I'm developing an android app, just for myself really, to learn android and also to make something useful for myself. The app is sort of an extension to a desktop application that I wrote. One of the things that the desktop app does is upload some textual data and images to a Dropbox account that I created just for this purpose.
The android app offers a pared down implementation of the desktop app, so that I can get some of the same functionality on-the-go. So, when the android app starts up, it checks the dropbox account and downloads any new data that it doesn't already have.
For the desktop app (Python), I just did an authentication manually by hitting the dropbox auth endpoint with my dropbox app key (in a browser) and then using the 'code' I got from that to finally get an access token. So I've hardcoded that token into my desktop app, and it bypasses the oAuth process and just uses the token for authentication. It's uploading data just fine.
But whereas the Python Dropbox API allows me to do that, I'm not sure how to do that with the android dropbox API. I've been browsing through the classes in the JavaDocs for the API, but it seems that I have to go through the oAuth process to get an AccessTokenPair for authentication (which seems to consist of a key and a secret). Can I not just provide the same token I use in the desktop app to some object (a DropboxAPI instance, maybe) to get authenticated?
I realize now that this kind of use for Dropbox is probably not very intuitive, but I'm invested now so I'd like to make it work if I can.
EDIT:
It seems that you can avoid having to go through the oAuth process if you have an AccessTokenPair (or it's values) saved from a previous authentication session. It looks like the AccessTokenPair is just wrapper for two strings: key and secret. So I suppose my question is now, what are these two values. I have an access token, which is a ~64 character string that my desktop app is using successfully for authentication. Can I use this to create an AccessTokenPair object, and if I can, is it a key or a secret and what I'm I missing?
SOLUTION:
As Smarx has said, the problem is that the Android and iOS Dropbox clients use oAuth1 whereas the Python, Ruby, PHP and Java clients use oAuth2. So, I actually ended up just following the oAuth1 process for Android, logging the resulting access key and secret and then hardcoding those for future use to bypass the oAuth process. It seems to be working fine.
Are you using the Core API or Sync API?
In the case of the Sync API, I think there's no easy way to use a token you already have.
In the case of the Core API, I think you can do it, but I believe the Android Core SDK still uses OAuth 1, and my guess is that you have an OAuth 2 token.
the oauth1 API seems to be deprecated. Looks like this is certainly a deficiency, because I am trying the same thing and it is completely broken basically, I can authenticate and then generate an oauth2 token which is stored but using it I couldn't logon again, unless I rebuild the API object again.
EDIT: sorry about the multiple comments below, I do not seem to have the privilege of being able to delete my own comments.
EDIT: yay now I can delete my own comments so answer is below:
//first logon - get the token and save it to shared prefs
if (emboDBApi.getSession().authenticationSuccessful()) {
try {
emboDBApi.getSession().finishAuthentication();
String accessToken = emboDBApi.getSession().getOAuth2AccessToken();
SharedPreferences.Editor editor = prefs.edit();
editor.putString("emboDBAccessToken", accessToken); editor.apply();
}
catch (IllegalStateException e) { Log.v(TAG, "Error authenticating", e);
}
}
//for subsequent logons use the saved token if it exists and then create a
auth session from that.
AndroidAuthSession newSession = new AndroidAuthSession(Constants.KEY_PAIR,
prefs.getString("emboDBAccessToken", ""));
emboDBApi = new DropboxAPI<AndroidAuthSession>(newSession);
Related
We are developing a Java application that is supposed to show models from users store.
initially, I'm trying to allow users to login using their autodesk account, and check if they are entitled to access my app.
I couldn't find any good example to show how it is done, I just want to confirm that what I will be doing is the recommended thing or if there is better options.
First, on app start, I will show an embedded webbrowser that will open
"https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=XXX&redirect_uri=XXX&scope=XXX"
the app will get the url from our server (so not saved locally) and the call back is pointing to an api on our server. then as user login and consent, will get the code from the url, close the login dialog and continue to get the bearer token using plain rest apis to /authentication/v1/gettoken.
As I said, not 100% sure if this is approved way or not or even if it is doable or not. so thought to check before we implement it.
