There is somthing that i can't understood. I'm trying to writte a simple app in android to post twitt's into my account. I registered my app in dev.twitter. There i got an api(consumer) key/secret, and access token/access secret pairs. BUT, as in the example, i must use setOauthConsumer(cons key, cons secret) then, after that in the app I must use get getOAuthAccessToken to get oauth access token. But i'm alredy have this(!), so i can use acces token and secret directly, or what?
p. s. i know twitter4j.org examples, and i can use other resources, but i cant find the answer, so i'm posting here
i must use setOauthConsumer(cons key, cons secret) then, after that in
the app I must use get getOAuthAccessToken to get oauth access token.
But i'm alredy have this(!), so i can use acces token and secret
directly, or what?
We need the following 4 values for every request to twitter API:
Consumer key
Consumer Secret
Access Token
Access Token Secret
You already have the following values:
Consumer key
Consumer Secret
Access Token & Access Token Secret are fetched in following two ways:
Case 1: Configuration required for app-only auth, to fetch the twitter feeds even
without Logging in to twitter account.
As you have not logged in, the twitter4j gives the OAuth2Token (access token and token secret) using getOAuth2Token();
Then you use these values in your configuration of Twitter instance. No need to store these values. You can get them using getOAuth2Token() for every request.
Case 2: When you login using your credentials.
In this case, the request is sent to Twitter API to get access token and access token secret (values are generated at the time of registering your application on Twitter).
Once you get these values, store it in SharedPrefernces and use them in subsequent requests. No need to request them again and again.
I hope this helps you.
Related
In Google's OIDC guide, section Exchange code for access token and ID token states that I must provide a client_secret.
If I select the relevant client ID from the API console, I do indeed get a JSON file named client_secret_.... However, none of the fields of the JSON object are named secret or anything similar. (The fields are named client_id, project_id, auth_uri, token_uri, auth_provider_x509_cert_url, and redirect_uris.)
So, where do I get this client_secret?
I think the secrete used to be in the file but alternatively you can also find it by looking at the page were you downloaded your json file and you can also click the button to reset said secret.
I would make sure that the credentials are looking at are under OAuth 2.0 client IDs and not Service account keys or API keys only the first one needs a secret I believe.
Update from comments: Creating Oauth Client Id for android will not give you a secret because its not needed in android application should should probably be following Add google sign-in to your android App
I am trying to implement Google Sign in OAuth 2.0, but I have inquiry why the token returned from the method getIdToken() is very too long such as the following:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImQ1ZWViYzRjOWY5NGVkMzVhYWE5YTdiZTUyYzM0YTNmZDUwZGQ4ODkifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhdWQiOiI1NTc5ODE0OTE1NDItc3RkcGEwY3JmOWNvMXBvNW1pZW9pczEyZG1wcnJzcDQuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDM2MjY1NDEwNDQxOTYxNTY5NjEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiNTU3OTgxNDkxNTQyLWoxdW5zZThhbmNtY2E2NzVnaW1hbWwzaDRpYzFwMnI2LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJtYWhtb3VkLmlicmFoaW0wMTZAZ21haWwuY29tIiwiaWF0IjoxNDY1MTQxNTMwLCJleHAiOjE0NjUxNDUxMzAsIm5hbWUiOiJNYWhtb3VkIElicmFoaW0iLCJwaWN0dXJlIjoiaHR0cHM6Ly9saDQuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy1PTGZKM1JKazFjYy9BQUFBQUFBQUFBSS9BQUFBQUFBQUFCNC83anpkeTZnVkdwUS9zOTYtYy9waG90by5qcGciLCJnaXZlbl9uYW1lIjoiTWFobW91ZCIsImZhbWlseV9uYW1lIjoiSWJyYWhpbSIsImxvY2FsZSI6ImVuIn0.FCsDYU7S8TEKrbm6VxBVXaJlLzrzPuXTP_z14RMIzMZohWNOpHwLYFQivkzy1mC6KJ67qECv0MI5Ap14R2vkxr7XtU9dyZH6oWBvDOgW6KYyBazEi5214Rp-uUeFXDEDFIY_mSOaS0mjlU8N9UxZfr4zIRY6R1p2JI4l1RWOb_rid8bT4gNpA6LFeop9BtmaOeSSuOfmLheqw5Uz3Ws2WCGdu857-rTZc3W5ywfbckvkZN72CRgrKUAeRbcHuGndX83NRpBFdHChXr4FIVT3tWWjiMRsCxLTvDNxXClV269IP9tXELhqNBACdPEX60hRX-DgXPSGl9SQ85IY090nuQ
Google Signin produces a compact serialized JSON Web Token (JWT, https://www.rfc-editor.org/rfc/rfc7519) to represent the authenticated user. That token is self-contained and contains information about the user in a verifiable way. You can verify that your token is a valid JWT at: http://jwt.io So yes, it is a valid token and it gets very large as more information is embedded in it.
