Foursquare Realtime API - UserId vs Authentication relation - foursquare

During connected app integration user is redirected to a callback url provided by application developer. At the last step of authentication it is written that "Save this access token for this user in your database." . But the problem is you do no get userId during this authentication process.
https://developer.foursquare.com/overview/auth#access
I get authentication code but can not access userId. How can get userId of authenticating user...
regards..

Once you have the access token, you can make a request to the users/self endpoint to get any information about the user associated with that token, including the user's id.

Related

Google Sign Flow for Website. IDToken vs Access Token. Which one do I need?

What I ideally want to achieve is to be able to Login with Google SignIn, and put authentication on my Nodejs server's endpoints.
What I have done till now is log in the user in the browser, and send the IdToken to the server, validate this TokenId using verifyIdToken() using this link.
https://www.google.com/search?q=verify+idToke&rlz=1C5CHFA_enIN936IN936&oq=verify+idToke&aqs=chrome..69i57j0i13l2j0i13i30l3j69i60l2.12008j0j7&sourceid=chrome&ie=UTF-8
Question:
Once verified, should I generate an access_token using some package, and use that to secure my server's API? Or Use Google SignIn's IdToken as an access token for it?
Or Is there some other flow I'm not getting?
The id_token contains information about the user i.e. email, name, and profile picture.
If that's all that your application needs then the access_token won't be of use to you.
If you're trying to access/modify data belonging to the user, (i.e. trying to add an event to their calendar using the calendar api) then you need the access_token. The access_token is what will give you access to the user's account. If your application requests offline access to the user data then you will also receive something called a refresh_token that will let you regenerate your access token once it expires. If you add the refresh token to your oAuthClient it should automatically renew the access token for you when you make an api call.
Based on what you described I don't think you need the access_token and the id_token might be all you need.
More information is available on this page: https://developers.google.com/identity/protocols/oauth2

Implemented JWT - The user ID of the user to be impersonated

We are developing application for e-signature on PDF for different users of oru system, which call many docusign APIs and we try use JWT to authenticate the APIs. I able to get token. But I have doubt on one parameter of JWT request body. I refer link https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken.
What do you mean by "The user ID of the user to be impersonated.", I used API account user id.
Please refer my previous query Signer URL for an envelope - calling docusign API and getting 400 bad request error. I think, this is not correct what I use to pass here. However I am getting token.
Please let me know if you want to know more details.
"The user ID of the user to be impersonated." means exactly this, you can impersonate a user or "act on behalf of the user" by providing his userId in the JWT call.
So the impersonated user will be the sender of the envelope.
If you use your account userId you will be acting as the sender

DocuSign JWT Grant how to get GUID userId of the user to impersonate?

I am doing service integration with DocuSign platform using JWT Grant auth type. DocuSign account has multiple users setup.
My service is SendEnvelopService and one of the important request param to the service is user email. SendEnvelopService need to impersonate user with given email-id when calling DocuSign and send envelope in behalf of that user. Note that every request to SendEnvelopService will have different value of email request param.
I have following questions around it -
Question#1) Since I need to impersonate different user every time (based on email id in my request), I assume I need to get new JWT auth token every time, before making actual api call. Is that right? Is it usual and ok to request new JWT auth token so frequently before every api call? Does it raise any integration concerns with DocuSign?
Question#2) In my request, I have email id of the user to impersonate. I don't have user's GUID which I need, to get JWT auth token and impersonate it. Is there any api that I can use to get user GUID by email id? I wonder what kind of authentication will be needed for such api because I don't have JWT auth token yet.
One idea I have is may be I need to setup one admin user in DocuSign and keep admin userId (GUID) in application config. Now I have 2 users, one is admin user and another is request user which I have email from the service request. I can following steps -
Do requestJWTUserToken impersonating admin user. We get
oAuthTokenAdmin
Using oAuthTokenAdmin make
https://developers.docusign.com/esign-rest-api/reference/Users/Users/list
api call to get userId (GUID) of request user email.
Now do another requestJWTUserToken impersonating request userId. We
get oAuthTokenUser
Now make actual api call using oAuthTokenUser and to send envelope
Go to:
https://admindemo.docusign.com/
Log in with your demo (sandbox) credentials.
Then you have two options:
If it is only for you, simple thing is to click "API and Keys" page under Integrations on the left nav.
You will see this:
You can also click on "Users" on the left and select the user you want, any user really, doesn't have to be you.
then you'll see it under this:
For your first question, no, you don't have to do that. You can use the same user for all API calls. Especially if this user is an admin, then you can do all API calls under that context.

How to authenticate each API for authorize user?

I would like to authorize users for each api call.
For example:
app.post('/user', isAuth('user.write'), controller);
Above api requires user.write role, so how to check everytime that user has this role or not? isAuth function validates that user.
As per me we can save all the users roles at the time of login into redis and in each api call we fetch it from redis.
But roles are more then 1500, won't it make it heavy? Or should I check database for each api?
Or any other better way so I can easily validate each api for user?
You could utilize JWT tokens.
Your API would then issue a JWT token to a user that has the roles.
The user then provides this token for every request, and you don't have to make calls to redis, because you just just decode the JWT token and check out the roles from there.
The JWT token is signed by the server, and can't be modified by the client so you know that the roles are the roles actually provided from the server.
Read more about JWT security in this article
A popular library for working with JWT tokens in node is node-jsonwebtoken which has over 10000 stars on GitHub.

how to get foursquare uid from token based authetication?

I'm using Token Flow as described here https://developer.foursquare.com/overview/auth
User authenticates foursquare and is sent to a callback page on my server from which I parse the access token for that user out of the url.
Once i have this access token, how do I look up the user so I can grab her uid?
thanks
Use the /users/USER_ID endpoint with user id "self" to get information about the acting user.

Resources