Everything I have read (e.g. https://api.slack.com/docs/oauth) makes it seem as though I can only build an app that integrates with a Slack team I manage. E.g. I have to create my Slack Client ID .. etc ... and then I can oAuth users for my team.
What I want to do is allow my app's users to login to my app using their Slack login (for their Slack team I do not control or have access to.) I don't want to force my users to generate a Client ID to use my app. I want them to login the same way Google Login or Facebook Login works.
The closest thing I have found is a "login with slack" HTML button, but I'd like to do it in iOS using Swift.
Is that possible?
Sadly, that's not possible. For google or facebook, the way authentication works is that they provide you a mobile API which handles the communication between your app and their web service. So you task is simply adopt that API, make simple function call and retrieve information for user from the API. For example, the facebook button is provided by the API.
However from a look at slack site, they only have RESTful API documented. So in this case, you have to handle the passing and storing of parameters by yourself, and send HTTP request manually. You can have a look at Alamofire framework, which is the best choice for making HTTP request. Basically, you have to send needed parameter with the specific url though HTTP request to perform a log in action, and you have to parse the respond data and then see if the login is successful or not, etc
Thanks to some help from friends it looks like the answer is yes.
You must first make sure you "Distribute App"
Then set up the permissions you require and "install app" (which is a bit not "smart" since you can accidentally add conflicting permissions and get an error when trying to install).
Once that is done you will get an Auth Token and can make requests for any user to login using oAuth.
You can also trigger a sign in request like so:
https://slack.com/oauth/authorize?client_id=[client id]&scope=identity.basic
Edit: For future Googlers, Slack now also provides a specific documentation page for this type of OAuth grant/login: Sign in with Slack
Related
I am working on API Integration Tests. In particular, I am trying to test the user's ability to login to our application with Facebook. Prior to signing in with our API, the user must sign in with Facebook on the front end of the application via the steps listed here. Since the tests going to be backend integration tests, I would like to handle the entire login in flow solely by leveraging Facebook's API. I can't seem to find any docs that illustrate a methodology to do what the these docs allow the front end to do. Does anyone have en experience with Facebook's API, and know how to simulate the login flow without actually using the login dialogue window?
Sign In Steps
Log in to Facebook
Log in to our API with Facebook returned authentication credentials and redirect uri
Their test user capability should help: https://developers.facebook.com/docs/apps/test-users
It'll allow you to create & sign into a test account, then destroy it afterwards. It won't be limited to normal login & visibility restrictions either.
I wonder if anyone can offer any advice - If a user likes my page on Facebook, can I somehow trigger a notification to them to prompt them to download my app on iOS/Android? The information I'm finding doesn't seem conclusive.
Thanks!
Just to update people - this can be done under the right conditions. AirBnB do it for example.
If your iOS/Android app uses Facebook Authentication you can harness the Notification API but only if your app has Facebook Canvas enabled.
Also, to send the Notification to a particular user (authed to your app) you must use an 'app token' rather than a 'user token' as you are performing an action on behalf of the app, not one particular user (like when you publish to their feed).
Because of this and the fact to obtain this token you must expose your app ID and secret it is advisable to carry out the notification push using server-side code - not client side or in an app that can be decompiled.
The docs aren't 100% up to date as they contradict themselves a little but you can find more info here: https://developers.facebook.com/docs/games/notifications
I'm writing an API for our product and I'm trying to understand how some basic OAuth works with regards to mobile apps that might leverage our (to be created) api.
Lets imagine that our website currently allows a person to LogIn to our site via Twitter OAuth.
On the callback from Twitter, our server retrieves the twitter OAuth result and if all good, then checks to see
if this user already exists in our DB (eg. lets assume the Email is the unique key). If they don't exist, we
create a new user.
Of course, we then log the user 'in', which means we create a cookie for them, for their browser.
So far - nothing new here. All normal stuff.
Now .. if we want to do this via an iPhone or Windows phone using their native language and the app's use our API, i'm not sure of the point where OAuth ends and our API takes over?
