I have a website that uses Django piston for the API. I have also created an iPhone app that successfully connects to the API and parses the JSON and displays the correct content on the iPhone. The API resource URLs are as follows
http:/mysite.com/api/pics
http:/mysite.com/api/pics/username
I'm currently hard coding the username into the above URL from within the iPhone app and there is no authentication at all. I would like these URLs to require the user to be authenticated.
My website allows logging in via the /accounts/login provided by Django. However, the code redirects the users to their profile on the website, so I'm assuming I can't just use this URL in an asihttprequest from the iPhone.
So, if I want to log a user in, using the Django's built in authentication system, what URL should I be pointing them to. Also, once the user is authenticated I know that I'm supposed to use "is authenticated" and "challenge" for any "protected resource" in piston. I've seen code snippets that define these functions but I'm not sure where and how to implement them. I'm used to using a decorator that just says #login_required.
if you followed the instructions at: http://yml-blog.blogspot.com/2009/10/django-piston-authentication-against.html then looking at the example applications urls.py file https://bitbucket.org/yml/django-piston/src/dfb826a31ca8/examples/blogserver/api/urls.py you will see that authentication is passed to the resource handler.
If you've done this there is no need to use a decorator :)
Related
I am trying to build an OSX application using swift and storyboard. I am implementing Google OAuth for the app. Following the google guide https://developers.google.com/identity/protocols/oauth2/native-app#sample-authorization-urls, I am opening a browser with the a loopback authorisation url (i.e. after signing in, it loopbacks to localhost where the url contains authorisation code and other meta data.
To give a better overview of how the authentication workflow works:
User selects authorise button in app
Browser opens up with an url like:
https://accounts.google.com/o/oauth2/v2/auth?
scope=email%20profile&
response_type=code&
state=security_token%3D138r5719ru3e1%26url%3Dhttps%3A%2F%2Foauth2.example.com%2Ftoken&
redirect_uri=http%3A//127.0.0.1%3A9004&
client_id=client_id
The google account chooser and permissions consent screen renders and prompts user to give permission..
Once user gives permission, the page redirects to localhost with the authorisation code or the error (when not permitted). The redirect url looks like:
http://127.0.0.1:9004/?code=auth_code&
scope=email%20profile%20openid%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email&
authuser=0&
prompt=consent
So now I want the parameter code in my app. Google document says I have to create an HTTP listener in order to get the parameters. So I want to setup an HTTP listener at that port (9004) and get the params. What HTTP library can I use to solve this problem?
I haven't tried to involve myself with any oauth library for osx and I want to implement myself but if there is a library which solves this problem with limited boilerplate suggest them.
Thanks.
I would recommend the AppAuth framework for macOS and iOS. It takes care of all of this for you, and includes an option to set up an HTTP server on the loopback interface.
I like to distribute content from within our Content Management System to several online channels like the website, twitter, linkedin and, last but not least, Facebook. Editors can create items and, eventually after a worfklow process, distriute them amongst the different channels.
Off course the website is no problem (it's still a CMS, isn't it). Twitter integration was rather simple. But now I like to create a connector with Facebook.
The approach is like this.
Create a Facebook app: TheCMSFacebookConnector
Give it permissions to write on a wall, create events, add photo
collections, etc. A customer buys the CMS
Within the CMS Manager there is an action to connect the
TheCMSFacebookConnector app to the customers' (corporate) facebook
account
The OAuth dance is performed and the accesstoken en accesstoken secret are stored
From now we use the REST API to add content to the customer's corporate wall. This is exactly the way i did it for the Twitter integration.
But.........
choosing the right integration type
When I create the Facebook app, the Facebook asks me to tell how the app integrates with Facebook. The integration types that seems to fit the best are Native iOS App or Native Android App. In fact the CMS acts as a Native App as well. Has anyone a clue which App Integration type i have to choose?. And are there other parameters that are important to set in a, maybe, different way?
