Messenger requires secure callback url - callback

When creating a Messenger chat bot you must force people to subscribe to your page before they can use it.
To do this you need a Secure Callback URL, a standard http:// address won't do, it must be https://
I don't have a Secure Callback URL at my disposal. Can anyone recommend a site/way for me to get one?

You can configure your domain name with Cloudflare to use it as a proxy between the user & your webserver.
You can enable their flexible SSL which is free of charge and very easy to configure. You can find more details here and here. I've recently configured my FB Chatbot webhook with Cloudflare free SSL and it works pretty well.

Related

How to use Yahoo OAuth2 in a desktop installed application to send emails out using a Yahoo email account

I'm supporting an installed application, a standalone desktop application. I would like to enable people who use this application to send out emails using their Yahoo email account.
I know that I will need to create an application in Yahoo Developer Network, then generate a URL to request a Yahoo OAuth2 token first and then use this token, I can use SMTP or OpenID API to send out emails.
I've encountered a lot of problems while creating my application in Yahoo Developer Network, and requesting the token. I've compiled them and I'm listing them below:
Confidential client or public client:
Yahoo explains that one should choose confidential client for traditional web application and choose public client for mobile apps, native apps, or single-page apps.
If confidential client is selected, there will be a client secret generated; and if public client is selected, there will be no client secret generated. Plus, if I choose public client, which I did for my application, when I request the OAuth2 token, I can choose to not include the client secret as one of the parameters and it looks like that is not causing any problem.
API Permission:
I took it as scope. But the strange thing is that it does not include anything like Google. Google states "Send email on behalf of customer", but similar choice in Yahoo is like OpenID Connect Permissions-Email, which has a brief introduction as "Access to email address and verified status".
There is another possible choice for OpenID Connect Permissions, as well. It's called Profile, having a brief introduction as "Access to common profile information (eg. first/last name, gender, etc.)".
Another strange thing about permission is that when I started to request OAuth2 token by opening a generated request url, after logging into my yahoo account, the page stated the permission as "Read Profile", which does not meet our expectation, as I took it. Plus, it does not have anything like sending email on behalf of customer.
Redirect URI:
In Yahoo developer center, for the application I created, I set it to localhost, port 55555, the same as I set for Google OAuth2.
I have reviewed some code examples, the code uses the secret, the stuff that only exists for confidential clients, or traditional web application, and stated that I need to develop a redirect web page in our website, which redirects to localhost, port 55555.
Redirect URI is also a required parameter when generating the OAuth2 token request url. If I state localhost as the redirect uri inside the requesting url, Yahoo page says "Oh, no. There had been some problems, please try again. Developer: Please send a valid request."
If I set the redirect uri to "oob", which means "out of boundary", as stated in Yahoo OAuth2 Guide, the generated url will succeed, but the same page shows up again after I login to my Yahoo account and grant the permission requested. Well the permission is also weird. It's "Read Profile", nothing about email sending.
I have searched the Internet to find out what exactly those settings should be set to for my scenario and read thoroughly through the Yahoo OAuth2.0 Guide. But nothing is clear enough for me to do my coding job. Could anyone shed some light for me? Thanks in advance.
Plus, I'm thinking of getting help from Yahoo regarding this task, but it seems that they do not have any communication channels for developers like me. Does anyone know more about that and would like to share with me? Thanks, again.

http error 502 when accessing paypal.com through proxy

Sigh. The header says it all, really. I'm trying to go to paypal.com through a proxy of mine. And the result is a 502 error. There's a long waiting time before that happens. And it's the same on some other secure sites. Yes, of course, paypal uses https. So does stackoverflow, but I have no trouble going to SO through my proxy. What's going on here? I suspect paypal uses a firewall and tries to detect bots accessing from web servers. But is it somehow against the rules to access through a proxy? How does paypal see the difference between a person surfing from a browser and a script running on a server? I mean I can't even get at the home page; this has nothing to do with logging in.
I haven't investigated much so far because I'm hoping that some hacker out there already knows all about this and can guide me along. I'm only speculating. Are the request headers sent to paypal somehow incompatible? I impersonate a user agent that possibly contradicts some header that the server adds without my knowledge? Does paypal check the ip address and decide that it's a web server? Can you see that even from the headers? The proxy uses https - it doesn't tunnel. Does that lead to paypal seeing the certificate of the web server?
I'm sure paypal has lots of protective software sniffing at the requests coming in. To prevent DDOS attacks? To defeat hackers? To exclude bots? A proxy is not exactly a bot, it just relays requests from a human user. Anyway, what's the difference, as seen by paypal, between a request from a browser and from a proxy?

Facebook login without Valid OAuth redirect URIs

This is not about wildcard domains. It's about the need to add completely different domains to Valid OAuth redirect URIs on Facebook Login.
We have a web app where our clients can set up their own custom domain (example.com, xyz.net, etc). We don't know what domains will be used.
On Facebook we have a single app that takes care of the Facebook login. It seems that we need to whitelist specifically every domain that uses the FB Login.
Adding the domains manually is not an option. What options do we have?
Thanks.
The simplest solution that I can think of is to use an intermediate identity service with a very lax redirect uri validation. There is a good discussion of this approach and some of the security concerns with it in relation to IdentityServer4.
I have used custom redirect uri validation for an identity service before but only for very restrictive cases as this is one of most exploited vulnerabilities in an OAuth flow. The flexibility that you would need would weaken security considerably.
To implement it in IdentityServer4 you would set up Facebook authentication on the identity server and register the identity server's address with Facebook. You would then create clients to represent your new domains. This could be a single client for everything (making things more insecure still) or you could add a way for your clients to register themselves with the identity server (for instance dynamic client registration).
When a client wants to connect to Facebook they will use Open Id Connect to connect to the identity server which will then communicate with Facebook. In IdentityServer4 the client would add middleware for this with UseOpenIdConnectAuthentication (see here for an example).
Long story short, you can resolve your issue by using an intermediate identity service. The identity service will be the only url that needs to be registered with Facebook and your clients will register with your identity service which you will have control over.
With great power comes great responsibility though. Taking the path of least effort will lead to a solution that lowers security considerably. Enforcing a secure dynamic registration with the identity service such as dynamic client registration protocol will allow you to use a single strict redirect uri per client and make your system about as secure as you can reasonably get it.

https even just for testing purposes?

I know that you need a secure https thingy to host a valid app on. But if I just want to test some stuff, like how to make use of the social plugins from within a flash app and so on, do I need a secured url as well?
Or is there something like a testuser for that too, that doesn't care about this but lets me simply test the stuff?
Thanks for any help.
"All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode)." Via: Facebook Dev Blog - https://developers.facebook.com/blog/post/497
Just set your app to sandbox mode. And you should be all set. Otherwise you could always look into a service such as this: http://www.social-server.com
This is no longer possible. Facebook now requires a HTTPS connection: the Secure Browsing option under Account Settings is no longer available.

Use Plone to authenticate users from mobile devices

I'm starting to create an iPhone/Android app that will need to use Plone users (i.e. register on the website and then enjoy the app on your mobile).
What's the best approach on doing this? I've seen some apps using OAuth or other techniques; which ones currently support Plone 4 (4.0.3 exactly)?
I have the users on an LDAP server (OpenLDAP) but even then I still have to log them in on Plone to be able to send and retrieve data from there to the mobile phone.
You have 3 options, and what you choose is dependent on what your skills are and how much time you are willing to invest:
Basic auth
Have your user enter a username and password into the app, and just use HTTP BasicAuth headers to access the site. Plone supports Basic auth authentication out of the box.
This is not the most secure method; passwords are basically sent base64-encoded, so you may want to use HTTPS to communicate with the server. A good idea in any case for authentication anyway.
Cookie authentication
Send a POST request with __ac_name and __ac_password items to '/login_form' on your Plone site, and capture the Set-Cookie header on the response, containing the __ac cookie. That's a tk-auth authentication token you can use on any subsequent request. This is a secure cookie, but any attacker sniffing the HTTP communication stream could re-use this, so again HTTPS is the secure way to communicate.
OAuth
Plone does not (yet) support OAuth out of the box, but integrating with python-oauth should be trivial. This would most likely require a PluggableAuthSystem (PAS) plugin to be written.
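The Basic auth and cookie auth options from the answer above, assembled as an added example that is not part of the original answer or of Plone itself: it builds the Authorization header, the POST to /login_form, and the extraction of the __ac cookie from the response, and refuses to put credentials on anything but an https URL. The site URL is a placeholder and the cookie value in the test is constructed.

```python
"""Added example (not from the answer or from Plone): build the Plone
authentication requests described above without sending anything, so the
pieces can be checked offline. /login_form, __ac_name, __ac_password and the
__ac cookie come from the answer; plone.example.test is a placeholder host."""
import base64
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlparse

SITE = "https://plone.example.test"  # placeholder, not a real site


def is_https(url: str) -> bool:
    """Both methods send a secret (password or session token) in clear text
    at the HTTP layer, so only TLS protects them from a sniffer."""
    return urlparse(url).scheme == "https"


def require_https(url: str) -> str:
    """Refuse to send credentials or session tokens over plain HTTP."""
    if not is_https(url):
        raise ValueError("credentials must only be sent over https: " + url)
    return url


def basic_auth_header(username: str, password: str) -> dict:
    """Option 1: HTTP Basic auth. The value is base64-encoded, not encrypted."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def login_form_request(site: str, username: str, password: str) -> dict:
    """Option 2, step 1: the POST to /login_form that yields the __ac cookie."""
    url = require_https(site.rstrip("/") + "/login_form")
    body = urlencode({"__ac_name": username, "__ac_password": password})
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def extract_ac_cookie(set_cookie_header: str) -> str:
    """Option 2, step 2: pull the __ac token out of the Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if "__ac" not in jar:
        raise ValueError("login failed: no __ac cookie in response")
    return jar["__ac"].value


def authed_request_headers(site: str, ac_token: str) -> dict:
    """Reuse the captured token on later requests, again only over https."""
    require_https(site)
    return {"Cookie": "__ac=" + ac_token}
```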