GitHub OAuth in lua - github

I am working on a library in LUA for an ipad app called Codea. I'm trying to figure out to use OAuth for GitHub Gists. Only part that i can not figure out is how to get an Auth token via code. I used curl in terminal to get myself a token but this seems to be to much work for other users.
I've read through the github api docs multiple times but I cant figure out how to get a Token programmatically. I've tried to duplicate the method I've used to GET and POST gists but it does not seem to work. I'm not sure how to pass the username and password.
I'm creating a table with the needed params then encoding it in json. Everything I try gets a 404 error or 500 error. Thank you all in advance.
local url = "https://api.github.com/authorizations"
local d = {}
d.scopes = {"gist"}
d.note = "AutoGist Codea"
projectAuth = json.encode(d)
opts = { data = projectAuth }
opts.method = "POST"
opts.headers = {Authorization = "basic " .."username:password"}
http.request(url,successCallback,failedCallback,opts)

Scopes are coming, but only in Q4 2013.
See "OAuth changes coming" (October 2013, by Tim Cleam - tclem):
Starting today, we are returning granted scopes as part of the access_token response.
For example, if you are making a POST with the application/json mime-type you’ll see an additional field for the granted scopes.
{
"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a",
"scope":"repo,gist",
"token_type":"bearer"
}
Right now, these scopes will be identical to what you requested, but we are moving towards a feature set that will allow GitHub users to edit their scopes, effectively granting your application less access than you originally requested.
You should be aware of this possibility and adjust your application behavior accordingly.
Some things to watch out for and keep in mind:
Most third party applications using GitHub OAuth to identify users have the best success in adoption by starting out with a request for the minimum access that the application can possibly get away with.
Something like no scopes or just user:email is very sane.
It is important to handle the error cases where a users chooses to grant you less access than you originally requested.
Now that we are surfacing the granted scopes on the access_token response, applications can warn or otherwise communicate with their users that they will see reduced functionality or be unable to perform some actions.
Applications can always send users back through the flow again to get additional permission, but don’t forget that users can always say no.

Related

LinkedIn API: fetching our company's posts & profile info

So, I'm making this application, and it's required that it has an embed thingy containing the recent LinkedIn posts as well as basic profile info of the company...
Since I like the Law of Minimum effort, the first thing I saw that made my eyes sparkle was the RSS feed... But it seems like it's been phased out. It just redirects to the company page, period.
Then I realized that we have 2 APIs, v1 being superdead since May.
So, I succesfully generated a v2 access token, keeping in mind that it will have to be renewed every 2 months, but hey, nothing's perfect.
Anyway, I know there's a v1 endpoint that would seem to put me on the right track:
https://api.linkedin.com/v1/companies/{id}:
(id,name,ticker,description)?format=json
However, when I go to the v2 docs (https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/context), there's this entire, very detailed section about Authentication, and a section titled "API guide" which talks about "API Concepts" as well as "Best Practices"... but no section detailing just where the endpoints are and how to use them?????
Please, help me, SO, how do I get a company's recent posts as well as basic info like name and pfp?
Thank you in advance.
UPDATE: I have made progress, I think.
I found this: https://learn.microsoft.com/en-us/linkedin/marketing/integrations/community-management/shares/company-pages-migration
And this: https://learn.microsoft.com/en-us/linkedin/marketing/integrations/community-management/organizations/organization-lookup-api
I am making the call and after basically having to guess how to input my token (it must be included as the oauth2_access_token parameter) I get a 403 error DESPITE me being an administrator for the organization I'm looking up.
Call: https://api.linkedin.com/v2/organizations/XXXXXXXX?oauth2_access_token=my-token
Response:
{"serviceErrorCode":100,"message":"Not enough permissions to access: GET /organizations/00000000","status":403}
This makes me think maybe I need to request extra permissions on authentication... but THAT I do not find anywhere (i.e. what the permissions are. I only find really vague stuff with NO details. eg: https://learn.microsoft.com/en-us/linkedin/shared/authentication/permissions?context=linkedin/context)
UPDATE 2: As suggested by #ManvinderSingh I removed the oauth2_access_token param and instead included my token in the Authorization header. This works awesome for the /v2/me endpoint, for instance, BUT still 403's me on the v2/organizations/XXXXXXXX endpoint for an organization that I am an admin of.
As per the documentation https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/context#step-4-make-authenticated-requests.
You have to send the token in the Authorization header like this.
Authorization: Bearer {access_token}