Choosing the authentication flow
A second question is about the OAuth dance. If we distribute the CMS amongst our customers, they host the CMS Manager environment in their DMZ with their own (mostly) corporate URL or, better, they host the CMS Server within the LAN and the Publication Server in the DMZ (we provide some tools to synchronize those servers)
When I do the OAuth dance, the CMS Manager (which is a webapplication) has is own URL. So in the definition of the app i cannot name an unique value for App Domains. From within the "OAuth dance"" code the redirect URL seems to have a connection with the App Domain and cannot be set in a dynamic way. So is it true that for the "OAuth dance" the only valid method is the client-side authentication flow?
Hope that someone can help me with, especially, the first question. Thanks in advance
E.
So is it true that for the "OAuth dance" the only valid method is the client-side authentication flow?
Not necessarily – you could always have an address from your app domain set as redirect_uri, and have that redirect to the CMS users web address afterwards (via a GET parameter in redirect_uri or something like that).
I am trying to create a login system for my iPhone application. My login system is not an ordinary one. Here is what I want the iphone to do.
First of all I will post to a website
"https://www.example.com/login"
my username and password.
If login is achieved (i.e. username and password are correct), it will redirect me to
"https://www.example.com/login/success"
else it will redirect me to
"https://www.example.com/login/retry".
I know it sounds strange but thats the way it works. By the way my application is programmed using Objective-C.
So what I want from the login system is to detect the address of the redirected site and if it is the success one, it will allow me to view the rest of the application.
Can I do that login system on iOS? Do you have any idea about that?
The NSHTTPURLResponse class has a method allHeaderFields that you can use to pull out the Location header. Be aware that header names are case-insensitive.
It sounds like you are trying to use the actual website for authentication. While this may be possible, I would advise against it. You should write a separate web service (aka an API) for the app to interact with. If you aren't familiar with the concept of an API do a quick google search.
For a middleware system with internet (which works inside a set-top box) I want to develop a primitive Facebook interface where users can type their user-names and password, showing their latest notification, messages and other casual stuff on the TV screen by using the recent Facebook Graph API.
This middleware program uses Java ME to run programs (such as this simple facebook app) and it can connect to internet however it doesn't have a real web browser. Without browser it can connect to any url to retrieve the JSON response however I am not sure how to achieve authentication without a real browser.
Under this circumstances, is it possible Facebook authentication? If you think so, what approach would you suggest ?
Thanks
Facebook provides trusted partners with a private Authorization API to get an OAuth 2 token from a username / password.
A more complicated approach would be doing something similar to how Netflix enrolls a device:
device calls server to obtain a Code
device shows code on screen and directs user to go to URL on server and enter Code
server redirects user to Facebook and obtains OAuth token, user told to go back to device
device calls server with Code and obtains OAuth token
device can now make calls directly on behalf of user
According to this documentation on "Desktop Application Authentication" I don't believe your desired result is possible:
Facebook's OAuth implementation does not include explicit desktop application support. However, if your desktop application can embed a Web browser, you can add Facebook support to your application easily using the same OAuth User-Agent Flow used by JavaScript clients.
However, it is clearly possible for certain vendors to do this, since Microsoft's Xbox 360 Facebook application does exactly what you are proposing. I'd be interested to see if anyone has dug up any API for doing this that Facebook doesn't want in their most obvious documentation.
This isn't an answer but I'm trying to do the same thing. Check out this guy's blog which uses another server to proxy the requests:
cory wiles blog
If you figure it out please post a detailed answer here so I can do it to.. :)
I think it is possible though it is pretty complicated and subject to sudden changes of Facebook interface. It might break the agreement between you and Facebook.
What you do is to emulate the Facebook.
One path you have to set up a Facebook application. Once you got the authorisation from user, you can to something with Graph API.
You need to the Facebook log-in process and authorisation process. There are some capturing tools on http/https request and response. Analyse them, both header and body.
