Firstly any news on the V2 SDKs for iOS and Android?
The normal flow is:
In app: click authorize button.
browser opens box.com/api/oauth2/authorize?....
User inputs their details.
User is taken to an allow/deny page.
User taps allow or deny.
User is taken back to app via the redirect_uri scheme.
My problem is once the user has put their details (3) in once and arrived at the allow/deny page, any future attempts to authorize full on skip the allow/deny page and go straight to the box home page without ever calling the redirect_uri along with the auth codes.
This can be 'fixed' if the user clears their browsing history/cookies before trying again, which is a long way from ideal. Any ideas?
For a potential short term fix until the v2 sdk is released, a web view can be used which will give you full control over things like the cache (we are using one in the sdk).
Related
Issue: appears to be that banno framework is "remembering" the urls. This is happening in a mobile browser when the user does not close the tab or browser. When the user opens the page, banno is remembering the url from last time and trying to load the same url.
What needs to happen is that banno needs to fully reload the page so that we can go retrieve a new url and log the user in again.
Could it be how they treat plugins when a browser is left open. A url that is loaded is not good forever.
Odds are good that the situation you're encountering is described in https://stackoverflow.com/a/71267143/6680761
Essential info from that link is:
Part of keeping state of the page is keeping authentication data. The OAuth flow used to initially authenticate the user is not intended to be used on every page refresh. It's expected that the embedded web application will keep its own authentication state. How this is done is usually very specific to the language and platform used for the embedded web application. However all strategies almost exclusively use a cookie which is destroyed when the application closes.
The Oauth callback URL with an authentication code should be redirected away from once the code is exchanged for an access token. From that point forward your app should be using its own authentication mechanism.
I have a google form that I am having pushed out through a Kiosk App and that google form is going to be used for the foreseeable future. Since I am not a Network Engineer or Systems Administrator in my network, the only way of getting the webview element in my App to display the Google form is to hard code it's URL because I have nowhere from which to dynamically update the URL in my App at the moment.
I am also not the Chrome Administrator and because of this I need to send my packaged Kiosk App off site to have it pushed out to my building's Chromebooks which means that for every update that I do, I need to re-package it and have the Chrome guy update it manually.
Since I and many others would prefer to not perform the task noted above on a frequent basis, I am trying to find out how long the Google Form's url will last and/or how often we can expect it to change if it does ever change.
Surely if you have any concerns over the link changing, you can just set up a redirect from a domain you control.
That way even if the kiosk form gets upgraded from Google to something else, you can just change your redirect without recompiling and redistributing your application.
Chrome is auto-filling the credentials, but not log me in until I click login. How to automate? (windows, non-google websites).
Using the Chrome Identity API you can have Chrome (on desktop and Android) automatically attempt to log in the user when they hit your page, even if their session has expired.
Following is a workflow diagram of how it works, but the details can be found in the Google Authentication API: Let the user automatically sign back in section:
It is not the browser's responsibility to auto-login to websites. This is the responsibility of the website you are accessing. The browser can remember form data and auto-fill for you, as can various extensions like LastPass.
However, in order to actually auto-login, you must first login to the website you are trying to access and enable the option they provide, often called 'Remember me?'. The website would typically use a cookie to store the credentials (securely with a hash + salt), and if the cookie still exists (not cleared from the browser or expired), and the hash of real password in database matches the one in the cookie, the website will auto-login.
You could force the browser to try and auto-login with extensions, which are essentially macros. You could try Auto Login or iMacros extensions for this. I would generally avoid this though.
Anyone else stumbling into this thread from a google search.... you can do this with autohotkey. If you browse to yourbankhere.com and chrome fills in the user/pass, you can have autohotkey perform a mousemove then a mouseclick to click the login button.
I am new to Magento and I have just setup Magento 1.8.1 with the sample data. I was going through the user guide of Magento CE 1.8.1 and came to know that Cookie restriction mode should be set to Yes because of European Union Privacy and Electronic Communications Directive and its amendment. But i am facing a issue now which I am unable to resolve. After changing the settings to Yes, I refreshed my site and I got the Allow Cookie Alert Box. I clicked Allow and I was directed to the Enable Cookies page. I again clicked allow on that page and was directed back to the same page as if it just refreshed. I am embedding screenshots for clear understanding:
the first one is the home page and the second one is the enable cookie page.
Few changes what I did was, I changed System -> Config -> General -> Web -> use http only to No. I did this because I was getting errorless Login page when I was trying to login on the backend in Google chrome and this was one of the solutions available on stack overflow. But I reverted this back to yes when I came to know that this makes the site vulnerable to attacks. That's why I did some changes in the varien.php file as described in the second solution of Why I can not login to magento backend using google chrome by a user named AKT. Also, I had set the Cookie Restriction Mode to YES. Does anyone have a solution to this? This is only happening in Google Chrome.
I'm adding Box support to an iPad app. I tried the official SDK and I don't want to use it for the following reasons:
Login page is too wide for a modal controller with UIModalPresentationFormSheet style on iPad. The SDK hosts UIWebView which loads content of https://m.box.net/api/1.0/auth/, which perhaps returns HTML with min width set to 768px (although I didn't check the HTML, speculating here).
HTML in login page doesn't show Google Apps authentication option. The full desktop version of the page does.
Because the login page is hosted in UIWebView the user cannot be sure that he's supplying the credentials to Box, and not to an app author.
I don't need the whole SDK functionality, just authentication, folder/file listing and content download. Since my app also uses other cloud storage providers I'd prefer to provide uniform file browsing experience.
Here's what I'm going to do:
Add a custom URL scheme for my app, let's say "myapp".
In Box's Application settings for my app set Redirect URL to myapp://RedirFromBoxAuth.
When the user chooses to browse Box from inside my app, I'm going to:
Get a ticket by calling GET https://www.box.com/api/1.0/rest?action=get_ticket&api_key={API_KEY}
Extract the ticket, then call openUrl with https://www.box.com/api/1.0/auth/{TICKET} This will open Safari and let the user enter his credentials. This is the full, desktop version of the login page.
On successful login Box's server will tell Safari to redirect to myapp://RedirFromBoxAuth?ticket={TICKET}&auth_token={TOKEN}, which in turn will tell iOS to yield control to my app.
My app receives handleOpenURL notification and I can extract the authentication token and use REST API from now on.
Please comment, is it a good plan? I created a quick prototype and it seems to work, but maybe I'm missing something?
Box team, could you please tell us will an app using this authentication model be eligible for inclusion in OneCloud?
This seems like a good strategy and will probably make for a better UX/easier implementation than the normal redirect. Please let us know if you run into any weird edge cases by implementing it this way.