After that I will just use rest apis to browse and get the model.
any thoughts or complains ?
Thanks in advance
Rest assured that the workflow being proposed here is actually orthodoxical and well “approved” by our official tutorials:
https://forge.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/
http://learnforge.autodesk.io/#/oauth/3legged/
Unfortunaly the code sample for that bit is in node and we are still working on a Java equilvalent
Some of our endpoints require 3-legged oauth to access personal data - see here for an example and you can always refer to the authentication context section of each endpoint for the oauth flow required.
I have a desktop Java application that communicates with a GAE server. The client application signs in to the server using OAuth 1.0 with signpost via the provided endpoints
(appname.appengine.com/_ah/OAuthGetAccessToken and the like) with consumerkey and consumersecret set to "anonymous" and scope set to the GAE domain. The login process appears to be working fine:
Retrieve Request Token
Let the user visit the resulting authentication URL
Ask user for verification code
Retrieve Access Token
At this point, I have a seemingly valid token and token secret. If I use these to sign a request to the GAE server, I get an OAuthRequestException when identifying the user:
OAuthService oauthService = OAuthServiceFactory.getOAuthService();
try {
user = oauthService.getCurrentUser();
if (user != null) {
ri.userName = user.getEmail();
}
} catch (OAuthRequestException t) {
t.printStackTrace();
}
This used to work fine until this morning. I am using a modified version of the Chrome to Phone GAE backend. I noticed that Chrome to Phone is having the same issue: I cannot login to the service anymore, so I don't believe this is an error on the client side. Logins don't show up in the Google Connected Sites, Apps, and Services console. Here is a link to the affected line in Chrome to Phone's GAE service: Chrome2Phone affected source.
I already tried registering the application in the Google API console and provided comsumer key and secret, with the same result.
We made some back end changes to our authentication system which ended up not being compatible with App Engine code relying on the authentication system. It appears to be a rather straightforward issue and we are in progress with a fix. We don't have an exact timeline on resolution yet but expect it to be soon.
Update: the fix has been rolled out to production as of about 8pm PST. Thanks everyone your patience.
This isn't exactly an answer, but I'm seeing the same new behavior on a python app engine app using the built-in oauth provider libs (google.appengine.api.oauth). Existing saved tokens continue to work, but requesting a new token and then using it to call a protected service results in a InvalidOAuthTokenError. This is with unchanged consumer and provider code that worked flawlessly until last night (approximately midnight CST).
I have couple of doubts regarding the usage and working of /venue/stats Foursquare API.
Q1. I would be using /venue/stats for getting information provided a venue id. So I have registered my app and got the client id and secret values. I went to Foursquare API endpoint and tried using /venue/stats api and I noticed a oauth_token generated automatically by FSQ so is this oauth_token the same token that I am required to use everytime I use this api ? Do I need to do the authentication steps mentioned ?
Q2. Try the api generates a link which has /simulate in the api URL. I assume that this is due to the fact that I am testing the API so FSQ has categorized such api calls as simulate calls. Please confirm my understanding. If this is so then whenever I use the api as mentioned i.e. /v2/venues/venue_id/stats I get an error JSON stating that I am unauthorized to view venue stats. Can you please tell me why ? If this is due to access_token issue then the same issue should have been with simulate call also ?
Hoping to get a reply soon.
Right underneath the API Explorer bar it says "OAuth token automatically added". You do not use this token. I am sure it is either temporary or created using your log in info if you are loggged in while using the API Explorer. You will still have to use the authentication process to get a valid access token. However, you can save this access token and use it again skipping the Auth process. An access token serves as a key unique to a user and app. Read more about it here: https://developer.foursquare.com/overview/auth
The simulate feature is used mostly for API calls that normally would require you to be a manager of the venue. There are certain calls that can not be done unless the app is by a user that is the manager or unless you make the call using an access token of a manager.
I have a Flex/Java application on Google App Engine and all I want is to load large images from Google Cloud Storage using URLRequest in Flex. I'm sure this is simple but I can't get it to work. I will manually upload the images using the Google APIs Console so I don't need to write anything from the App. The images can not be public.
I'm not 100% sure how to access the file so this may be the problem. I tried these:
"/gs/mybucket/myimage.jpg" : not found
"/mybucket/myimage.jpg" : not found
"http://commondatastorage.googleapis.com/mybucket/myimage.jpg" : denied
I added myappid#appspot.gserviceaccount.com in the Team tab in Google APIs Console with Can View permission and I used GSUtil to get and set ACLs on both mybucket and myimage.jpg to add a READ permission for myappid#appspot.gserviceaccount.com but that didn't help.
What am I doing wrong?
I'm not really sure how flex works or how it is trying to access the blobs.
However, if you want to respond to a http request with the content of a Google Storage object then you can use the serve method.
https://developers.google.com/appengine/docs/java/blobstore/overview#Serving_a_Blob
Are you authorizing the URLRequest call with an OAuth token? If not, then even though the request is initiated from an app engine app, it'll look to Google Cloud Storage like an unauthenticated, public read. I don't know if flex has a trace option but if there's a way to examine the request details, I'd check to see if you're setting up the proper authentication.
If it turns out to be too difficult to get flex to play nicely with OAuth, you could also use signed URLs (a.k.a. query string authenticated URLs). This gives you the ability to create a URL with a special signature that implicitly conveys your authorization but only people with that link can access the object. The object's ACL can be be set to disallow public access but your signed URLs will be able to read the object. You can also time limit a signed URLs, if you like. Here's the documentation on how to use this technique.
I am developing a Java application that needs to access personal account Google Data of a user. The development is currently in netbeans on my localhost. I am implementing 3-legged OAuth. And while sending Grant request, it sends me Unauthorized Request Token and then redirects to Callback URL.
While trying to access Access Token, it gives me Error "Error Getting HTTP Response". Now, as per it given in Google Documentation, it is given that "If the application is not registered, Google uses the oauth_callback URL, if set; if it is not set, Google uses the string "anonymous"." Does it mean that I must register my application on Google Apps Engine before granting authorization & accessing request ? Please Help.
For reference : OAuth for Web Applications, OAuth in the Google Data Protocol Client Libraries
Based on your question, it's probably not the registration piece that's causing you trouble. It sounds like you just haven't implemented OAuth correctly — not that doing so is easy. The OAuth process is roughly as follows:
Get a request token. You must pass in a bunch of stuff that declares what kind of stuff you want access to and where you want Google to send the user when they're done granting you access to that data. This is where you pass in your consumer key, which you get by registering. The consumer key will be the string anonymous if you are developing an installed application (i.e., mobile app, desktop app, etc). This is a work-around; the alternative would be to embed your client secret or RSA private key within the application itself, which is a very, very bad idea. If you use 'anonymous', you should absolutely be setting the xoauth_displayname parameter. (Actually, everyone should set this parameter, but it's especially important if you're using anonymous.)
Once you have a request token, you then redirect the user to the special authorization endpoint, passing along the request token key in the query string. Assuming the user grants access, Google will redirect the user back to the callback URL that you associated with your request token. The request token is now authorized, but it can't be used directly just yet.
Once the request token is authorized, you can exchange it for an access token key/secret pair. The access token key/secret can then be used to sign requests for protected resources, such as the private data in the API you're trying to access.
For web applications, registering is almost always a good idea. It makes it much easier for users to manage their access tokens and revoke them if your application misbehaves or if they don't want you to have access anymore. If you don't register, your application will probably show up as a fairly scary-looking 'anonymous' in that list. It's really only installed applications that you wouldn't want to register for. You probably also want to register for an API key. An API key will dramatically increase your rate limit and it will also allow Google to get in touch with you if your application starts to malfunction.
I'd link to the OAuth docs, but you've already found them. Hope my explanation helps!
If you're developing on your local machine, you'll continue to get the same result as above.
For more interesting tests, then yes, you'll have to register your app and push it to the app engine.
Google will check if the domainname of the return-url is registered. You could also modify your dns/host-file to point the domain-name you're using to localhost.