When a user authorizes with my Glassware they provide these permissions to my software:
Although it isn't lining up in the image, the more info is from the top "basic information about your account" permission. It mentions timezone which I would like to access to customize global event time stamps for display to people who don't grok GMT.
I am surprised I can't find the endpoint for this anywhere in the docs.
Anyone know where this might be, or is this a UI bug in the permissions dialog and really we can't see that information? Or perhaps is this only available to trusted partners like NYT and CNN, etc, and not to mere explorers.
I already tried variations on the timeline GET endpoint:
https://www.googleapis.com/mirror/v1/timeline
But substituting in various version of user/users and account/accounts and adding in the user id for a registered user, which I can get through this bit of Java code:
String userId = AuthUtil.getUserId(req);
Any help appreciated!
(Note: I won't give credit to anyone suggesting I get the user's location and use a Google API to reverse look up their location's timezone--see the issue tracker for problems with that approach not to mention I want the timezone the user set in their account not where they are)
The more information screen is coming from the https://www.googleapis.com/auth/userinfo.profile scope: with a token approved for this scope, you can send authorized requests to the userinfo endpoint:
GET https://www.googleapis.com/oauth2/v2/userinfo
Authorization: Bearer <OAUTH_2_TOKEN>
However, you will only be able to retrieve the timezone information if the user set it in their profile and allowed sharing.
In Java, retrieving this information is done with the OAuth2 API.
Related
I am working on a integration with Salesforce using REST APIs and, as part of the project, I need to send updates to Salesforce and these updates are not user triggered, they are system triggered.
Because of that, what I expect to see on Salesforce Field History is not a user name but the name of our Connected App (the app that made the update).
What I see today is the user name because the way the integration was made initially using OAuth Authorization Code flow.
To change that part of the project, I followed the link (OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration): https://help.salesforce.com/articleView?id=sf.remoteaccess_oauth_flows.htm&type=5
Making that, I was expeting to generate a token for a System, not for a User, but that's not what happened: when I used the token generate from the JWT Bearer Flow and ran the update, the Field History still shows the user name.
What could I do then?
Which are the options in Salesforce to achieve the behavior I'm expecting?
The most important, in my opinion, is to have a Token for our system, not for a user.
Thanks!
Everybody is an user in Salesforce. Even if you access unauthenticated pages (some contact us form? case or lead capture) - it gets tracked under special Guest User.
It sounds stupid but gives you unified interface to control permissions (Profiles/Permission sets). You want guests to access only FAQ articles and make cases? Sure thing, do it in profile, don't get paranoid about people trying to guess right URLs. You think an app was hacked? You can terminate the session just like any other "user". Want to allow login only in certain hours and from certain IP? Sure.
An app connecting with JWT will still need username (main difference being it's "just" certificate for signing the request instead of password).
Your best bet is to create dedicated "Mr System", "SystemX integration" account. It sounds like waste of license but in the long run saves you questions "why did you edit my account at 1 am" and you could even use it as backup account if you use SSO and it ever fails...
I am building a react site where users can purchase a "day", "weekly" or "monthly" pass for the content on the page. I only want to allow them access for a day if they purchase a day pass. Same for weekly and monthly. I am using JWT to keep users logged in. I have no idea how to create the functionality to verify if they should still have access or not. Would love some help. I am also using redux if that helps.
You need to start thinking about Authentication and Authorization separately. Your JWTs are (hopefully) performing the Authentication duty. The "limited access" you're asking about are the concern of Authorization. In other words: now that you know who this user is, what are they allowed to do?
You need to map your JWTs to some form of internal user id, and then determine if they can or cannot access the requested resource/endpoint/etc.
For example, you might allow all users to GET from /jobs to view the listing of job postings, but if they try to POST to /apply for a job, you verify that they are a "premium" user, with time remaining on their paid subscription.
I've got a small review system built in AngularJS and Firebase and the only way to identify which review is made by which user is via the uid of the user. The idea is when you then click on the user's name, you should be taken to the profile of that user.
So I would then create a route looking like /profile/{{review.author.uid}} which could translate into /profile/facebook:123234243 for example.
My question is, does it pose a security threat showing the uid in the url like this? Can it be used for any malicious actions against a user's third party account etc?
I've tried looking through their website but I can't find anything on this subject.
EDIT: Note that I need a Firebase specific answer, not a generic one about database id:s.
I am trying to get all the friends of the user currently signed in. I tried /me/friends but that didn't work as it returns only the users using my app already. I then tried https://graph.facebook.com/me/taggable_friends?access_token=somecodehere
In the browser it says
"To use taggable_friends on behalf of people who are not admins,
developers and testers of your app, your use of this endpoint must be
reviewed and approved by Facebook. To submit this feature for review
please read our documentation on reviewable features:
https://developers.facebook.com/docs/apps/review"
But when I do a GET (using Angular.js) on this URL with a valid access token using my application, it returns me a list of my friends, with their id, name, picture. Why is this happening? How can my app get the data if my browser cannot?
Also, the picture currently returned is too small. How can I get the email and larger picture of all my friends in this response?
Any help is highly appreciated.
PS: I am building a cordova app and getting access_token via CordovaOAuth.
taggable_friends works for you because it works without review for everyone with a role in the App (Admin/Developer/Tester). You only need to go through the review process if you want to go public with your App.
That beind said, taggable_friends is for tagging only, a larger picture is not neccessary for that and you definitely canĀ“t get their email. What would you do with the email of friends who did not even authorized your App? You would not be allowed to use those emails anyway. You can ONLY get the email of a Facebook user by authorizing that user with the email permission.
More information about getting access to friends: Facebook Graph Api v2.0+ - /me/friends returns empty, or only friends who also use my app
I would like to access a user's Google Plus One history
With +1 enabled, the history is saved in your Google profile and optionally can be displayed:
http://www.google.com/+1/button/
It is possible to access this programatically (once the user has given permission via normal Google Authentication and Authorization?)
I have only been able to find information for the API to add the button to sites.
You can allways try to parse the data used by G+ itself.
The G+ user profile has a tab with all public +1, that can be fetched with
https://plus.google.com/_/plusone/get?oid=<google-plus-id>
It seems to be related to JSON, but with some differences.
Check this out....
https://developers.google.com/+/history/
Dave,
I'm not sure about a user's history, but the count for particular URL is available via a JSON-RPC service (https://clients6.google.com/rpc). Here's a little post on how to:
http://www.johndyer.name/post/Getting-Counts-Twitter-Links-Facebook-Likes-Shares-and-Google-Plus-One-Buttons.aspx
I'm guessing that same service can get additional data, but I can't find any public documentation either.