I can't figure out how can I get email address from twitter. I've been using this as example - https://github.com/sahat/satellizer/tree/master/examples/server/node. I've also seen that it's possible to get email from twitter's oauth - https://dev.twitter.com/rest/reference/get/account/verify_credentials. Thanks
The example server doesn't appear to get the email in the twitter case.
And the documentation link explains how to request
Requesting a user’s email address requires your application to be
whitelisted by Twitter. To request access, please use this form.
Once whitelisted, the “Request email addresses from users” checkbox
will be available under your app permissions on apps.twitter.com.
Privacy Policy URL and Terms of Service URL fields will also be
available under settings which are required for email access. If
enabled, users will be informed via the oauth/authorize dialog that
your app can access their email address.
"Given that you have to go through all the hoops to get whitelisted by Twitter in order to access user's email, it is it not part of the example code. If you really need to get user's email, you may have to do that outside Satellizer's auth flow." - sahat (owner of satellizer)
Related
Does User.Read "contain" the permissions email openid and profile? I've found that apps that are requesting the 3x scopes, can instead accept just the User.Read permission and still function equivalently
At work I'll get requests from the business to help them setup SSO using OIDC, and I'm not actually sure what permissions I should be giving them. Seems like either option works but I'd like to better understand what's happening
See my observations below:
I've created a basic Function App, and configured it to use OpenID Connect Image
My App Registration already has the User.Read permission with admin consent, so when I log into my Function, there's no issue.
Image
However, after removing the User.Read permission and logging in, I now get a permissions request prompt Image
And after consenting to the permissions, I can now see that email openid and profile permissions were added Image
Even more interesting, the permissions in the request prompt correlate to openid and offline_access, but offline_access wasn't added, while email and profile weren't in the request
I did find a similar question, but the accepted answer doesn't seem to align with what I see here
Generally I would favour the OAuth standard design where fields like these are Personally Identifiable Information (PII). So each app should only use the smallest scope it needs, as an information disclosure best practice. See also this Curity article.
Name
Email
Phone
Address
The Graph API can also be used with standard scopes, as in step 11 of this blog post of mine, where I wanted to get hold of user info in an API. So if this works for you I would prefer it. Personally I also prefer standard scopes so that my application code is portable.
Microsoft's design is based on each API requiring a different access token, the resource indicators spec. It is interesting, though perhaps not always intuitive. I am no expert on Azure AD though, and there may be some intended usage I do not understand.
User.Read is a scope intended to be used when requesting an access token for the Microsoft Graph API. It grants privileges to read the profile of the signed-in user only. A separate call to the Microsoft Graph API is required to retrieve the profile.
openid, email, profile and offline_access are OpenID Connect scopes:
openid is used to request an id token.
offline_access is used to request a refresh token which can later be used to get a new access token.
email to request an email claim.
profile to request several user claims (Eg.preferred_username).
Both email and profile can be used to augment information available in the UserInfo endpoint, however, it is recommended to use the id token which is already a superset of the information available at the aforementioned endpoint.
I'm trying to read all domain users send-as mail using gmail settings api https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs/list?authuser=1 but I'm unable to read others send-as mail. The api accepts only userid ='me'. I have service account and domain delegation enabled using the google documentation. I can read all email details using Directory API, which I'm not interested in. Could someone help me with this.
Thanks.
Users.settings.sendAs: list
userId string User's email address. The special value "me" can be used to indicate the authenticated user.
Assuming you have delegation set up properly you should be able to use the other users email address. Me is only used when you want to see the information for the currently authenticated user.
In angularfire seed project, there is an account registration process using email and password. But how can we verify that the email is not fake? I mean it is without server code, just client code.
Store a token in the database send the same token via e-mail to the client ask them to click a link in the e-mail that passes the token back to a page which marks their e-mail as verified.
You can angularjs-fire seed project at this link angularfire_seed_with_reg_confirmation. Some explanation of it here email verification using angularjs+firebase Below is the quote from its readme:
It is AngularJS seed with Firebase backend and a feature for account
registration confirmation via email. This feature can be used as an
alternative for account activation. It is a clone of AngularFire Seed
with additional feature above and also login feature vial social login
ie login with Facebook, Twitter, and Google.
The account registration differs significantly from the original seed.
We can register for an account just by supplying an email and then
we'll get a confirmation email about our temporary random password.
The password is recommended to be changed to a memorable one and at
the same time it must also be strong and secure.
We are attempting to be able to provide the ability for a Glass user to request an email to be sent to them from a Timeline Card. On the notify callback Servlet, we are attempting the following to retrieve a user's email address:
String userId = notification.getUserToken();
Credential credential = AuthUtil.getCredential(userId);
Mirror mirrorClient = MirrorClient.getMirror(credential);
Contact contact = MirrorClient.getContact(credential, userId);
We do not get a result back when retrieving an email off of the UserInfo object of a authenticated user. Our application has the following scopes available to the application server:
"https://www.googleapis.com/auth/glass.timeline "
"https://www.googleapis.com/auth/glass.location "
"https://www.googleapis.com/auth/userinfo.profile "
"https://www.googleapis.com/auth/userinfo.email "
"https://www.googleapis.com/auth/contacts"
Are we allowed to retrieve the authenticated user's email address, is there a permission I am missing or is there another means by which to request that data?
The getContact call you are making doesn't have anything to do with the user's email address. You can read up on what Contact is referring to here:
https://developers.google.com/glass/contacts
To get the user's email address, I've successfully used the same auth token used to authorize the Glass mirror API app with the added scope you mention to call this URL:
https://www.googleapis.com/userinfo/email?alt=json
This method seems to stop working after the initial authorization at some point, so be sure to do it when the user first authorizes the app and save off the email.
Although I've also just gotten the email off AppEngine's UserService before as well, which is easier if you happen to be running on AppEngine:
https://developers.google.com/appengine/docs/java/javadoc/com/google/appengine/api/users/UserService
So the question boils down to "Why am I not getting contact info for this userID that I am sending to the Google Mirror service?"
The Mirror service only provides contact information for Contacts that your Glassware has added. See https://developers.google.com/glass/contacts for more about Contacts in Glass and how to add Contacts. Unless you have already added a Mirror Contact with this userId, you won't get anything back.
The Mirror service does not provide direct access to the information from userinfo.info or userinfo.email. You will need to get it out using the OAuth2 libraries first if you want to add them as a Contact for Glass.
When performing authentication using the OpenID federated login on GAE, my user object has the following properties:
Nickname: http://wordfaire.com/openid?id=103539105724544727060
email: sudhir.j#wordfaire.com
From the docs,
email()
Returns the email address of
the user. If you use OpenID, you
should not rely on this email address
to be correct. Applications should use
nickname for displayable names.
Obviously, this advice isn't working out very well. So how then can I get an authoritative email handle to associate with a particular OpenID provided by any Google Apps or other domain? I really need the email ID because things like invitations and sharing / access control all function via email ids.
If you need a valid email for OpenID users, ask the user to supply one the first time they log in, and store it yourself along with their user object.
Since anyone can create an OpenID provider, it's not safe to assume that the provider has already gathered a valid address.