For example, lets pretend it's an iPhone app that takes advantage of our API.
The iPhone app will try to authenticate the user against their Twitter cred's. Ok, fine. But when it callsback, it's back in the phone, right? Not our servers. So then the app needs to try and create a new user? So then the iPhone might try and call /api/CreateAccount. But this means -anyone- can call this api? And how does the website really know they have authenticated? Only because the app says so? What's to stop the person from creating a malicious app and calling our API by flooding it with new account creations? And what about authentication to api resources? Forms Authentication isn't available here. So do people use querystring authentication over SSL for api calls? How does the iphone authenticate with -our- server?
I'm so confused.
Can anyone please explain the differences and common practices people are doing these days when they have a website and an api .. and use OAuth as the authentication mechanism, please?
The naive app would call not CreateAccount, but VerifyAccount with twitter's oauth set of data so you site and API could verify it. The site would respond with a unique userID and your iOS app would use that as it's internal user id. More info.
I'm getting into the grimy guts of a problem that has turned out to be rather cumbersome so I turn to you, the experts, for help.
what I've done so far: I am building an iphone app with phonegap. I am using the provided fbconnect (in phonegap github) code which gives some rather convenient javascript based example code to build things like a comment and check in request. I have comments and checkins fully working how I want, and I have an auth_token that I am successfully toting around.
enter the like button: I understand that you cannot make like requests via xmlhttprequest in the same way that you can with comments for example, so I am stuck using an iframe (unless there is a better alternative).
what I need help with: right now, since the iframe is triggering its own login, I have the situation where the user might log in to like, and then have to log in again to comment which is not a viable. Is there a way to pass a valid auth token to the iframe so the user wont be prompted to log in again or some other sneaky way to authorize through the childbrowser solution that I have currently implemented and then share the auth token to the rest of the app?
notes: I havent passed an app ID to my auth implementation but I noticed that the iframe does pass an app ID. would including an app ID in my auth request somehow link the logins so facebook could recognize that the user is already logged in through the app?
I can't think of any specific code to include since this is more of a general question but if there is anything you'd like to have a look at please let me know.
The short answer is no, mainly for security and spam prevention. The only way to have the user like your page is rendering the iframe code in a webview. This requires a traditional email/password login with Facebook. Using the graph api is the only way to use things like commenting and checkins, and this requires a user to login via a separate mechanism and then subsequently approve your app. There is no back door logging in mechanism.
When using simple request to post to Twitter the messages are signed with "sent from API". Is there a way to change that to the actual name of your application? Is it another post parameter or something else?
This is covered in the Twitter API FAQ
If you would like tweets from your application to recieve a source parameter, please register an application and implement OAuth authentication. We will automatically include your application as the source for any tweets sent from your application.
If you are writing a desktop Twitter client and you want your application's name to show up instead of "From API", you have to use OAUth.
If you want to use OAuth in your desktop Twitter application, you have to go through Twitter's PIN workflow (i.e., sending the user to the Twitter website to authenticate).
The confirmation step is part of the reason Twitter is using OAuth. There's no getting around it.
There are several libraries out there that implement OAuth for Twitter so you're not reinventing the wheel.
If you want example on how to use OAuth and Twitter I have it in my blog
"If you are writing a desktop Twitter client and you want your application's name to show up instead of "From API", you have to use OAUth.
If you want to use OAuth in your desktop Twitter application, you have to go through Twitter's PIN workflow (i.e., sending the user to the Twitter website to authenticate)."
Hold on a moment, how do Twitter clients manage to put their client name in the "via" without you logging in somewhere and copying a PIN back to the application.
I just want a command line client that updates my status and prints "via MyApp". Am I missing something here?
(I might be, I've only started trying to figure this out yesterday)
In fact if the user isn't authenticated, I don't want to get them to login elsewhere and copy/paste a PIN, I want them to type their user/pass into my application. Like what happens with all the twitter clients I've seen...