I am using parse.com for the data side of my app. I am new to parse and angular, I was wondering how do i access my rest api, when i put the url in it asks for a username and password but which one?
Also is there a specific way to use the rest api?
You are looking for the REST API docs, which can be found here:
http://docs.parseplatform.org/rest/guide/
Go through the 'Getting Started' section, it lays out in excellent detail how to address the API and gives good examples.
Regarding the login/pass, Parse requires you to create a User object in order to use the REST API; it's asking you for a User so the DB knows what level of access you have to various objects. (Parse uses ACLs, access control lists, for user security. ACLs are your friend, learn them.)
Good luck in your new endeavor!
Related
I've got AngularJS and Web.API WAAD authentication up and running. For client side I use great library ADAL.JS. For backend I use Microsoft.Owin.Security.OAuth. This part went quite smooth.
Now I want to implement authorization based on roles (which will be mapped to WAAD groups). Groups are not included in authentication token so I must ask Azure Graph API for them. I saw various ways to do it, using custom claims providers, adding web services to project, etc. Some examples already providing mapping between groups and roles to use in [Authorize] attribute.
But what is just the simplest example of how to get a list of group ids/names from WAAD providing User ID or username, when I'm already authenticated?
Also, is there any way to get this data in JS to use in Angular frontend, or should I create an API service which Angular should call for roles info?
In the non-JS case, the simplest way of getting groups in the token is by opting in. Download your application’s manifest, locate the “groupMembershipClaims” entry, change its value to “SecurityGroup” or “All”, upload back the manifest.
However note that this won't work for your scenario, because it uses the implicit grant - here the token is returned in an URI fragment, hence a big token would risk blowing past the URL length limits of the browser.
You can always request groups to the Graph and make it available to your frontend via custom action on your API, but from what you wrote you are already familiar with that. Let me discuss the matter here - if there's a simpler route to make this work in SPAs, I'll get back to this thread.
HTH
V.
Update: I verified and in the implicit grant case you will receive groups always via the overage claim. Please refer to https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet/tree/master/WebApp-GroupClaims-DotNet - it will show you how to process the overage claim to retrieve groups. All you need to do is apply the same guidance to a web API instead, and if you need to make the info available to the client expose one or more actions doing so.
I would like to use Oauth 2 for an application in Google App Engine with Java, but I dont find any good example of that use, I would be very thankful if somebody could help me please, it is something frustrating dont find good examples, thnak you.
My 2c is avoid oauth2 libraries. Of course opinions may vary, but for me they provide very leaky abstractions, so you end up being dragged into understanding oauth by the back door. For me at least, taking an hour to read the the two pages that tell you all you need to know, and carefully avoiding all the others, will get you where you want to be.
In simple terms, the steps are :-
Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
Google will walk the user through login, and (if the first time through) authorisation dialogues
Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
Store the user ID in your session so you can identify the user subsequently
Persist the refresh token alongside the google user id in a database
On subsequent visits...
If you have the google user id in the your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, eg
user declines permission
user withdraws permission
google expired the refresh token (happens a lot) so you need to re-auth
timeouts
The two pages you need to read are :-
https://developers.google.com/accounts/docs/OAuth2WebServer and the oauth playground at https://developers.google.com/oauthplayground/
Trust me, as long as you know how to form a URL, store a refresh token (it's just a string) and parse a JSON response, then everything you need is on those pages. Except ...
all the documentation skips over the need to preserve the user ID in your session so you know who it is that is accessing your app. If you're on AppEngine, you may be confused by the appengine sample code which uses a separate appengine login. Ignore it. You will be using oauth to authenticate the user so the appengine stuff doesn't apply and is somewhat confusing.
It's actually much simpler than some of the documentation would lead you to believe, and like I said, imho the leaky libraries don't help.
I'm trying to do exactly the same thing and I agree - it is extremely hard to find a good example of this.
I did find this youtube video however and I think it would help: https://www.youtube.com/watch?v=tVIIgcIqoPw.
