I know this is a pretty noob question, but I've been reading some manuals and documentation and can't figure something out.
I have an automation suite (in Java/Groovy) that in some cases needs to query an email inbox to check that a message with a given subject has been received, and also probably delete all messages older than X. That's pretty much all I need to do. I've been looking into creating a Gmail account and using the Google API Java client that's available here -> https://developers.google.com/api-client-library/java/apis/gmail/v1 but I can't figure out how to actually do it.
Right now what I have absolutely no clue how to do is the authentication. I can probably figure out how to interact with emails by going through the methods/code, but I can't find any examples of how to authenticate so that the code can get access.
I tried looking for examples here and checking the code here. I know the answer is there, but I still can't wrap my head around how to implement the code to sign in/authorize based on a username and password.
Thanks!
This is the link you need. That page explains the authentication mechanism for the Google APIs. They are using OAuth 2.0, which is probably the most used authentication method nowadays.
There is a standard flow that takes the client from credentials to an access token that can be used to perform authorised requests. This flow is described in the OAuth specification, which is very useful to understand. Many APIs use it.
If you have specific questions, please let us know.
We are developing a Java application that is supposed to show models from the user's store.
Initially, I'm trying to allow users to log in using their Autodesk account, and check if they are entitled to access my app.
I couldn't find any good example to show how it is done; I just want to confirm that what I will be doing is the recommended thing or if there are better options.
First, on app start, I will show an embedded web browser that will open
"https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=XXX&redirect_uri=XXX&scope=XXX"
The app will get the URL from our server (so it is not saved locally) and the callback is pointing to an API on our server. Then, as the user logs in and consents, it will get the code from the URL, close the login dialog and continue to get the bearer token using plain REST APIs to /authentication/v1/gettoken.
As I said, I'm not 100% sure if this is an approved way or not, or even if it is doable or not, so I thought to check before we implement it.
After that I will just use REST APIs to browse and get the model.
Any thoughts or complaints?
Thanks in advance
Rest assured that the workflow being proposed here is actually orthodox and well “approved” by our official tutorials:
https://forge.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/
http://learnforge.autodesk.io/#/oauth/3legged/
Unfortunately the code sample for that bit is in Node and we are still working on a Java equivalent.
Some of our endpoints require 3-legged OAuth to access personal data - see here for an example, and you can always refer to the authentication context section of each endpoint for the OAuth flow required.
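The code-then-token exchange described in the question above (an authorize URL with response_type=code, then redeeming the code for a bearer token), and the standard OAuth 2.0 flow that the Gmail answer earlier on this page points to, as an added Python simulation. This is not Autodesk's or Google's code: the authorization server here is an in-memory stand-in for a provider's /authorize and /token endpoints, and the hostname, client id, secret and scope are placeholders. It shows both sides of the exchange and the checks a provider performs before issuing a token: exact redirect_uri match, client secret verification, code expiry and single use, plus the client's own state check on the callback.

```python
"""Toy model of the OAuth 2.0 authorization-code grant (RFC 6749 section 4.1).

Constructed example: AuthorizationServer is an in-memory stand-in for a real
provider's /authorize and /token endpoints. Host, client id, secret and scope
are placeholders, not values from any real service."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.test/authorize"  # placeholder endpoint
CODE_LIFETIME_S = 60                                   # codes are short-lived


class AuthorizationServer:
    """Provider side: issues a code bound to one client + redirect_uri, then
    exchanges it exactly once for an access token."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, {allowed redirect URIs})
        self.codes = {}    # code -> {client_id, redirect_uri, scope, expires}
        self.tokens = {}   # access_token -> {client_id, scope}

    def register(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = (client_secret, set(redirect_uris))

    def authorize(self, query):
        """GET /authorize after the user has logged in and consented.
        Returns the URL the browser is redirected back to."""
        q = parse_qs(query)
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        if q.get("response_type", [""])[0] != "code":
            raise ValueError("unsupported_response_type")
        if client_id not in self.clients:
            raise ValueError("unauthorized_client")
        if redirect_uri not in self.clients[client_id][1]:
            raise ValueError("invalid_redirect_uri")  # exact match, never a prefix
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": q.get("scope", [""])[0],
                            "expires": time.time() + CODE_LIFETIME_S}
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"][0]  # echoed back unchanged
        return redirect_uri + "?" + urlencode(params)

    def token(self, form):
        """POST /token: authenticate the client, then redeem the code once."""
        registered = self.clients.get(form["client_id"])
        if registered is None or not secrets.compare_digest(registered[0], form["client_secret"]):
            raise ValueError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self.codes.pop(form["code"], None)  # pop = single use
        if (entry is None or entry["expires"] < time.time()
                or entry["client_id"] != form["client_id"]
                or entry["redirect_uri"] != form["redirect_uri"]):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": form["client_id"], "scope": entry["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": entry["scope"]}


class Client:
    """Application side: build the authorize URL, verify the callback, redeem the code."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.redirect_uri = server, redirect_uri
        self.client_id, self.client_secret = client_id, client_secret
        self.state = None

    def authorize_url(self, scope):
        self.state = secrets.token_urlsafe(16)  # ties the callback to this attempt
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.state})

    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        if q.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: callback not started by this client")
        return self.server.token({
            "grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret})


def run_flow():
    """Drive one complete exchange; returns the token response and the server's record."""
    server = AuthorizationServer()
    server.register("app-123", "s3cret-placeholder", ["https://app.example.test/callback"])
    client = Client(server, "app-123", "s3cret-placeholder", "https://app.example.test/callback")
    url = client.authorize_url("mail.read")
    callback = server.authorize(urlparse(url).query)  # user agent round trip
    response = client.handle_callback(callback)
    return response, server.tokens[response["access_token"]]


if __name__ == "__main__":
    print(run_flow())
```

The client never sees a password; it only ever holds its own client secret and the short-lived code, which is why a real provider will not let you "sign in based on a username and password" from code. The `state` value is the client's defence against a callback it did not initiate, and the server's exact redirect_uri match and single-use code are what stop a leaked code from being redeemed by someone else.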
Is it bad if I share my Facebook client ID and secret ID with the ones developing my website so that they can create the Facebook login button?
He also asked me for all this other information and I gave it all to him to create the Facebook, Instagram, and Twitter login buttons on my website. I also gave him the ones for Google.
INSTAGRAM
Client_name
Client ID
Client Secret
Client Status
Website
Description
FACEBOOK
App_id
App_secret
App_page_id
TWITTER
Consumer_key
Consumer_secret
In short: No
This is a question whose answer depends heavily on the circumstances and kind of setup you have, but in short, these days it's not a good idea, as it's easy to avoid the need to share these secrets.
The IDs are normally public, so there is no harm in sharing those, but the secret keys should be entered directly into the server's (or app service's) environment settings if you can manage them yourself. Different hostings have different ways to enable this; consult your hosting provider and developer team to guide you.
When it's fine
If you are not technical yourself, don't want to go through the hassle of managing access to your server, find it hard to learn, and trust your developers greatly, then it's fine, and they would need it to do the actual deployment.
Remember, while they are developing and testing the website/service they can use temporary app IDs and secret keys that they themselves can get in most cases.
Follow-up questions:
Q. If I go to the settings and ask for a new secret key for all of these social services, will it affect the programming of the developers and create a problem, or will it be fine since the client ID is good enough for the job?
Answer: Yes, if you reset the secret keys the service would fail and would require the new keys to be configured on the server. There are tons of guidelines on each of the Facebook, Google and Instagram developer pages that you can read on this topic, and they are pretty easy.
Q. Can they get inside my Facebook, Instagram, etc. if they have the secret ID?
Answer: No, the keys are for the app/service, to allow your website to request the information of users who allow your app, not for accessing your account.
Q. Please tell me what's the worst thing that can happen with the secret after sharing it with the developers, if they do something wrong with it?
Answer: It's basically a security risk. One of the worst things, IMO, that can happen is that they commit it into an open code repository or implement it in the wrong way so it's easily accessible to anyone. That would allow attackers/hackers to get your app's users to believe they are giving access to their requested data to your app (by using your app ID and secret) in their attacks. But again, this is heavily based on how careless the developers are; if they are good they would work to keep it secure. Ask them in your next meeting how they are using it and how it will be secured from other people copying it. Chances are they are good people, have taken this into consideration and would also explain it to you.
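The two practices the answer above recommends, keeping the app secrets in the server's environment settings rather than in code, and not letting them end up in a code repository, as an added Python example that is not from the answer or from any of the providers named. The environment variable names, the sample values and the sample source files are all constructed for this example; the real app IDs and secrets would come from each provider's developer console.

```python
"""Keeping social-login app secrets out of source code.

Constructed example: credentials are read from environment variables (the
variable names below are an assumption for this example) and a small scan
flags any source file that embeds a secret verbatim, which is the
"committed to an open repository" failure the answer warns about."""
import os

# Public identifier and secret per provider; variable names are assumed here.
REQUIRED = {
    "facebook": ("FACEBOOK_APP_ID", "FACEBOOK_APP_SECRET"),
    "instagram": ("INSTAGRAM_CLIENT_ID", "INSTAGRAM_CLIENT_SECRET"),
    "twitter": ("TWITTER_CONSUMER_KEY", "TWITTER_CONSUMER_SECRET"),
}


def load_app_credentials(env=None):
    """Return {provider: (public_id, secret)}; fail fast if anything is missing.

    `env` defaults to os.environ; a plain mapping can be passed in for tests."""
    env = os.environ if env is None else env
    creds, missing = {}, []
    for provider, (id_var, secret_var) in REQUIRED.items():
        public_id, secret = env.get(id_var), env.get(secret_var)
        for var, value in ((id_var, public_id), (secret_var, secret)):
            if not value:
                missing.append(var)
        if public_id and secret:
            creds[provider] = (public_id, secret)
    if missing:
        # Name the variables, never their values, so this error is safe to log.
        raise RuntimeError("missing configuration: " + ", ".join(missing))
    return creds


def find_leaked_secrets(files, creds):
    """Return [(path, line_no, provider)] for each line that contains a secret verbatim.

    `files` maps a path to its text. Only the secret half is matched: the IDs are
    public, so a hard-coded app ID is not a finding."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for provider, (_public_id, secret) in creds.items():
                if secret in line:
                    findings.append((path, line_no, provider))
    return findings


# Constructed sample values; not real credentials.
SAMPLE_ENV = {
    "FACEBOOK_APP_ID": "1234567890", "FACEBOOK_APP_SECRET": "fb-secret-EXAMPLE",
    "INSTAGRAM_CLIENT_ID": "ig-client-1", "INSTAGRAM_CLIENT_SECRET": "ig-secret-EXAMPLE",
    "TWITTER_CONSUMER_KEY": "tw-key-1", "TWITTER_CONSUMER_SECRET": "tw-secret-EXAMPLE",
}
# Constructed sample source tree: one file hard-codes the secret, the other reads it from env.
SAMPLE_FILES = {
    "config/social.js": 'const FB_APP_ID = "1234567890";\nconst FB_SECRET = "fb-secret-EXAMPLE";\n',
    "config/social.example.js": 'const FB_SECRET = process.env.FACEBOOK_APP_SECRET;\n',
}


def demo():
    """Load the sample configuration and scan the sample tree for embedded secrets."""
    creds = load_app_credentials(SAMPLE_ENV)
    return find_leaked_secrets(SAMPLE_FILES, creds)


if __name__ == "__main__":
    print(demo())
```

Run against a real checkout, `find_leaked_secrets` would take the repository's files and the credentials from the deployment environment, so the check can sit in a pre-deploy step without the secrets themselves ever being written into the repository.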
I've Googled around, though I can't seem to find an answer.
Currently using Google Endpoints with Android Studio.
I'm looking to send a Facebook request via my backend server (Java). (Assume I have the access token.)
How can I achieve this?
Please include code and examples of what you have tried to do already. Your question needs to be specific about a programming issue. Right now it is too general.
Though I'm not 100% sure about this, I believe Facebook doesn't allow this to work. Access tokens should not be shared. And servers shouldn't be able to pretend to be other clients.
Any allowed uses of the fb API will be done using the server's own access token, and not any other.
I'm trying to create a web service to use the Google+ API. I'm writing it in Java, however I can't figure out what files I need and how I would go about posting to Google+ groups using Java.
If you have any insight, could you please post relevant links and helpful tips to help me out.
EDIT 1:
I have been playing around with the Google+ API provided by Google and have written a project based on the sample code given on this page: https://developers.google.com/+/domains/posts/creating
The code runs fine until it gets to the GoogleTokenResponse tokenResponse = flow.newTokenRequest(code).setRedirectUri(REDIRECT_URI).execute(); line, where it returns a null error. I am copying the link provided in the console and pasting it in the code, however every time it just returns a null error. Is there a specific part of the returned code that causes an issue?
Posting to Google+ is only supported for accounts in a Google Apps Domain (and even then, with restrictions).
If you are logging in using a Gmail account, you don't have an Apps Domain account. If you're logging in using some other email address (i.e. you have an email address, but you can't use Google account features such as Gmail or Google Drive with it) then you don't have an Apps Domain account. If you are using a Domain account, your Domain admin may need to enable Google+ for your Domain before this works.
See https://developers.google.com/+/domains/getting-started for the differences between what you can do with the Domains API and the regular Plus API.
Note that neither API lets you post to a Google+ Community or post publicly. The Domains API does let you post to a user's circle, as long as the members of that circle are also part of the Domain. The Domain API also lets you post to everyone in the Domain. The normal Plus API does not allow posting at all.
There is a third API, known as the Pages API, which allows Pages to publicly post on their stream. This API, however, is available to a limited number of partners such as Hootsuite. You can read more at https://developers.google.com/+/api/pages-signup, but there isn't much more available publicly.
Your web service should first authenticate against Google. This authentication can either use a service account (if you want to post only through one account) or the user's account (if you want to post via the user's account) using the OAuth mechanism.
For more details about how to authenticate, refer to How to authenticate our users in our website with Google Account
Have a look at https://developers.google.com/+/api/ for detailed information about how the Google+ APIs can be used.
This question already has an answer here:
How reliable is HTTP_REFERER?
(1 answer)
Closed 8 years ago.
I am interested in logging from where a user comes in order to access my web app.
I thought of using HTTP's referrer header for that, but from e.g. the HTTP referrer wiki
it seems that this is not an accurate/reliable way, since in many cases it is not sent.
I was wondering: is the referrer header the only way? Is there a better/standard approach?
A reliable way would be to have a GET parameter like ?ref=somehash
For example:
Consider this site, SO: they have a list of questions, and there is a portlet which streams the recent questions to some other site, for example abcd.com. Now, to see if the user clicked the link from abcd.com, you pass a parameter ?ref=423jahjaghr where this string maps to abcd.com.
Referrer header isn't the only way, but it is the most standard.
You can consider using Google Analytics, which has extra referrer capabilities, but you'd have to manually setup collecting the data from their services to input into your logging infrastructure.
Nothing is going to be 100% foolproof though. It's pretty straightforward to block Google Analytics and spoof referrers, and HTML5 will make it even easier to prevent sending referrer information.
If it's mission critical that you know the referrer of all inbound traffic, you'll have to come up with a more draconian approach (like @Jigar Joshi has suggested).
Depending on the browser, you may OR may not get the referrer header. You may not get it always. You have to have a request parameter OR a form field to get the referrer.
HTTP Referer is a good way to analyze logs and to maintain analytics on user interactions. However, a browser or any other system which displays web pages and is able to traverse a web page might not send this header entry.
You might also consider using a third-party application like Google Analytics. But you should check if this third-party tool is legal in your country. Most of them have data-privacy issues.
Very important: for analytics it's OK if you have a certain error in the expected outcome. However, never do any security-related checks on the HTTP referer. Someone might enter whatever he wants as referer.
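The approach the answers above converge on, an opaque ?ref= code that you issued as the primary signal and the Referer header as a best-effort fallback that may be missing, as an added Python example that is not from any of the answers. The ref-code table and the sample request lines are constructed; the code attributes requests for logging and analytics only, which is the one use the last answer says the referer is fit for.

```python
"""Attributing inbound traffic: issued ?ref= code first, Referer header second.

Constructed example. Both signals are informational: a client can omit or
forge either one, so the result is written to logs and analytics and is never
used for an access decision."""
from urllib.parse import parse_qs, urlparse

# Opaque codes handed out with partner links, as in the ?ref=423jahjaghr suggestion.
# Constructed table; the codes and names here are placeholders.
REF_CODES = {"423jahjaghr": "abcd.com", "9fk2lq": "newsletter-march"}


def attribute_request(path_with_query, headers):
    """Return (source, signal) for one request.

    signal is "ref", "referer" or "none", in decreasing order of trust: a code we
    issued beats a Referer header, and an unknown code is recorded as unknown
    rather than silently trusted. A missing or empty Referer is the common case
    the question worries about, and is reported explicitly."""
    query = parse_qs(urlparse(path_with_query).query)
    ref = query.get("ref", [None])[0]
    if ref is not None:
        return REF_CODES.get(ref, "unknown-ref:" + ref), "ref"
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if referer:
        host = urlparse(referer).hostname
        if host:
            return host, "referer"
    return "direct-or-stripped", "none"


def parse_log_line(line):
    """Parse one constructed log line of the form: METHOD PATH REFERER ("-" if absent)."""
    _method, path, referer = line.split(" ", 2)
    headers = {} if referer == "-" else {"Referer": referer}
    return path, headers


# Constructed sample requests: tagged link, plain Referer, no Referer, unknown tag.
SAMPLE_LOG = [
    "GET /questions?ref=423jahjaghr -",
    "GET /questions https://news.example.test/digest",
    "GET /questions -",
    "GET /questions?ref=zzz https://abcd.com/feed",
]


def attribute_log(lines=SAMPLE_LOG):
    """Attribute every line of a log; returns a list of (source, signal) pairs."""
    return [attribute_request(*parse_log_line(line)) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, attribute_log()):
        print(line, "->", result)
```

Because the fourth sample line carries both an unknown ref code and a Referer pointing at abcd.com, it is reported as "unknown-ref:zzz" rather than as abcd.com: the header is not allowed to upgrade a code you did not issue. That same rule is why the function's output belongs in a log or analytics table and never in an authorization check.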