I am writing a web app that will allow a user to migrate their Dropbox Datastore data to a new database file that I will store in their Dropbox account using the core API.
The user authenticates using the PHP SDK, but when I attempt to make a Datastore call via JS, the Dropbox client isn't authenticated.
Is there a way I can grant access to both the PHP core SDK and JS Datastore SDK within the same authorization flow? I'd hate for my users to have to authenticate twice (once for each SDK).
Yes, both the Dropbox Datastore JavaScript SDK v1.2 and the Dropbox PHP Core SDK v1.1.5 use OAuth 2 access tokens and have constructors that taken an OAuth 2 access token directly.
To create a client in the PHP SDK using an OAuth 2 access token, use this constructor and pass in an OAuth 2 access token as $accessToken:
https://dropbox.github.io/dropbox-sdk-php/api-docs/v1.1.x/class-Dropbox.Client.html#___construct
To create a client in the JavaScript SDK using an OAuth 2 access token, you can use this constructor and pass in an OAuth 2 access token as token:
https://www.dropbox.com/developers-v1/datastore/docs/js#Dropbox.Client
Remember that a Dropbox OAuth 2 access token is specific to a particular user-app pair, and will only have access to the extent allowed by the permission the app is registered for.
Related
I have a Web API developed with ASP.Net Core. I also have a client app developed with Next.js and it uses NextAuth.js to handle the authentication.
In the UI, when a user is authenticated, I have access to the access token from Facebook.
My question is how can I use this access token to authenticate the requests sent to the back-end API.
This is the back-end code used to register the Facebook authentication scheme (it is all standard):
builder.Services.AddAuthentication()
.AddFacebook(
facebookOptions =>
{
facebookOptions.AppId = "<my_app_id>";
facebookOptions.AppSecret = "<my_app_secret>";
});
I want to construct a Postman request that can authenticate my user using a specific access token but I do not know where to put this access token and whether this is possible at all.
Just sending the request like this (without any modifications) results in visualizing the Facebook login page.
Your Asp.NetCore project integrates Facebook login. After logging in, the token you get can only access protected resources in the current project, such as: [Authorize].
If you want to access Facebook's resources, you need to write your own code to get the token and then access the resources.
1. How to Get Facebook Access Token in a couple of minutes: 2020 guide
2. How to get current user access token from Facebook SDK in C#? Not the App access token
After you get facebook access_token, then you can access Facebook's resources.
I have a website using ASP.NET Core, which uses MS Identity and external login from Facebook.
I have a Xamarin app that logs to this backend via login/password using Xamarin.Auth. I am wondering which is the best way to allow external login to Facebook from the app?
Should I create a separate Facebook app for Android or should I use the same as the website?
What would be the flow?
I am thinking of something like:
Using the Facebook sdk to log in
Pass the token to the server
Check from server side if the email exists or the FB user id exists
If yes check whether the app is registered using Facebook and if yes login
If no create an account
But until now I haven't stored the user's Facebook Id (only the email, that the user can also modify).
Xamarin.Auth is client library and currently has no server side implementations.
So, your server is Protected Resource and Facebook will be Authorisation Server. After you obtain your tokens (access_token and refresh_token) you would try to access Protected Resource presenting access_token as a credential. Protected Resource will perform token introspection (this could be separate service-server) which will decode the token, lookup username (mail) and check expiration of the token.
This is not specified in draft (RFC) so check how FB does token introspection.
Few links for more info:
How to validate an OAuth 2.0 access token for a resource server?
http://blog.api-security.org/2014/10/oauth-20-token-introspection-profile.html
https://www.quora.com/In-OAuth-2-0-how-do-resource-servers-assert-a-token-issued-by-an-authorization-server
https://connect2id.com/products/server/docs/api/token-introspection
https://leastprivilege.com/2015/12/27/oauth-2-0-token-introspection-middleware-for-asp-net-5/
I'm investigating how to use id server to provide auth services for a native mobile app that will talk to a Web API that we are developing. I started off with the flow as described in the MVC walkthrough - so the user is redirected by ID Server to FB (with acr_value/idp) and then redirected back after sign-in, where I can do the claims transformation and issue a token for our application.
The developers of the native client have concerns about this though, and would rather use the FB sdk to log the user in to FB, instead of having id server issue the token after redirections. The following issue on the previous version of ID server explains this well:
https://github.com/IdentityServer/IdentityServer2/issues/503
How would I go about doing this with id server 3?
This is a perfect use case for a custom grant.
1) first do native FB login
2) send FB token to IdentityServer token endpoint using custom grant
3) write a custom grant validator that validates the FB token
4) return JWT token for your APIs
Documentation:
https://identityserver.github.io/Documentation/docsv2/advanced/customGrantTypes.html
I saw PayPal REST request documentation for java SDK at https://developer.paypal.com/docs/integration/direct/make-your-first-call/.
It requires a developer to register an application.
Now, using the calls mentioned by using the clientId and secret, i can receive an access token. This access token will belong to me and not any other user, so i will only be able to access my resources.
Now, If i make an application, and want to obtain access token of the user using my application, how can the SDK be used to achieve this workflow?
We recently created the instructions to use PayPal Java SDK. You can read them about it here: https://github.com/paypal/PayPal-Java-SDK/wiki/Making-First-Call
Using Java-SDK, you do not need to create access token separately. Instead you create an APIContext object, and pass your clientId, secret, and mode(sandbox/live). You pass this instance to all the API operations, and SDK will automatically call the oauth, and get the access token. This also improves performance by caching the access token and re-using it for later use. This only should reduce number of network calls to half.
Are services like Facebook and twitter using the same oAuth mechanism for their own (mobile) apps as the rest of us? Or are the using some kind of "special mode" in oAuth which bypasses the permissions stuff etc. ?
Would really like to know how they are authenticating their users.
Facebook is not using oauth and have special login/private API for their own purposes. Only Facebook is 1st class citizen for these APIs and they don't need to bother with public APIs.
Facebook's iPhone,Android,etc apps can log users in directly with username and password and create a new Facebook session directly, but other apps using the API need to use Oauth to get a user access token
If you're using android or iphone SDKs, this can be without the user needing to log in again, they simply need to authorise the app in a dialog, which is rendered by the Facebook app and uses the session created by the Facebook-supplied app
yes, they use oAuth
Twitter oAuth
Facebook oAuth
Facebook Connect is based on OAuth 2.0. In OAuth 2.0. SSL is required while signatures are not required for the actual API calls once the token has been generated. It has only one security token.
Twitter uses 1.0a. OAuth 1.0 requires client to send two security tokens for each API call, and use both to generate the signature.