I'm looking for a unique identifier for authorized users with oauth2, with scope https://www.googleapis.com/auth/analytics.readonly.
Without google plus scope https://www.googleapis.com/auth/plus.login.
At google document reference i found username field. Description says.
Email ID of the authenticated user
I'm wondering if this field is unique identifier or not.
Any knows anything about this?
This is kind of a round about way of doing it but the Management API has a method called accountSummeries.list it returns a list of google analytics accounts the current authenticated user has access to.
It also returns Username which is their email address.
username string Email ID of the authenticated user
{
"kind": "analytics#accountSummaries",
"username": string,
"totalResults": integer,
"startIndex": integer,
"itemsPerPage": integer,
"previousLink": string,
"nextLink": string,
"items": [
management.accountSummaries Resource
]
}
This is the only method I have found that just uses the google analytics API to get info about the user. Alternative is to request profile or email scopes as well and then go though the people API.
Note: You can also decrypt the token id returned by the authentication which will give you Googles internal unique user id. This is a bit harder way of doing it though.
Related
I am trying to get the impersonated userguid from the docusign api. Per the documentation I need to call /restapi/v2/accounts/account_id/users?email=email, which is not working for me. I assume the full url would be https://admin.docusign.com/restapi/v2/accounts/account_id/users?email="sampleemail#gmail.com" .
I am getting a 404 when entering my email in the above format.
Looks like you have the incorrect domain. API Calls generally don't get made against admin.docusign.com. You'll want to make that call against the Application Server your account is on.
In the Sandbox environment that will be demo.docusign.net. In prod you'd need to make a UserInfo call to determine which server your account is on. It could be something like www.docusign.net or na2.docusign.net, but there are several possible domains.
In order to get Impersonate GUID ,
Login to admin account
Under setting options Click API and keys
Value under the user id text box is Impersonate GUID
During configuration & setup:
1. You have an account admin enter information such as account, their userId ("API User Name" in web app). Save both items.
2. You follow the "consent flow", get their consent, generate a JWT and
exchange for a token.
3. Use the /user_info call against the account
server to get the list of their accounts. If more than one account
in the array, find the one that matches what they entered in the
configuration. Get and save the associated "base_uri". You will
use that for all subsequent API calls.
Your application now has stored the account ID, the admin's "userId", and the base URI to built API URLs.
During business application operations:
Admin is "Bob". Sender is "Jill"
You need to get an access token for Jill.
1. Create JWT for Bob, exchange for access token, make GET /users?email={Jill's email). This gives you Jill's "userId".
2. Create JWT for Jill, exchange for access token.
3. Make API call as Jill, using her access token.
I have an app where the user logs into Facebook (and thus has an Auth Token) and then sends that token to my server for authentication within the app.
If it's the users first time in the app, I need to sign them up as well (gather email and name)
Using the users FB auth token (and any server-side tokens) how do I retrieve the user's email address and name? (What endpoints do I need to hit with what tokens/body?)
--
Additional Info:
The login is scoped with ['public_profile', 'email']
The application is running in Node.js on AWS Lambda, and I'd prefer to make a simple fetch if possible instead of installing a whole gql client.
I have tried looking at their graphQL documentation, but I can't
seem to make heads or tails out of it.
I do have access to the user's ID (example: 10157426730xxxxxx)
This would be the API call to get the name and email of a user, with a User Token:
https://graph.facebook.com/me?fields=name,email&access_token=xxxx
Alternatively, you can add the version:
https://graph.facebook.com/v4.0/me?fields=name,email&access_token=xxxx
All the existing fields for users are here to find: https://developers.facebook.com/docs/graph-api/reference/user/
You do not need the User ID, the User Token identifies the User anyway and you can just use "me" instead of the ID. The Graph API is a REST API though, not GraphQL.
I just have a quick Auth0 question. I've looked all over, but the more I look the more confused I get.
In the payload of the JWT that Auth0 gives me when I log in there is a Sub claim that look like this "sub": "facebook|123456789".
I'm just curious if sub will always be unique and if I can use it as a sort of foreign key in my database to link users to different tables.
The sub, short for subject, in this case is the User Id for the normalised user profile representing the user in Auth0.
Here, facebook|123456789 is the connection strategy (social connection of type facebook in your example) piped with the facebook ID for the user (which came from facebook). However, bear in mind, that with facebook, when you set up a Connection, you are actually setting up connection to a particular Facebook App - (the App ID and App Secret that you configure in Auth0 for that connection strategy). Long story short, for a single connection strategy of type facebook, defined under social connections in Auth0 Dashboard - then yes, this would be unique and could be a correlating identifier to a separate datastore with enriched info about that user profile etc.
Just bear in mind, if you were to create another separate App defined in Facebook, then setup a new Auth0 facebook connection to that facebook app, and login with same user - they would almost certainly receive a different sub since the facebook userId would be different. For example, it might be facebook|987654321 etc
I am developing REST API secured using Google OAuth2 (using java if that matters). The approach is as follows:
UI is authenticating through Google and has: google id + token id,
google id + token id are both sent on each request to API as headers,
REST API uses URL https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=token_id to obtain JSON similar to below (where token_id come from request header):
JSON:
{
"iss": "accounts.google.com",
"iat": "14791197651",
"exp": "14795233651",
"at_hash": "xDLxhM85hTYU0KwU-rhPgg",
"aud": "541950199239-s1fag9iaes0s99g4feipe0ih0l75km1l.apps.googleusercontent.com",
"sub": "197763402127980067798",
"azp": "541950819239-s5fag9iaes9s99g4feipe0ih0l75km1l.apps.googleusercontent.com",
"alg": "RS256",
"kid": "db9e3d7cdd1b4178010f89af11cfd37400061afc"
}
and compares sub value to google id from the request header,
if the check passes and user by google id is in our database, then user is authorized to use the REST API (additional logic might be applied).
Is that correct workflow or additional checks need to be done?
Thanks in advance for your help.
Looking into the Google documentation, if you're going to use the tokeninfo endpoint (which you are), you need just the id_token, and then you must also
check that the aud claim contains one of your app's client IDs
so that you can not only validate the token, but ensure it's actually intended for your client.
Ergo, you can just pull the user's unique Google ID from the sub claim, no need to match it against the one received by the client.
I am using app login access token retrieved through following API -
https://graph.facebook.com/oauth/access_token?client_id=&client_secret=&grant_type=client_credentials
Can I retrieve email address (primary email not the facebook email) of any user if it is public using Graph API?
Thanks
Lakhan
Two ways to get users primary email:
For the authenticating user (ie the one who has granted your application access to their profile) and only when you explicitly request that permission.
If the email is explicitly made public by some arbitrary user not authenticating with your app, then that will be available to you also. Any publically visable info you can see via facebook.com is equally accessible via the API.
For getting the authenticating users email, when you first request the oAuth dialog you need to pass a scope with the email permission (as well as whatever other permissions you require). See more about permissions here and more about using scope here .
When the email is available it can be found in the User payload, see more about the API request and payload here.
Check the doc here : http://developers.facebook.com/docs/reference/api/user/
With the email argument, you will be able to get the email.