I've created a Glass app in Python. I began with the mirror quickstart for Python and have my app running fine except some users are getting multiple notifications. I only have one row per user in my Credentials table, however when I go and look at my own Authorized Access on my account I see that I have my Glass project listed 8 separate times.
Can anyone tell me how to check and see if the user has previously granted access to my app when they sign in and if so then skip creating a new token.
You can use the user's ID to prevent storing more than one credential for each user.
When you complete the OAuth flow, you'll receive an ID token along with the access and refresh tokens. If you decode this token, you'll see something like this:
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"1234987819200.apps.googleusercontent.com",
"email":"jsmith#example.com",
"aud":"1234987819200.apps.googleusercontent.com",
"iat":1353601026,
"exp":1353604926
}
The sub key is the one you're interested in. Use this value to uniquely identify your user. If you see a user authenticate with a user ID that you already know, replace the old value.
If you update your question to include the code you're using for your OAuth flow, we can provide more specific advice. Or, you can learn more about this from Google's OAuth documentation.
Related
I'm trying to create an App which has a log in page where user should be authenticated using azure AD. Basically the App has a log in form where user puts his id and password from ad and django should check with ad and allow him in or not. Later on ofc would like to add permission depending on AD group.
So far I searched a lot on the internet and found nothing. Could you guys help with some example or link to documentation what I could use.
First of all, I'd like to suggest that you don't do that.
What you are asking for is ROPC flow: https://joonasw.net/view/ropc-grant-flow-in-azure-ad.
Usage of this flow is not recommended unless this is for migrating a legacy application (which is the original purpose of ROPC).
It also won't work if the user has MFA, an expired password etc.
There is usually no reason why you'd want to handle user passwords when using a federated identity provider.
I'm using Ember 2.3 with Ember Simple Auth 1.0 and am wondering if anyone had any suggestions on the best approach to handle the following situation:
With the particular industry my platform serves, most staff are actually independent contractors and therefore could belong to multiple businesses. With that said, I have some specific requirements that I'm trying to address:
Avoid having to create a separate account with separate credentials for each business the staff member belongs to.
Allow credentials to be revoked at any time for a particular account.
Allow for account-level permissions.
Make it simple to switch accounts from inside the application without having to fully-reauthenticate.
To achieve this, my initial implementation is based around issuing a single JWT (using ember-simple-auth-token) for each user account. The proposed authentication flow would be as follows:
User logs in with username and password
System authenticates and if credentials are valid, return a token for each account.
If the system returns no tokens, return an error.
If the system returns a single token, use that token by default and redirect to the authenticated area of the site.
If the system returns more than one token, display a list of the accounts associated with those tokens and allow the user to choose the one in which they will be assuming the role of at that point.
What to do when the system returns more than one token is where I have questions:
Is there a way to "intercept" to allow the user to choose which account/token to use before ESA commits the token to the session in local storage?
If I want the user to be able to switch accounts, is it just a matter of swapping out the token value in local storage?
If there's anything else I should consider, I'd appreciate the feedback. If you also happen to think this is a terrible approach and have some feedback, I'd absolutely love it.
Cheers.
From ESA's perspective the user would be authenticated when the backend responds with one or more tokens (you'll have to implement a custom authenticator and authorizer of course). The fact that the session actually contains multiple tokens for multiple accounts isn't relevant for ESA really - that would be sth. that you'd need to handle in your application code instead.
Once the session is authenticated with one or more tokens, you can access them via the session's data.authenticated property, e.g. this.get('session.data.authenticated.tokens') etc. You could store the currently active account the user wants to use in the session's non-authenticated area, e.g. this.get('session.data').set('activeToken', 'whatever').
I have an application that is run on multiple user systems, and using OAuth, allows the users to log in via Facebook, Twitter, etc. The entire point of the user logging in is to get settings and actions that the same user made while logged in on other computers, as identified by logging in with the same OAuth provider + provider user id. The application itself is written in C++ using Qt.