Retriving data from facebook events

I have to create an webpage where i need to show all the events from the past or upcoming ones from an facebook page. I have to retrive the title, description, image, time and place of every single one and make a box with it.
After that, i have to retrive all the interested people.
I'm a beginner trying to make big things! Thank you very much.
This isnt a simple problem - I have just done this so will give you a start.
You need to use Facebooks Graph API to get the data, you will need to read up on the Graph API and how to use it. Documentation can be found here. Its worth noting due to a security breach the API isn't offering all of its services to new developers currently but you can get most - read about this here.
You can query the API using any language but I suggest do it with python and use the requests module. Alternatively you could use this SDK which makes things a lot easier, trust me! With the SDK you need to get a user access token which you can get from here.
SDK
With the SDK its possible to do this
import facebook
graph = facebook.GraphAPI(access_token="your_token", version="2.12")
event = graph.get_object(id='event_id',
fields='attending_count,declined_count')
print(event['attending_count'])
print(event['declined_count'])
You can add more fields to the fields list. However you can use any language you choose to request the data, as you can just construct your own URL's.
Graph API & Requests
This is how I did it in python using requests to query the API.
import requests, json
#Make a requests session to fetch data from URL's
session = requests.Session()
session.mount('https://', requests.adapters.HTTPAdapter(max_retries=10))
#API base URL
baseUrl = 'https://graph.facebook.com/v2.11/'
#Fields you want to get
fields = ['id', 'name', 'start_time', 'end_time', 'description', 'place']
#replace CLIENT_ID and CLIENT_SECRET with ones from a facebook app (make one)
tokenPath= 'oauth/access_token?client_id={0}&client_secret={1}&&'\
'grant_type=client_credentials'.format(CLIENT_ID, CLIENT_SECRET)
#Get the generated token
token = session.get(baseUrl + tokenPath).json()['access_token']
event = session.get(baseUrl, params={
"ids": "event_id",
"fields": ",".join(fields),
"access_token": token,
}
).json()
print(event["name"])
print(event["place"])
You can make a facebook app here which is where the CLIENT_ID & CLIENT_SECRET come from.
Why would you use URL requests and not the SDK?
Using the SDK the generated user access tokens expire every day, its possible to extend them but only for 60 days. If you want to use the SDK it has a method built in which allows you to extend the token, in order to extend the token you also need to create a facebook app. Its also possible to extend tokens using this website, though I cant vouch for its security - it could potentially access and exploit your data.
To extend the token with SDK:
import facebook
graph = facebook.GraphAPI(user_access_short_lived_token)
extended_token = graph.extend_access_token(app_id, app_secret)
print(extended_token)
Using the URL approach, you create a client access token at runtime (read about user access token vs client access token here) and the token is valid so long as your app is active. So if you are going to use this a lot or want to create it and not have to change/extend tokens then use the URL approach.
Hope this gets you started.

After AccountManager..getAuthToken, how to send that token to its provider to authenticate something?

