New Developer
Posts: 70
Registered: ‎01-13-2011
My Device: Torch 9800 and Playbook
My Carrier: Rogers

Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

Hello,

One of the features that was pointed out by the development team in the webcast series as being highly desired was the ability to integrate your application with a social network.

Seeing as how most social network APIs require OAuth, I was wondering if this was even possible. I have some experience with OAuth doing desktop applications and I've found OAuth simply isn't designed for the installed-application scenario. You typically need to launch a browser and somehow monitor traffic, or use a kludgy mechanism to make your user copy and paste a code into your app after going online to authorize.

Because we can't open a browser, I'm curious if people have found a way to do OAuth.

Developer
Posts: 817
Registered: ‎11-19-2009
My Device: Z10, Q10, 9900, 9790, PlayBook,
My Carrier: T-Mobile UK, Three, O2, Orange, Sunrise, Swisscom

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

This auth mechanism is used so often by online APIs that it should be provided by RIM, or they could at least provide a documented example.

I think the best approach would be to use a PIN when possible, but I haven't tested yet if the callback approach works or not from a WebWorks app.

--
Olivier - interfaSys ltd
Developing for BlackBerry 10 devices using the Sencha Touch framework.
Developer
Posts: 669
Registered: ‎02-19-2011
My Device: BlackBerry PlayBook 32GB
My Carrier: Sprint

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

I'd give 100.000 kudos to whoever posts a tutorial / explanation on this. I looked into it for a while for Twitter and all I got was a HUGE headache.

Also, with the current insecure implementation of PlayBook apps, things are NOT safe. People would easily be able to get the private API key from your app. NOT a good thing.

Staff UI Prototyper (read: full-time hacker)


My BB10 apps: Screamager | Scientific RPN Calculator | The Last Weather App

Developer
Posts: 817
Registered: ‎11-19-2009
My Device: Z10, Q10, 9900, 9790, PlayBook,
My Carrier: T-Mobile UK, Three, O2, Orange, Sunrise, Swisscom

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

I had forgotten about that... Which means that RIM can't provide an implementation because each dev house needs to use a proxy of some sort for authentication.

--
Olivier - interfaSys ltd
Developing for BlackBerry 10 devices using the Sencha Touch framework.
Developer
Posts: 57
Registered: ‎06-15-2011
My Device: PlayBook
My Carrier: Rogers

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

How would someone get a hold of the private API key from a WebWorks app?

Developer
Posts: 817
Registered: ‎11-19-2009
My Device: Z10, Q10, 9900, 9790, PlayBook,
My Carrier: T-Mobile UK, Three, O2, Orange, Sunrise, Swisscom

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

Just like they would from any app available on App World right now which connects to social networks and 'hides' the key in the code.

1) Make a backup of the app

2) Read the source files

3) Become the app and do what you want to users that 'trusted' the app...

--
Olivier - interfaSys ltd
Developing for BlackBerry 10 devices using the Sencha Touch framework.
Developer
Posts: 57
Registered: ‎06-15-2011
My Device: PlayBook
My Carrier: Rogers

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

That's a shame, isn't it? I was trying to think up a workaround along the lines of:

  1. App is downloaded and run for the first time.
  2. App contacts remote server and requests private API key.
  3. App saves private API key to memory, which can't be downloaded and misused.

Problem is anyone could then contact the remote server and obtain that private API key. Has anyone talked to someone at RIM for a fix to this?

Developer
Posts: 817
Registered: ‎11-19-2009
My Device: Z10, Q10, 9900, 9790, PlayBook,
My Carrier: T-Mobile UK, Three, O2, Orange, Sunrise, Swisscom

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

Yep, it's a shame..., but apparently some users don't care as long as you state the problem in your EULA. Not sure Twitter would agree :D

The best way to deal with this is to use a proxy for your requests. That way the token and secret stay on the server.

--
Olivier - interfaSys ltd
Developing for BlackBerry 10 devices using the Sencha Touch framework.
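
The proxy approach suggested in the post above, sketched as an added example (not code from the thread or from any project mentioned in it): a Node.js signer that keeps the consumer secret on the server and only signs allowlisted requests. The credentials, the allowlist and the function names are constructed for illustration, and the HTTP forwarding itself is left out.

```javascript
const nodeCrypto = require('crypto');

// Constructed sample credentials; a real proxy reads them from server-side config.
const CONSUMER_KEY = 'sample-consumer-key';
const CONSUMER_SECRET = 'sample-consumer-secret';

// Only these METHOD + URL pairs are signed, so the proxy is not an open signing oracle.
const ALLOWED = new Set(['GET https://api.twitter.com/1/statuses/home_timeline.json']);

// RFC 3986 percent-encoding as OAuth 1.0a requires (encodeURIComponent skips !*'()).
function pct(s) {
  return encodeURIComponent(s).replace(/[!*'()]/g,
    function (c) { return '%' + c.charCodeAt(0).toString(16).toUpperCase(); });
}

// Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
function baseString(method, url, params) {
  var pairs = Object.keys(params).map(function (k) {
    return [pct(k), pct(String(params[k]))];
  });
  pairs.sort(function (a, b) {
    if (a[0] !== b[0]) return a[0] < b[0] ? -1 : 1;
    return a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0;
  });
  var joined = pairs.map(function (p) { return p[0] + '=' + p[1]; }).join('&');
  return [method.toUpperCase(), pct(url), pct(joined)].join('&');
}

// Builds the Authorization header the proxy attaches to one forwarded request.
// Returns null for anything outside the allowlist. token/tokenSecret are the
// user's access token pair, stored server-side after authorization.
function signProxiedRequest(method, url, query, token, tokenSecret, nonce, timestamp) {
  if (!ALLOWED.has(method.toUpperCase() + ' ' + url)) return null;
  var oauth = {
    oauth_consumer_key: CONSUMER_KEY,
    oauth_nonce: nonce,
    oauth_signature_method: 'HMAC-SHA1',
    oauth_timestamp: String(timestamp),
    oauth_token: token,
    oauth_version: '1.0'
  };
  var base = baseString(method, url, Object.assign({}, query, oauth));
  var key = pct(CONSUMER_SECRET) + '&' + pct(tokenSecret);
  oauth.oauth_signature = nodeCrypto.createHmac('sha1', key).update(base).digest('base64');
  return 'OAuth ' + Object.keys(oauth).sort().map(function (k) {
    return pct(k) + '="' + pct(oauth[k]) + '"';
  }).join(', ');
}
```

The allowlist addresses the objection raised earlier in the thread: a server that signs any request it is handed is as useful to a stranger as the key itself, so the proxy also has to authenticate its own callers.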
Developer
Posts: 817
Registered: ‎11-19-2009
My Device: Z10, Q10, 9900, 9790, PlayBook,
My Carrier: T-Mobile UK, Three, O2, Orange, Sunrise, Swisscom

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

Before I forget... I've tested various methods and it's not that difficult to do anymore (if you don't mind hiding the keys in your code).

The PIN method has always been fairly easy to implement, but the user experience isn't great :/

But now, thanks to Polar Mobile, there is an easy way to use the callback method.

Install their extension: https://github.com/polarmobile/blackberry.polarmobile.childbrowser

and then do this in your code:

1) Get the request token

2) Use the request token to send the user to the child browser window (it will cover your app)

3) Monitor for a change of location

4) If it matches your callback URL, request access token

5) Make sure that your callback URL displays a message to the user, inviting him to close the child browser window

--
Olivier - interfaSys ltd
Developing for BlackBerry 10 devices using the Sencha Touch framework.
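
Steps 3 and 4 of the post above hinge on deciding whether a new location really is the callback. An added example of a strict check (not from the thread and not the childbrowser extension's API; `CALLBACK_URL`, `checkLocation` and the sample values are constructed), which takes the location as a plain string:

```javascript
// Constructed callback URL registered for the app.
const CALLBACK_URL = 'https://app.example.com/oauth/done';

// Called on every location change of the child browser. Returns the verifier
// only when the URL is exactly our callback and carries the request token
// this session obtained in step 1.
function checkLocation(location, expectedRequestToken) {
  var seen, want;
  try {
    seen = new URL(location);
    want = new URL(CALLBACK_URL);
  } catch (e) {
    return { done: false };               // not a parseable absolute URL
  }
  // Compare origin and path exactly. A prefix or indexOf test would also accept
  // https://app.example.com.other.example/... or any page that merely carries
  // the callback URL inside its own query string.
  if (seen.origin !== want.origin || seen.pathname !== want.pathname) {
    return { done: false };
  }
  var token = seen.searchParams.get('oauth_token');
  var verifier = seen.searchParams.get('oauth_verifier');
  if (!token || !verifier) {
    return { done: true, ok: false, reason: 'missing oauth_token or oauth_verifier' };
  }
  // Reject callbacks that refer to a request token we did not issue.
  if (token !== expectedRequestToken) {
    return { done: true, ok: false, reason: 'request token mismatch' };
  }
  return { done: true, ok: true, verifier: verifier };
}
```

Only a result with `ok: true` should lead to the access token request in step 4.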
Contributor
Posts: 17
Registered: ‎07-27-2011
My Device: Torch 9810
My Carrier: Virgin Mobile (Canada)

Re: Has Anyone Implemented an OAuth Flow in a Playbook WebWorks Application

This is what I use: jsOAuth by @ByteSpider via GitHub https://github.com/bytespider/jsOAuth

Lots of documentation/examples. I tried many other libraries, and found them to be extremely bloated, and often had very little information to help you along the way.


<!--

A simple example of PIN-based oauth flow with Twitter and jsOAuth.
This is mostly based on/copied from <http://log.coffeesounds.com/oauth-and-pin-based-authorization-in-javascri>.
Get jsOAuth at <https://github.com/bytespider/jsOAuth/downloads>

-->

	$(document).ready(function() {
		var options = {
			consumerKey: 'YOUR_CONSUMER_KEY',
			consumerSecret: 'YOUR_CONSUMER_SECRET'
		};
		var requestParams;
		var accessParams;

		var oauth = OAuth(options);

		oauth.get('https://twitter.com/oauth/request_token',

			function(data) {
				console.dir(data);
				// data.text is the raw response body (oauth_token=...&oauth_token_secret=...), appended as-is
				window.open('https://twitter.com/oauth/authorize?'+data.text);
				requestParams = data.text;
			},

			function(data) { alert('darn'); console.dir(data); }
		);


		$('#pinbutton').click(function() {
			if ($('#pin').val()) {
				// URL-encode the PIN so stray characters cannot alter the query string
				oauth.get('https://twitter.com/oauth/access_token?oauth_verifier='+encodeURIComponent($('#pin').val())+'&'+requestParams,

					function(data) {
						console.dir(data);

						// Parse the form-encoded response into the accessParams declared above
						accessParams = {};
						var qvars_tmp = data.text.split('&');
						for (var i = 0; i < qvars_tmp.length; i++) {
							var y = qvars_tmp[i].split('=');
							accessParams[y[0]] = decodeURIComponent(y[1]);
						}

						oauth.setAccessToken([accessParams.oauth_token, accessParams.oauth_token_secret]);
						getHomeTimeline();
					},

					function(data) { alert('poop'); console.dir(data); }
				);				
			}
		});


		function getHomeTimeline() {
			oauth.get('https://api.twitter.com/1/statuses/home_timeline.json',

				function(data) {
					var entries = JSON.parse(data.text);
					var html = [];
					for (var i = 0; i < entries.length; i++) {
						// HTML-escape each entry: timeline content is remote, untrusted data
						html.push($('<div>').text(JSON.stringify(entries[i])).html());
					}
					$('#timeline').html(html.join('<hr>'));
				},

				function(data) { alert('lame'); console.dir(data); }
			);			
		}


	});