Logging people in with their Facebook accounts is quite easy with the Spotify API's auth methods. However, I couldn't find any procedure on the API docs for logging people out of Facebook.
Do I have to do this manually, utilizing the Facebook API, or does Spotify provide a way of doing this?
There is no method to log the user out in the Spotify Apps API. In order to do achieve it, you need to make a request to https://www.facebook.com/logout.php?access_token=<access_token>&next=<next>
where:
access_token is the same token you use to log a user in
next is a URL that belongs to the same domain as the registered one on Facebook for your app
Related
I'm building a mobile app (and possibly a website) that uses a REST API to handle all the logic.
That being said, the REST api itself should call a 3rd party REST API (the Spotify one) to handle the logic for the app/website.
So basically the user should sign in to my app/website using its Spotify account and my API should make calls to the Spotify Web Api to retrieve user data using its access token, and then send them back to the app/website.
Now I've spent quite some time studying Spotify guidelines about authentication here and it looks like the Authorization Code Flow should fit my use case.
I definitely need to call the /authorize endpoint to retrieve the code from my app since I need user interaction for that. After that, I do get back the **code** that I should exchange for an access_token and refresh_token.
But as I said, it's not the app itself the makes the calls to the Spotify API, but my API. So theoretically I should send the received code to my API and let him handled retrieving and refreshing the access_token and refresh_token.
So my question is if this makes sense? Is it ok to send the code from the app to my api?
Not sure if it's clear so I'll attach a diagram of what I'm intending of doing.
Also probably after receiving the code, I would send back my own token to the app to be used with each future request (somehow similar with what you would do when you handle authorization with Facebook or other socials)
Hmm - some assumptions below, but I would aim to use standard flows. Some solutions are not possible in a good way though.
BUSINESS SOLUTION
Are you trying to build an app that combines the user's Spotify data with your own data for the user?
ARCHITECTURE TO AIM FOR
Your own UIs and APIs should use tokens issued by you and not Spotify. Only use Spotify tokens when you need to access Spotify resources. This leads to simple and reliable code.
STANDARD OPTION 1
This is based on you being in control of data from multiple sources:
You should have your own login and token issuing system. UI first logs into your app, which enables it to call your API with a token.
When you want to access Spotify you need to redirect the user again. The user can then consent to you using Spotify resources in your app, after which your web / mobile UIs get a Spotify token and can call Spotify APIs.
STANDARD OPTION 2
This is based on allowing the user to sign in with a familiar credential, which works via a federated login:
User needs to login
Your app redirects to your Authorization Server
There is a second redirect to Spotify
User logs in at Spotify
Spotify posts a token to your Authorization Server
Your Authorization Server posts its own token to your mobile app
Meanwhile your Web API has its own connection to Spotify that uses the Client Credentials Flow.
DOUBLE HOPPING CODES / TOKENS
This is not insecure, but it will add a lot of complexity and is not standard. You would need to maintain some kind of API session with 2 types of token per user and access token expiry would be a horrible area.
MOBILE FLOW
For mobile apps you should use Authorization Code Flow (PKCE) - my blog posts have some stuff on messages and user experience.
I have a web app where people can log in through Twitter and by doing so authenticate the app to tweet on their behalf, I want to do this.
But the problem is that I cannot find any endpoints in the twitter API that would facilitate this,
I'm able to tweet from my own app using the Twitter npm package but I can't find a parameter to pass something like a user ID to tweet from a different twitter account using my App.
Do you maybe need the OAUTH token and secret to do this?
The solution is to have people sign in on your web page and get their tokenSecret and token from the login, put those in the place where the access_token_key and access_token_secret usually go when tweeting and send a regular statuses/update/ POST request.
I am coding my app/website to work with Instagram, along with Twitter and Facebook. I saw that a video screencast is required to show:
Please make sure that the video clearly shows how your application works, including any Instagram login experience and the usage of every permission you are requesting.
Does this mean it needs to have an Instagram login? We only offer login with Facebook, Twitter, or email accounts.
Thanks!
The Instagram API requires authentication - specifically requests made on behalf of a user. Authenticated requests require an access_token. These tokens are unique to a user and should be stored securely."
https://www.instagram.com/developer/authentication/
I don't think you can make any Instagram API calls without supporting Instagram login.
I just wanted to use webapi to play with the metadata like playlist, artists on my own account. Is it possible to do that by REST API without using /callback to web application which receives authorization code then can get the oauth token ?
I have researched here:
https://developer.spotify.com/web-api/authorization-guide/
Then I found:
https://developer.spotify.com/web-api/authorization-guide/#client-credentials-flow
That's it! You just need to get oauth token by giving your regular login and password credentials.
I'm in the process of building a Google Chrome extension, and have some questions about how to implement security into the application.
I need to access a couple of Google API's so am going to be using OAuth 2.0 for that. So basically from the extension I know which user is logged into the browser.
My extension then needs to get and post data to my (nodejs) API service. I want to ensure that the user requesting data is the same user that is logged into the browser. Is there any way of using the previous Google authentication process to also authenticate communications between the extension and my API? I dont really want the user to have to log in again, to access my API.
I'm sure I'm missing something simple, and I've not been able to find anything that fits this scenario
Follow the OpenID Connect auth flow and you will get an access_token and an id_token. The acess_token you will use to use to make authenticated requests to Google APIs as usual. The id_token will be used as authentication with requests to your server.
When the requests hit your server you will need to validate the token and you can then use the contents of the id_token to identify the user.
User wouldn't have to login on auth process provided if user is already logged in and you are using a web application flow (not chrome.identity APIs) but user would see the consent screen atleast the first time. However you can skip the account selector screen if you already know the email address by providing &login_hint= parameter.