Looking at: http://developers.box.com/get-started/#authenticating on step #2 I'm trying to use curl to enter the credentials (user/email/password) to get the auth_token. I'd rather do it this way instead of directing the user to their browser because I'm making a script for syncing.
Anyone have an idea how I can do this? can I just do a POST with curl? I'm using v2 of the API.
You must send the user through the web page, unfortunately. However, since you are writing a script, you should also be aware that auth_tokens under the current system, so you can manually retrieve one and include it in your script.
Just one thing to note. If you don't use the standard authentication flow that goes through the Box web ui, then Box's large customers that have all their users sign-on with SSO (Active Directory and similar) logins, won't be your customers.
So, basically, if you want your app to be picked up by enterprise-level customers, then follow the building guidelines that Box provides.
Related
I'm working on a an application where my back-end server will push and pull data over the google drive sdk. So, the back-end will only ever need a authorization via a single admin user's set of credentials.
Is the best way to do the authorization for this use-case to do what's described here?
https://developers.google.com/drive/web/auth/web-server
It looks like I would manually authorize my back-end's user once and store the refresh token for later offline access, thereby not needing manual/human interaction ever again.
But is that actually the best way for this use case? Is there another authorization workflow that I've overlooked?
The method described at the link you sent is appropriate when you are authing several end users. I find it's overkill if you only ever need to auth a single user. Too much code and faffing around for something that will only be used once.
Check out How do I authorise an app (web or installed) without user intervention? (canonical ?) which is a one-time procedure which gets you the same result, without writing any code.
Having worked on it some, I think the best way for my application is this:
https://developers.google.com/api-client-library/python/auth/service-accounts
You create a Service Account through the admin console. There's no messing around with a manual authorization step that could later break the app.
I want to create a script that runs on a Google site. The script would perform a specialized calculation for a given user and then display the answer for the user. The script would depend upon user input, but the code itself should not be viewable by the user. I want the code to exist in a "black box" so that the calculation formula can be kept secret. Is this possible?
I searched the documentation, but only found this, which does not address this question:
https://developers.google.com/apps-script/guides/services/authorization#permissions_and_types_of_scripts
Whether your App script is embedded in a site or written as a standalone script does not change a lot of things... the only difference will be the way you include it on a page as a gadget.
If it is embedded it will be available from a list of scripts in the page editing, if not you'll have to use the .exec url of the deployed webapp.
Anyway, that does not change the way people will have access to the app.
You can define these parameter when you deploy the app (which is mandatory in both cases), allowing for anonymous access or requiring to be logged in.
If I understood you correctly, you would like to restrict the access to some people but not share the code.
Depending on how you defined the access mode above and wether you are using a Google Apps inside a domain or not, you will be able to do it using 2 ways :
in a domain you can get the logged user identity and use that to accept/deny showing the app.
in a "normal" gmail account you will have to implement some sort of logging feature to request a user name and password to give access to the active part of the app.
In both case you never need to share the script itself, this sharing parameter is independent from the webapp access.
I hope I understood your question correctly... if not, feel free to comment.
You might check out the Private Functions section of the following page.....the example is similar to what you're referring to, I think.
https://developers.google.com/apps-script/guides/html/communication?hl=ru
I don't fully understand how they work and haven't used them myself, but I bookmarked it to figure out later. Maybe another user who understands Private Functions better can explain...
First I apologize if I'm a dolt and am missing something obvious, but I've spent a few hours scouring documentation and am lost.
I'm trying to write a python script that will upload a bunch of images to a single user's Google Drive. The user already exists and will never change. I am not writing a web app and don't plan to use any user interface whatsoever. Everything will be done through code.
As best I can understand from the Google documentation, I have two choices:
1) Write a web app and register it to use the Drive DSK. This of course requires having urls and such for the web app.
2) Create a service account, which ties my "app" to a new service account email.
Neither of these options works for me. Is there any way to simply log in to a single user account and access their drive through python scripting?
There is a deprecated API called ClientLogin that would enable you to use the username and password for a login to access that Drive data.
But the basic idea is that you should be using something more secure -- from your users' point of view -- that allows them to authorize you without giving you their password.
For your use case it is possible that the user is you or someone you know and that you are accessing their account through a more personal kind of authorization. In that case, ClientLogin may be your best choice. If this is an application designed to be used by arbitrary users, the deprecation of ClientLogin is for a good reason and I would urge you to bite the bullet and choose one of the supported options.
The correct solution is to separate the authorization phase from the access phase. The authorization process needs to be run one time only, and can be done from a simple web site. The result of this is a refresh token which is analogous to a username/password. You will need to be aware of the security implications. Make sure you only grant drive.file scope to minimise the impact of a security breach.
Since you are uploading images, you might also want to look at the picassa api.
Is there any way for going around the login page required after getting a BOX token.
I need to use the BOX account as an admin so is there any workaround so that it can be done programatically.
If by the login page you're referring to the credentials page at:
https://www.box.com/api/1.0/auth/{your ticket}
that you redirect the user to after getting a ticket from:
GET https://www.box.com/api/1.0/rest?action=get_ticket&api_key={your api key}
Then the answer is currently no. As far as I know there's no plans to support an authentication method involving directly supplying credentials.
You can easily fill out the form and submit it without ever opening a browser. If you are using Python, you can do this with Mechanize or Clientform. I suppose you can do the same thing with other languages as well. But I'm not sure what the point is, since you need to authenticate your user, and the Box login page does the job nicely. If you don't want to make the user sign in every time, then serialize the token with a timestamp denoting how long you want it to be good for and use that token until it expires.
good luck,
Mike
there has been new developments since this question was posted, and now it's possible to use JWT (JSON Web Token) and Box Developers Edition to access Box.
If you create a developer account you will be able to create App users and login using an enterprise token and a private key file. Check out the docs for more information: Box Developer Edition
Additonally, boxsdk comes with support for Box Developer Edition
I am looking at creating a good google chrome extension for tumblr.
Now tumblr uses Oauth as it's authentication method.
So my question becomes.
Do I:
Distribute a single key with the application and hope people are nice enough to not use it for illegitimate purposes.
Put in the options the ability for a user to enter their own key, hence asking each user to register an application.
Create an intermediary on my server that makes the actual request.
Something else?
I also had to consider this for my Template extension when using OAuth to communicate with the goo.gl URL shortener service on the user's behalf.
After reading Chrome's OAuth tutorial I managed to implement this simply using the following;
ChromeExOAuth.initBackgroundPage({
access_url: 'https://www.google.com/accounts/OAuthGetAccessToken',
app_name: chrome.i18n.getMessage('app_name'),
authorize_url: 'https://www.google.com/accounts/OAuthAuthorizeToken',
consumer_key: 'anonymous',
consumer_secret: 'anonymous',
request_url: 'https://www.google.com/accounts/OAuthGetRequestToken',
scope: 'https://www.googleapis.com/auth/urlshortener'
});
This is surrounded by quite a bit of logic due to the complexity of the extension but this results in the user simply being shown a page (on a new tab) the first time they attempt to shorten a URL using my goo.gl implementation. Here the user can decide to allow/deny the authentication. Since this is only done once (unless the user later removes it from their list of authorized applications) I thought this was fine and my users seem to agree.
I did also provide an option to toggle OAuth on/off but I'm guessing this will always be required for the tumblr API. On that note I must admit I'm not familiar with that particular API so I'm afraid I can't help you further.