My question is this: how can I save the settings that a user made, and allow them to retrieve it in a secure way? I have a centralized server that I can store information using MySql tables, but I'm not sure the best way to have the user application prompt the server, and receive the data stored for that user.
Any ideas or places you could point me towards?
There are several ways I could think of with this, all have trade offs:
Generally I would store the data in mysql using some kind of string or object encryption/serialization method. I do not use Qt much but http://qt-project.org/wiki/Simple_encryption has some examples of very simple encryption that could be used.
Then the question becomes: What do you use as the key? I would go either with the key provided by OAuth for that user (which could be an issue if users de-authorize the app but still want access to this data) or some other user provided key (which is counter to using OAuth in the first place).
Another option is to go with Qt Users session http://qt-project.org/doc/qt-4.8/qtwebkit-guide-cache.html
This would maybe remove the need to encrypt since it should only be accessible within the users scope.
NOTE: Based on comments below it seems the issue is more about securing communication with the MySQL versus the data inside of MySQL. Waiting on user comments to revise my answer.
I was just wondering if an app exists for Django that helps connecting all 3 social networks, imports basic info, profile picture, but most importantly pushes the post user makes to these three website accounts. I looked into django-social-auth but that just lets you register or login with these websites,not push posts.
django-allauth http://github.com/pennersr/django-allauth/ stores basic info for FB/G/Tw (and more), provides basic access to the profile picture, and stores the access tokens in the database.
Whatever you do with the access token is project specific and beyond allauth scope. For example, in order to post to the users wall you need:
The user's permission (you can do this by configuring the proper scope for the Facebook provider, search for SCOPE in the README.txt)
Once the user is logged in via FB, the access token is stored in allauth.socialaccount.models.SocialToken. Simply lookup the token for the user that is logged in.
Then, given the token use whatever method you like to post to the Facebook API on behalf of the user. E.g. https://github.com/pythonforfacebook/facebook-sdk
For some more background on the relation between a Django user and the Social* models, see:
How can I get the user's facebook id with django-allauth?
There are django apps that do what you need individually (Facebook example), but I'm not aware of one that works with multiple.
django-social-auth will get you half way there by obtaining the users information and permission to post to the social network on their behalf.
Once you have users authenticating via django-social-auth you'll have access to the users access token needed to post to respective network on their behalf.
From there, you're going to have to stitch together some additional python modules like the Facebook example above to do the actual posting.
I am building an in-house application which would accumulate the information from several social networks at once. Possibly, the URL of the application will not be known or it will not be allowed anywhere outside localhost.
One of the information pieces I will be accumulating is FQL insights table information: https://developers.facebook.com/docs/reference/fql/insights/ . As you may notice, this information is private, so I just cannot fetch it anonymously.
The application itself is written in a "configure once and use forever" fashion, and possibly the person using the application will not be allowed to the Facebook login credentials at all.
My problem is the Facebook login. As I understand the login with "forever access" is now deprecated and Facebook does not allow API access the same way as Twitter does (creating the forever lasting key and forgetting about it). Question is:
Is there any way to overcome the fact that I need to ask the person for permissions every time I would like to fetch them? What can be the longest period between asking?
My current thoughts about it are:
Creating a dummy user for the 'manager' and giving him read-only
access to FB pages, therefore enabling him to log in to the account.
Then asking him for the permissions every (n) hours when I need them.
Automatic log in to the FB account given that we have the
login/password for the account and obtaining the API key myself.
Which is doable? Did anyone have any experience in doing this kind of things?
What can be the longest period between asking?
You can use Long-lived user access_token which is valid for 60 days.Use below FB call to get extended access token:
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
You can check more details here:
https://developers.facebook.com/roadmap/offline-access-removal/
One more point which is worth to note here:
When a user change his password, deauthorizes an app their OAuth token get expired.
Hope this help !