We're writing an app with an Android view and a website. Our app needs to associate some data with Facebook, Google, or Twitter (call them 'FGT'), and then hit the associated service to return true if that data is authenticated. The control flow is...
Android generates some data
User selects an FG or T account
getAuthToken
upload the data+token, via HTTPS POST, to our website
Our website (in Django, not that it matters) sends the Auth Token to FGT
FGT returns true if it likes that token, and false if it doesn't
The goal is preventing an attacker from concocting data and throwing it at our site with curl. And we /don't/ need to upload the data all the way to F, G, or T. We don't need to go all the way to a Hybrid App, where our webservice authenticates itself to F, G, or T, and then uses F, G, or T's API to post, e-mail, or tweet in the user's name.
There's obviously a simple answer for this out there somewhere; hopefully just three URIs, one each for F, G, or T, into which I can insert the Auth Token. That's why I would prefer NOT to download and install the SDK for each of Facebook, Google, and Twitter, and then write tons of service-specific code for each case. That would clutter up the code, and leave me screwed when the client requests Tumblr or MSN.
(A related question: What's the second parameter of getAuthToken()? "ah"? "mail"?)
So, while I continue to read books, source code, and SO posts showing how to do hard things the hard way, can someone tip me off how to do an easy thing the easy way?
The thread "validating Android's authToken on third party server" answered the sub-question "what simple URI to hit to test a token?"
The magic uri, for Google, is: https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%
The next question is How to thump an Access Token out of getAuthToken. The scope there should be the minimum possible to show a user really lives here:
String SCOPE = "oauth2:https://www.googleapis.com/auth/userinfo.profile";
am.getAuthToken(a, SCOPE, false, this, null);
My this class implements AccountManagerCallback<Bundle> and provides the method run(AccountManagerFuture<Bundle> result). That, per documentation such as "Android AccountManagerFuture getResult gives IOEXcelption when trying to get authorization token", might call startActivity() to challenge the user to authorize this activity, or it might use a token that's already stored in the AccountManager. (And note that implementing a class just to call-back yourself is pernicious, especially if the target method's named merely run(), so do as I say not as I do, kids!)
The resulting token is 52 bytes long, beginning with 'ya29.', so it's _ probably _ an access_token, not 331 characters, which is probably an id_token.
The resulting token is not bound to any specific channel (where "channel" is one unique set of client, server, and scope). So, from a simple curl, I can hit that /tokeninfo URI with it, and get this (scrubbed) JSONic wisdom:
{
"issued_to" : "442575845966-mde4be7eingpb5pntfs839jipsetro6s.apps.googleusercontent.com",
"audience" : "424242424242-mde4ab7defghi5jklmn839opqrstuv6s.apps.googleusercontent.com",
"user_id" : "424242424242424242424",
"scope" : "https://www.googleapis.com/auth/userinfo.profile",
"expires_in" : 2272
}
And so this answer would have formed, for me, the missing link between all the other documentation I was trying to read. Aaand now I need to do it all again for Facebook & Twitter...
There is a simple URL.
Each authtoken is granted against a scope. Each scope allows the authtoken to do certain things. If you try to do something that the scopes permit, that thing will fail or succeed based on the validity of the authtoken.
The simplest scope to request is probably 'email'.
If you go to the Oauth2 Playground at https://developers.google.com/oauthplayground/ you can experiment with scopes and calls to get one that suits you. You'll be able to see the URLs that you then need to replicate in your app.

How to have users 'reconnect' with soundcloud on each page reload?

I'm using the Javascript SDK inside a node.js (Express) App.
Connecting Users works fine, but the connection does not persist between page reloads.
Is this the default behaviour, or is the User supposed to stay connected in new requests?
Do I have to use OAuth token authentication and if so, how can this be done with the JS-SDK?
Inside the "Permission"-Popup, Users are already logged in with soundlcoud, though.
(just have to click the "connect" button each time)
Figured I'd share my answer for those who are unsatisfied with the current answers for automated oauth:
Retrieving access_token:
I had to define get and set cookie functions and then I use the functions to set and retrieve a function holding the access token. I'm not going to give these functions for conciseness but you can easily find them with a google search. I then use this line of code to get the SC access token (once the user has authenticated for the first time)
SC.accessToken()
Setting token:
So this is kind of just an elephant in the room in my opinion that for some reason no one has mentioned. How in the **** do you connect w/ SC using the access token? Do you set it as oauth param? On each call pass it? Well, after experimenting with putting the parameter in every single place I could think, I found out you have to do something like this:
SC.initialize({
client_id: '[removed for security reasons]',
client_secret: '[removed for security reasons]',
redirect_uri: '[removed for security reasons]',
access_token: getCookie("sc_lm2"),
scope: 'non-expiring'
});
//Where "sc_lm2" is the name of my cookie
Hope the helps! Took me a while to figure this out for such a simple thing
EDIT
Using PHP and Wordpress:
$json = wp_remote_get("http://api.soundcloud.com/users/[user_id]/tracks.json?client_id=[client_id]");
$soundcloudData = json_decode($json['body'],true);
(substitue cURL functionality if you're not using Wordpress). #krafty I assume you would just change the endpoint from "/tracks" to "/users" but I can't say I have ever really needed to grab anything but tracks using the Soundcloud API. Hope this helps, though I'm not sure I fully understand what it is that you are trying to accomplish (or rather, how exactly you're going about it) - are you trying to allow user logins? If you want to explain fully what you're trying to accomplish and the steps you're taking I'd be happy to take a crack at it.
Yep, this is the way to do it, officially. :)
For the Next SoundCloud site, we store the token in localStorage (until the user logs out, of course). In each AJAX request to the API from the front end, we put the oauth token in a request header:
jqXHR.setRequestHeader('Authorization', 'OAuth ' + the_oauth_token);

