I have an android application that can upload files to Sharepoint. It authenticates with AzureAD. It works fine if I manually create a refresh-token, but I can't figure out how to do this in code in Android.
FYI, we also have an external web application (MVC) in which we can generate refresh tokens. It does this by following the authorization flow here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
The application follows the authorization flow by generating an authorization code, using that code to generate an access/refresh token and then retrieving the refresh token.
This proces is already complex in our web application, but we now want to implement such thing in our Android application.
My question is, how can we implement this authorization flow in an android app? When the user requests an authorization code he is automatically redirected to an azure login page. Is this also possible with an http client library in Android? Any help would be appreciated.
Related
I am building an Android App that requires users to log-in by their Facebook (so we can get their profile picture and albums). It works great by using the Android Facebook API. After I get the access token from the API, I can get the information that I want and also post feeds/photos by the App.
However, I now need to build the remote function for this App as well, which means the App should talk to our server for managing his own information and fetch other information.
I plan to manage users in our server by also the Facebook API. Specifically, I am using .net + Facebook authentication:
.net Facebook authentication
It works ok. Basically, when people(or my App) visit the url on our server, a response from Facebook will ask user to log-in and then my server can get user's identity.
My problem is, in this case, the users seem to handle the log-in "twice" (one for Android Facebook API and one for remote server Facebook API). Is there any way that I can just do it once? For example, once I get the "access token" by the Android Facebook API, can I pass that "access token" to my remote server (maybe via the post header?), and then my server will be able to talk to Facebook via the same log-in identify. (I prefer using the Android SDK because it allows users to skip entering the password if the user has the Facebook app installed)
I am wondering if anyone can give me some suggestions to achieve this function. I notice there is something called "JWT Bearer Token" seems fit my need but I am still looking for tutorials of using this with Facebook API.
I have created an Android app that uses OAuth2 authorization code flow to get an authorization code from the Facebook authorization server. This works correctly, and I am able to retrieve the authorization code in my app after the user logs in and authorises it.
I would now like to pass that code to a .NET WebApi server to complete the flow on the server to retrieve the access token and, subsequently, the user's details from Facebook. I have scoured the web for examples of how to use this code, combined with the classes from Microsoft.Owin.Security.Facebook, to complete the signin process, but I cannot find anything. Is it possible to authenticate a user using an authorization code I have already retrieved rather than the standard Microsoft.Owin.Security process of redirecting the browser to the authorization url? Or will I have to write something custom?
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I'm building an application which consists of a mobile client (Android native app) that will connect to my rails application. I need a way for users to signin and signup to my rails app using the android app. So I installed doorkeeper and devise gems on my rails app and followed the instructions here to see how things work. As you can see in the authorization code flow page there are multiple steps such as registering the client, requesting authorization, requesting the access token.
My question is how do I perform all these steps from my android app. Any help is much appreciated. Thanks
For registration (sign up) you can create a method in the user controller that does just that. Or you can customise Devise's sign_up page to look better in a mobile view and do the registration in a webview in the app.
As for Doorkeeper, either follow the usual flow as linked by you or give it a simpler approach. What I did was to
activate the refresh token - this will allow a user to get his access token and his refresh token, token used to regenerate the access token once it expires. This way you don't retain the user's login registration on your app, just the tokens.
white label some apps in config/initializers/doorkeeper.rb by using the skip_authorization to allow auto authorisation of some particular apps. You can allow auto authorisation to all the apps but I'd recommend you just whitelist some of them:
skip_authorization do |client|
whitelisted_apps = ['app1_id', 'app2_id']
whitelisted_apps.include? client.application.uid
end
I hope this helps.
Since this issue is about three technologies I'd like to quickly introduce each of them:
node.js: javascript on the server side (consider it my webserver)
PhoneGap: framework that allows me to write Android applications in HTML/Javascript/CSS.
facebook authentication: using everyauth to let my users login with their facebook account
The objective: I need my PhoneGap application to communicate with my server using a REST based protocol. Many of these requests may only be made when the user has logged in to my server, using their Facebook account. Thus, the user needs to login and then go to the logged in state of the PhoneGap application.
The issue: When I setup everyauth for facebook I basically have an URL, like domain.com/auth/facebook which will redirect to Facebook's login "popup". When the user then accepts the login, the server will know, and so far everything is good. The problem is that
the user now has to be redirected to some external URL, while he should simply get back to the PhoneGap application (in a logged-in state)
The PhoneGap app does not retrieve the authentication token, or whether authentication was successful or not, because the login process is done in the external URL domain.com/auth/facebook while the PhoneGap application's HTML is stored on and run from the phone itself
Cause of the issue: the reason this issue appears while it does not for a normal web application, is that the PhoneGap application's HTML files are stored and run from the phone itself while authentication goes through domain.com/auth/facebook, which is considered to be a different domain.
Suggested approach #1: a PhoneGap user has recommended me to use this Android-Facebook plugin for PhoneGap. The issue here is that the server does not act as an authentication middle-man. Thus, the user would have to inform the server of their authentication token instead of the normal approach where the server informs the user of a successful authentication procedure and the corresponding tokens. This seems like a severe vulnerability.
How should I tackle this issue?
With the ChildBrowser plug-in, a PhoneGap app can monitor location changes from the authentication site.
We used this approach to integrate a PhoneGap app with a node.js openid module
I have implemented one solution for Twitter using jsOauth and ChildBrowser (tut./src here) for a PhoneGap / Android app. I know this doesn't include custom registration with a nodejs server; it allows access to Twitter REST only. AFAIK this is the only way to do it currently, that is, have the child browser check each new location to see if it's your app's return-to url, then intervene (close browser window) and go to your own app.
With jsOauth library, the auth token key/secret are stored for you and sent with every request.
Re: security - No expertise here, but discussions conclude this kind of data on one's personal phone are no more at risk than everything else on the phone.
Tut. using PhoneGap / Android Facebook plugin in next on my list. Thanks for link to everyauth!