I have a Chrome Packaged Application that I am currently integrating with the Facebook API. The Facebook JavaScript SDK requires that I provide the URL of where my application is hosted and for security reasons they only redirect to this URL.
The problem is that a Chrome Packaged Application doesn't have a URL. I am aware of the chrome.extension.getURL but this URL is not static, it changes per installation. Is there any way to set a URL for a Chrome Application that works for all installations?
Once you publish your app the id from chrome.extension.getURL will not change. The id matches the key used to sign the extension and once you publish an extension to the Web Store that key doesn't change. Developing locally will be more annoying since each time you "load an unpacked extension" it will get a new id.
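An added example, not part of the original answer, showing why the ID stays fixed for a given signing key: Chrome derives it from the SHA-256 digest of the extension's DER-encoded public key. The sample key bytes and the helper names `extension_url` and `is_from_extension` are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed placeholder bytes standing in for the DER-encoded public key
# of the published extension; this is not a real key.
SAMPLE_PUBLIC_KEY_DER = b"constructed placeholder for DER public key bytes"


def extension_id(public_key_der):
    """First 128 bits of SHA-256(public key), hex digits 0-f written as a-p."""
    hex_digest = hashlib.sha256(public_key_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in hex_digest)


def extension_url(public_key_der, path=""):
    """The chrome-extension:// URL every installation signed with this key shares."""
    return "chrome-extension://%s/%s" % (extension_id(public_key_der), path.lstrip("/"))


def is_from_extension(url, public_key_der):
    """Server-side check (hypothetical) that a URL belongs to the pinned extension."""
    parts = urlsplit(url)
    return (parts.scheme == "chrome-extension"
            and parts.hostname == extension_id(public_key_der))


if __name__ == "__main__":
    print(extension_url(SAMPLE_PUBLIC_KEY_DER, "callback.html"))
```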
I'm trying to build a plugin for a WordPress App that uploads files to the user's Google Drive space. I don't want the end user to create the Cloud Console Project, but rather just have him give consent so the plugin can access the needed data from his Google Drive account.
When I create OAuth 2.0 Client IDs in the Google Cloud Console (Web Application), Google asks for Authorized JavaScript origins and Authorized redirect URIs. Since the plugin will be portable and can be installed on different websites I can't define this.
How can this be solved that an OAuth2 Authentication by the user can be done, without knowing the URL where the app is running?
Thanks
You can't. The redirect URI must be configured properly, to point to the web server the code authorization is running on.
You will need to instruct your users in how to create their own client.
Also, as this is a WordPress application, you would need to share your client ID and secret with the users. This is also against Google's TOS.
Possible workaround:
If you put up an authorization server on your own server, the users of your app could then log in through that. A refresh token will be returned to their website running your app and stored locally. Your code could then run using the refresh token to access their data.
However, you are then going to be responsible for verifying an app with Google Drive scopes.
I have a basic website written in Python Django, hosted on IIS 8.5. The website is used in the company intranet with Windows Authentication.
Accessing the website through a browser gives no problems for authentication. However, making use of a simple web API to retrieve data for reporting purposes is giving problems.
I'm trying to load a URL into Excel which supplies data in CSV format (Data -> From Web). Disabling IIS Windows Authentication and using Anonymous works perfectly. However, enabling Windows Authentication does not work as Excel says 'credentials are incorrect'.
The URL response is a simple HttpResponse object with CSV data. Nothing weird or complicated happening.
Any idea where to troubleshoot this? My IIS knowledge is limited in this regard.
So I changed the API part of the website to anonymous authentication as per this answer. It did the trick for me:
IIS 8.5: Change authentification mode for url sub path
I have created a chrome extension which gets data from the current active tab in chrome. I send the data to my webapp via an API which stores it in the database.
At the moment my Chrome extension has a fixed user_id. I would like to prompt the user to log in in order to get the correct user.
Is it safe/valid to check for cookie - if it exists use it otherwise prompt user to sign in via the browser?
It's probably okay, as long as you're not storing anything sensitive in the cookie like a password (obviously).
However, the appropriate way to accomplish this would be through something like OAuth. In this scenario your web app's API would be an OAuth consumer, and you would use the following library to authenticate in a Chrome extension:
https://developer.chrome.com/extensions/tut_oauth.html
This library will save an authentication to local storage for you. It's pretty easy to use. The difficult part is ensuring your web app's API supports OpenID. Google's AppEngine supports this pretty much out of the box with little configuration on your side, but this may not be the case with your API.
I have a Facebook application hosted in Azure coded in C#. But configuration in my Facebook application asks for Hosting URL: that must be hosted in Heroku. So my application can't post actions to Facebook because this error always pops:
Given URL is not allowed by the Application configuration.
How is it supposed to work if I can't add my Azure URL: app.cloudapp.net as a hosting URL if only Heroku URLs are accepted?
Adding my application's URL to the App Domains in application configuration hasn't helped either.
And strangely another application that I have works fine with no Hosting URL defined.
What am I supposed to do to solve this, migrate everything to PHP? I know there can be another answer.
I want to upload a file to a website via a desktop app and then take the user to the website. The website has a web service, but requires authentication as does the web site. Is there a way to do this without forcing the user to authenticate twice (once in the desktop app and once in the web browser)?
Unfortunately, you can't prefill an input of type file for security reasons, which makes sense since the user won't want you uploading arbitrary files from his/her computer. But if they have a desktop app, is there some way around this?
Or maybe make the user log into the web app first and then the authentication cookie can be reused?
Any other ideas?
Thanks,
Ben
I would use the desktop app as a client to the website app via an API.
So, log in via the desktop app. The API returns an authentication token (as Carlos suggested) which might be an MD5 hash stored in your database for a certain period of time, possibly matched to the client's IP address.
The desktop app can then make calls on the API (like uploading a file) as an authenticated user (by using the auth token).
When loading the website, perhaps the URL is http://website/login/{auth_token} where the auth token is added to the URL. The API can check to see if it's a valid auth token and consider the user logged in.
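A sketch of the token handoff described in this answer, added here as an example and not code from the original post: it uses a random token from Python's `secrets` module in place of an MD5 hash, stores only a SHA-256 digest, and makes the token short-lived and single-use because it travels in the URL. `LoginTokenStore`, `TOKEN_TTL_SECONDS` and the 60-second lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Assumption: the desktop app opens the browser right after the upload,
# so the URL token only needs to live for a short window.
TOKEN_TTL_SECONDS = 60


class LoginTokenStore:
    """In-memory stand-in (hypothetical) for the server-side token table."""

    def __init__(self, now=time.time):
        self._now = now
        self._rows = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked table yields no usable tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Called by the API once the desktop app has authenticated the user."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._rows[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token):
        """Called by the /login/{auth_token} handler; returns user_id or None.

        On success the handler should set a normal session cookie and redirect
        to a URL without the token, since URLs end up in history and logs.
        """
        try:
            digest = self._digest(token)
        except UnicodeEncodeError:
            return None  # not a token this store could have issued
        row = self._rows.pop(digest, None)  # pop: each token works only once
        if row is None:
            return None
        user_id, expires_at = row
        if self._now() > expires_at:
            return None
        return user_id
```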
You could generate an authentication token that could later be used on the website.
It all depends on the type of authentication of the service and the site. Is it integrated Kerberos, WS-Auth, is it Basic/Digest HTTP, is it forms/cookie?
This answer will most likely not work in the very general users-on-the-wide-open-web scenario, but in intranet contexts, using Windows Authentication (on an ASP.NET solution) would provide this.