Good afternoon, I am creating an application in Cordova and wanted to use linkedin, but when I run my application, it says I need to set my domain javascript API in my Application linkedin. I've tried with the domain "file: ///" but gives the same error.
Does anyone have an idea or a solution to this problem?
Best Regards
LinkedIn (or any OAuth provider) requires your Web domain for security purposes (to know the right URL for authentication callbacks, and to help prevent random sites from trying to impersonate your application).
You must supply a domain such as www.yourdomainname.com or even your external IPv4 address will work, such as 55.55.12.12.
Related
I have a Chrome extension that uses the Gmail REST API to send emails on behalf of the user. This API requires an Oauth2 token, which I'm retrieving using chrome.identity.getAuthToken.
The Problem
However, I am running into some issues with the Chrome Identity API. In particular, if the user authenticates with chrome.identity with a different Gmail account then the one they're signed into Chrome with, then they are prompted to re-login every hour or so (which doesn't happen if the accounts are the same). In addition, I'd like to minimize the number of permissions my extension asks for as a general principle (permissions sometimes introduce warning messages on install and risk disabling existing users on update), so I'd like to not have to ask for the "identity" permission if I can avoid it.
My Question
How can I authenticate the Gmail API in Chrome Extensions without using the Identity API?
Current Progress
I initially tried using Google's Javascript Client for auth, but that seems to be incompatible with Chrome extensions. After having searched other SO issues and some Google materials, it seems that the Identity API is indeed the recommended auth solution in Chrome Extensions. However, for the UX reasons mentioned above, I'm finding this solution problematic. And I do think an alternative should be possible -- for example, the MixMax Chrome extension, which uses the Gmail API, does not ask for the Identity permission.
Any help would be much appreciated! Thanks!
I wonder if my Google maps API key is safe the way I use it now. Because I have a Cordova application with Google maps, I have generated an API key. I cannot white-list the key to my domain, because it runs client side on the phone.
Also my API key is visible for anyone who unpacks my app and read the index.html, or listen to the web requests that the app makes.
Is there any way to protect my API key? And if there isn't, it is safe to use Google maps, or any other third party API that uses a API key for authentication?
I see two possible solutions to your problem. Both of them I have already personally implemented (not with GMaps though) but still have some downsides.
(1) You can use a backend technology to add in API keys to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server i.e. https://yourserver.com/js/googleapis/maps/api/js and make mod_rewrite this URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY
A rule for mod_rewrite (not tested) could look like this:
RewriteCond %{QUERY_STRING} ^$
RewirteRule ^/googleapis/maps/api/js (.*)$ https://https://maps.googleapis.com/maps/api/js?key=API_KEY
I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: If your app causes high traffic you will most likely experience high traffic on the proxy machine. Further if attackers figure out the URL to your Google Maps API proxy endpoint it will be easy for them to retrieve the GMaps API through your service.
(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyways you cold go a road where the API key service hands out the API key only to registered and authenticated users.
Both approaches will have their downsides regarding better tooling for debugging mobile-web applications. I.e. an attacker using MacOS, XCode and Safari on a desktop could establish a debugging session to your Cordova application and step debug the JS code that runs inside your App. Which means whatever stretch you make in the Cordova arena it is quite easy to attach to your App and read variables.
No credit to comment on accepted answer but personally, I'd go for the 2nd option suggested by Matthias Steinbauer. However, his concern about an attacker debugging your Production app doesn't apply to apps built with a Distribution Provisioning profile (such as required when submitting to the App Store) - only apps signed with a Developer Provisioning profile. The same goes for Google Apps too. IF it were possible to just debug a prod app, then say goodbye to security.
Having said that, an App's static content can be viewed by others (since app is just a zip file) - so don't hard-code any keys or security info.
Personally, I'd also obfuscate the source when building prod version.
Hope it helps
This is for doing OAuth with the Pocket API, it specifically states that using an embedded webview is a violation of the terms of use, all OAuth examples I can find on WP8 seem to rely on the embedded webbrowser to do the authentication.
Is it not possible to use the default browser in WP8 to do the authentication and then redirect back into the App? I have done this in Android before. Thanks.
Well, if you read their documentation, it says that you need to provide a redirect URL. I am not sure if it will work, but you could try adding URI association to your application and specify callback URL that will return back to your app.
Then, when your application is reactivated from the default browser, you should know that the user has authorized it.
Thus you could use WebBrowserTask for that, but I am unaware if you can call local app-URI from browser.
Is there any way to authenticate the application to use the Google Drive API without a native browser in an embedded system?
I'm looking for a solution to the user accepts and put your password and username using the OAuth2.0 without browser interactions... Is it possible?
My applications is build in Java Code.
Thanks in advance.
I am presently trying to do just this and I don't think it is possible because:
To authenticate in embedded device you need to use this process:
https://developers.google.com/accounts/docs/OAuth2ForDevices
the problem with this, is that it only accept limited range of scopes like:
--https://www.googleapis.com/auth/userinfo.profile
which works OK
but when you try with scope like:
--https://www.googleapis.com/auth/drive.*
you get invalid_scope.
If you find a solution please let me know, I have the same problem my device is embedded, has no screen, and is not available with remote desktop of the like.
thanks for any feed back.
Use the OAuth 2 device flow which is designed for cases where a browser isn't available on the device. It allows the user to complete the login & authorization on a separate, more capable device (phone/tablet/laptop) where a browser is available.
i know that the index.html page (the PhoneGap startup page) needs to reside on the device. but if we want to create an app who uses third party user authentication before proceeding to core application, so then what we have to do?
Thanks in advance
On android you can change the starting page in the main activity or you can make a redirect in index.html
Well, you don't say if you are platform specific..
And there are lots of third party auth options..
But I can offer two solutions (admittedly my own code etc),
both of them use PhoneGap for Android and PhoneGap Plugins. The key piece of code for me has been the onLocationChange callback feature of the ChildBrowser plugin. Your app can take the user to other sites for auth or whatever, but still get control back.
Tutorial on Using Twitter REST API (OAuth 1, ChildBrowser, jsOAuth plugin)
Free Android App + Source on github : AppLaud App (OpenID, ChildBrowser, custom server)
For authentication, you can have a form in your index.html (maybe under login div) to do a post to an actual webserver.
Then, fetch the data returned from the webserver to let your user access the functionality of your native phonegap application.
You can have the functionality disabled until you receive the successful login from the webserver. If you post via ajax, the webview won't even blink, but you will still get the successful login response from webserver and simply enable functionality on your app after this.
Let me know if this is confusing and I'll try to explain more clearly and
I hope this helps.