I sent this off to api#foursquare.com over a week ago, but haven't heard anything back so thought I'd try here as well.
The issue I seem to be having is that I have a user that should manage 600+ locations, but when I create an app for them, then an oauth token, that token doesn't actually allow access to all the venues managed by that user.
I have tried verifying this using the /venues/managed API, and can confirm that the tokens I'm creating manage different venues.
We've done this through Apigee, and using the same credentials the token we're getting back will not consistently give us access to the same number of venues.
Is there a way to ensure the token I create will manage the correct number of venues?
You can reset your tokens at https://foursquare.com/developers/app/CLIENT_ID/reset and try to logging in again with the correct credentials.
You shouldn't get different oauth tokens if you logged in the same user on multiple devices - be sure that you're using the same credentials across devices.
Related
I am building an application and I want users to be able to log in from multiple devices without logging out of other devices.
How should I implement this functionality?
I am using Jwt token for authentication and MySQL database for storing user details
JWT is primarily use for performing stateless authentication i.e. you don't need to perform lookup in the database for validating the token. Also, Token contain some user details which are enough for identifying the owner of the token so you don't need to store the token in the database.
I want users to be able to log in from multiple devices without
logging out of other devices.
You can issue multiple tokens to the same user requesting from different platforms. These token will have different expiration time, so user remain log-in irrespective of the platform they would try to use and log out process will entirely depend upon the expiration time of the token.
Here is a boilerplate on how to do that.
https://github.com/aichbauer/express-rest-api-boilerplate
Let's say we have a backend in ExpressJS. We are using simple BcryptJS to hash and store passwords and emails in the database.
Now I want to add the link social media accounts feature like this:
Now what I was wondering is what should I store in the database? Like lets say I registered using email and password, now I go in settings and add Google login, what should I store with the user's record in the database to use the Google identity in the future when needed? Like should I store the access token? the refresh token? Should I keep refreshing the token? Should I not even store the token?
Sorry if it might sound silly, but I googled around and didn't find the answer I wanted, and I have spent the last hour thinking about this. What do you guys think? And this answer might help a lost developer in the future too.
SOCIAL LOGINS
If this is your starting point, and assuming that the email used from Google or Facebook matches that used when logging in with passwords:
Field
Example Value
User ID
203
Email
john#company.com
Then when you receive the Google or Facebook response you would need to look for an email in it, either by inspecting the ID token or calling their user info endpoint. You can then match to the User ID that makes sense to your business data.
If you store anything from those providers it should be a linked record, something like this. You should only need to store access tokens from the third party provider if your app needs to access the user's Google or Facebook resources with it:
Field
Example Value
User Link ID
1039
User ID
203
Provider
Google
Subject
d2ee68ee-7853-11ec-90d6-0242ac120003
PROBLEM AREAS
The above mechanism is inherently unreliable and can easily result in duplicate users in your business data, eg if the social provider does not give you an email and the user exists already in your business data. A technique to solve this problem can be to involve the user - ask them if they exist already in your app and if so then ask them to authenticate with an existing method (password in your case) as part of onboarding to social logins.
Foreign access tokens, from Google and Facebook, are not designed to be used to secure your own APIs - you may not even be able to validate them in some cases, and you will not be able to control claims and scopes. This leads some people to write custom code to issue their own tokens.
AUTHORIZATION SERVER
For future reference, the preferred architecture is for your UIs and APIs to only talk to your own Authorization Server, which is hosted alongside APIs. This component will then manage the following aspects for you, all of which will keep the security plumbing out of your apps:
Login connections to social providers
Dealing with provider specific differences
Providing account linking capabilities
Storing linked records
Allowing you to return your own customized tokens to your own apps
In more advanced use cases the AS can also hold onto the third party access token for you via the embedded token approach.
For example if i have build a mobile application and using the nodejs REST api for accessing the backend.
I want to restrict the access of the application with same login credentials on a maximum of two devices.
For example me and my friend can have have access to the application with same login credentials but a third friend must not be allowed to have access to the account with same login credentials.
Can it be implemented with some kind of token. Can anyone please help me in understanding the concept to implement this.
Posting as an answer, since it does appear to be a solution.
It can be implemented with a token, but I think it's important here to maintain sessions. Also, you need to keep track of who is connected to what account, and from what device. You'll definitely need unique identifiers, and to know how many logins the account is already utilizing. If a user logs out, remove that device from the list until they login again. Read up on session management. I have had good success using PassportJS for stuff like this :)
I'm completely new to OAuth, and have a workflow question. I'm using node/express/passport, and have successfully set up the app to redirect when requesting my /auth/google endpoint.
However, I consistently get routed to the Google permissions page where I have to offer my application access to my information. What is the mechanism by which I could log in/out without providing that access every time? Essentially, how do I let users log in without requesting permissions again, but still let them log in through Google?
The typical flow is to have your users log in on Google, like you're doing. Once they confirm your application's requested scopes, Google can provide your server with an authorization code which can be traded for an access / refresh token to be stored and used in the future.
Passport should abstract a lot of the back and forth away from you, though. Are you utilizing this library? And if so, are you storing the access and refresh tokens in your own local database for re-use (or at least the refresh token, so you can get a new valid access token when you need it)?
The application I am designing needs consistent access to a user's inbox. Ideally it would know every time a user received an email to their Inbox, but as a proxy I am instead doing a check every five minutes.
When the user signs up, they grant me access to their account via the google gmail api using oauth. Because offline access is needed, I have it set up to also return a refresh token. As far as I can tell though, this means that I need to request a new access token every hour. That seems off to me. Is there a better way of doing this?
Thanks.
Yes, refresh tokens are the correct way to maintain a valid access token long-term. If you're using one of the Google API libraries, this should all be abstracted for you.
Regarding polling, you still need to poll but I suggest using history rather than constantly querying messages.list() or threads.list() with no parameters.