I am working on a Soundcloud XBMC add-on. The add-on is open source, and written in Python. I would like to allow users to login to their SoundCloud account via the add-on, however it's possible to have XBMC instances running in an environment without access to a typical web browser (e.g. raspbmc, which provides no window manager or graphical browser by default). Is there a way to still allow users to authenticate with this add-on without requiring use of the 'SoundCloud Connect Screen' and without violating the SoundCloud API TOS?
This is not provided in theirs API, but after some digging into the libraries i figured it out.
Make a POST to: https://api.soundcloud.com/oauth2/token
with these params
grant_type=password&client_id=YOUR_CLIENT_ID&client_secret=YOUR_SECRET_ID&username=USERNAME&password=PASSWORD&scope=non-expiring
this will return non expiring token that you can use for future authenticated requests.
Related
I want to create a simple VSCode extension that does a REST API POST of the contents of the editor window to a URL.
The issue is the URL is in a corporate environment behind a browser based single sign on sequence that requires multi-factor authentication with a hardware token and does multiple redirects when a user logs on normally through the browser. I'm not looking to circumvent this in any way, but simply authenticate the VSCode extension somehow so it can do the POST (and re-authenticating every session is fine, just not for every post).
The SSO authentication process seems to be fine with multiple windows in the browser, so e.g. you can login in one window and then do say AJAX POSTS from Javascript in another window to the REST API. So I kind of want VSCode to be considered just another window in that scenario.
I am thinking something like opening a browser window within VSCode itself to allow the user to manually authenticate, then somehow the session is maintained and VSCode can POST to the REST API URL when it wants?
Or perhaps triggering a window in an external browser for the authentication but then how would VSCode be authenticated to do the POSTS as the external browser would be a separate application.
Client OS is Windows 8 (corporate policy!) if that makes any difference. I don't have any access to modify anything on the server.
Any thoughts/suggestions welcome, thanks.
We are developing a hybrid mobile app (code is written in HTML and runs on browser shell as a native app on the device). We need to authenticate the user against an external security manager. I've seen the Gmail App in iPhone which opens a browser to authenticate the user. We are also looking to do something of that sort. We just need to gather your thoughts on how authentication can be done with some external security manager in a mobile app.
Also I noticed that Dailymotion website was able to know if the user is authenticated with Facebook. This looks like a cross domain authentication.
Can you please share your thoughts on how Google and others have implemented it?
What you are looking for is OAuth and OpenID services to federate your login. Depending on the architecture of your system you can implement whichever one you like or even a hybrid of both.
Take a look at this link: Federated Login for Google Accounts
It provides all the useful information you need.
Hmm this question seems old but in case you haven't found an answer here's how I did it with my hybrid apps :
open url on client side with the provider's (facebook/twitter/instagram) url for login
the user logs in and is redirected to the server's callback url (my server is written in nodejs)
once I've got the access token from the provider. I save this token and then create a token for the client to reuse every time the user wants to access a protected ressource.
Download the apk and test it.
If this is what you're looking for you can checkout both the client side code at : https://github.com/malikov/Authenticate.me-client-cordova-ionic
And the server side code at : https://github.com/malikov/Authenticate.me-Node-Server
Cheers
Is there a way to take a existing web application and make it available as a Facebook application or in Google Marketplace without doing recoding. How much effort would that require (10% or 90% of original effort).
What would be the pre-requisites around that within application.
If your application don't use any sort of authentication, you can just link it on Facebook's dev dashboard (as iframe) and it'll work. My guess is that Facebook won't allow any other kind of authentication besides their own, so if your app uses authentication, then you're going to have to implement Facebook's authentication.
With Google Marketplace you'll need a manifest for your app and also a listing manifest. And the authentication thing also applies, but with Google's.
For a middleware system with internet (which works inside a set-top box) I want to develop a primitive Facebook interface where users can type their user-names and password, showing their latest notification, messages and other casual stuff on the TV screen by using the recent Facebook Graph API.
This middleware program uses Java ME to run programs (such as this simple facebook app) and it can connect to internet however it doesn't have a real web browser. Without browser it can connect to any url to retrieve the JSON response however I am not sure how to achieve authentication without a real browser.
Under this circumstances, is it possible Facebook authentication? If you think so, what approach would you suggest ?
Thanks
Facebook provides trusted partners with a private Authorization API to get an OAuth 2 token from a username / password.
A more complicated approach would be doing something similar to how Netflix enrolls a device:
device calls server to obtain a Code
device shows code on screen and directs user to go to URL on server and enter Code
server redirects user to Facebook and obtains OAuth token, user told to go back to device
device calls server with Code and obtains OAuth token
device can now make calls directly on behalf of user
According to this documentation on "Desktop Application Authentication" I don't believe your desired result is possible:
Facebook's OAuth implementation does not include explicit desktop application support. However, if your desktop application can embed a Web browser, you can add Facebook support to your application easily using the same OAuth User-Agent Flow used by JavaScript clients.
However, it is clearly possible for certain vendors to do this, since Microsoft's Xbox 360 Facebook application does exactly what you are proposing. I'd be interested to see if anyone has dug up any API for doing this that Facebook doesn't want in their most obvious documentation.
This isn't an answer but I'm trying to do the same thing. Check out this guy's blog which uses another server to proxy the requests:
cory wiles blog
If you figure it out please post a detailed answer here so I can do it to.. :)
I think it is possible though it is pretty complicated and subject to sudden changes of Facebook interface. It might break the agreement between you and Facebook.
What you do is to emulate the Facebook.
One path you have to set up a Facebook application. Once you got the authorisation from user, you can to something with Graph API.
You need to the Facebook log-in process and authorisation process. There are some capturing tools on http/https request and response. Analyse them, both header and body.
Once you know the authorisation mechanism, you can replace it with you own. Everything afterward is on Graph API.
Another path is to emulate Facebook login and message and notification process. Capturing and analysis is needed.
In the past I have used a tool called screen-scraper (full disclosure: I used to work there) to automate logging in to facebook. Basically, it imitates a browser session; it allows you to set session variables (i.e. username, password) which would then be submitted to facebook, just as if the user had submitted them in a browser.
You may not be able to use screen-scraper in your set-top box environment (although it is java-based, so it's possible it would work). Even if it doesn't, you could implement a similar strategy in java, making the HTTP calls a browser would make to load the login page and submit the user's credentials. To keep the user's info safe make sure whatever HTTP client library you use supports HTTPS.
Proxy tools and extensions like Charles, Fiddler2, Firebug, Chrome's dev tools, etc. are helpful in seeing exactly what the browser is sending to the server in requests.
I've looked at Net::Google, and 90% of the modules use AuthSub with a mandatory login/password. The right way for a web application to interact with Google applications on behalf of a customer is to use OAuth. That way, the authentication is done by Google, and the application does not know the user's password. This is supported by Net::Google::DocumentsList for example.
Are you aware of modules that can work well with Picasa and Blogger, for example, using OAuth. The current Net::Google::PicasaWeb handles read-only queries, no add/remove/update actions.
I noticed this blog entry with an example, http://blog.case.edu/jeremy.smith/2009/03/30/using_2legged_oauth_with_google_apps_in_perl, perhaps it will get you started.