I have a question regarding UberRUSH three-legged-oauth and webhooks.
We are developing multi-tenant application that will act on behalf of UberRUSH users.
We are implementing three-legged-oauth flow, and we want to use webhooks to update delivery statuses.
In webhooks documentation (https://developer.uber.com/docs/deliveries/guides/webhooks) I read that UberRUSH event will contain information about delivery id (meta.resource_id) and user id (meta.user_id).
As we internally store our entities in separate tenants (separate tenant per UberRUSH user) we need to map event's user_id to our tenant name.
The only way I can think about for building such map, is based on user's access token that we keep. We can decode it (JWT) and read it's sub property (Subject), as I assume it contains user's id.
My question is, is it valid and safe (can we rely on it and it will not change in predictable future) to obtain user's id that way, or maybe there is simpler way to do it?
Since you're using the 3-legged-oauth, one simpler way to do this is to use the /me endpoint from the Riders API. That would provide you with the following user data:
{
"picture": "https://d1w2poirtb3as9.cloudfront.net/f3be498cb0bbf570aa3d.jpeg",
"first_name": "Uber",
"last_name": "Developer",
"uuid": "f4a416e3-6016-4623-8ec9-d5ee105a6e27",
"rider_id": "8OlTlUG1TyeAQf1JiBZZdkKxuSSOUwu2IkO0Hf9d2HV52Pm25A0NvsbmbnZr85tLVi-s8CckpBK8Eq0Nke4X-no3AcSHfeVh6J5O6LiQt5LsBZDSi4qyVUdSLeYDnTtirw==",
"email": "uberdevelopers#gmail.com",
"mobile_verified": true,
"promo_code": "uberd340ue"
}
With the uuid, rider_id, and email you'd get identifying props for the user. Keep in mind, you need to request the profile scope during auth to being able to make the call to /me.
Related
I am writing a public rest api, that uses api tokens that are one per application that uses it. I want to give the ability for the client to create users of the application, but not restrict them with what a user should be.
So I have API_USERS that need a token to authenticate to do any requests to the api. Lets say its an api for messages. So the messages from one application will be identified by that token, but how can I let the application that is using the api to be able to create their own users so that the messages in the database, are first uniquely identified for the application and then uniquely identified for the different users of the application if the application has such needs.
My idea is that I can just add another field like MESSAGE_OWNER and let the user handle how to create unique token for his users and maybe use his own database for storing users. Would that be a good solution? Is there another way I am not seeing?
I generated an API key for my Rally account. Is there a REST API to retrieve my basic user information, such as name, ObjectID, and ObjectUUID?
Sure, you can just read the /user endpoint and fetch whatever fields you need. This endpoint can both be used to query for multiple users, or if just read without any parameters it will return yourself.
So, to get yourself:
GET https://rally1.rallydev.com/slm/webservice/v2.0/user?fetch=ObjectID
Or to query for users (which you're probably familiar with):
GET https://rally1.rallydev.com/slm/webservice/v2.0/user?fetch=ObjectID&query=(UserName contains "Bob")
i need to map the same person's fbID between the old app(fb1.0) and new app(fb2.0)
Can i get the fbid list via a http request without accessToken??
That means i want to pull the fbid list with both my appkey & a user's fbid.
In order to match User IDs between different Apps, you need to use the Business Mapping API: https://developers.facebook.com/docs/apps/for-business
Consider reading the v2.2 changes of the changelog too:
A new token_for_business field makes it easier to identify the same person across multiple apps owned by the same business
Source: https://developers.facebook.com/docs/apps/changelog
For getting details (or just the ID) of a User, you always need an Access Token.
We have Rest calls like http://api.ourdomain.com/dashboard/resource-id Method: GET; where resource-id is the id of a resource which is tied to a logged-in user. We don't want any user be able to access other user's resources.
Thus, to determine if the resource is tied to the current logged-in user, we have to execute some queries(Joins) to know that this resource with resource-id is of logged-in user. Well, this is one of many cases we have. We certainly can't make a generalized AOP kind of method which will decide if requested resource is authorized to see by logged-in user, because the logic to decide that, is different for different resources. Other solution could be: to have "createdBy" column in every "resource" DB table so that the logic for deciding would be pretty simple i.e. just check if current logged-in user == resource record's createdBy column. But the latter seems a bit quirky one. Any suggestion, how we can design solution for this?
I'm doing a GET for customers with a given email address (there will only be one). Before displaying the returned information, I need to authenticate the user, but I can't see a way in the docs that allows providing a password as a parameter to a GET. In fact It only seems to be possible to provide a password when creating (POSTing) or updating (PUTting) a customer. Is it possible to authenticate customers via the API this way?
from what I understand - _authentication is only supported for POST and PUT on customer objects. I believe it is intended to create a customer who can login and stuff like that.
Can you explain your use case and maybe there is a workaround..