When using user-specific endpoints from the Lyft API, we are required to obtain a bearer token using the 3-Legged authentication flow.
When using the API on a mobile device, is there a way to redirect the user to the Lyft app (if it's installed) to trigger the authentication flow instead of redirecting them to the authorize endpoint?
In this scenario, if the user is already logged in to their Lyft app, they wouldn't need to log in again, making it easier for them to complete the authentication flow.
Unfortunately, Lyft currently (12-12-2018) does not support single sign on (aka SSO):
https://developer.lyft.com/docs/authentication
You can use an embedded WebView on mobile, we were able to quickly implement this with AppAuth on both iOS and Android.
Related
First of all, sorry for my bad English :)
I am building a Gmail addon which integrates file uploading to an external website using their API. The API have an auth endpoint which uses plain authorization flow i.e. takes email and password of a user to authorize and return authorization token. That token is then used in the subsequent call of file uploading process.
My question is, it has been mentioned in gmail addon guide that an app should use oAuth when connecting to a third-party service. However, the related website's API do not have oAuth but use plain authorization flow. If I create a login form with email and password fields using the card service, would that be okay and approved by google to be listed in the addons directory? Creating oAuth on third party service is not in my hands
Thank you!
Q: would that be okay and approved?
My experience is that it is OK to use basic authentication (since a lot of APIs still use basic auth, it would be devastating if the use of API was prohibited), most likely you will be approved. However, if there ever be a version of the API that supports OAuth, please, migrate as soon as possible.
Caveats
You mentioned creating a login form in CardService - please, be aware that there are no "password"-style TextInputs, so all characters will be visible all the time + there isn't, as of yet, any support for input event, so you won't be able to emulate the behaviour easily.
If you are planning on storing the credentials, try to avoid using PropertiesService - it isn't considered a secure storage (though if credentials are to be entered only once, storing the token should be fine).
You will still be asked to implement the authorizationCheckFunction.
I have been developing an extension, which is using the chrome.identity API (chrome.identity.getAuthToken method) in order to receive the OAuth2 token for signing up extension users via Google+.
I would like to push this extension in a company via Google Admin Console, but when chrome.identity.getAuthToken method is being called, our extension users are present with the "Identity API Scope Approval" screen - the consent screen, where users have to authorize extension's access to scopes we want access to.
I am aware, how process of getting OAuth2 access tokens works in general, and that user's approval is normally required in order to receive the OAuth2 token.
However, is it possible to automatically skip & authorize this OAuth2 consent screen only for users, whose extension was deployed via Google Admin Console?
I've found an interesting on Chromium Bugs list, where OP states:
We are working on integrating Quickoffice for Chrome (which is a chrome extension) with the Drive Web UI. In order to handle OAuth we use chrome.identity, which works great.
and also the following:
since our extension is white listed as a first party app, we by pass the user content screen for the OAuth flow (which is what we want for the seamless integration with drive web ui).
I was not able to find any information, how to neither whitelist the extension as a first party app in order to prevent the consent screen from showing up, nor how to automatically authorize extension's access to those API scopes.
Any ideas?
If you include identity.email in the manifest permissions, and it is a force-installed extension or app through the admin console, then you will be able to get the user's identity and also the auth token without user oauth prompt approval.
However this only allows you to get the user's identity, no extended permissions. Any extended permissions (such as gdrive access, etc) need an oauth prompt.
EDIT: In case it helps others who find this, the fact that Gaia clears cookies after Chrome restart is known behavior. They recommend the use of Chrome login. See more here.
The core question: how do I fetch Google OAuth access tokens in the background from a Chrome extension without using the getAuthToken method in the chrome.identity API? This method forces users to login to Chrome, which isn't ideal for our app. There's also no way I can find to retrieve OpenID Connect ID tokens using the native methods exposed in the identity API.
Currently, I'm fetching tokens using the launchWebAuthFlow method from the chrome.identity API. This method launches an "Identity API Scope Approval UI" window in which the user makes the initial OAuth grant. This window (referred to as "gaia") has its own session / cookie data, separate from a browser session.
After the initial OAuth grant, the extension periodically retrieves access tokens in the background, and subsequently fetches data from Google APIs (e.g. Drive). This works well. When a user quits and re-opens Chrome, however, fetching access tokens fails - gaia loses its session cookies when Chrome restarts, so running the launchWebFlowAuth method doesn't complete because Google can't authenticate the user (unless we prompt the user to login in the Identity API Scope Approval UI again). Others seem to have had the same issue.
Google Sign-In would be ideal, but it doesn't work in Chrome extensions (I'm getting the same "Invalid cookiePolicy" error as the author of that issue).
Any advice on how to best handle this use case would be very much appreciated!
Does box.com support 'Autonomous Client' or client credentials grant?
I need to generate access_token programmatically and cannot do the web-server flow.
Can we obtain the access_token using the 'Autonomous Client' or 'client credentials grant' method for box.com APIs?
Box supports a client-credentials grant, but only for access to information that would be available for an anonymous user. It can be used to download openly shared content, or to get information about your application.
For machine-2-machine integrations with Box, Box recommends creating a system-account, and signing in with that account once through the user-flow. If you put the resulting Refresh token into a bootstrap location for your application (like a config file, or a database entry that's used only once) then you can bootstrap your application.
Is it possible get notification on application level on client side in iOS(and Android) whenever some changes happens like new file/folder added or removed on Box.net? Please confirm if SDK supports this behaviour, if not then is there any way to implement this behaviour on client side.
Thanks.
You should be able to get notifications about events happening in a user's account by using the /events endpoint:
http://developers.box.com/docs/#events
Essentially, you'll need to authenticate as the user via OAuth2 and issue an OPTIONS request to the /events endpoint to get a realtime server URL. You should set up a long poller to poll that realtime server, and when it issues a response that notifications are available, issue an authenticated GET request to /events?stream_type=....
Both the iOS SDK and the Java/Android SDKs should support this.
https://github.com/box/