How oAuth is related to user account - smartsheet-api

I went through the documentation of smartsheet api third party authentication.
Steps are :
1. Register into developer tool.
2. Create an app.
3. note down client id.
4. From the application code call "authorize" api with client id.
5. smart sheet will redirect to consent page.
Now here I am confused. as to the API we will be called using Application's client id, how it is related to user who is access my web application. Because the app which I created in developer tool has access, api will works. Doesn't matter who is logged into my web application and has access to work sheet or not.
How smartsheet will know which user is trying to access the sheets because in the API we are just passing Developer App client id.
Or How Developer App can access logged in user's sheet.
Am I missing something?

The consent page will urge the user to login the system if the user has not logged in the system yet. Then, the system will ask the user whether he grants permissions to the client application or not. If permissions are granted, the system will issue a token which denotes "The user has granted the permissions to the client application". This is a basic concept of OAuth. Please read "The Simplest Guide to OAuth 2.0".

I recommend reading this section of the documentation: https://smartsheet-platform.github.io/api-docs/#third-party-app-development
Essentially, your application grants user access-scopes on a per-user basis. Your app needs a developer account. Your users need some kind of Smartsheet plan. Does that help?

Related

Error when using Facebook to log in to AWS Cognito

My partner and I are having an issue when we use Facebook to log in to Cognito.
When we use a Facebook account that is NOT a developer, the login flow works without issue.
However, when he or I log in, we see the error message below.
Invalid Scopes: openid. This message is only shown to developers. Users of your app will ignore these permissions if present. Please read the documentation for valid permissions at: https://developers.facebook.com/docs/facebook-login/permissions
We have the following scopes set up in Cognito:
OAuth 2.0
Allowed OAuth Flows
Authorization code grant
Implicit grant
Allowed OAuth Scopes
phone
email
openid
aws.cognito.signin.user.admin
profile
NOTE: This only happens for developers specified in the Facebook Developer portal. It does not affect end users.
Any ideas what might be causing this issue?
Did openid get deprecated and replaced by something? If I remove openid from the scope, I no longer can get the IdToken from Cognito.
According to AWS documentation The Facebook scopes and attributes may vary with each API version, so we recommend testing your integration. (found in https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-federation-with-social-idp.html). So maybe you can check according to the api version of Facebook that you are using. In the case that you want openId (that is not the default scope for Facebook ) then, according to https://developers.facebook.com/docs/permissions/reference/ you should ask specifically for it as per this sentence If you ask for permissions other than the default profile fields, email, or pages_show_list, you must submit your app for app review so Facebook can confirm that the app uses the data in intended ways and safeguards user privacy.

Google Smarthome Action account linking missing user information

my code is based on this example
https://codelabs.developers.google.com/codelabs/smarthome-washer
The OAuth process is working. But now I want to know who is the user.
Here
https://developers.google.com/assistant/identity/google-sign-in-oauth?oauth=code
is described that:
After the user gives your Action consent to access their Google profile, Google sends a request that contains a signed assertion of the Google user's identity.
But if I test the authentication I never will be ask to give access to my Google profile.
I think that I have to configure which information my app wants to have from the user. But I didn't know where to do that.
I searched a lot but I couldn't find an example which really explains how to get the user information.
Thank you for your help.
Regards Simon
The OAuth process is working. But now I want to know who is the user.
Just a note here that the samples and codelabs use a fake OAuth implementation does not implement a user sign-in flow and returns a hard-coded fake access token during account linking.
Here
https://developers.google.com/assistant/identity/google-sign-in-oauth?oauth=code
is described that:
After the user gives your Action consent to access their Google profile, Google sends a request that contains a signed assertion of the Google user's identity.
Smart home actions do not support the Google Sign-In account linking flows. You need to implement the OAuth authorization code flow in your account linking integration.
I think that I have to configure which information my app wants to have from the user. But I didn't know where to do that.
I searched a lot but I couldn't find an example which really explains how to get the user information.
This is essentially the opposite of what account linking accomplishes. The goal is not to provide user information from Google to your Action. Instead, account linking is used to authorize Google to access your user's devices by providing Google with an access token that your service considers valid for a particular user within your cloud service.
So in this case, you are the one that owns the user data. You are simply providing Google scoped access to that data for sending queries and commands to devices.

