I have two facebook applications with their own access tokens.
I have followed this guide to create a business and associate the aforementioned apps to this business.
I now have a token for business from doing a graph api call -
/me?fields=token_for_business
When doing a regular api call without referencing this token for business, I can return app scoped user ids who have been invited to events for example like so -
https://graph.facebook.com/v2.3/{FaceBookGroupID}/invited?access_token={MyAppsAccessToken}
Where MyAppsAccessToken varies depending on the app, thus resulting in different app scoped user ids being returned depending on what access token is used.
After getting the token_for_business I updated my call to -
https://graph.facebook.com/v2.3/{FaceBookGroupID}/invited?token_for_business={MyTokenForBusiness}&access_token={MyAppsAccessToken}
My assumption was that now the applications are associated to the same business and have a link token, the calls would have brought back the same user ids in the JSON response, however this is not the case and regardless of appending the token_for_business parameter to the url, the same JSON responses are returned as the first call.
Is it possible to return the same user ids with two different access tokens?
No, different Access Token means different App, means different App Scoped ID. You can only use the Token for Business to match different App Scopes.
Btw, the call with token_for_business as parameter does not make any sense. The token is for one user.
Related
I am following the Row level filtering with Embedded dashboards tutorial to build a secure, multi-tenant dashboard using Data Studio as the reporting UI/backend (and Anvil as the front-end in Python), with the aim of filtering data from a BigQuery table based on specific user permisisons.
I have completed the initial connector tutorial successfully as recommended. So far I have also completed the following steps (1-4) successfully :
Build user authentication in Anvil and set permissions in user table (JSON containing specific field values each user is permitted to view)
Build mechanism to create access_token in Anvil, based on hex md5 hash of a combination of user and unix timestamp, with one hour expiry
Set and store app_secret securely in Anvil to authenticate inbound requests
Create API endpoint in Anvil which validates the app_secret and validates access_token and returns JSON containing user_email and permitted_accounts
Now I've got to the point of building the custom connector, with the aim of building the next part of the flow:
Pass access_token to Data Studio by encoding and including it in the embed URL (the report will be embedded via an iFrame) as per this section
Extract access_token from embed URL in App Script as per the statement "This will be used to capture a token from embed URL's parameters." from this section
Hit the API endpoint with the app_secret and access_token from App Script to validate and receive the user permissions associated with the access_token IF validation checks pass in Anvil, otherwise return appropriate error message
Construct query based on user permissions and get data from BigQuery using this approach
... then set schema etc...
However, upon reaching step 6 in this flow where I need to parse the access_token from the URL, the code included in the Write the Connector Code section takes the token as a user-inputted text field and does not take it from the embed URL's parameters (which to me makes no sense as making a user continually manually transpose a short-lived token seems to negate the point of this exercise).
I am also unable to find documentation in the API reference on how to achieve this.
PLEASE, does anybody know how to capture parameters from Report Embed URLs in an App Script Community Connector? I assumed it was possible from the documentation:
getConfig() should return at least one config item. This will be used to capture a token from embed URL's parameters.
Thank you for taking the time!
a. I'm assuming access_token is an overridable config parameter in your getConfig.
b. When you create the initial report, during the data source creation, you can put in any value in access_token config field. However, check the box to 'Allow "access_token" to be modified in reports'. That means, report viewers will be able to override this value even though they do not have edit access to the report or the data source.
c. Confirm that your setp #5 is following the instructions here to pass the override value for access_token.
d. That's it. Now it is irrelevant what value you put in for access_token during initial report creation. For user X, your portal was pass the value hash(user, timestamp) as the value for access_token. In your connector's getData function, request.configParams.access_token will return that specific value. You can then call your endpoint with that value to get back the user identity.
Currently I am developing a Chrome-GMAIL extension which requires me to get the logged in user's first and last names. For experimentation, I have used the following goggle API (userinfo) and have successfully obtained the names I wanted:
https://www.googleapis.com/auth/userinfo.profile
However, using the userinfo APIs will cause a change in the OAuth2 scopes in my manifest. This change will in turn cause a permission-prompt to my existing users (if a domain wide delegation is not setup in place). Point being the idea of having more prompts in front of my user, or additional oauth scope is not really something I desire.
