Page?
I have got one page to work, We initially used that App to Auth against the Instant Article Graph API:
https://graph.facebook.com/v2.5/${MyPageID}/instant_articles
I could not use the above token for the /feed url, I had to generate a new token with extra publish permissions and the page published with no problems, however when I change the ${MyPageID} to another page using the same access_token I get the 403.
I tried Creating a new App, I have no clue how they link to a specific page So the App to me seems sort of redundant.
Any help with what I am doing wrong or how I can go about simply posting to various FB Pages with a System User using the /feed api ?
The calls are made form a Spring Boot Java APP using HTTP Posts.
How to get a System User Auth and Page Auth:
1) Generate a User Token for an App (Button above the System User):
https://business.facebook.com/settings/system-users/${System User ID}?business_id=${your_business_manager_id}
System user has Page Admin on each page you need to post to.
App is just an FB app, not sure what it does other that it is a grouping I generate a token against.
I chose: (manage_pages, publish_pages, publish_actions, pages_manage_instant_articles, pages_show_list)
2) Check your access token:
https://developers.facebook.com/tools/debug/accesstoken/?access_token=${The access token you got from the step above}&version=v2.12
This will provide you with the App ID the Token is for and how long it lasts (we need a Permanent token)
3) Using Graph API Explorer gets the Accounts this token has access to:
https://developers.facebook.com/tools/explorer/${Your FB APP ID}/?method=GET&path=me%2Faccounts&version=v2.12
4) Using the output above find Page Auth for each page you wan to publish to
5) Post to each page in turn:
https://graph.facebook.com/v2.5/${MyPageID}/feed
The docs for account linking for actions on google say you must provide a refresh token for implicit flow - it doesn't mention if this is required for Authorization code flows. https://developers.google.com/actions/identity/oauth2-implicit-flow
So if I had an end point that produces access tokens but doesn't issue refresh tokens (the access tokens do expire but I require a user to authenticate again in this instance - this is a security requirement outside of my control) can we still use the Authorization Code flow in this instance?
Finally how would this work with 3rd party login providers? So if I offer Facebook Login on my web app then I also won't receive a refresh token. I know I can get an extended Facebook token, but again there's no guarantee a user will use my action whilst that token is valid.
In both cases do we just return a 401 unauthorized error and will this prompt the user to sign in again from a google action side?
Take a look at the Google Assistant Smart Home sample, which uses Authorization codes. When the HomeGraph makes an HTTP request to your cloud, it does so for a particular user. It tries to include a token, but if the token expired, it sends a new request to get the latest access token.
Could someone please clarify whether it's possible to refresh a LinkedIn access token programatically WITHOUT requiring any user interaction?
https://developer.linkedin.com/support/faq
...Refreshing an access token can be done silently behind-the-scenes and should have no impact on user experience.
...If your application requires you to make API calls in an automated way - without user interaction, you need to bootstrap the first access token request by manually signing in, and then ensure that your application refreshes the token automatically prior to expiry to avoid the need for additional human authentication.
Their documentation points to 'Step 5 — Refresh your Access Tokens' https://developer.linkedin.com/docs/oauth2#refresh
During the refresh workflow, provided the following conditions are met, the authorization dialog portion of the flow is automatically skipped and the user is redirected back to your callback URL, making acquiring a refreshed access token a seamless behind-the-scenes user experience:
The user is still logged into www.linkedin.com
The user's current access token has not expired
As clear as mud...but from the above it sounds like their "silent" refresh still requires the user to have an active session/logged in to LinkedIn.
Thank you!
Looks like you need to ask them to enable Credentials Flow so you can pass the client ID and client secret directly. I'm in the same boat, really frustrating.
"Commonly referred to as "OAuth two-legged", this flow allows your application to authorize with LinkedIn's API directly - outside the context of any specific user."
https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow