I'm running into a lot of problems trying to develop a Google app to place in the market, with OpenID and accessing some Google APIs like G+ from the back server on GAE.
I have applications running using Google APIs to access G+ data, with 3-legged OAuth (code flow) without problems, and I understand the "magic" behind the scenes, but I'm getting lost with OpenID and the Google market. Do I need to do the 3-legged OAuth after the user passes the OpenID Google filter, and send the user to accept the G+ permission API to use that token to access Google APIs? If this is the case, what happens if the user accesses the application from his company Gmail account, and when prompted to accept the G+ access, he changes accounts? Is there any good reading that makes things easier with Google Apps, OpenID and accessing Google APIs from GAE?
Why can't I specify the scope of G+ when sending my application to the market, in the app conf files?
In this scenario, what is the best way of getting the user's G+ profile (picture, full name, nickname)? What am I missing? Google documentation is really good when you find the correct one, but a lot of links are dead and millions of examples with deprecated GData APIs are flooding the net...
OK, after further reading and testing I came up with these points:
Google Marketplace just allows you to access these APIs without extra "OAuth dances".
If you want to access more APIs than the listed above, you need the OAuth exchange to get specific token/s for the APIs you want to access.
In my case, I want to access the G+ API before the OpenID from the market, so after logging in the user with OpenID, I need to redirect him to the Google API OAuth accept screen (just for the first time).
More things about the market that took me a long time to catch:
- Billing API and License API are deprecated; this means you are responsible for billing your users and keeping them tracked to know if a given user has paid for the application or when the license has expired.
- You need to map /_ah/login_required because your application should be set (when you create it) to only accept federated logins, which will lead to a redirection to /_ah/login_required from where you need to do the OpenID stuff.
A lot of links in the documentation are broken and the examples are too old :(
It's actually a little simpler now with the new Google Apps Marketplace experience. If you follow the steps in the docs and make sure you ask for the same scopes in your App Engine code, the user should never be prompted.
I'm using the Google Cloud Speech-to-Text API within my Android app.
How would one authenticate to the API without the ability to set the necessary environment variable?
I've not been able to find any documentation covering authenticating on Android with the environment variable and file.
Your question is unclear but I think you're trying to use a service account ("file") and perhaps GOOGLE_APPLICATION_CREDENTIALS ("environment variable") to authenticate your app.
You should not.
Service Accounts are best applied to software (e.g. another service) that's running autonomously (i.e. not directly by a human user) that needs to authenticate with a Google API.
For an Android App, I think you probably wish to authenticate the human user of your app against the Google API using the full OAuth flow, where your user is prompted to approve use of the Google API and then your application is authenticated as this user.
See here for an explanation of the 3 primary authentication methods:
https://cloud.google.com/docs/authentication/
See here for an overview of authenticating a human user to a Google API:
https://cloud.google.com/docs/authentication/end-user
See here -- less confident in this as I've not used it -- as a way to authenticate Android apps using Google Sign-In (i.e. OAuth):
https://developers.google.com/identity/sign-in/android/sign-in
HTH
I'm trying to create a web service to use the Google Plus API. I'm writing it in Java; however, I can't figure out what files I need and how I would go about posting to Google Plus groups using Java.
If you have any insight, please could you post relevant links and helpful tips to help me out.
EDIT 1:
I have been playing around with the Google Plus API provided by Google and have written a project based on the sample code given on this page: https://developers.google.com/+/domains/posts/creating
The code runs fine until it gets to the GoogleTokenResponse tokenResponse = flow.newTokenRequest(code).setRedirectUri(REDIRECT_URI).execute(); line, where it returns a null error. I am copying the link provided in the console and pasting it into the code; however, every time it just returns a null error. Is there a specific part of the returned code that causes an issue?
Posting to Google+ is only supported for accounts in a Google Apps Domain (and even then, with restrictions).
If you are logging in using a GMail account - you don't have an Apps Domain account. If you're logging in using some other email address (ie - you have an email address, but you can't use Google account features such as GMail or Google Drive with it) then you don't have an Apps Domain account. If you are using a Domain account, your Domain admin may need to enable Google+ for your Domain before this works.
See https://developers.google.com/+/domains/getting-started for the differences between what you can do with the Domains API and the regular Plus API.
Note that neither API lets you post to a Google+ Community or post publicly. The Domains API does let you post to a user's circle, as long as the members of that circle are also part of the Domain. The Domain API also lets you post to everyone in the Domain. The normal Plus API does not allow posting at all.
There is a third API, known as the Pages API, which allows Pages to publicly post on their stream. This API, however, is available to a limited number of partners such as Hootsuite. You can read more at https://developers.google.com/+/api/pages-signup, but there isn't much more available publicly.
Your web service should first authenticate against Google. This authentication can either use a service account (if you want to post only through one account) or a user's account (if you want to post via the user's account) using the OAuth mechanism.
For more details about how to authenticate, refer to How to authenticate our users in our website with Google Account
Have a look at https://developers.google.com/+/api/ for detailed information about how Google Plus APIs can be used.
We are developing a web service application to retrieve Google Analytics data for a user's website using the Google Analytics API.
The challenge we are facing is at the authorization part. We are confused as to which option to use for client authorization to access the analytics data.
As we are the third party application, it's obvious that the website owner wouldn't want to divulge any of his secret account information to us.
We are well aware of each option, it’s just that we need to know which is the safest / secure option for the website owner to provide us to access the analytics data.
A few options we know of are:
- Sharing the client secrets file with us, or
- Sharing service account details, or
- If there is any other secure option which can be used here, please let me know.
Any guidance is appreciated.
Had posted the question in google groups site. Suggestion was to use OAuth 2.0 for Web Server applications.
Here is the link to the answer.
I am trying to build an application for android that uses Amazon SimpleDB. I have viewed the source code of the example code provided by Amazon. However in the demo, the credentials are just stored in a Constants.java and I believe this method is not secure at all as potentially there are people that could decompile the apk to expose the credentials even with Proguard on.
Therefore I went to read up on the Amazon article regarding this and I could not quite understand it, as I am not very familiar with cryptography in Android/Java.
How am I supposed to actually allow access to Amazon SimpleDB from my application while keeping the access key safe from external parties?
Edit 1:
I want to use the application to retrieve data from the SimpleDB, showing in listview. For example like a simple review on food and other users will be able to retrieve the same review that other users posted. Maybe if the user wants to post a review, they would require to sign up an account and log in.
AWS offers a couple of solutions for delivering credentials to the device outside of hard coding them, one or both may meet your specific needs:
Token Vending Machine. AWS offers example TVMs for both Anonymous and User Authentication that can be customized to meet your needs.
Web identity federation which uses identities from Facebook, Google, and Amazon.
Our samples repository includes samples for integrating with both of these technologies, though not specifically in the SimpleDB example.
There is no foolproof way to do this. Whichever way you do it, somebody taking your APK can potentially reverse engineer it and crack the password (you make it difficult by obfuscating the code, but that is just making it difficult, not foolproof).
If your app requires users to login (with some credential from your backend or using openid), then use this to let users access your server. Then on the server code, you can provide the AWS credentials using IAM Roles (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html).
So your web (REST) API access is allowed by using user-provided password and your server code gets the access by IAM roles. This is the most secure way.
If you don't want to have your own server / backend, then there is no real foolproof way.
The answer from @Bob above is precisely how to achieve this:
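The backend pattern both answers above describe (the app logs in to your own server, the server holds the AWS side through an IAM role and vends only what the app needs), written out as an added Python example that is not from either answer or from the AWS samples. The role ARN, SimpleDB domain and session secret are assumed placeholders; the one real API used is boto3's STS AssumeRole, which a backend running under an IAM role can call without any long-lived key.

```python
import hashlib
import hmac
import json

SESSION_SECRET = b"backend-only-secret"  # constructed; stays on the server, never in the APK
ROLE_ARN = "arn:aws:iam::123456789012:role/review-app-client"  # assumed
SDB_DOMAIN_ARN = "arn:aws:sdb:us-east-1:123456789012:domain/FoodReviews"  # assumed

def mint_session(user_id: str) -> str:
    """Issued by the backend after login; the app stores this instead of any AWS key."""
    tag = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"

def verify_session(token: str):
    """Return the user_id for a valid token, None for an anonymous or tampered one."""
    user_id, _, tag = token.partition(".")
    expected = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if user_id and hmac.compare_digest(tag, expected) else None

def build_session_policy(authenticated: bool) -> dict:
    """Least privilege: anonymous callers only read the review domain, logged-in
    users may also write to it, and nothing outside that domain is reachable."""
    actions = ["sdb:Select", "sdb:GetAttributes"]
    if authenticated:
        actions.append("sdb:PutAttributes")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions,
                           "Resource": SDB_DOMAIN_ARN}]}

def vend_credentials(token: str, sts=None) -> dict:
    """Exchange an app session for 15-minute AWS credentials bounded by the session
    policy. `sts` is injectable so the logic runs without AWS; by default boto3
    (assumed installed on the backend only) is used under the backend's IAM role."""
    user_id = verify_session(token) if token else None
    if sts is None:
        import boto3
        sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName=user_id or "anonymous",
        Policy=json.dumps(build_session_policy(user_id is not None)),
        DurationSeconds=900,  # STS minimum, so a leaked credential expires quickly
    )
    creds = resp["Credentials"]
    return {"AccessKeyId": creds["AccessKeyId"],
            "SecretAccessKey": creds["SecretAccessKey"],
            "SessionToken": creds["SessionToken"],
            "Expiration": creds["Expiration"].isoformat(),
            "Scope": "read-write" if user_id else "read-only"}
```

The app never sees the role's base credentials, only a temporary, policy-bounded set tied to its own session, which is what the TVM and web identity federation options also deliver.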
https://stackoverflow.com/a/21839911/2959100
This is related to OpenId authentication.
I have implemented the Google and Yahoo OpenID auth with Java in Struts2,
but it is achieved through page redirection to the OpenID provider auth page and then back to my own success web page.
But what I wanted was the same as Facebook auth, where a JSON object is passed from FB and FB authentication is done in a pop-up, so that redirection can be avoided.
Please help me out.
I have somewhat implemented which is mentioned in this post part1-part4: http://javadeveloperjournal.blogspot.in/2011/08/integrating-openid-into-my-struts-2-app.html
First, I would not suggest using OpenID for Facebook, and Facebook does not provide its own implementation of OpenID but relies on certain third-party implementations.
The best way is to go with OAuth, which is quite similar to OpenID with the only differences being in the level of security and authentication.
While Constructing a URL to the OAuth Dialog, you can specify a parameter namely display indicating if you want a page redirect or pop-up, by default the value of this parameter is set to page
Please go through Facebook documentation for implementing OAuth
oauth using Facebook
That redirection is a mandatory part of the OpenID specification. Anyhow, to authenticate users in that manner, the OpenID Provider should support it. But Facebook doesn't, as far as I know. Use OAuth; Facebook supports it and it is an open standard, so it is always better to go with open standards.
Well, as the other answers have indicated, passing you to the OpenID provider to log in is part of the specification. Also, in agreement with Umesh above, Facebook provides Facebook Connect, which isn't OpenID, but allows you to authenticate users using this method.
See: Is Facebook an OpenID provider?
What I do want to add, however, is the clarification that you don't just run off and create an OAuth-based authentication system because OpenID isn't what you want to use. OAuth provides you with more than just login authentication; there's more power in there, which strangely users are unaware of. OpenID passes along your credentials and OAuth passes along access to your data. So with OpenID the website can authenticate me; with OAuth the website can authenticate me and possibly have access to all my email or my documents in Google Drive. The good thing is that you, the user, have to explicitly allow this access.
But erring on the side of privacy, you'd want to build a compelling case for an application that needs the power of OAuth. Like the picture in the article below, one is the difference between asking for a notarized letter to prove your identity, and asking for a valet key to prove your identity.
A valet is OAuth, I need them to take my car and park it in the parking lot, so I give them a valet key. It can't open the glove compartment or the trunk, but they can open the driver's side door and start the ignition - which is all I need them to do, and no more. However I don't give the cashier at the grocery my valet key when I'm paying with a personal check, she just needs to see a photo ID, any gov't issued ID will work. Technically my valet key which will allow her to open my car and read my VIN and possibly authenticate it against a DMV database should also work, but that's probably overkill.
There are good uses for OpenId, OAuth and Federated logins, but as developers we need to understand when and where we should use each of them.
http://en.wikipedia.org/wiki/OAuth#OpenID_vs._pseudo-authentication_using_OAuth