For an experiment I'd like to make it as convenient for the users as possible to submit their data. I figured a good way of doing this would be to create a dedicated dropbox account which is hardcoded into the app and allows the user to submit data without any account required for himself.
My question: Is there a way to obtain an access token from the dropbox API with just having username + password at hand (which would be hard coded into the app)?
What you are looking for is "service account" or two-legged Oauth. Unfortunately according to Dropbox they do not have it: https://www.dropboxforum.com/hc/en-us/community/posts/201943685-OAuth-2-0-Server-to-server-authentication
Related
I am designing an app that works with instagram API so i should ask the user for his username and password
what should i do to explain it to the user that his data is safe and not sent to anyone other than instagram server
Should i make my app partly open source or what is the best way?
You need to make a privacy policy for the app so you tell your users all the information of how you collect, store and use their data also you must give them the option to delete their data if they want to go out of your app.
I remember Facebook is already asking the developer about the privacy policy to give them access for using social user's data.
I am designing an app that works with instagram API so i should ask the user for his username and password
Should you really though? A quick google search shows that the Instragram API provides a flow for authenticating users so you can get an access token without the user having to provide your app specifically with a username or password.
https://developers.facebook.com/docs/instagram-basic-display-api/overview#authorization-window
I'm trying to consume a rest services from android.
I want the username and password is entered only once. Then the system can work without having to reapply username and password.
I do not know what would be the right way to do this.
Save the password on the phone seems a bit insecure, maybe it's just my paranoia. applications like facebook, store the password in the phone?
What I'm trying to do is generate a token, store the token on the phone, and send the token in the header in each request.
I do not know if it is the right solution. I can not find how to do this without the token lose the session.
I have also read about OAuth2, but I have not got any example of a small application That Demonstrates the use, not that of Facebook, Google, Twitter.
I used a Spring Server to communicate with my Android app.
I think you need to use OAuth2.0.
for more information refer to this.
In the widely known If This Then That app (IFTTT) you can create workflows such as:
If I get an email with an attachment, add that attachment to Evernote.
For this to work you can authorize so called "channels" such as Gmail and Evernote. In practice this means that you need to enter your username and password for for example Gmail, after which the IFTTT app can freely scan the incoming email within.
I now wonder how this system works? Is there a specific API within iOS/Android to allow such interaction between apps with specific triggers upon receiving email, or does IFTTT store the usernames and passwords in cleartext and regularly poll the email boxes (which I cannot imagine)?
Could anybody shed some more light on the inner workings of this process? Any information or tips would be welcome (a description, names of API-endpoints, code examples, FLOSS alternatives that implement this, anything else)..?
It'll vary per provider, but many of them, including the Gmail flow, use OAuth for the authentication part. After authentication, they'll use whatever APIs are provided by each individual service.
The clue with Gmail is the way you're redirected to Google themselves for authentication, and the URL has "OAuth" in it. When I just tried it, the authentication URL was:
https://accounts.google.com/o/oauth1/auth?oauth_callback=http%3A%2F%2Fifttt.com%2Fchannels%2Fgoogle_callback&oauth_token=[REDACTED]&btmpl=mobile
What'll happen is that Google will authenticate your credentials, so they're never given to a third party like IFTTT. Instead, on successful authentication, Google will "call back" ifttt on the "oath_callback" URL provided, and effectively give them a token that will allow access. At any point, you can go and revoke that token (somewhere in Gmail's preferences) to prevent IFTTT accessing your account, so control of your account is always in your and Google's hands, and IFTTT only get the access they're granted as long as the token lasts. (Here are Gmail's auth scopes). Your username and password are only ever authenticated with Google's servers, and never stored by the third party.
As with authentication, how IFTTT monitor and respond to events once that authentication has taken place is up to the specific service's API. In some cases they'll poll, where possible they'll probably register for event callbacks. According to this Quora answer from Linden Tibbets, one of IFTTT's creators, for Gmail they use OAuth for obtaining an IMAP login, then use that for polling.
On my android application I use the dropbox API. I hardcode the app key and secret. But to authenticate I need to log in using the dropbox account.
But whats the point of using a app key and secret if you have to enter a username and password.
Also what if you would like other people to be able to upload to your dropbox without using the accounts username and password. Can they use the app key and secret to just upload to the account without entering the accounts username/password?
You are a bit confused with what are app key/secret used to do. In briefly, a pair of app key/secret is used to identify an app. Is it a valid app? Is it authorized by user? And is it out of API call limit/throttling? Therefore, only with key/secret, app has no right to access an unauthorized user's private data. I'm sorry but I have to say allowing people upload data to your own cloud is not a good idea. At least, dropbox is not for that purpose. Instead, why not try some other cloud storage service, like Amazon S3?
We are developing an app that has the option of user registration. Now we want to make this process as easy as possible for the user (to encourage registration), so we basically want the user to login with his google account and our server will simply store his google username (not his password). We are not accessing any google services with the app, but simply want to give an easy option to register and login. Is this something that other apps are doing? Does Google have a problem with that?
I really recommend you to use the AccountManager from Android you don't have any problems with storing the password on your severs if you use the Auth Token. And the biggest benefit is, that the user don't have to enter his email or password
http://developer.android.com/reference/android/accounts/AccountManager.html
Look at the steps in the documentation
Get all available accounts
View them in a List
Request a Auth Token
One more option would be to use some kind of unique ID, like Android_id or some other Id, which is unique for each device or installation. I guess, you just need to get hold of a unique ID for your app so that our server can recognize from which installation the request is coming.