My requirement is as follows:
In my web application, users register their emailIds. I have a basic regex validation handled for that, but i also want to check if their mailIds are valid without sending a mail.
Verification should be such that when user clicks on verify-email-id in the web app, it should redirect to 2FA in gmail where the user should get a 2 digit number and the web app should also receive it, the user should then enter the number and then if it matches, add that to validated mailIds.
I have been looking up about this, but havent found much help online. Can this approach be implemented or is there any other way to programatically validate emailIds using Gmail API ?
To verify an email exists you should send an email to the account and have them click a verify email response.
Verification should be such that when user clicks on verify-email-id in the web app, it should redirect to 2FA in gmail where the user should get a 2 digit number and the web app should also receive it, the user should then enter the number and then if it matches, add that to validated mailIds.
That's not verifying an email that's verifying a google account exits. By asking the user to login to their account. What you want to do is not going to work. The login and authorization flow is handled on googles authorization server. This isn't something your going to see. Google will return to you an Id_token with claims to show you who the user is. That is all.
If you want to enable 2fa in your system your going to have to do it on your own authorization server.
programatically validate emailIds using Gmail API
This is out of scope for the gmail api. To get access to the gmail api your going to have to request authorization of the user, just to see that they have a valid email this is over kill. Even the read only gmail scope is restricted. The verification process for your app is going to be very complicated and expensive just to see if the email exits. Google probably wont approve the app anyway as this is not a valid use case for the gmail api.
Again The best way to verify an email account exists, is to send an email.
Related
I am trying to access a gmail account so I can read emails and save PDFs attached to those emails. I wrote the code and it works fine when I tested it on my personal gmail account (something#gmail.com), but now that I am trying to do it for this new address (reporting#company.com, which is a gmail business account) my code isn’t working to even connect.
I get an error message saying
Error: b’[AUTHENTICATIONFAILED] Invalid Credentials (Failure)’
I know the login email and the password are both correct. I have already downloaded the credentials.json file from the Google API page.
My code is as below:
Mail = imaplib.IMAP4_SSL(“imap.gmail.com”)
Mail.login(“reporting#company.com”,’password’)
If you're still using a password in your code, then you need to get your users to enable Less Secure Apps, or if they're using 2-Step Verification, create an App Password.
However, a better approach would be to use OAuth instead of a password. If you've downloaded the credentials.json file from the Google Developers Console, you already did the first step. :) Google has a guide to use OAuth with IMAP in Python, as well as a code sample (see the TestImapAuthentication method there).
All I had to do was enable 2-step authentication on the google account.
I am running a research project where we create the participant's Jawbone accounts. I am writing a piece of program that captures all of the participants' step counts. I am wondering how I can feed the username and password without having this page below pop up.
In essence, I want to streamline the process so that I can get the oauth access token without any user manual input. I am writing all of this in Python (Google App Engine).
The only way to avoid that page is to have already stored the OAuth tokens for the user. As part of the OAuth protocol, each user has to grant your application access to the data.
How are you planning to gather the users' accounts and credentials?
I would recommend that instead of gathering users' emails and passwords manually, you:
Build a simple sign up flow in your app according to the UP Authentication doc.
Have your users run that flow
Save their OAuth tokens for later use
I'm looking to set up Django to use OAuth2 to authenticate users for a service that I'm running, but I'm having a bit of difficulty understanding how the tokens are passed around.
I've been working my way through this tutorial: https://django-oauth-toolkit.readthedocs.org/en/0.7.0/tutorial/tutorial_01.html. I've been able to get a server up and running as the OAuth provider, and it seems to be working as it should. I'm able to log in to it and set up an application. The difficulty I'm having is figuring out how the various tokens are passed around.
Suppose that my OAuth provider is sitting on one server - let's call this Provider.com - and my service that I'm wanting authenticated is on service.com. When a user first tries to make a request to the service, they first need to authenticate against the Provider. So they click on a login button which directs them to Provider.com. They enter their credentials. If everything is set up correctly on the server, they should be presented with a prompt that gives them a chance to allow or deny Service.com from accessing their account on Provider.com. Supposing that they click Allow, they are then redirected to Service.com, and are given a token. On future calls to Service.com, they pass in the token, and are, in theory, able to make authenticated calls.
The problem I'm having understanding is this: At what point do the Provider and the Service communicate? If a call comes in to the Service, how does it know that the authentication token passed in with the call is valid? There's know way it could know that a particular token is valid unless: A) it recognizes that same token from a previous call which was also authenticated or B) it talks to the OAuth 2 provider and verifies the authenticity of the token.