Currently our extensions use the following OAuth scopes and API :
Chrome's Identity API
Chrome's Storage API
GMAIL.modify
GMAIL.send
My question is, is it possible to get the first and last names using an API that is defined/allowed/provided for by any of the above scopes/permissions I listed? or is userinfo the only way to go?
Thank you very much.
Profile data like first name and last name is private data. You are corect that some Google apis give you access to some data that would normally require an extra scope. For email normally you would need to to request the email scope to get this back however the Gmail api does have an endpoint getprofile which will return the current users email address without you requesting the email scope.
However i am not aware of any apis that will give you access to the users first and last name without you requesting the profile or user.profile scope.
If you do decide to add the scope, I do recommend going though the people api rather then the userinfo endpoint as the data returned by the user info endpoint is not guaranteed to always return the name.
Im trying to create an applet in IFTTT however i need to obtain an auth token to allow the lights to call the service each time.
Im trying to obtain an auth token via the below:
Account information
GET Request auth token
https://environexus-us-oem-autha1.mios.com/autha/auth/username/{{user}}?SHA1Password={{sha1-password}}&PK_Oem=6&TokenVersion=2
The Nero API is RESTful and stateless and therefore requires authentication tokens to accompany every request. Once these tokens are requested they can be stored in a database for quick reuse.
This is the intial request to the API servers that collects the tokens and various IDs required for all subsequent calls. Tokens are valid 24 hours but should always be checked against the response in case this changes.
Request
{{user}} is the portal login
{{sha1-password}} is the hash of:
sha1(lowercase({username}).{password}.oZ7QE6LcLJp6fiWzdqZc)
(concatenated together - no additional characters should be inserted,
salt at end is static for all accounts)
PK_Oem and TokenVersion are static and provided above.
However im not sure what to put in for the "sha1-password"section.
Any help would be appreciated?
You need to calculate the SHA1 hash for the information above, which is the username, password and 'static salt' concatenated together with each value separated by a period.
Don't know what language you are using but most languages have libraries that will do this for you (e.g. Apache Commons library for Java)
This API is not particularly well designed in this respect, as client side hashing does not bring any benefits (when transmitting over HTTPS) and the 'static salt' as they call it is utterly pointless, as it's public.
Here is what I am planning to to for keeping separate tokens for web and mobile
1.When user is logged in from web JWT token is issued and it is stored in DB table with created time stamp.
The above step is repeated for the mobile client ,so the table contains separate tokens for each client.
2.At the time of validation search for the token in table and validate if exists then it will try to verify with JWT.verify
Is it right method to do keeping separate logins using JWT??
Maybe there are other ways to do it, but your approach is totally correct. By fact I would recommend it exactly your way. What you doing, is scoping issued token for specific service, platform. It is useful not only for your use case, but also when you have multiple APIs. You can issue different tokens for each service separately.
We are planning on migrating our Box v1 integration to v2.
Our integration implementation includes API calls accessing user box account and files from different servers at the same time.
With v2, and the introduction of refresh token, we would like to know whether multiple refresh token requests can be made concurrently from multiple servers over the same user account.
Moreover, and as a consequence of multiple refresh calls, we would also like to know whether it is possible to have more than one access key per user at any given time.
Thanks for the help
Assaf
We recommend that you use some sort of coordination between your servers to manage auth tokens and refresh tokens. While a user can have multiple access tokens for the same service, they will have to authenticate multiple times in order to get them. You can't mint extra auth tokens off a single auth-token/refresh-token pair.
Here's what we recommend.
Create a pair of encrypted columns in your database to store the auth token, the refresh token, a datetime for "token_expires", and a flag for "token_refresh_in_progress". Identify it by userID.
Write your code so that when you are about to make a call, if you are close (say, within a minute) of the token-expires datetime, instead of making your call, you check to see if the refresh-flag has been set, or if there's already a new token pair. If the flag hasn't been by some other server in the cluster, set the flag that you are doing the refresh. Make the refresh-grant call, and update the database with the new pair, and of course reset the flag.