I'm using the RingCentral Embeddable widget using the following code.
(function() {
var rcs = document.createElement("script");
rcs.src = "https://ringcentral.github.io/ringcentral-embeddable/adapter.js?clientId={client_id}&appServer={app_server}&redirectUri={redirect_uri}";
var rcs0 = document.getElementsByTagName("script")[0];
rcs0.parentNode.insertBefore(rcs, rcs0);
if (window.RCAdapter) {
window.RCAdapter.setMinimized(false);
}
})();
I want to store the token, refresh token and user id after a successful login. Can someone please help in how can I get the above details if I'm just using the ringcentral widget?
The access token is available in the browser's local storage with the key sdk-rc-widgetplatform. See the following:
Token is saved at Browser localStorage with key sdk-rc-widgetplatform. You can only access it when your deploy the app in your domain. But it is not recommended to use token, token will be expired and changed when the app refresh it.
If you want to manage token in server side, you can have a look at RingCentral proxy project, it make authorization in server side #349
https://github.com/ringcentral/ringcentral-embeddable/issues/510
Related
In my api, I have a /users endpoint which currently shows (eg address) details of all users currently registered. This needs to be accessed by the (Ember) application (eg to view a user shipping address) but for obvious reasons I can't allow anyone to be able to view the data (whether that be via the browsable api or as plain JSON if we restrict a view to just use the JSONRenderer). I don't think I can use authentication and permissions, since the application needs to log a user in from the front end app (I am using token based authentication) in the first instance. If I use authentication on the user view in Django for instance, I am unable to login from Ember.
Am I missing something?
UPDATE
Hi, I wanted to come back on this.
For authentication on the Ember side I'm using Ember Simple Auth and token based authentication in Django. All is working fine - I can log into the Ember app, and have access to the token.
What I need to be able to do is to access the user; for this I followed the code sample here https://github.com/simplabs/ember-simple-auth/blob/master/guides/managing-current-user.md
I have tested the token based authentication in Postman, using the token for my logged in user - and can access the /users endpoint. (This is returning all users - what I want is for only the user for whom I have the token to be returned but that's for later!).
The question is how to do I pass the (token) header in any Ember requests, eg
this.store.findAll('user') .... etc
This is clearly not happening currently, and I'm not sure how to fix this.
UPDATE
Fixed it. Turns out that the authorize function in my application adapter was not setting the headers, so have changed the code to set the headers explicitly:
authorize(xhr) {
let { access_token } = this.get('session.data.authenticated');
if (isPresent(access_token)) {
xhr.setRequestHeader('Authorization', `Token ${access_token}`);
}
},
headers: computed('session.data.authenticated.token', function () {
const headers = {};
if (this.session.isAuthenticated) {
headers['Authorization'] = `Token ${this.session.data.authenticated.token}`
}
return headers;
})
Ember is framework for creating SPAs. These run in the browser. So for Ember to get the data, you have to send the data to the browser.
The browser is completely under the control of the user. The browser is software that works for them, not for the owner of the website.
Any data you send to the browser, the user can access. Full stop.
If you want to limit which bits of the data the user can read from the API, then you need to write the logic to apply those limits server-side and not depend on the client-side Ember code to filter out the bits you don't want the user to see.
I don't think I can use authentication and permissions, since the application needs to log a user in from the front end app (I am using token based authentication) in the first instance. If I use authentication on the user view in Django for instance, I am unable to login from Ember.
This doesn't really make sense.
Generally, this should happen:
The user enters some credentials into the Ember app
The ember app sends them to an authentication endpoint on the server
The server returns a token
The ember app stores the token
The ember app sends the token when it makes the request for data from the API
The server uses the token to determine which data to send back from the API
Ours is a web application. The security team has suggested us to change cookie upon every escalation in the authorization.
Accordingly, I wanted to update the client side cookie after authentication. And I used the below code:
System.Web.HttpCookie cookie = Request.Cookies["ASP.NET_SessionId"];
System.Web.HttpCookie dummyCookie = new System.Web.HttpCookie("SessionId");
cookie.Value = dummyCookie.Value;
Response.Cookies.Add(cookie);
Problem is as soon as the cookie gets updated, the user is again taken as an unauthenticated user.
Thanks in advance.
I have implemented like below to handle this in my project.
When user browse the application login page. I am deleting the sessionid in the session-cookie using below code in the page load.
if(!IsPostBack)
{
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
HttpContext.Current.Session.RemoveAll();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
}
The above code will empty the sessionid in the session cookie. Now when user enter the appropriate credentials asp.net will create new session id automatically, so browser will get new session upon successful authentication. If user entered wrong credentials then using above code i am resetting the sessionid again so the new sessionid will automatically generated up on successful authentication.
Security tools no more showing session fixation issue after above implementation was in place in my project. I hope this helps.
Is it possible to retrieve the refresh token from a google account for an application?
I use a google oauth login for my web application. When signing in the first time the refresh token is generated. But when something goes wrong or the the program doesnt accept the user, but the user allready signed in the refresh token is allready generated. The second time when the user wants to log in the refresh token isn't generated. the user must first revoke the web application before the new refresh token will be generated.
