I have following details : asana personal access token, asana client-id, asana client secret. I have installed requests. I dont know how to use these details and access my asana user details, projects etc.
If you provide more detail and clarity around what you are trying to accomplish accompanied by code snippets where relevant I may be able to help more specifically.
Generally, however, you will not need a Personal Access Token and your OAuth App credentials in the same application. They are mostly mutually exclusive.
The Personal Access Token is good for a personal app that only you will use and OAuth well suited for an app which will support many users authenticating on.
When writing applications against the Asana API in Node JS you should consider using the official Node JS client library for simple & easy support of the API.
Related
I am trying to create a REST API (via Firebase cloud functions) and release it to my clients to allow them creating their mobile apps. The mobile apps they will be creating are used by public users. However, users are not supposed to deal with our APIs and thus authentication. So I don't need end user authentication. It's up to our clients (app makers) to use a "client id" and an "api key".
Based on what I have researched, Firebase Admin SDK might not be a good solution for this end since we're concerned about client level authentication.
I am looking for a standard solution to generate api-keys for the 3rd party clients. This key generation is not a manual process but rather a service that clients will use to obtain a key. Something like google map api for 3rd party developers. We want to keep track of whitelisted clients without needing their app users to deal with authentication.
I'd appreciate suggestions and guidelines to find the best solution for our REST APIs.
The first solution that comes to my mind is thew new Firebas App Check. It would restrict any access beside the Apps and Web pages you have whitelisted for your project. I don't know if that is possible in your usecase (how the cooperation with the other apps look like) but I would deffinitely try this first.
I have been studying the DriveAPI for a while now and can't seem to find a simple way to get it to work just for MY needs only...
I would like to use the DriveAPI only with just the REST API (HTTPS).
There are many things like token, clientid, apikey, secrets, etc.
All I need, is to search MY OWN GDrive files (FULLTEXT CONTAINS) and get a result from the API but I can't get it to work.
Please remember, this is for my own needs only and I would like to bypass the verification (login) window and get some kind of token, that lasts forever, so I can implement this in my own tool.
So, how can I authenticate and use the DriveAPI with just plain HTTPS?
My efforts so far:
I have already made a client ID and a client KEY for a sample project in the dashboard. I have also an Google Drive API KEY. From this point, I don't really know where and what to send.
As I mentioned in my comment, there is no "bypass" for the OAuth 2.0 authentication (that's why there is authentication enforced in the first place). Have you done any coding for this that you can share? For most REST API's OAuth 2.0 authentication is required. Your application must be able to request the token and use it to make the requests.
Google API's use Google Identity service to provide the tokens. In the following document there are many examples of how this implementation should be done in different programming languages:
https://developers.google.com/identity/protocols/OAuth2WebServer
I'm setting up a personal page, and I would like to display my past work experiences and other data I have on linked-in so it is automatically updated when I update my linked-in profile. Is this possible without having to do oauth? I just want my own data.
No.
As the company says on their REST API page:
In order for your applications to access LinkedIn member data and/or act on their behalf, they must be authenticated. LinkedIn relies on the industry standard OAuth 2.0 protocol for granting access, due to its simplicity and ease of implementation.
See also this previous SO question.
This doesn't mean, however, that OAuth can't be handled for you:
As a convenience, if you are developing a front-end JavaScript or
Android application, we provide SDKs to handle the authentication
process for you.
Additionally, there are several 3rd party libraries available in the
open source community that abstract the OAuth 2.0 authentication
process for you in every major programming language.
As for the major languages they support, LinkedIn provides walkthroughs in PHP, Python, and Java on their API Get Started page.
I have built a Restful Web API for my (android) mobile application, and now i am trying to secure the access to the API. I was reading for about a week on this topic and i got the whole spectrum - from those who say that is is impossible to secure a Restful API to those who say that Https (SSL) is enough.
Here I don't want to start a discussion about that.I have settled with OAuth or OAuth2 it doesn't matter(as far as I have read OAuth seems to be the better choice, but in the Microsoft tutorials they use OAuth 2, so here i am quite confused), and yes i know that they are completely different, but I am so frustrated of searching that I would accept either (I must admit that I expceted this to be much easier). As I said, I was searching for about a week, and all I got are concepts(a lot of them). You send some data -magic start - usually username/password to the server, your data is being processed and you get a token back - magic stop-. On SO there are a lot of questions on this topic but most of the answers are unprecise (and unfortunately unusuable). For example I got this one How to secure WEB API, nice answers, but not really use of them, or this one Implement Web API with OAuth and a Single Page Application. I also got the examples from the Microsoft tutorials but there is a lot of overhead in the code and the part about OAuth isn't quite clear(which is unfortunate because the whole example should be about OAuth). I could post tons of links which claim to talk about this topic, but actually they are of no help.
What I am looking for is an simple, very very simple, example of an ASP.NET OAuth(2) implementation. It would be great if I just could use it with fiddler, provide an username/password in the header and with use of grant_type: xxx I get the token back(the permitted username/password can be hard coded inside the project, so no need for Entity framework implementation or any database on the backend). And it would also be great if someone could explain me how to use this token to authorize the user (I got it that I have to provide the Controller functions with the [Authorize] attribute, but how and where is this token-check being done ?). But please, don't post any theory about OAuth, I don't need that, here I am looking for the actual implementation of OAuth inside of Asp.Net Web Api
thanks
Here is detailed post about adding the resource owner password credentials flow for your Web API project.
The most simple implementation of OAuth2 in Web API project you can find here:
WebApiOAuth2 on GitHub
There are just two important files:
Startup.cs (with settings)
AuthorizationServerProvider.cs (authorization of users using oauth2)
I'm developing an API for a project I'm involved in. The API will be consumed by an Android app, an iOS app, and a desktop website. Almost all of the API is accessible only to registered users. The API allows authentication via WSSE which is great for the mobile apps, but not so great for the website. However, I'm using Symfony2 to develop the API, and I have configured it to allow access to the API by both WSSE and/or session/cookie authentication (multiple firewalls with common security context, if you're interested).
With an API-first approach like this, I'm concerned about things being abused. Take my signup method for example. I only want it to be used by the apps or the website. However, there's nothing to stop someone writing a simple script to hammer the API with bogus signups. Then there's the concern about CSRF. Because the API is can be accessed by a logged in user, then there's a risk that this can be exploited.
I don't want the API to be public, but I don't know if this is possible given that it will be used by the website. Is there anything I can do remove (or reduce) the risks and the vulnerability exposure?
Kind regards.
For the signup brut force problem you could enable a "rate limit" for your API calls.
This blog post introduces this concept and how to use it in a Symfony2 application thanks to the RateLimitBundle.