#oauth
Explore tagged Tumblr posts
mentalisttraceur-software · 5 months ago
Text
I miss being able to just use an API with `curl`.
Remember that? Remember how nice that was?
You just typed/pasted the URL, typed/piped any other content, and then it just prompted you to type your password. Done. That's it.
Now you need to log in with a browser, find some obscure settings page with API keys and generate a key. Paternalism demands that since some people insecurely store their password for automatic reuse, no one can ever API with a password.
Fine-grained permissions for the key? Hope you got it right the first time. You don't mind having a blocking decision point sprung on you, do ya? Of course not, you're a champ. Here's some docs to comb through.
That is, if the service actually offers API keys. If it requires OAuth, then haha, did you really think you can just make a key and use it? you fool, you unwashed barbarian simpleton.
No, first you'll need to file this form to register an App, and that will give you two keys, okay, and then you're going to take those keys, and - no, stop, stop trying to use the keys, imbecile - now you're going to write a tiny little program, nothing much, just spin up a web server and open a browser and make several API calls to handle the OAuth flow.
Okay, got all that? Excellent, now just run that program with the two keys you have, switch back to the browser, approve the authorization, and now you have two more keys, ain't that just great? You can tell it's more secure because the number of keys and manual steps is bigger.
And now, finally, you can use all four keys to make that API call you wanted. For now. That second pair of keys might expire later.
20 notes · View notes
Text
Happy International Bluescreen Day
This morning, Friday 19 July 2024, businesses, airlines, banks and media outlets are out of service following an update from CrowdStrike; an antivirus used by Microsoft is the cause of the outage.
In 2023
At the end of September, OAuth will be applied to @mail
76 notes · View notes
tkudo · 2 years ago
Text
The state of the consent resource determines whether an AT or RT can be issued
In addition to the requirements outlined in Open Finance Brasil security provisions the Authorization Server
shall only issue refresh_tokens when linked to an active and valid consent;
Must not issue refresh_token when consent status is "CONSUMED" (for phase 3);
Must issue an access_token through the grant_type client credentials when consent status is "CONSUMED" (for phase 3).
shall only share access to resources when presented access_token linked to an active consent and with the status "AUTHORISED". For tokens generated with the scope: payments, the status of the consent will not be validated.
In the scenario of receiving an invalid token, status code 401 should be returned.
shall revoke refresh tokens and access tokens, where applicable, when the linked Consent Resource is deleted;
shall ensure access tokens are issued with sufficient scope necessary for access to data specified in the Permission element of a linked Consent Resource object;
shall not reject an authorisation request requesting scopes broader than those necessary to access data specified in the Permissions element of a linked Consent Resource object;
may reduce requested scope to a level sufficient to enable access to data resources specified in the Permissions element of a linked Consent Resource object;
shall retain a complete audit history of the consent resource in accordance with current Brazilian Central Bank regulation;
shall return authentication failure and return code access_denied in the error parameter (as specified in section 4.1.2.1 of RFC6749) if the CPF of the authenticated user is not the same as indicated in the loggedUser element of the Consent Resource Object;
shall return authentication failure and return code access_denied in the error parameter (as specified in section 4.1.2.1 of RFC6749) if the businessEntity element has not been populated in the related Consent Resource Object and the user has selected or authenticated by using a credential related to a business account;
an authenticated or selected business account's CNPJ must match the value present in the businessEntity element of the Consent Resource Object. In case of divergence, the authorization server shall return authentication failure and return code access_denied in the error parameter (as specified in section 4.1.2.1 of RFC6749);
shall ensure refresh_tokens' expiration time is at least equal to the linked consent resource expiration time.
1 note · View note
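The consent-resource rules quoted in the post above, encoded as a small policy module. This is an added example, not code from the post or from Open Finance Brasil; the Consent class, sample_consent helper, PERMISSION_SCOPES mapping and the placeholder CPF are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed mapping from Permission values to OAuth scopes (illustrative, not the official table).
PERMISSION_SCOPES = {"ACCOUNTS_READ": "accounts", "RESOURCES_READ": "resources", "PAYMENTS": "payments"}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the samples

@dataclass
class Consent:
    status: str                                  # e.g. "AUTHORISED" or "CONSUMED" (values quoted above)
    permissions: frozenset                       # Permissions element of the Consent Resource
    expires_at: datetime
    logged_user_cpf: str                         # loggedUser element
    business_entity_cnpj: Optional[str] = None   # businessEntity element, only if populated
    deleted: bool = False

def sample_consent(status, permissions, days_valid=90, cnpj=None):
    """Constructed Consent Resource with a placeholder CPF."""
    return Consent(status, frozenset(permissions), NOW + timedelta(days=days_valid), "12345678901", cnpj)

def authorize(consent, requested_scopes, user_cpf, business_cnpj=None):
    """Authorization request check: returns (error, granted_scopes); error values follow RFC 6749 4.1.2.1."""
    if user_cpf != consent.logged_user_cpf:
        return "access_denied", set()             # CPF differs from loggedUser
    if business_cnpj is not None and consent.business_entity_cnpj != business_cnpj:
        return "access_denied", set()             # businessEntity not populated, or CNPJ diverges
    needed = {PERMISSION_SCOPES[p] for p in consent.permissions}
    if not needed <= set(requested_scopes):
        return "invalid_scope", set()             # token would lack sufficient scope for the Permissions
    return None, needed                           # broader requests are reduced, never rejected

def may_issue_refresh_token(consent) -> bool:
    # Only for an active, valid consent; never once the consent is CONSUMED or deleted.
    return not consent.deleted and consent.status == "AUTHORISED"

def may_issue_access_token(consent, grant_type) -> bool:
    if grant_type == "client_credentials":
        return True                               # must still be issued when the consent is CONSUMED
    return not consent.deleted and consent.status == "AUTHORISED"

def refresh_token_expiry(consent, issued_at, default_ttl=timedelta(days=30)) -> datetime:
    # Refresh token lifetime is at least the linked consent's expiration time.
    return max(issued_at + default_ttl, consent.expires_at)

def resource_access_allowed(consent, token_scopes) -> bool:
    """Resource-server check for a token that already passed signature/expiry validation (else 401)."""
    if "payments" in token_scopes:
        return True                               # consent status is not validated for the payments scope
    return not consent.deleted and consent.status == "AUTHORISED"
```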
jbcchan · 4 months ago
Text
i luv gouache… and i luv tigers…. so here’s a gouache tiger!!
18K notes · View notes
arielmcorg · 3 days ago
Text
Attackers Use Fake OAuth Apps to Compromise Microsoft 365 Accounts
Cybercriminals are employing a new tactic to infiltrate Microsoft 365 accounts. They use fake OAuth applications that mimic well-known services to steal credentials and multi-factor authentication (MFA) codes, evading security defenses. Cybersecurity researchers have detected a new campaign in which malicious actors impersonate companies…
0 notes
phuckingphreak · 6 days ago
Text
OAuth: the nightmare where you chase tokens like a raccoon after trash. Just when you think you’ve got it, it slaps you with a 401. But hey, at least now I’m officially authorized to lose my mind.
0 notes
acaj2018 · 2 months ago
Text
PHP: how to use Google API features
Unlike other APIs, using Google's APIs requires the Google Client Library. Besides loading it with Composer, you can also download it directly from this link; remember to choose the file matching your current PHP framework or it will not work. This article explains how to use the Google Client Library, from the preliminary setup and including the library through to actually uploading a file with the Google Drive API.
Preparation
1. First go to the Google project page and create a project. Once it is created, click "APIs & Services" in the left menu.
2. Go to the Credentials page from the left menu and create an OAuth client ID.
3. Choose "Web application" as the application type. "Authorized JavaScript origins" and "Authorized redirect URIs" correspond to the URL that sends the OAuth request and the URL that receives the OAuth result respectively; these URLs can be localhost.
4. Click "Library" in the left menu, search for the API you want to enable, and click Enable.
5. Click the OAuth client ID you just created, then click the download button next to the client secret; you will get a JSON file.
6. The setup is now complete. Next is the code side: we need to create a PHP page that sends the request.
Create a Google client object →$client = new Google\Client();
Load the JSON file from the previous step →$client->setAuthConfig("relative or absolute path to the json file");
Add the API scope to use this time; this must match the API enabled in step 4 above, and setting only this side will still not let you use that API →$client->addScope(Google_Service_Drive::DRIVE_FILE);
Add these two settings so that credentials can be refreshed automatically later; without them you have to reopen the OAuth page to authorize again after a while →$client->setAccessType('offline'); →$client->setApprovalPrompt('force');
Set the handler page in our system to redirect back to after the user grants permission →$redirect_uri = "handler page url"; →$client->setRedirectUri($redirect_uri);
Get the URL of the consent page to show the user, and redirect the user there with JS or another method →$auth_url = $client->createAuthUrl(); →echo("location.href = '".$auth_url."'");
7. Next, build the page that receives the authorization.
Testing showed that reusing the same $client object for the authorization does not work, so declare it again →$client = new Google\Client();
Add the client settings →$client->setAuthConfig("relative or absolute path to the json file");
The scope and redirect settings must be added as well.
Use the received code to obtain a token and set it on the client object; it is best to store this token separately, in a database or a file, for refreshing once the permission expires →$token = $client->fetchAccessTokenWithAuthCode($_GET['code']); →$client->setAccessToken($token);
Before use, make sure the object has not expired →if(!$client->isAccessTokenExpired())
How to refresh if it has expired →$client = new Google\Client(); →$client->setAuthConfig("relative or absolute path to the json file"); →$client->setAccessToken("token saved from the previous authentication"); →$refresh_token = $client->getRefreshToken(); →$token = $client->fetchAccessTokenWithRefreshToken($refresh_token);
Once it is confirmed not to have expired, you can use the API object for our authorized scope →$service = new Google_Service_Drive($client);
Example of uploading a file to a specified folder →$file = new Google_Service_Drive_DriveFile(); →$file->setName('test.jpg'); // set whatever file name you want here →$file->setParents(array('google folder ID')); →The folder ID is the string at the very end of the URL when you open the folder (the 18~tP string in the screenshot)
→$result = $service->files->create($file, array('data' => file_get_contents("path of the file to upload"), 'mimeType' => mime_content_type("path of the file to upload"), 'uploadType' => 'multipart')); →$file_id = $result->id; $permission = new Google_Service_Drive_Permission(array('type' => 'anyone', 'role' => 'reader')); $service->permissions->create($file_id, $permission);
Conclusion
In modern web development, the APIs Google provides are an indispensable tool. Although Google has modularized the API packages, greatly reducing the development time needed for actual use, this also makes the preparation and configuration before development more complex. Google's OAuth authentication is the prerequisite for using every API module, and a small configuration mistake can invalidate the authentication and interrupt an automated program. To help developers deal with these challenges, this article records the steps for using PHP with the Google Client Library. It covers setting up the development environment, enabling the Google API, configuring OAuth 2.0 authentication and writing the actual example code, so that readers can grasp the whole process. The purpose of this article is not only to provide a guide but also to build a reference for the development process, so that future development with Google APIs goes more smoothly and efficiently. I hope it is helpful and makes the related development work go more smoothly.
0 notes
ai-hax · 2 months ago
Link
0 notes
tefidacom · 2 months ago
Text
X has recovered after a large-scale outage
After a report of a fire that occurred earlier this week in the state of Oregon, the feed on X was not loading.
https://tefida.com/x-is-back-after-an-apparent-widespread-outage/
0 notes
govindhtech · 3 months ago
Text
Google developers OAuth 2.0 playground And OpenID Connect
Google Auth Platform usability and security updates
Millions of developers authenticate users and access hundreds of APIs using Google's identity platform. One of the largest implementations of the Google developers OAuth 2.0 playground protocol and OpenID Connect standard in the world provides developers with a reliable, secure, and easy method to interact. Google is pleased to announce significant platform usability and security improvements.
Google engineers' OAuth 2.0 playground
Simple OAuth setting in Google Cloud Console
Developers that use Google Sign-in for authentication or user consent to use Google APIs must register their applications and websites to generate client credentials. Developers utilising Google Cloud Console previously found OAuth setup pages under APIs & Services. Separate navigation for Google Auth Platform is added to these sites.
This version speeds up app configuration updates, simplifies project registration, and improves developer advice. Upcoming improvements include an improved onboarding wizard, simpler OAuth scope management, and faster, more transparent app verification.
Developers using other consoles for OAuth have the same Firebase or Apps Script experience.
OAuth client secret presentation change
Some OAuth clients require a “secret” for authorisation and authentication. Since the client secret operates like a website or application password, protecting these strings is crucial to user account and data security.
Developers could previously download client secrets from Google Cloud Console, Firebase Console, and other Google developer tools. OAuth secrets will be hidden in Google Cloud Console client administrative pages in June. Developer consoles will show the last few characters to help identify them.
OAuth client secrets must be downloaded and handled securely by developers. For this, most developers utilise Google Cloud Platform's Secret Manager. The client secret won't appear when the creation screen closes.
Never reveal OAuth client secrets that provide access to user data or other production systems online or in version control systems. If secrets leak, change them immediately and cycle them often.
Automatic deactivation of unused OAuth clients
Starting in June, OAuth clients inactive for six months will be automatically terminated to prevent credential theft and misuse. When token exchanges end, the six-month period begins.
When inactive clients are erased, developers will be notified and can recover them for 30 days.
A great experience for you and your customers
These upgrades and more planned for later this year make your experience smoother and safer, giving you more time to build great applications and websites for your consumers.
Accessing Google APIs with OAuth 2.0
Simple acts
Every Google API-accessing app utilising OAuth 2.0 follows a pattern. You take five stages typically:
The Google API Console gives OAuth 2.0 credentials.
Get an access token from Google Authorisation Server.
Review user-granted access scopes.
Give an API the access token.
Update the access token if needed.
Google APIs authorise and authenticate using OAuth 2.0. Google supports OAuth 2.0 applications for web servers, client-side, installation, and limited-input devices.
Get OAuth 2.0 client credentials from Google API Console to begin. After that, your client app requests an access token from the Google Authorisation Server, extracts it, and sends it to the Google API you want to use. Check out the OAuth 2.0 Playground for an interactive Google OAuth 2.0 demonstration using your own client credentials.
0 notes
asadmukhtarr · 4 months ago
Text
The MERN stack (MongoDB, Express.js, React.js, Node.js) is a powerful combination of technologies for building modern, full-stack web applications using JavaScript. A CRUD (Create, Read, Update, Delete) app is a basic yet essential application structure for handling data in web development. In this guide, we will walk through the process of building a simple CRUD app using the MERN stack, where users can create, read, update, and delete records in a database.
By the end of this tutorial, you'll understand how to set up the backend and frontend of a MERN stack application, create API endpoints, connect the app to a MongoDB database, and build an interactive user interface with React.
0 notes
mentalisttraceur-software · 2 years ago
Text
It really is very frustrating to try to use Tumblr through the API, because:
First you have to Register An App, even though I am a user, I am trying to just automate some workflows, I am not an App Developer making a third-party integration for others.
Then you must use OAuth. Having an API where the only authentication mechanism is OAuth should be a crime. OAuth is an okay solution for letting third-party code get credentials on behalf of users with user consent. But I am not third-party code!!! I am me, the user; my code is an extension of me, it is me, alkfsdafklsdalfsalf!
Randomly things will just fail to post. You will be told the profoundly helpful status 400, code 8001, which if we go by observation alone are the only possible numbers, and mean any possible error. "Posting failed. Please try again." Incidentally, if you are ever responsible for a "Please try again" error message for something that is not a transient error but will persistently reliably fail, we need to break out the medieval corporal punishments. Flogging. Stocks. Those little cages on street posts. And responsibility goes up the chain of command - the higher the position, the longer the punishment.
This. This will be the thing that finally drives me off Tumblr. No amount of adoring Tumblr fans will keep me if I can't reliably publish posts from the comfort of my text editor.
31 notes · View notes
nishantrana · 6 months ago
Text
Fixed – MisMatchingOAuthClaims - One or more claims either missing or does not match with the open authentication access control policy error - OAuth Authentication for HTTP Request trigger (Power Automate)
Recently while trying to invoke the HTTP Request trigger, on passing the token we got the below error from Postman: { "error": { "code": "MisMatchingOAuthClaims", "message": "One or more claims either missing or does not match with the open authentication access control policy." } } Turned out that we missed the trailing slash for the resource's value while generating…
0 notes
tkudo · 2 years ago
Link
code id_token with fragment
The main modifications related to the new security profile (private_key + PAR) are:
Mandatory encryption of id_token;
Mandatory use of Proof Key for Code Exchange (PKCE);
Removal of CPF and CNPJ claims;
Prohibition of registering rotation_access_token in DCR/DCM;
Restriction of response_type to only "code id_token";
Restriction of response_mode to only "fragment";
Restriction of subject_type to only "public".
1 note · View note
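The PKCE, response_type and response_mode restrictions listed in the post above, shown from both sides: the client builds a conforming request and parses the fragment response, and the authorization server rejects non-conforming requests and verifies the PKCE code_verifier at the token endpoint. This is an added example, not the profile's or any project's code; the nonce requirement is the standard OpenID Connect rule for a front-channel id_token rather than something the post states, and the error codes follow RFC 6749. The id_token encryption, PAR and private_key_jwt parts of the profile are not covered here.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_pkce_pair() -> tuple:
    """RFC 7636: 32 random bytes -> 43-char code_verifier, plus its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())

def build_authorization_params(client_id, redirect_uri, scope, state, nonce, code_challenge) -> dict:
    """Client side: request parameters that satisfy the restricted profile."""
    return {
        "response_type": "code id_token",        # the only response_type the profile allows
        "response_mode": "fragment",             # the only response_mode the profile allows
        "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
        "state": state, "nonce": nonce,          # nonce binds the id_token to this request
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }

def build_authorization_url(authz_endpoint: str, params: dict) -> str:
    return authz_endpoint + "?" + urlencode(params)

def validate_authorization_request(params: dict) -> Optional[str]:
    """Authorization-server side: RFC 6749 error code for a request outside the profile, else None."""
    if params.get("response_type") != "code id_token":
        return "unsupported_response_type"
    if params.get("response_mode") != "fragment":
        return "invalid_request"                 # query/form_post delivery is not permitted
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return "invalid_request"                 # PKCE is mandatory
    if not params.get("nonce"):
        return "invalid_request"                 # front-channel id_token requires a nonce
    return None

def parse_fragment_response(redirect_url: str) -> dict:
    """Client side: code and id_token arrive in the URL fragment, never the query string."""
    parts = urlsplit(redirect_url)
    if "code=" in parts.query:
        raise ValueError("response delivered in query string, not fragment")
    return {k: v[0] for k, v in parse_qs(parts.fragment).items()}

def verify_pkce(stored_challenge: str, code_verifier: str) -> bool:
    """Token endpoint: recompute S256 from the presented verifier and compare in constant time."""
    return secrets.compare_digest(_b64url(hashlib.sha256(code_verifier.encode()).digest()), stored_challenge)
```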
joelekm · 8 months ago
Text
Security Vulnerabilities in OAuth | OAuth Intro and Risks
OAuth is an open authorization protocol that allows applications to access user resources on behalf of the user, without requiring the user to share their credentials with the application. While OAuth is widely used and provides a secure way of sharing user information, there are some security vulnerabilities that can arise if not implemented correctly.
0 notes
brassaikao · 9 months ago
Text
Django - OAuth Test Sample
An OAuth sample code base based on Django. Django commands:
pip3 install django djangorestframework django-oauth-toolkit
django-admin startproject oauth_test
cd oauth_test
python3 manage.py startapp test_app
python3 manage.py makemigrations
python3 manage.py migrate
python3 manage.py createsuperuser
python3 manage.py runserver
We can test by using the Postman application. Setup OAuth in project's…
0 notes