I've been using Tweepy for OAuth and twitter API calls. For a whole bunch of reasons, I'm switching to urllib and making HTTP requests directly.
It appears have two options:
I can do oAuth directly over HTTP, but the existing resources seem to either say "don't bother, just use a library," or they don't cover half of the process.
I can continue using Tweepy to get a key/secret pair, but from there I'm still not clear on how to use that pair to authenticate my queries. Specifically, what do I have to do before "https://api.twitter.com/1/statuses/home_timeline.json" to authenticate, supposing I've already completed the OAuth process and have a key/secret for the user I want.
Why don't you use a more generic oauth library (like oauth2), instead of throwing out the oauth authentication library idea entirely?
https://github.com/simplegeo/python-oauth2
Signing a request for OAuth means either implementing the signature function yourself for each request or using an existing library - and creating oauth signatures is pretty complicated and prone to breakage. As someone who's supported OAuth-based APIs for a couple of years I strongly encourage you to use a library.
The oauth2 library has an example for getting a token/secret for twitter.
Once you've gotten the token and secret, the oauth library is as simple as:
consumer = oauth.Consumer(consumer_key, consumer_secret)
token = oauth.Token(token,secret)
client = oauth.Client(consumer,token)
response = make_request(client,"https://api.twitter.com/1/statuses/home_timeline.json")
Related
I have been studying the DriveAPI for a while now and can't seem to find a simple way to get it to work just for MY needs only...
I would like to use the DriveAPI only with just the REST API (HTTPS).
There are many things like token, clientid, apikey, secrets, etc.
All I need, is to search MY OWN GDrive files (FULLTEXT CONTAINS) and get a result from the API but I can't get it to work.
Please remember, this is for my own needs only and I would like to bypass the verification (login) window and get some kind of token, that lasts forever, so I can implement this in my own tool.
So, how can I authenticate and use the DriveAPI with just plain HTTPS?
My efforts so far:
I have already made a client ID and a client KEY for a sample project in the dashboard. I have also an Google Drive API KEY. From this point, I don't really know where and what to send.
As I mentioned in my comment, there is no "bypass" for the OAuth 2.0 authentication (that's why there is authentication enforced in the first place). Have you done any coding for this that you can share? For most REST API's OAuth 2.0 authentication is required. Your application must be able to request the token and use it to make the requests.
Google API's use Google Identity service to provide the tokens. In the following document there are many examples of how this implementation should be done in different programming languages:
https://developers.google.com/identity/protocols/OAuth2WebServer
I've got a Paw project for an API that uses OAuth 2. Everything works great, on a per request basis, but every request manages its own token. Is there a way to have a single OAuth 2 "manager" for each project, where each request can grab the latest token from that manager, rather than grabbing new tokens for each request?
Environment variables are a nice way to handle this. We've described this in the docs:
As you may often switch between development and production environments, or between several users, you may need to have several OAuth credentials you may apply to your Requests. You can keep those credentials in Environments, and then use them in the OAuth Header Dynamic Value.
Read more about Environments and how to use Environments as Reusable Presets (this actually is the doc article that can help you the most for that).
Ok, so I'm struggling a little bit with trying to get a authentication process in my ASP.NET MVC5 (Web API 2) project. To start, here are some requirements:
I can't use Entity Framework (all access to the DB needs to be done through stored procedures)
Needs to target .NET Framework 4.5.2
I am not using ASP.NET Core
I would like to be able to use Bearer (or similar) tokens for authentication
I would like to invalidate tokens if a user logs out or automatically invalidate them after 24 hours
I would like to pass (and receive) XML when sending requests to the "login" (or "token") endpoint (note that ideally the solution should respect the "Content-Type" and "Accepts" headers, so if I send it JSON it should respond in JSON, and if I send it XML it should respond in XML)
I will not be using external providers (e.g. Google) anytime soon (maybe never)
I would like to use the <Authorize> attributes to help with protecting other endpoints
I am using VB.NET, although answers to this question can be in C# (I can convert them or rewrite them to suit)
I would like to store the tokens in the database so I can record which user is doing what within the API
(note that there are lots of reasons why I can't change the above)
I've tried to do this with Owin (OAuth) but I've found the following issues when comparing this to the requirements:
I can't seem to send the token endpoint any XML
Responses from the authentication endpoints (both successful and unsuccessful) are in JSON
I can't invalidate the tokens when logging out
I am happy to move away from OAuth if that is the best way to go for what I want. I would prefer to use Microsoft built nuget packages (ie no third party solutions) or I'm happy to partially roll my own solution (I would like to leverage as much of in-built or Microsoft built code, including Identity and Claims as possible so I can minimise testing efforts).
