I am working on an Ionic mobile app and have a django backend. We currently use JWT authentication in order to access the django backend (multiple applications use this backend including a react frontend). So the current auth method needs to stay in tact.
Now that we are working on an app we want the user to stay logged in after entering his credentials once on the app. I've been researching a good way to do this all day but can't seem to find a clear answer.
What is the best option to keep the user authenticated? Should I set a high expiration on the refresh token? (Not sure if that is secure..)
Should I use session auth? I found it that Django mostly supports this on services on the same domain. Seems like you have to relax quite a few security settings which doesn't seem to be the right solution.
I am not sure where to go from here. Do you guys have any suggestions?
I have not tried using ionic but generally what you want to do is to use a HTTP Client on you application which has an interceptor that will be watching for response with 401 Unauthorized response and you can check if the Authorization Header used was of the JWT if so, the HTTP client could send a request to your jwt refresh point with the refresh token and can re-update the jwt access token on the
moble application and retry the request again.
You could store the JWT refresh token on the users device.
Related
I am working on the mobile application for android which is written in Android Studio in Java language. I would like to implement Facebook authentication firstly and then Google and I will see which else.
A lot of backout action will be carry out by backend server. I spent a lot of time to figure out the solution but I didn’t find the response which straight explant me how should I proceed with facebook Authentication and tokens.
I have already implemented facebook API (https://developers.facebook.com/docs/android ) in my mobile application. I can get access token and so on. After that I stuck and could you tell me is there any way to connect this access token which I have got on my phone which backend server? Or should start everything from the beginning and Manually Build a Login Flow?
Second question. Could you tell me if what is correct and the easiest way to connect Mobile App, Backend Server and Facebook authentication?
I would like to have something like that I know that comparing access token is not acceptable but can you tell me how to do it?
Facebook API with application server
Make a Login flow as below
Send token-to-inspect(access token), user facebookID and remaining user data to your server
On server side check the response for access_token from the Step 1
https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app_id}|{app_secret}
Note that a sign "|" in the above URL isn't used as OR but as a separator and must be there after filling the other fields.
Also don't send app_id, app_secret from the app, keep them on the server side only.
If in response you get the same user_id, is_valid, application then it is a valid user else not.
After verifying in Step 3 give user your own auth_token for accessing app resources
Also, check out Firebase Authentication and Firebase ADMIN to make this flow safe/secure and developer friendly.
Hope this helps
For a quick project for a hack week me and my team implemented Google Sign-In as registration/authentication for users. The way it works:
User signs in with SDK on client (Android + iOS) and requests access_token
Client receives acces_token and uses that token for each network request to the backend as a query parameter
Our backend does not interact with google services on users behalf
The problem I'm facing is that the provided access_token returned by the google SDK is short-lived (60 minutes). That basically leads me to two questions/problems:
Is the short-living access_token even meant to be used that way?
I am used to another flow where you just use that returned token by google or any other auth provider to authenticate with your backend and then use your own authentication mechanism (probably token based as well).
If I am wrong about 1. then what is a good practise to refresh the token on the client side as it expires every 60 minutes. The way I understand it is that Google SDK starts an activity for result to sign in and I would rather want to handle all the networking in my data layer without context. Do I check the validity of that token before I request the backend every time or do I start some kind of refreshing after I get a 401 response back or something similar?
I am somewhat new in that space and I had quite some discussion about what is right and wrong with the backend guy in our team. I'm thinking number one is right, he says number two. I might be terribly wrong here. Some nice input or resources would be awesome as all the documentation online just don't answer both of those questions.
Do one thing use your google provided access token to generate a new access token in your backend and send this token on login/signup to client. Now your every request will use this token to identify users and keep track of everything.
This will not expire too. I used this in my app and it works flawlessly.
I am getting into Android development for the first time and am having a blast, of course. I do have a question, though, about the general approach to authentication (for dealing with a backend).
To begin, here is, in a nut shell, what I have worked out.
Using google's documentation (link), I authenticate the user using the google sign in api. I have put the logic mentioned in the reference in my app's main activity. After the onConnected method fires, I have a successfully connected GoogleApiClient.
With the now connected GoogleApiClient, I use a call to GoogleAuthUtil.getToken to get an oath2 token that I use to authenticate requests to my backend. Basically, any time I make an HTTP request to my backend, I include this token as a header. My backend reads this token and uses the Python API google provides for verifying this token. In the backend, I use the email that is embedded in the (now parsed) token to make sure the user to whom that oauth2 token was issued is, in fact, a user of my system.
Now, here are the questions. First, does this sound like a reasonable approach to authentication on the Android platform? What might I be missing? What could go wrong?
The second question is a bit more direct. When I get the oauth2 token from the client app, I store it and use the same token each time an HTTP request to a secured resource is made. Eventually, of course, the token will expire. From some limited testing using the Android emulator, it seems that if I shut down the application and restart it, I am getting the same, expired token back using the GoogleAuthUtil.getToken, rather than getting a fresh token with a new expiration in the future. In my tests, I have had to restart the emulator in order to get a token with a correct expiry. Am I mistaken here? Is there something special I need to do to tell the Google API to issue me a new token? Do I need to disconnect the GoogleApiClient and reconnect it? I hope to avoid doing this in order to limit the number of activities that need to carry the callbacks required to complete this process.
Any words of wisdom here will be greatly appreciated!
after you have got your token you can use Validate Token, and if it responses with an error: 'invalid_token', you can use GoogleAuth.clearToken(Context context, String token) to clear the token and get a new token with the method you are using to get auth token.
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I'm writing an Android application that I want to be able to send requests to a Google App Engine application. In order to do this, the Android app needs to authenticate the user (should be able to just use their Google Account). I'm not sure I'm doing it right, but this is the only way I've found so far:
Post email, password, etc. to https://www.google.com/accounts/ClientLogin
Obtain an authorization token from the aforementioned address
Use the authorization token in the header of the requests to the AppEngine application
But this isn't working (users.get_current_user() still returns None). Is there a right way to do it?
The approach you describe is almost correct. Instead, you need to:
Submit the credentials to ClientLogin and get back the authorization token.
Submit the authorization token to /_ah/login and get back a cookie (and 302 redirect).
Use the returned cookie on all subsequent requests.
This is the process appcfg uses - see appengine_rpc.py for an example of how to use it (and a module you can use, if you're using Python) - specifically, the _Authorize function.