Is there a way to retrieve the refresh token of a user? or maybe even better, kick out the user from the web application?
this is how I get the refresh token:
code = request.args.get('code')
credentials = cls.flow.step2_exchange(code)
print 'refresh_token:{}'.format(credentials.refresh_token)
I am using Flask
Ok I found the answer.
When a user accepts your application a refresh_token is generated.
If a user comes back later and hasn't revoked your application, google won't generate another refresh token. You can use approval_prompt='force' to force the user to go through the approval prompt.
A user can revoke your application by going to myaccount.google.com > Connected apps and services, selecting your application and revoke.
To revoke the user in your application you can call the following URL:
'https://accounts.google.com/o/oauth2/revoke?token={token}'
example:
def revoke(token)
url = 'https://accounts.google.com/o/oauth2/revoke?token=%s' % token
h = httplib2.Http()
return h.request(url, 'GET')[0]
the token can be an access_token or a refresh_token
I'm trying to get access to salesforce report data using oauth token. Some time ago it worked fine, I used the oauth token as session id.
...
URL remoteFile = new URL(instanceURL + "/" + reportId + "?export=1&enc=UTF-8&xf=csv");
URLConnection fStream = remoteFile.openConnection();
fStream.setRequestProperty("Cookie", "sid=" + accessToken);
...
But it doesn't work, everytime I try to access the url it returns an html page which corresponds to login page. Is there any way I can access report data (not meta-data) using the oauth access_token?
Thanks.
In order to use the token with such a URL you need to set the scope parameter to include web:
web Allows the ability to use the access_token on the Web.
The oAuth User Agent Flow documentation details where the scope parameter is specified.
I have been requested by a client to pull the latest posts from their LinkedIn group to one of our website pages.
I am developing using ColdFusion 9 and have been researching this for quite a few days now and decided to post my query here in the hopes that someone will be able to help me out.
I can get to the point where I have a requestToken. My understanding is that I now need to sign the request token to get the accessToken. My problem is that I need to do this behind-the-scenes. However, all the examples that I can find are redirecting the front-end user to the authorisation url to allow the user to authenticate, but I don't want the user to authenticate, I want to authenticate server-side instead.
I am trying to use the Scribe Java wrapper library. Below is the code that I have so far which gets the requestToken (as well as the authorisation url). I need someone to point me in the right direction to sign the token on the server-side code so that I can make the necessary calls to consume the Groups API (e.g. http://api.linkedin.com/v1/groups/{id}/posts?count=5&start=1)
<cfscript>
var l = {};
//The LinkedIn public and private keys for application
l.oauth_consumer_key = "[My public key]";
l.oauth_sign_key = "[My secret key]";
l.serviceBuilder = CreateObject("java","org.scribe.builder.ServiceBuilder");
l.LinkedInApiClass = CreateObject("java", "org.scribe.builder.api.LinkedInApi").getClass();
l.service = l.serviceBuilder.provider(l.LinkedInApiClass).apiKey(l.oauth_consumer_key).apiSecret(l.oauth_sign_key).callback("[My callback url]").build();
l.requestToken = l.service.getRequestToken();
l.authUrl = l.service.getAuthorizationUrl(l.requestToken);
// I NEED TO DEFINE WHAT TO DO AT THIS POINT TO SIGN THE REQUEST SERVER SIDE
...
...
</cfscript>
Kirsten is technically correct - Linked In Api's require user authentication. It's annoying because you need to authenticate to even retrieve group posts.
However there are ways round it.
With scribe you can manually create an access token. So what I would do is create a dummy user account on Linked In, authenticate that user as normal and save the returned signed credentials on your database, which you can then use to create the token:
var accessToken = createObject("java", "org.scribe.model.Token").init(
"singedTokenStringReturnBackFromLinkedIn",
"singedSecretStringReturnBackFromLinkedIn",
"oauth_token=singedTokenStringReturnBackFromLinkedIn&oauth_token_secret=singedSecretStringReturnBackFromLinkedIn&oauth_expires_in=0&oauth_authorization_expires_in=0"
);
You can then skip the authenticate part and call the api allowing you to display the group posts without the current user having to sign in:
var req = createObject("java", "org.scribe.model.OAuthRequest").init(
createObject("java", "org.scribe.model.Verb").GET,
"http://api.linkedin.com/v1/groups/123456/posts"
);
oAuthService.signRequest(accessToken, req);
I have no idea if this would violate Linked In's T&C though.
OAuth authentication is designed for the user to give their permission to the application via a login on the site (in this case LinkedIn). It is not designed for you to automatically have the user grant permission for your application.
In order to get an access token to use the LinkedIn APIs, you have to include the part of the authentication flow that sends the user to LinkedIn to give your application permission to act on their behalf, at which point you can retrieve a verifier token either via PIN (which the user inputs) or via a callback to your application.
In short, there is no way to "authenticate server-side" without having the user interact with the LinkedIn site.