So, I am trying to use GroupMe's API. The issue is that I don't really know how to get the users access_token once I send them to the site to login. I don't really know how to create a callback or how to use it. So to sum it up
I need to send users to this site
https://oauth.groupme.com/oauth/authorize?client_id=CLIENT_ID,
then they login and groupme sends them to here
https://YOUR_CALLBACK_URL/?access_token=ACCESS_TOKEN.
But I don't know how/where to create a callback url. Then I don't know how to send that access_token back to the app.
Thanks.
A callback URL is simply a url exposed by your app that groupme can redirect users to. The page can be anything, however, oftentimes it takes the user back to your app if it is a webapp, or tells the user to close the page.
The important part is that the url is one that the app controls, so that it can get the contents of the url that contain the token and other data.
If you are writing a web app, then the framework or language should a method or variable you can call or read to get the url. If you are writing a desktop/moble app, one way of creating a callback url is to listen on a tcp port and speak http to the browser. Another way is using a lightweight web server library, or use a lightweight external server like lighthttp and communicate using cgi/fastcgi. All that matters is that you can get the url that groupme se,t the user to.
If you need anymore help, you are using Oauth2 so search for help with that. Nothing that you asked about here is specfic to groupme, so you should be able to use any OAuth2 library.
Related
I have an android and iPhone app, and the apps are getting data
from my website based on some conditions they select on the app.
I created a secured url that is not open to the public (can't be find on our website) and using a hash code that I thought was secure enough. Something like the following
http://test.com/data/get_data.php?key=akl;sd8234
The extra conditions they select in the app will be append as query parameters to the same url.
Base on the condition, the php file will then out data in json format.
However, I discovered recently someone else create the exact same app and actually getting data from my server, and from the secret url that I created. The reason I know is because I change something on that secret get_data.php page and it reflected on their app.
I don't know who they get a hold to my url, is there a way to create a more secure way to pass the data from my web server to the app so others can't steal my data?
You should create an API with Basic Auth or OAuth. You can't rely on your URL because it can be caught in logs.
Check this course out
In addition to shayegh's answer, you need to understand that every endpoint that you access within your application is public by nature. Everyone can access your server's endpoint just as well as your mobile application (created by you) can. However, you can make your server's endpoint protected by adding authorization requirements on your endpoint.
Authorization
There are many authorization protocols out there, OAuth, OAuth2.0, Basic Auth (credentials like email and password), etc. All of these are just ways to grant anyone access to resources in your endpoint. Think of it as a lock on your home door, only someone with a key can go into your house and make a mess.
Please keep in mind that this is a very simplified version of what authorization protocols actually look like, how it actually secures the distribution of access keys/tokens, etc.
Additional questions and answers
I tried to generate log files from my android phone, and I can't seem to find the .php file from the log files. Is that possible for someone to decode the android app or the iphone app so that they can view my source code?
Answer: I would always assume that everything that is happening on client's side (mobile app, WebApp's front end, etc) is beyond my control. That means anyone can access, read, tweak my client applications. With that said, I would assume that it is indeed possible for someone to unravel your android / iPhone app (get the source code) to get your client side keys.
How would this (OAuth/basic) help? Surely the person creating the other app would just add the OAuth/basic auth as well, wouldn't they?
In order for that other person to access the protected endpoint they would need to have access to your access tokens of the original app. On top of that, they would need to do it fast because usually access tokens only lasts for a short period of time.
Will using Basic Auth or OAuth key works if they are able to see my code?
Yes and no, depending on your implementation, attackers might be able to unravel your app and somehow fetch user's credentials or tokens from bad practices.
I'm working on an android application which logs into a website. Basically I have managed to login within Activity A. The user is then redirected to activity B, I want to maintain that logged in session while in activity B. In order to achieve this I have tried this:
Document postLogin = Jsoup.connect("http://forums.d2jsp.org/")
.cookie("sid", sidDetails.getSid())
.post();
As you can see i'm trying to POST the cookie SID. This obviously isn't working, so does anyone have any ideas on how to achieve this? It should be noted I am using JSOUP.
There's not really enough here to go on. You need to figure out what the site is using to maintain login state, and make sure you're setting up Jsoup to send that data.
What I would suggest is that you use Charles Proxy to trace the requests you make in a regular browser to this site, then make sure you're setting up Jsoup to send the right data. By watching the HTTP traffic over the wire, you'll get a better picture of what's happening, and hopefully spot what's missing.
If you can't see how to get Jsoup to add the right data to the request, just give an example of what you need.
I would like to map the gcm reg id to individual users on my site.
What is the best way to accomplish this?
I have a webview in android that loads my site where users are required to login, until login users are anonymous so i can only map the users after login.
some thoughts are,
Set the user agent string to the reg id if its not been registered, when logged in , if no id is mapped to the user then grab it from the user agent string.
^^ that seems the easiest way for me as i'm a beginner but i can think of some flaws straight away.
Monitor the page url, if this can be done. when the webview detects the url is "index.php"(user is logged in) then executes the function within the application to send the reg id to the server.
inject the code into a hidden field in the page before login and submit it with that?
I'm not sure if any of these methods are viable, any help would be much appreciated. I'm still pretty much beginner so laymans terms would be also appreciated.
You can pass data from the java code that receives the Registration ID (from Google) to your Web View by using javascript, as explained in the answer to this question.
Or you can load the Web View only after getting the Registration ID from Google. This way you can pass it as a parameter to the URL you are loading.
Ok by far the best way for me was to expose the javascript interface in the webview, i placed a check in my sessions.php after authentication, if the registration key wasn't in the database then it would call a java function in the application that is essentially an ajax call to another script on the website in which the reg key is passed to and saved in the database along with the user id.
My application has to login to a website by posting a form, and keep track of the cookie provided till the application is terminated.
I have achieved this using the "WebView" class. I have doubts on weather this is the most efficient way to achieve this as I do not wish to display any webpages but Simply submitting another form once logged in.
Is their any other solution/Classes that can handle this with less traffic (smaller footprint)?
You can submit data to the login form just as you can to any other.
Using the HTTP library you can add a payload (of type x-www-form-encoded) to a RequestEntity. The JavaDocs are fairly clear on how to do this.
I develop an android application which makes login to a php openid server by using webview.
My problem is that once closed the activity of this webview, I need to make requests to the server from other enforcement activities that use the session logged from the first activity with the webview.
How can I use from other activities (not webview) the generated session on the server from the first activity (web view)?
thank you very much
Your questions is very general, so at best all I can do is give you a very general response. If you need to do stuff in the background over a long period of time, please checkout the Service class. Also, with any mobile platform it's generally considered better practice to not use stateful web communication (i.e. communication that relies on sessions). Doing so is not very fault tolerant (and trust me, with any mobile platform your communication is going to need to be very fault tolerant). Instead you should look at making your communication RESTful. Here's a great video on developing RESTful applications for android.
I solved my problem as follows:
I left openid login activity, just for that.
I created a new activity with a webview hidden from the user.
Since the activity where I want to perform the operation on the server with the login with openid, step right url as a parameter to the login activity and this in turn if the user was already logged in login or before, passing the same url the activity with hidden webview, which simply executes the instruction and returns to the main activity (shown only a very small period the user).
In this way it works, because since the webview if you can control whether the user is logged or not openid.