Once you know the authorisation mechanism, you can replace it with you own. Everything afterward is on Graph API.
Another path is to emulate Facebook login and message and notification process. Capturing and analysis is needed.
In the past I have used a tool called screen-scraper (full disclosure: I used to work there) to automate logging in to facebook. Basically, it imitates a browser session; it allows you to set session variables (i.e. username, password) which would then be submitted to facebook, just as if the user had submitted them in a browser.
You may not be able to use screen-scraper in your set-top box environment (although it is java-based, so it's possible it would work). Even if it doesn't, you could implement a similar strategy in java, making the HTTP calls a browser would make to load the login page and submit the user's credentials. To keep the user's info safe make sure whatever HTTP client library you use supports HTTPS.
Proxy tools and extensions like Charles, Fiddler2, Firebug, Chrome's dev tools, etc. are helpful in seeing exactly what the browser is sending to the server in requests.
I'm working on an iPhone app that ideally uses OAuth to communicate with Twitter. I know a lot of people are doing the OAuth workflow inside of their apps using a UIWebView, but I don't agree with that and am going with the Pownce approach.
The problem is, Twitter has this whole scheme for working with desktop apps, using a pin number. When I register my app with Twitter, they have a web form asking me if I'm a desktop or web client. If I choose desktop client, when I try to have the user authorize, I can set the oauth_callback parameter but Twitter will ignore it after authorization and show a pin number. If, on twitter's form, I specify that I'm a web client, it requires me to enter a URL to redirect to after authorization. And, since I'm using an iPhone app-specific url scheme, their web form fails on validation as it only seems to accepts URLs conforming to the HTTP protocol.
So, it seems like I'm stuck - I can't say "desktop" because I don't want to bother with a pin, and I can't say "web" or I can't use an iPhone app URL. Any solution to this?
From your question:
I know a lot of people are doing the OAuth workflow inside of their apps using a UIWebView, but I don't agree with that and am going with the Pownce approach.
The Pownce article suggests that quitting your application and opening Mobile Safari to perform the authentication step is problematic, and that they started receiving bad reviews from users for doing it that way. They also experienced a failure rate of around 40%.
Pownce's solution is to use a UIWebView within your application instead, so I have a feeling you may have misinterpreted their recommendations. That being said, they do label this as a "naive" solution and go on to suggest a bunch of theoretical "ideal" solutions.
Another point you might not realise is that desktop applications (using the "out of band" / pin number method) and web applications need to open the Twitter site in either an embedded or external browser.
So you've got two choices on the iPhone:
Open up twitter.com in a UIWebView, specifying no oauth_callback parameter or oauth_callback=oob to start the pin-based out-of-band flow. The user then needs to copy the pin using the iPhone's copy-paste functionality, manually close the UIWebView, and paste the pin into your application. The pin can then be used converted to an access token.
Do it how everyone else is doing it (UIWebView + custom-uri://foo.bar in the callback parameter).
For obvious reasons, the first option is pretty crap and really only useful on platforms where Twitter is unable to redirect to a custom URI.
A simple solution may be to create an HTTP page that always sends a 301 redirect to your custom URL scheme and then provide that HTTP URL to the twitter web API.
Aside from that, Nathan's answer is very complete.
Here's how I do it: tell Twitter you're a web app, and make up any old HTTP:// URL to satisfy Twitter during registration of your oauth client.
Then in your app, pass the URL you want to in the callback parameter. Twitter (in my experience) uses the one you give it.
You could use an intermediate website for the authentication. Your app creates a unique id (hardware based?) and stores it. It then records it has sent the user for authentication and sends the unique id to your website. It then redirects the user to your website. Your website then sends the user to Twitter using oAuth. The user returns to your website and you mark the unique id as authenticated and store the authentication information. The user restarts the app on the iPhone, it reads it has sent the user for authentication and contacts your website with the unique id - and reads in the authentication information.
Long winded and needs another website, but it should work.