Flask-OAuthlib to implement OAuth implicit flow - flask

Is it feasible to implement oauth provider implicit flow using Flask-OAuthlib?
I have been trying this for more than a week now. I can't share codes because of some internal company policy.
My issue is OAuthlib has everything predefined: from what arguments to pass to the type of arguments. And, most of these are not even needed in the implicit flow. If I try to work around these, it starts throwing multiple errors. As long as I have OAuthlib decorators on, I'm not allowed to bypass these API internals. And somehow I feel the Flask-OAuthlib is skewed towards authorization flow.
Please, provide your point of view. Because I'm definitely missing something. Or has anyone tried implementing it earlier, and is it achievable?

Related

How to see all conversions and custom conversion fields? Facebook ad insight api

I'd like to list all the possible conversion types that are listed in the ads manager from the ad insight graph api.
The conversions from a query like so give me only a small sample set of whats here.
insights?fields=actions,action_values&time_increment=1
Potential reasons:
They limit what graph api can do
They remove conversion types that have no values.
They wanted to make it extra confusing. :O
Anyone run into something similar? This is super frustrating.
insights are little bit more complicated and messy....
Insights api returning only non-zero values.
backwards compatibility of api versions and constantly introducing new metric and changing existing ones by request of rapidly changing marketing industry
There is potentially unlimited number of conversions attached to every campaign/ad-set/ad entity.... what you show on your screenshoot are only some of standard events but there are also a custom ones...
Conversions are not only in actions but for example also in conversions...

WS-Security actions explanation specifically SAML related

The WSHandlerConstants class defines action constants like SAML_TOKEN_SIGNED and SAML_TOKEN_UNSIGNED
I am struggling to find any documentation about these action constants, after looking around a lot I am still unable to find explanation for the below
Mapping of action constants to the expected behaviour they are
suppose to trigger
Which constant should be defined on the outgoing end (client) versus
which constants should be defined on the incoming end (server), if a
constant can be used at both ends then how does its behaviour change.
What effect does each constant have on the SAML token being produced
I am investigating actions related to SAML authentication and generation.
After digging through the source I have found that in the WSSConfig there is default action mapping.However the action classes only get invoked via the WSS4JOutInterceptor.
The WSS4JInInterceptor uses the actions configured on the server side to work out if the tokens are valid,I however could not work out exactly how.
I suspect that there should be some easy way to find out these different combinations. At the end I hope to have some clarity on,
If a SAML token is generated with these(X,Y,Z) characteristics then it can be validated successfully when CXF is configured with these (A,B,C) actions and a brief explanation for each of them. Some guidance on best practices and most used combinations wouldn't hurt.

Using Redmine REST API to concurrently update Issues

Hoping someone could shed some light as my searches have turned up very little information.
I want to use Redmine's REST API for Issues to do:
GET /issues/[id].json to get the content of a specific issue.
Make changes to the above content.
Finally PUT /issues/[id].json the content back.
But I want to perform this using some form of concurrency control (ideally optimistic locking), so that content isn't changed by someone else around 2, promptly followed by 3 destroying said change.
This link hints on such possibility:
redmine.exceptions.ConflictError - (Why does this class exist?)
I'd assume there'd be some way of specifying a compare value, possibly updated_on, to do compare-and-swap-esk locking with PUT /issues/[id].json, but I can't find anything regarding this.
Redmine's web interface provides a concurrency control mechanism, so I'm stumped as to why there's so little information on this.

Is there a way to detect from which source an API is being called?

Is there any method to identify from which source an API is called? source refer to IOS application, web application like a page or button click( Ajax calls etc).
Although, saving a flag like (?source=ios or ?source=webapp) while calling api can be done but i just wanted to know is there any other better option to accomplish this?
I also feel this requirement is weird, because in general an App or a web application is used by n number of users so it is difficult to monitor those many API calls.
please give your valuable suggestions.
There is no perfect way to solve this. Designating a special flag won't solve your problem, because the consumer can put in whatever she wants and you cannot be sure if it is legit or not. The same holds true if you issue different API keys for different consumers - you never know if they decide to switch them up.
The only option that comes to my mind is to analyze the HTTP header and see what you can deduce from it. As you probably know a typical HTTP header looks something like this:
You can try and see how the requests from all sources differ in your case and decide if you can reliably differentiate between them. If you have the luxury of developing the client (i.e. this is not a public API), you can set your custom User-Agent strings for different sources.
But keep in mind that Referrer is not mandatory and thus it is not very reliable, and the user agent can also be spoofed. So it is a solution that is better than nothing, but it's not 100% reliable.
Hope this helps, also here is a similar question. Good luck!

Ember-data in a non-RESTful environment

I would like to use ember-data in a project I am building, but the API I am working with does not follow REST conventions.
For example, all the HTTP requests are POST and the naming conventions of the endpoints are unique to the actions they perform. e.g. /api/thing/retrieve would require me to post a JSON object with some parameters, and would return a 'thing' to me.
Do I use the Restful adapter and reopen the class and redefine the various find functions?
OR
Do I have to make a new adapter?
OR
Should I just abandon ember-data and and use ajax in my models(or maybe even controllers)?
I'm not sure how I would handle any of those options. Any guidance would be appreciated.
The only information which I have seen on this subject has been an article by the Discourse folks linked below.
http://eviltrout.com/2013/03/23/ember-without-data.html
I personally have toyed around with the reopenClass method in the article, and would probably drop it into a mixin or something to that effect if I had a consistent but non-REST API which I was calling regularly.
I would say that, if your API is consistent (reliable) then you should create/extend the DS.Adapter (not DS.RESTAdapter) to implement to your specification.
All the hooks are there, you will just end up defining it once which all models can use.
I would also read through the Basic Adapter code - (https://github.com/emberjs/data/blob/master/packages/ember-data/lib/adapters/basic_adapter.js) it might be a better staring point for you then DS.Adapter.
If your API is not reliable, then you are probably better off with just using the $.ajax() calls as necessary. But, in my opinion, that does not scale well.
A link worth reading when looking at Basic Adapter: http://emberjs.com/blog/2013/03/22/stabilizing-ember-data.html
One last note, building an ORM or even a something more simple then an ORM is not a trivial task, that for me, makes using ember-data worth the effort, and yes sometimes pain.