Get name from Google OpenId in yesod-auth - haskell

How can I get a user's full name from Google when authenticating with yesod-auth's GoogleEmail backend? In my app, I'd like to require users to enter as little redundant information as possible.
I'm not sure where to start. Will I need to modify yesod-auth?

Unfortunately, yesod-auth doesn't currently provide you with enough access to the underlying OpenID response to get that information. I'd be happy to accept a pull request to extend the API in that direction.

Related

Instagram hashtag search permissions

I downloaded a jQuery plugin a while back that worked really well in displaying posts from a particular hashtag from instagram. Since the recent updates to instagram, the hashtag search returns an error
“This client has not been approved to access this resource.”
I have been told that I need to get permission to now access a specific hashtag, but since this is not an app and I am not the developer, how do I go about doing that specifically?
You have to have access to an Instagram account, otherwise you cannot do anything.
By the way, do you have that jQuery plugin? Maybe I can take a look at it and help you with that.
To get this level of information you will need a developer account with Instagram and then get the appropriate token for accessing this information through the API. The scope will need to be set correctly during the OAuth2 generation of the token; it will probably need the "public_content" scope.

How to add Instagram feed using HTML or Javascript

So I'm trying to add an actual Instagram feed to my WordPress site. I don't want to use a 3rd party site which doesn't drive traffic to the actual IG site. I've been on the IG developers site and to be honest it's kind of confusing. Any help would be greatly appreciated.
I would recommend using a plugin to do the hard work, since there are many out there, and integrating Instagram yourself could be a challenge. A quick Google search gave me this one:
https://wordpress.org/plugins/instagram-feed/
If you don't want to use a plugin, you need to understand how the api works.
The instagram API requires OAuth authentication for most calls.
First, you will need to register an application on the https://instagram.com/developer/ site in order to obtain a client Id.
Once you have a client Id, you need to establish a flow for users who visit your site. There is no way around this for API calls requiring authentication.
First, the user needs to log in and allow access from your account using the Instagram API request URL:
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code
CLIENT-ID is the id you obtained earlier, and REDIRECT-URI should be your WordPress site.
Calling this url will allow you to obtain an access token for the user on your site, and you can then make authenticated calls to the API using that token.
One way around this is to make simple calls that don't require authentication, using tags that are specific to your photos. That is described in this SO question:
Instagram API and importing photos without server side authentication
Cheers,
I agree with Felipe. If you or your client need an Instagram plugin, the easiest way would be to buy it at some marketplace. What's more important, it is much cheaper than wasting your own time on developing one. Of course, that applies to commercial development, not something that you do for fun.
Here's a list of plugins that I've installed for my clients and was happy about:
https://wordpress.org/plugins/instashow-lite/ - lite version of the premium plugin. The functionality is really limited, but it would be enough to give you a simple display.
https://codecanyon.net/item/instagram-widget-wordpress-plugin-for-instagram/11170758 - a simple commercial widget to display your Instagram account on a webpage.
https://elfsight.com/help/how-to-embed-instagram-feed-widget-on-html-website/ - an interesting cloud solution for websites on any CMS. It's got a demo and a free plan.

Deployd: How to implement dpd-passport and securely authenticate

Let me start by saying I really like Deployd. I want to use it in production, but I want to incorporate OAuth and social logins, so I installed the dpd-passport module. It works great, except for two little (big) problems:
When a user signs in via an OAuth provider (e.g. Facebook, Twitter, Github) a new user record is created...but if the same user clears their cookies or uses a different browser to log in, a new user record is created.
If I do something clever (read: hacky) and assign users with social logins an ID based on the socialAccount and socialAccountId (something unique but constant for each social account), someone could use the standard method of user creation to spoof a user by making a POST request to the /users endpoint if they knew that user's socialAccount and socialAccountId.
My question is: How can I A) prevent #1 from occurring, or B) disable the standard method of user creation without also preventing OAuth user creation?
Has anyone ever successfully used Deployd and dpd-passport in production? If so, I want to speak with you...
Thanks in advance!
First of all, I think you haven't added the custom fields per the docs.
https://www.npmjs.com/package/dpd-passport#requirements
I hadn't either, and observed the new user feature (because it couldn't lookup the response from the auth service to find the user from before). Adding these fields fixed it.
Also, there is a google group here:
https://groups.google.com/forum/#!forum/deployd-users
Hope that helps.

get Access token in foursquare

I want to get a Foursquare access token as described at this link `https://developer.foursquare.com/overview/auth#userless`, and this is the code:
https://foursquare.com/oauth2/access_token
?client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&grant_type=authorization_code
&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
&code=CODE
I don't understand what YOUR_CLIENT_ID, YOUR_CLIENT_SECRET and YOUR_REGISTERED_REDIRECT_URI are. Can you explain and show some examples? Thank you very much for helping.
"Before you get started, you should create an app on Foursquare. This will give you a client ID and client secret which are needed for using the API. The documentation in this guide is meant to give a high-level conceptual overview of the Foursquare platform, help you grok its different parts and capabilities, and get started using the API’s most popular features."
https://developer.foursquare.com/start
Go to the link: https://foursquare.com/developers/apps
Click the option: "Create a new app". Enter the name of the app and a valid url from where your app can be downloaded. These two fields are mandatory. You can provide the details for other fields also. If you don't have a download link, you can create a folder in dropbox (google drive, onedrive) and provide that link. Create your app and you will get your private CLIENT_ID and CLIENT_SECRET.
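The Instagram answer above quotes the authorization URL (client_id, redirect_uri, response_type=code) and the Foursquare question quotes the token-exchange URL (client_id, client_secret, grant_type, redirect_uri, code). Both are the same OAuth2 authorization-code flow, so here is one added example that assembles all three steps: the redirect to the provider, the callback check, and the server-side code exchange. This is illustrative code written for this page, not code from Instagram, Foursquare or any of the answers; the endpoints are the ones the posts quote, the `state` parameter and the `query_params`/`parse_callback` helper names are additions of this example, and every CLIENT-ID, CLIENT-SECRET and redirect URI value is a placeholder for the values from your own registered app.

```python
"""OAuth2 authorization-code flow as quoted on this page, assembled in code.

Added example, not code from Instagram, Foursquare or any answer above.
Endpoints are the ones the posts quote; all credential values are placeholders.
"""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints quoted in the posts above.
INSTAGRAM_AUTHORIZE = "https://api.instagram.com/oauth/authorize/"
FOURSQUARE_TOKEN = "https://foursquare.com/oauth2/access_token"


def query_params(url: str) -> dict:
    """Single-valued view of a URL's query string (helper for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        state: str, scope: Optional[str] = None) -> str:
    """Step 1: the URL the browser is sent to. It is the post's
    ?client_id=...&redirect_uri=...&response_type=code URL plus a state
    parameter, which is what stops an attacker planting their own code on a
    victim's callback (login CSRF)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    if scope:
        params["scope"] = scope          # e.g. public_content for hashtag media
    return authorize_endpoint + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the provider redirects back to redirect_uri with ?code=...&state=...
    Return the code only if the state matches the one stored in the session."""
    q = query_params(callback_url)
    if "error" in q:
        raise PermissionError(f"provider returned error: {q['error']}")
    if not expected_state or not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: not a callback we initiated")
    if not q.get("code"):
        raise ValueError("callback carries no authorization code")
    return q["code"]


def build_token_request_url(token_endpoint: str, client_id: str, client_secret: str,
                            redirect_uri: str, code: str) -> str:
    """Step 3: exchange the code for an access token. This is the Foursquare URL
    from the question, parameter for parameter. Because it carries the client
    secret it is requested from your server only, never from a browser or a
    jQuery plugin. redirect_uri must equal the registered one exactly."""
    params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
    }
    return token_endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(INSTAGRAM_AUTHORIZE, "CLIENT-ID",
                              "https://example.com/callback", state, scope="public_content"))
    # A constructed callback, shaped as the provider would redirect it:
    code = parse_callback(f"https://example.com/callback?code=CODE&state={state}", state)
    print(build_token_request_url(FOURSQUARE_TOKEN, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                                  "https://example.com/callback", code))
```

The token request is shown as a GET with query parameters because that is how the question's URL is laid out; many providers want the same five parameters in a POST body instead, and either way the request belongs on the server, since the client secret is the credential that proves the request comes from your registered app.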

How do I validate the openid.op_endpoint when a request is completed

I have an Open ID based authentication system on my site.
Occasionally users will have an account registered under foo#gmail.com and they will attempt to login using the google open id provider https://www.google.com/accounts/o8/id, in this case I would like to automatically associate the account and log them in.
When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id.
My question:
Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious openid provider?
For illustration, let's say someone types in http://evil.org as their openid provider, can I somehow end up getting a request back that claims openid.op_endpoint is google? Do I need to store extra information against the nonce to validate?
The spec is kind of tricky to understand
Yes and no. No, you shouldn't trust anything you get over the wire, including openid.op_endpoint. But if you are using a secure OpenID library, this parameter is verified before the user is ever allowed to log into your site. The OpenID spec does, and in fact must, provide a way for this and other parameters to be verified, and without verification the authentication protocol is worse than useless.
So, make sure your library is decent. Then yes, trust the openid.op_endpoint parameter. But not the one you get from the query string yourself, since OpenID messages can be POSTed to you, and the parameter would not show up in the query string. Worse, if you were to check the query string in this case, you'd probably be opening yourself up to a security hole where an attacker could add that parameter to the querystring and fool you while complying with the library's requirements. So it's best to use the API the library exposes to find out what the OP endpoint is.
As far as linking the accounts in this way, this is a good approach since Google will only send email addresses it knows are truly controlled by the user. If you've already required your user to go through an email verification step, then linking the account is safe. But if the email address you have for the user wasn't ever verified, then you must not link the accounts based on this match or I can hijack someone else's account by creating an account that has someone else's email address, and then wait for them to log in using OpenID and now I can get into their account.
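The answer above makes two points that are easy to get wrong in code: read openid.op_endpoint from the message the library actually verified (which lives in the POST body when the OP POSTs the response, so a value planted in the query string is not the same thing), and auto-link on an email match only when the local address was itself verified. The following added example models both; it is not code from any OpenID library or from the answer. `VerifiedResponse` stands in for whatever a real library returns after it has checked the signature and nonce, and its field names, the `UserStore` class and the `login_with_openid` outcomes are assumptions of this example.

```python
"""Linking a local account to a Google OpenID login without being spoofed.

Added example for the answer above; not code from any OpenID library.
VerifiedResponse stands in for a library's verified result; field names,
UserStore and the outcome strings are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs

# The Google OP endpoint quoted in the question.
GOOGLE_OP = "https://www.google.com/accounts/o8/id"


def openid_fields(method: str, query_string: str, post_body: str) -> dict:
    """Take the OpenID message from where it was actually delivered: the body
    of a POST, or the query string of a GET. The two are never merged, so a
    planted ?openid.op_endpoint=... on a POSTed response is simply ignored."""
    raw = post_body if method.upper() == "POST" else query_string
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def naive_op_endpoint(query_string: str) -> Optional[str]:
    """The pattern the answer warns against: reading the query string directly."""
    return parse_qs(query_string).get("openid.op_endpoint", [None])[0]


@dataclass(frozen=True)
class VerifiedResponse:
    op_endpoint: str          # as verified by the library, not re-read from the request
    claimed_id: str
    email: Optional[str]      # from the AX extension, if the OP supplied one


@dataclass
class LocalAccount:
    email: str
    email_verified: bool
    claimed_ids: List[str] = field(default_factory=list)


class UserStore:
    """Minimal in-memory account lookup (constructed for the example)."""

    def __init__(self, accounts):
        self.accounts = list(accounts)

    def by_claimed_id(self, claimed_id: str) -> Optional[LocalAccount]:
        return next((a for a in self.accounts if claimed_id in a.claimed_ids), None)

    def by_email(self, email: str) -> Optional[LocalAccount]:
        return next((a for a in self.accounts if a.email.lower() == email.lower()), None)


def login_with_openid(resp: VerifiedResponse, store: UserStore) -> str:
    """Return 'login', 'link', 'new' or 'refuse' for a verified response.

    'refuse' means an account with that email exists but never verified it,
    so linking would let whoever registered the address take over the login."""
    account = store.by_claimed_id(resp.claimed_id)
    if account is not None:
        return "login"                         # already associated
    # Only Google's email assertion is trusted; any other OP can assert any address.
    if resp.op_endpoint == GOOGLE_OP and resp.email:
        account = store.by_email(resp.email)
        if account is not None:
            if not account.email_verified:
                return "refuse"
            account.claimed_ids.append(resp.claimed_id)
            return "link"
    return "new"


if __name__ == "__main__":
    # Constructed sample data.
    store = UserStore([LocalAccount("alice@example.com", email_verified=True),
                       LocalAccount("bob@example.com", email_verified=False)])
    print(login_with_openid(VerifiedResponse(GOOGLE_OP, "claimed-id-1", "alice@example.com"), store))
    print(login_with_openid(VerifiedResponse(GOOGLE_OP, "claimed-id-2", "bob@example.com"), store))
    print(login_with_openid(VerifiedResponse("http://evil.org/op", "claimed-id-3", "alice@example.com"), store))
```

The `openid_fields`/`naive_op_endpoint` pair shows the query-string trap concretely: on a POSTed response the body says one OP and a planted query parameter can say Google, and only the body is part of the signed message. In practice you do not parse this yourself; you ask the library for the verified endpoint, which is exactly what `VerifiedResponse.op_endpoint` stands for.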