A diagram like the one found here shows the process in the browser:
At the end of this, it has the Client App sending the authentication code, client id, and client secret to the OAuth2 provider. In the previously mentioned tutorial, it isn't really clear how this is actually done. In the tutorial, the provider and the service are on the same machine, and it would appear that they also share the same database.
This this brings about my question: How does one host a Django-based OAuth provider on a separate server than the resource/service being accessed? Is this possible?
From this other post, it indicates that this might not be possible: https://stackoverflow.com/a/26656538/1096385 Is that indeed the case, at least with the existing Django OAuth2 provider framework?
It depends on the oauth2 flow you're using. It seems like you're using authentication code.
In that case:
service.com sends the browser to provider.com for user authentication (uri contains service.com client_id and redirect_uri)
User authenticates on provider.com, then the browser is redirected to service.com's redirect_uri with a ?code parameter.
On your server side, handle this code parameter and ask for a token with it.
See https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps
I migrated away from Google App Engine several months ago. But I am still relying on it for authentication, because my users are identified by their user_id attribute on GAE.
For this purpose my (now external) applications redirect the user to a Google App Engine application using a encrypted, signed and timestamped login request. The GAE application then performs the login using GAE's "Users" service. After successfully being logged-in on GAE, the user is again redirected using a encrypted, signed and timestamped response to my external application.
The rudimentary implementation can be found here and here. As you can see, this is very basic and relies on heavy crypto that leads to bad performance.
My external applications, in this case Django applications, are storing the user_id inside the password field of the user table. Besides the user_id, I only get the email address from GAE to store username and email in Django.
Now I would like to remove the dependency on the GAE service. The first approach which comes to mind would probably be to send an email to each user requesting him to set a new password and then perform my own authentication using Django.
I would prefer a solution which relies on Google's OpenID service so that there is actually no difference for the user. This is also preferred, because I need to send the user to Google anyway to get AuthSub tokens for the Google Calendar API.
The problem is that I couldn't find a way to get the GAE user_id attribute of a given Google Account without using GAE. OpenID and all the other authentication protocols use different identifiers.
So now the question is: Does Google provide any API I could use for this purpose which I haven't seen yet? Are there any other possible solutions or ideas on how to migrate the user accounts?
Thanks in advance!
The best way to do this is to show users a 'migration' interstital, which redirects them to the Google OpenID provider and prompts them to sign in there. Once they're signed in at both locations, you can match the two accounts, and let them log in over OpenID in future.
AFAIK, the only common identifier between Google Accounts and Google OpenID is the email.
Get email when user logs into Google Account via your current gae setup. Use User.email(). Save this email along with the user data.
When you have emails of all (most) users, switch to Google OpenID. When user logs in, get the email address and find this user in the database.
Why don't you try a hybrid approach:
Switch to OpenId
If your application already knows the userId, you are done
If not ask the user, if he has an account to migrate
If yes, log him in with the old mechansim and ttransfer the acount
If not create a new account
Google has a unique identifier that's returned as a parameter with a successful OpenID authentication request - *openid.claimed_id* . If you switch to using OpenID you could essentially exchange the user_id for this parameter the first time a user logs in using the new method without the user noticing anything different about their login experience.
Documentation for the authentication process is outlined here. I'd recommend using the hybrid OpenID+OAuth approach so that you can associate your request token with a given id, then, upon return, verify that the openid.claimed_id matches your original request token.
I using the Python SDK (http://github.com/facebook/python-sdk/) with Google app engine.
I can post message on user wall with the self.graph.put_object function while the user is online.
How do post a message to user wall directly from the server even the user is offline?
I am assuming you know how to kick the work off and just need the calls to authenticate for the user.
Your facebook app must request extended permissions from the user.
http://developers.facebook.com/docs/authentication/permissions
offline_access
Enables your application to perform
authorized requests on behalf of the
user at any time. By default, most
access tokens expire after a short
time period to ensure applications
only make requests on behalf of the
user when the are actively using the
application. This permission makes the
access token returned by our OAuth
endpoint long-lived. NOTE: If you have
requested the publish_stream
permission, you can publish content to
a user's feed at any time, without
requiring offline_access.
Once you have done this the oauth_access_token returned from Facebook is an offline_access token and can be used anytime until the user revokes your app access or extended permission.