I am trying to see if there is a way to access the Preflight accessibility results for all of my apps.
I can access each on individually but since my publisher account manages many apps it is tedious to do it that way.
Thanks!
Related
Update: I need more investigation to be able to ask.
I have a server that handles all my requests to Facebook on behalf of mobile clients. To secure the access_token from the Facebook user, Facebook recommends using appsecret_proof. I have more then one app.
Question: is it possible to get a appsecret_proof that covers all apps. Kind of like token_for_business is covering ids?
Update: I need more investigation to be able to ask.
appsecret_proof includes the App Secret, so of course you need a new appsecret_proof for every single App. Not sure why you would try using the same one for different Apps though, token_for_business is for something completely different: to identify a User between different Apps.
I'm currently building an oAuth2 server so that external clients/devices can access data from my service without having to send over user credentials with every request. I've finally grasped how oAuth works after spending an entire day reading numerous tutorials and online documentation, however, there's still one thing that I'm rather unsure of...
When sending a request for an authorization code to an oAuth server, how should I deal with a callback to mobile devices and devices that aren't a webserver?
E.g. this request to my oAuth server will send an authorization code as a callback to a specified webserver (http://client-url.com in this case)
http://mydomainname/oauth2/?client_id=test&grant_type=authorization_code&client_details=test&redirect_uri=http://client-url.com&response_type=code
The server at http://client-url.com will receive a response containing an authorization code and the developer will be able to store a user's oAuth credentials accordingly.
Obviously a mobile device isn't a webserver, so is there a standardised way of dealing with this? I've read online that you can define something called a custom URI scheme within iOS and Android apps. But what about the other mobile platforms out there? And desktop apps? I want my API to be accessible from as many platforms and devices as possible.
The reason why I'm asking this question is because I want to add validation to my oAuth server so that users can only register apps with valid callback URL's. I wasn't sure if should allow any other type of input as a callback apart from a valid URL.
Can anyone shine any light on this? I want to avoid spending hours validating and testing this across all devices as I'm sure anyone that has developed for multiple mobile platforms in the past must have some knowledge about this.
Thanks in advance.
I have a REST API that will be accessed from mobile clients and a web application. I would like to use oAuth for it. Not necessarily for the resource sharing aspects (it will just be for our application right now) but because of the standard it provides for how to tokenize and sign requests.
My questions:
Is this a sane use of oAuth?
There are quite a few posts on here discussing the issue of having to
store the client secrets on the mobile devices, but is that really an
issue in this case since I own the service too?
Is there any reason to give each client their own secret? This is normally used for access revoking, but again, I control the serivce and could just disable their user account.
I'm working on an app and websites. They have related information such as users, contracts, etc. What is the reason for designing an API and not connecting directly to the database?
Edit:
I'm just starting development and have no experience with web services. Please be as thorough as possible.
Sites such as Facebook, Google, and Twitter could never let third party apps connect directly to their database: it's an enormous security risk. (Would you be comfortable if Facebook allowed anyone to access their database, including private user information and messages?)
APIs serve as a gate through which third party apps can get the kinds of information they are permitted to access.
There are several reasons why you would use an API instead of using direct access.
The first 2 that come to mind:
Using an API allows you to write the client code without knowing any details of the specific implementation, so if you change your database structure or location for instance, you need only rewrite the API wrapper code, not everywhere its referenced.
It allows you to have different levels of authentication. As mentioned in another answer, it is not ideal for all users of an application to have access to every other users data.
We don't exactly comply with the XML-RPC spec, but the concepts are nearly identical. A client comes in over HTTP/HTTPS with an XML payload. We respond with an XML payload answering the request. This is primarily machine to machine, so no human to type a username/password. Our construct runs within apache tomcat. We would like to authenticate the request and since not every service is available to every client, we need to authorize the request as well. We have both subscription and per use charging models so it is necessary to log everything.
What would you recommend for both server and client?
HTTP BASIC/DIGEST works fine for most machine to machine tasks, and it handled by the server so your API is unaffected.
It doesn't work as well for interactive uses because it's difficult to "log out" the user without closing the browser.
Otherwise you'll most likely need to alter your APIs to include authentication information and have your methods authenticate that within your code.
Or you could use the classic "login", set a cookie, keep a session technique.
But, frankly, for machine to machine work, HTTP BASIC is the easiest.
edit, regarding comments.
HTTP BASIC is simply a protocol used to present the artifacts necessary for authentication, and it works well for machine to machine web services.
HOW IT IS IMPLEMENTED is dependent on you and your application. Using Java, you can use container authentication and that will provide authentication as well as role mapping. The user -> role mapping is handled in either a data file or database. The URLs protected, and what roles are valid for each URL, is managed by web.xml.
If you continue to add different roles to different URLs, then, yes, you'll need to redeploy that application.
However, if you're just adding new users, then you simply update your file or database. And if you're adding new logic, and this new URLs, then you have to redeploy anyway. If you have a ROLE structure with a fine enough granularity, you won't have to be messing with the web.xml until you actually add new methods. For example you could, at the extreme, create a role per method, and assign them individually to users. Most don't need to go that far.
If you don't want to use container authentication, then write a Servlet Filter to implement your vision of mapping user and roles to URLs. You can still use the HTTP BASIC protocol for your clients, even if you implement your own facility.
If you're looking for an overall generic Java security framework, I defer to google -- there are several, I've not used any of them. I've had good luck with container authentication and writing our own.
#Will
I second the HTTP Basic suggestion, and can testify that it integrates fairly well with Spring Security, which I implemented on top of a legacy application that rolled its own DB-based authentication/authorization logic.