I need to make calls to services which are secured by OAuth2 resource owner password credentials. I tried all the libraries on oauth.net/code, but with no success. All of them seem not to provide this kind of authentication, but seem to be great with 3 legged authentication.
My user should login with username and password, but I do not want to store username and password. I want to get an access token and refresh this token from time to time.
My network communication is currently based on spring 4 android and the resttemplate you can find there.
Any suggestions, which library I could use? I think this is a common problem.
I couldn't find anything either, so I've put together a library myself, and I am releasing it to the public.
Usage:
import org.sdf.danielsz.OAuth2Client;
import org.sdf.danielsz.Token;
OAuth2Client client = new OAuth2Client(username, password, app-id, app-secret, site);
Token token = client.getAccessToken();
token.getResource(client, token, "/path/to/resource?name=value");
With this grant type, the client application doesn't need to store the username/password of the user. Those credentials are asked once and exchanged for an access token. This token can then be used to access protected resources.
To check if a token has expired:
token.isExpired();
To manually refresh a token:
Token newToken = token.refresh(client);
A more involved example can be found in the README on github.
Check out this url : https://temboo.com/library/Library/Fitbit/OAuth/ and https://temboo.com/library/Library/Fitbit/OAuth/InitializeOAuth/
In order to run java code to generate OAuth url, you will need temboo.jar file which you can download by clicking on java icon on right hand side link.
cheers.
I'd like to get an access token without user login.
Standard way is that the user logs in and gets an access token.
But I need the access token to view events of an official page. When I try without access token, the Graph API gives me the following error:
{
"error": {
"message": "An access token is required to request this resource.",
"type": "OAuthException",
"code": 104
}
}
So my question: Is there any way to get an access token without explicitly logging in or is there maybe another way to get event information without access token?
Thanks so far :)
You can get the never-expiring-access-token for your page and use that with your call. (without explicitly logging, since you are the admin of the page). Follow the 2 steps: get the extended user (admin) token and then the never expiring page token
Extending the user's access token
You can exchange the user's access token with the long-lived access token (2-months) validity. Go though the link to get the long-lived token.
Extending tokens
Extending the page's access token
Make the following call using the long-lived user's access token and permission: manage_pages you obtained in the above step-
$facebook->api("/PAGE_ID?fields=access_token");
You'll get the never-expiring-page-token with this.
(You can use Facebook's Debug Tool to check the validity of the token)
Have a look at this site this websites talks all about Acess Tokens
Is it possible to authenticate the user on server side using auth token retrieved by Android applicaton from Facebook?
In other words Android application uses SSO and obtain auth token. Then sends this token to backend application deployed on Google App Engine. Then backend application verifies the user against Facebook using the token.
I guess it's not feasible because retrieved token can be used only by Android application, but who knows? Maybe it may be reused somehow?
The Token you get from Android API can be sent to your server, who can check the validity of the token by querying the graph ( using /me?auth_token=.... for example).
The problem is that the same token can be used by any third party - it's not client specific - and so if you base server identification based on that, you have a problem (since a third app could use its user token and get authenticated by you). I am trying to find a way to solve this issue, but I don't have good ideas yet...
Facebook actually has an Android SDK that lets you do this. Information can be found here.
Yes you can. A valid access token is a valid access token. The Graph API does from where the token came, but only that the token has the appropriate permissions to access that portion of the graph api. Keep in mind, though, that the token is only valid for 24 hours from the time of its issuance. (is that really a word?) From the time it is issued?
When using facebook android sdk with SingleSignOn (SSO), the access token format actually changed.
Instead of getting traditional auth token which contains userid & session key as a part of authToken
now we get a different format of authToken
As Facebook Devs are still in process to support there rest apis with newly formated access token
meanwhile we can disable the SSO on android facebook sdk by changing DEFAULT_AUTH_ACTIVITY_CODE to -1 from 32665 (in Facebook.java)
This will invoke Traditional dialouge for granting acess token and in return you'll get access token which will contain session key in it.
Those who are looking for generating secure session key you need to add your own method in Facebook.java like
public String getSessionSecret(String accessToken) throws MalformedURLException, IOException
{
Bundle b = new Bundle();
b.putString("method", "auth.promoteSession");
b.putString("access_token", accessToken);
b.putString("session_key_only", "true");
String response = request(b);
return response;
}