Its from Google and it is called Getting Started with Google APIs. The last segment of the video deals with authentication.
There are several OAuth 2 client and server libraries for Java listed on this page: http://oauth.net/2/
Here's quick-start documentation for using Apache Otlu: https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart
If you're accessing a Google API (as a client), you can use the Google client library for Java, which does OAuth as well as API set-up: https://code.google.com/p/google-api-java-client/
I'm looking towards writing some applications with C and CGI, and now that I've implemented basic functions like URI encode/decode, HTML entities encode/decode, query/cookie parser, etc. I need to manage sessions. How should I do this? For example, how does PHP manage sessions?
Store the UserID and SessionID in a cookie, then store all other data on the server in a database. Do not encode user and session in the url as this leads to session-hijacking even if the user only wants to show some friend a link.
As HTTP is stateless, you have to maintain an id that can track your session. The two main ways are to use cookies to store the id or to embed the id in the URL, usually doing URL rewriting.
You can have a look at WT which is a web toolkit written in C++. see also this SO question for a list of c++ web framework. you will probably find how they handle sessions.
my2c
I was wondering if you could help me work through accessing the html behind a login page using C and libcurl.
Specific Example:
The website I'm trying to access is https://onlineservices.ubs.com/olsauth/ex/pbl/ubso/dl
Is it possible to do something like this?
The problem is that we have a lot of clients each of which has a separate login. We need to get data from each of their accounts every day. It would be really slick if we could write something in C to do this and save all the pertinent data into a file. (like the values of the accounts and positions which I can parse from the html)
What do you guys think? Is this possible and could you help point me in the right direction with some examples, etc...?
After a cursory glance at the login page, it is possible to do this with libcurl, by posting the username/password combo to their authenticating page, and assuming they use cookies to represent a login session. The first step is to make sure that you've got the following options set:
CURLOPT_FOLLOWLOCATION - The server may redirect after authenticating, this is quite common.
CURLOPT_POST - This tells libcurl to switch into post mode.
CURLOPT_POSTFIELDS - This tells libcurl the values to set for the post fields. Set this option to "userId=<insert username>&password=<insert password>". That value is derived from the source code for that page.
CURLOPT_USERAGENT - Set a simple user-agent, so that the web server won't throw it out (some strict ones will do this).
Then, once the post is complete, the libcurl instance should contain some sort of authorisation cookie used by the site to identify a logged-in user. Curl should keep track of cookies within a given instance. There are plenty of options for Curl if you want to tweak how cookies behave.
Make sure that once you are 'logged-in' that the same libcurl instance is used for each request under that account, otherwise it will see you as logged out.
As for parsing the resulting pages go, there are tonnes of HTML parsers for c - just google. The only thing I will say is do not try to write an HTML parser yourself. It is notoriously tricky, because a lot of sites don't produce good (or even working) HTML.
I'm looking at ways to secure the admin section of my (cakephp powered) Facebook application. To avoid duplicating functionality, I thought it'd be neat to allow access to people who have been flagged as developers in the app settings.
The question could then be: How do I determine whether a user of my Facebook application is a developer?
Alternatively: How do I obtain an array of developer user IDs for my Facebook app?
I tried looking for your answer myself, and the only thing I found that you could possibly do is to make a group private and invite-only to developers and then use the fb:if-is-group-member tag. http://wiki.developers.facebook.com/index.php/Fb:if-is-group-member
OK, so I found out how to do it by myself. Props to Samuel for giving me the idea.
Basically, the way to do it is to run an FQL query that establishes whether a user is an admin of the applications page (page_admin).
SELECT uid FROM page_admin WHERE uid = 286302657 AND page_id = 31290624157
In the PHP client, this returns an array for developers and an empty string for anyone else.
I decided to use the FQL rather than the API call because it is possible to preload the FQL to reduce calls to the Facebook servers.
Hope this is useful to somebody.