I want to integrate Dropbox to my web app. The idea is that, having a user's mail and password I can access his files and allow him to work with them, all this using APIs. Is this possible, can anyone point me out to an example or explain how can I achieve this, I'm new to Dropbox APIs so if this is to simple to answer please do it anyway. I'm using php.
As said in APAD1's comment this can't be done with out the express user authorization. the oauth will redirect the user to a page and there he will aprove your request to use his data through APIs.
Related
I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on Javascript and on client-side code.
How Facebook or Google login can be used while maintaining server side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side javascript and log in with Facebook, how would I update the user data retrieved from facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are the proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
not sure if this is strictly programming question (apologies in advance).
We have windows service which is responsible for downloading data from different API's on regular basis, it's just internal tool we are using on our server.
For purposes of oauth2 authentication we use our another tool, which can
handle multiple Oauth logins through different API's, then we just ask this tool for access token and use it in our calls. This works perfectly with e.g. AdWords, BingAds, etc.
Now we have a task to download data from Facebook API. But the problem here is that according to FB we need to apply application for approval in order to get permission to "ads_read" source, which can allow us to download ad insights.
But the problem is that our tool is not an application it does not have any icon, screenshots or Privacy Policy URL. Is there any possibility to get these data without application to FB? Maybe is there another way to login and get the data from user without using oauth2, thus no need for using the oauth2 and scope permissions?
Thanks in advance
As long as you're only using your app with admins/testers/developers of the same app, you don't need to go under Login Review. Only if you also want to authenticate "other" users as well.
I'm writing an API for our product and I'm trying to understand how some basic OAuth works with regards to mobile apps that might leverage our (to be created) api.
Lets imagine that our website currently allows a person to LogIn to our site via Twitter OAuth.
On the callback from Twitter, our server retrieves the twitter OAuth result and if all good, then checks to see
if this user already exists in our DB (eg. lets assume the Email is the unique key). If they don't exist, we
create a new user.
Of course, we then log the user 'in', which means we create a cookie for them, for their browser.
So far - nothing new here. All normal stuff.
Now .. if we want to do this via an iPhone or Windows phone using their native language and the app's use our API, i'm not sure of the point where OAuth ends and our API takes over?
For example, lets pretend it's an iPhone app that takes advantage of our API.
The iPhone app will try to authenticate the user against their Twitter cred's. Ok, fine. But when it callsback, it's back in the phone, right? Not our servers. So then the app needs to try and create a new user? So then the iPhone might try and call /api/CreateAccount. But this means -anyone- can call this api? And how does the website really know they have authenticated? Only because the app says so? What's to stop the person from creating a malicious app and calling our API by flooding it with new account creations? And what about authentication to api resources? Forms Authentication isn't available here. So do people use querystring authentication over SSL for api calls? How does the iphone authenticate with -our- server?
I'm so confused.
Can anyone please explain the differences and common practices people are doing these days when they have a website and an api .. and use OAuth as the authentication mechanism, please?
The naive app would call not CreateAccount, but VerifyAccount with twitter's oauth set of data so you site and API could verify it. The site would respond with a unique userID and your iOS app would use that as it's internal user id. More info.
Im starting to implement the Facebook apis into my website..
Where i am having trouble is understanding the oauth api. Maybe this inst the correct api?
Basically what i am trying to do is allow the user to sign in / register with Facebook and and storing that information in my database as a new user as i will be creating a profile from this. I would also like the user to be able to login with or without Facebook using his credentials. I understand he would have to create a password on my site. Is it practical to store his information .. Name Address email and other information.
I am very confused with the api and need help. reading through the documentation i cannot find where this explained.
Look at how to authenticate user using facebook login system on your website
About your question on storing emails, check facebook policies are mentioned here
Use graph api for accessing user details and other stuff
Hope this helps
I'm building a iPhone App, that communicates with a webserver (Java webapp) using REST (XML over http). In my prototype I used http's basic-authentication to allow access and identify the user, using username and password. Since there should be friendships and profiles in my app, I want to use facebook-connect so I don't have to implement it and the users don't have to manage there friends and profiles twice. When I use fb-connect, I may even go without all the basic user management stuff, like create a new user, change password and so on.
So here is my question: Is it possible to use facebook-connect as my one and only user authentication? And more importantly: How can I authenticate the user while communicating with the webserver?
To clarify: I don't want to link the facebook account to my user accounts, I want to use it instead.
You can use the Facebook Graph API to do this. Here are some links to get started
A tutorial on the subject:
http://www.capturetheconversation.com/technology/iphone-facebook-oauth2-graph-api
Some objective-C work someone did to make life easier:
https://github.com/facebook/facebook-ios-sdk
The official graph API:
https://developers.facebook.com/docs/reference/api/