I have read numerous StackOverflow questions about this and search heaps on the internet, but most articles stick with OAuth despite the above issues or they rely on EntityFramework. My current solution uses the code from here (pretty much copy/pasted with some custom code in ApplicationOAuthProvider.GrantResourceOwnerCredentials()): https://www.codeproject.com/Articles/1187872/Token-Based-Authentication-for-Web-API-where-Legac
Thanks for the help!
I did some more extensive research and it looks like OAuth is not applicable for my specific situation. Although it seems like a nice authentication method, I really need to invalidate tokens via the DB, and I need the API to always send/receive XML (these are apparently not applicable when using OAuth).
To solve these problems, I have rolled my own token-based solution that creates a hashed token on the client side, so I never send passwords over the wire (which is a little bit nicer) because the token is generated on the client side (note that I am controlling what happens on the client side - these are all in house clients and I am writing the libraries these clients will use). This involved me creating my own filter which inherits System.Web.Http.AuthorizeAttribute.
If anyone stumbles across this question and provides a really good answer, I'm more than happy to mark theirs as accepted.
I have built a Restful Web API for my (android) mobile application, and now i am trying to secure the access to the API. I was reading for about a week on this topic and i got the whole spectrum - from those who say that is is impossible to secure a Restful API to those who say that Https (SSL) is enough.
Here I don't want to start a discussion about that.I have settled with OAuth or OAuth2 it doesn't matter(as far as I have read OAuth seems to be the better choice, but in the Microsoft tutorials they use OAuth 2, so here i am quite confused), and yes i know that they are completely different, but I am so frustrated of searching that I would accept either (I must admit that I expceted this to be much easier). As I said, I was searching for about a week, and all I got are concepts(a lot of them). You send some data -magic start - usually username/password to the server, your data is being processed and you get a token back - magic stop-. On SO there are a lot of questions on this topic but most of the answers are unprecise (and unfortunately unusuable). For example I got this one How to secure WEB API, nice answers, but not really use of them, or this one Implement Web API with OAuth and a Single Page Application. I also got the examples from the Microsoft tutorials but there is a lot of overhead in the code and the part about OAuth isn't quite clear(which is unfortunate because the whole example should be about OAuth). I could post tons of links which claim to talk about this topic, but actually they are of no help.
What I am looking for is an simple, very very simple, example of an ASP.NET OAuth(2) implementation. It would be great if I just could use it with fiddler, provide an username/password in the header and with use of grant_type: xxx I get the token back(the permitted username/password can be hard coded inside the project, so no need for Entity framework implementation or any database on the backend). And it would also be great if someone could explain me how to use this token to authorize the user (I got it that I have to provide the Controller functions with the [Authorize] attribute, but how and where is this token-check being done ?). But please, don't post any theory about OAuth, I don't need that, here I am looking for the actual implementation of OAuth inside of Asp.Net Web Api
thanks
Here is detailed post about adding the resource owner password credentials flow for your Web API project.
The most simple implementation of OAuth2 in Web API project you can find here:
WebApiOAuth2 on GitHub
There are just two important files:
Startup.cs (with settings)
AuthorizationServerProvider.cs (authorization of users using oauth2)
I am creating a client program that calls various APIs, one of which is the Evernote API, through purely HTTP calls, without the use of any SDKs provided by Evernote. I realize that this makes my life harder, but it makes the lives of the users of my product much easier.
So far I have been able to authenticate with oauth 1.0 to the Evernote server. However, it's not immediately clear how to make the HTTP call after I have the oauth_token.
Where is the endpoint to make API calls to create a note on an oauth-authenticated Evernote user account? What are the url parameters for such a call? Or, what are the requirements to include in such an HTTP request?
Does Evernote use HTTP to make such calls anyway? If not, what do they use?
Do I have to format the note in XML format, or does it accept JSON as well?
Evernote does not have a RESTful API. According to the CTO, it's due to a requirement to shuttle very large amounts of data and HTTP is not efficient. There is a project on github aiming to implement a RESTful API for Evernote.
https://github.com/ttddyy/evernote-rest-webapp
CTO's Reasoning:
http://blog.programmableweb.com/2013/10/03/is-evernotes-restless-api-approach-a-model-for-other-api-designs/
I haven't used Evernote in years and never used the API.
Evernote uses thrift which can be a bit tricky to deal with. This choice is explained in this blog post. I really advise you to use the SDK as it hides all the thrift complexity.
As mentioned above, a rest wrapper is available on github. It seems very cool but it's new and not official. Use it at your own risk.