What is needed to access another user's facebook posts ("App Not Setup")

I have a desktop app which uses a user access token to read the me/feed endpoint and I can see all the posts for the logged in user. If I wanted to simplify deployment to different users I would need to minimise the amount of setup/configuration they did.
Is there a way to access me/feed for a given userid rather than have to setup every user as a developer account and create an app for it?
I have looked at https://developers.facebook.com/docs/graph-api/using-graph-api/v2.0 and it is not obvious to me how to do this.
What configuration / permissions does the user in question need to do to activate this. Which access token should I be using, and will it give access to all the posts in the same way the user access token does.
[EDIT] I have looked at this again and the problem I am having is that when a user (who has a facebook account but is NOT a developer) tries to login to my App (which is in development mode) I get the following error
"App Not Setup: The developers of this app have not set up this app properly for Facebook Login."
Thanks in advance

OAuth2, Facebook authentication and a mobile API

I'm developing a mobile API and I would like to allow mobile users to log in to my mobile application using their Facebook account.
I've been struggling to find some detailed information regarding this request. Could someone point me in the right direction? I'm using the following Laravel package for OAuth2:
https://github.com/lucadegasperi/oauth2-server-laravel
As I understand, the user clicks the "Login with Facebook" button and then proceeds to authentication. Facebook provides the access token as a result. But how does a user account appear on our server? And to my knowledge, it is our server that should provide an access token which is tied to the user account on our database. Could someone clear this up?
Have you looked at the Facebook mobile sdk guides?
iOS: https://developers.facebook.com/docs/ios
Andriod: https://developers.facebook.com/docs/android/
The package you mention looks like it performs oAuth authentication, and I don't think you need that. If I understand correctly, you should be able to use the Facebook sdk to perform the authentication and tell your app that the user is authenticated. You will have to create a user account for them (for example, add a record to the users table in your database) and store their Facebook ID.

How does "Facebook Connect", "Sign in with Twitter", etc. work technologically?

I'm curious how these systems work technologically. As I understand it you do the following as a user:
Go to your favorite 3rd party site.
Click the "Facebook Connect" button.
Log into Facebook (if not already).
Authorize Application
You are routed back to the 3rd party site logged in.
But, how does the 3rd party site talk to FB about who you are? I can understand how it could get the information it needs when you initially authorize the application, but how would it know afterwards? Here's a scenario:
You go to Facebook and log in.
You then go to your favorite 3rd party site (which you already authorized).
It already knows you are logged in!
A background ping using an IFrame is performed, and if the currently signed in account has already authorized the application, then the access token and user id are returned to the application. With this the application can decide what to do (usually, set a cookie and refresh the page so that the server can re-render the page knowing who you are based on the cookie that was just set). If you're curious, you can look at the Facebook implementation of the client side JS method called FB.getLoginStatus() here: http://github.com/facebook/connect-js/blob/master/src/core/auth.js#L117
It's using a 3-legged authentication system called OAuth.
After you start the process, the 3rd party site connects to Facebook, and if you were already logged into Facebook (live session with cookies) then it will just use that, and ask permission to authorize the 3rd party app.
Once it is authorized, it will get an auth_token, which it can use to access information from your account, unless you revoke it's access.
Check out OpenID. Also this presentation is very interresting: Facebook Connect vs FriendConnect
It all happens through OAuth2 mechanism ,where the third party application already registers with the facebook(or any other website which has oAuth2 implementation) and gets the Id(usually termed as clientId) and secretCode(i.e., clientSecret).
So, when you want to login into the third part app through fb, the service provides (clientId+clientSecret+callbackUrl )---> to facebook.while , the first two were to authorize the third part service and callback URl is URL where facebook responds back with a "accessToken" for that account.
Using this accessToken , the third part service will invoke facebook's graph api's to get the user related info and use them to login the user into their service.