Google Data/OAuth/AppEngine/Python - Properly Registering a Web Application

I'm creating a webapp with this combination of tools. I'm authenticating with App Engine in the following manner:
class googleLogin(webapp.RequestHandler):
def get(self):
callbackURL = 'http://%s/googleLoginCallback' % getHost()
#Create a client service
gdClient = gdata.docs.service.DocsService()
gdata.alt.appengine.run_on_appengine(gdClient)
gdClient.SetOAuthInputParameters(gdata.auth.OAuthSignatureMethod.HMAC_SHA1,
_GoogleConsumerKey,
consumer_secret=_GoogleConsumerSecret)
#Get a Request Token
requestToken = gdClient.FetchOAuthRequestToken(scopes=_GoogleDataScope,
extra_parameters={'xoauth_displayname': APP_NAME})
#Persist token secret
self.session = Session()
self.session[TOKENSECRETKEY] = requestToken.secret
gdClient.auto_set_current_token = True
gdClient.SetOAuthToken(requestToken)
authUrl = gdClient.GenerateOAuthAuthorizationURL(callback_url=callbackURL)
self.redirect(authUrl)
I authenticated my domain with Google at https://www.google.com/accounts/ManageDomain, entering a target URL and am using the given Consumer Key/Secret. For instance, if my domain was 'juno.appspot.com', I am using http://juno.appspot.com as the target url path prefix.
The process is working; however, Google presents this message to the user in a yellow security box:
"The application that directed you
here claims to be 'xxxxxx'. We are
unable to verify this claim as the
application runs on your computer, as
opposed to a website. We recommend
that you deny access unless you trust
the application."
I don't think I should be getting this error, since my server is getting the request token and creating the authorization URL. Does anyone have any insight on how to get rid of this warning?
Google's domain registration has an option to upload a certificate, but I shouldn't need to do that because I'm using OAuth with the HMAC_SHA1 signature method.
Also, not that it should matter, but I'm doing all this through a UIWebView on the iPhone. I'm specifically trying to do all authentication server-side to avoid exposing my Consumer Key/Secret.
Thank you for any tips :)
Solved.
The culprit is this line from above:
extra_parameters={'xoauth_displayname': APP_NAME})
Setting this value for a registered application intentionally triggers a warning to users, as indicated by the Google documentation:
xoauth_displayname:
(optional) String identifying the
application. This string is displayed
to end users on Google's authorization
confirmation page. For registered
applications, the value of this
parameter overrides the name set
during registration and also triggers
a message to the user that the
identity can't be verified. For
unregistered applications, this
parameter enables them to specify an
application name, In the case of
unregistered applications, if this
parameter is not set, Google
identifies the application using the
URL value of oauth_callback; if
neither parameter is set, Google uses
the string "anonymous".
Removing this line no longer allows me to use a 'nice' name in place of the domain, but it gets rid of that annoying yellow box :)
I'm not sure exactly where the issue may be in your code, but I've got a one page oauth/appengine/gdata example which may at least set you in the right direction. Have you tried to navigate to the site directly from the iPhone/desktop browser to see what message is delivered?
Hope it helps.
Alternatively, is it possibly to do with the user agent the UIWebView sets?