So here's my situation. I'm trying to build a very basic app on Android Studio that requires a sign in and a registration page. Both pages prompt the user to insert their username and password. What I want to happen next is that when a user goes to the registration page and inserts a username, I want the program to check if it's unique or not. If it is, I want the program to essentially store the registration data for future use. So when a user wants to sign in, they can only sign in using a registered username, and they can only access the account if it's accompanied by the right password. I tried looking up tutorials online, but I couldn't find anything that fits what I'm looking for. Any ideas? Tips? Tutorials? Pointers? All would be greatly appreciated.
When using OAuth we are using a third party to take care of the authentication of a user.
E.g. when using Facebook we “register” our app with Facebook and when a user of our app tries to login instead of providing to the app his credentials he logs in using his Facebook account.
What I don’t understand is why does the app trust the user? All the app knows is that the user is trusted from Facebook as he has an account there. How can we trust that the user should really access the app?
In this case the "user" you are providing services to is the Facebook/Google/Instagram/etc. account. From your perspective, you do not care who the person typing the credentials in is.
Normally, all you know is that the person who logs into your app knows the user name and the password for the account. In the external validation case, you know that the person has this specific login for fb/google/inst and knows the password associated with it.
Please keep in mind that in most cases (local or external validation), you do not know the person associated with the account (unless you have some method of personal validation, like a credit card or sending a traditional letter with some auth). All you know is that the person who logged in knows the credentials.
Technically, each of those accounts (fb, google, inst) is a separate "user", and your local credentials login is a different one yet.
The whole concept is about user convenience really, plus some additional benefits like having the user data stored and maintained by someone else, additional security and so on.
That said, it is still totally fine if you stick to the "local" credentials method, just make sure it is secure :-)
EDIT:
A simple example:
Your app has two login options - a simple login with password and login with Google.
You also have a user, John Smith.
John opens your app, which requires login and has some sensitive data connected with each account.
Scenario 1. John selects standard, "local" login option and logs in using his credentials JohnSmith1111 and password 12345. John is now able to display the data associated with the account JohnSmith1111.
Scenario 2. John selects log in with Google. He is redirected to the login page, authenticates there and returns to your app. Your app is notified that the user google_john_smith has successfully authenticated. John is now able to display the data associated with the account google_john_smith.
The point is that the account validated using those login options is not the same! There is no "trust" issue here.
I am new to authenticating through social networks on Android, so pardon me. I created an activity with which I can log in through Facebook and Google. I am planning to do this: when the user comes for the first time, ask him to log in through Google or Facebook; once he does, let him go to other activities. How do I handle the scenario when the user closes and restarts my app? I want my app to work both offline and online.
Method 1: I am planning to store a bit in my SQLite DB which notes whether the user signed in through any social network; if he has done so, then go ahead. Don't open the login page multiple times and directly give the user access to other pages. The problem with this approach is that if I want the user to publish on his wall then I need to get him to log in again before publishing (if the session token expires). The rest seems fine. Also I will provide him a sign out button with which I will clear this bit for the next login.
What do you guys think about this approach? How do other people do this in their apps with multiple activities? Assuming this approach works fine if we don't need to access Facebook/Google again and just need to get basic user data to let him log in. Drawback: even if he removes my app from his Facebook/Google account, I give him full access until he logs out.
Method 2: Always on app start I check if Facebook has session.isOpen() or myGoogleClient.isConnected(). If either of these gives true, I let the user go into my app. Make sure which network the user logged in with and show him the log out button of that network. This check will only come when the user restarts his app. Once the user logs in, is he always logged in or does he see a lot of login pages? I feel this approach is better.
Do I need to check for the session open condition in each activity when transitioning through activities?
Any suggestions on what approach is used by different apps? I want my app to be accessible for data in offline mode, but still let the user access online features when he is online.
Even when he is logged in with Google, I want him to publish on his wall with Facebook login, so I will ask him to do so if he clicks on the publish button; this way at times I have both logins and will choose either of them.
Please show me directions. I tried to find this on the net and reached the above conclusions, but I am not able to finalize the right approach.
I'm trying to integrate an existing login system for a mobile application with some social media sign-in solutions. I successfully managed to integrate both Facebook and Google+ sign-in with my app and I get to the point where the users are signed in and I can get their social information.
But now I was left wondering which would be the best approach in order to integrate users that decided to use a social media account with my native login system. Should I use their email accounts as login and maybe generate a password on the server side? Or maybe use an OAuth token instead of a password?
I need to keep track of my users, even the ones that did not formally fill in a registration form. So what should I place instead of email + password?
This can be tricky - the majority case is easy, but you need to think about the edges. I find it easier to consider email/password as just another authentication mechanism. You want
A user record with the core data about that user (perhaps name, email address, app specific profile data etc.)
A series of records for their connected auth methods, e.g. Google+, Facebook, user/pass.
The connected auth methods can store the relevant information for those methods - e.g. for Google it would likely be Google user Id and perhaps refresh token if using offline access. This makes it easy for you to offer connecting multiple social accounts.
Password may be a special case that you want to store against the original user record. In that case, if someone signs up using a social login, then you can either generate a random password, or leave it null. Either way, as long as you request the email address for the user, you can always let them go through a Forgot Password flow (where you generate and email them a password) if they want to access their account but no longer have their 3p login.
What you don't want to do if avoidable is to force the users to give you a new password just after they sign in. However, if you are allowing multiple login methods to be associated with one account, you might want to allow associating them. So, your flow might be:
User signs in (with 3p or email/pass)
If you have a record for that login method (e.g. matching Google or Facebook user id, matching email/pass combination), sign the user in, and you are done.
If you have no matching record for that sign in method:
See if you have a matching email address with an existing user account. If you do, some sites automatically merge the new login method to this account. If privacy/security is more of a concern you might want to confirm the user wants to login to that account, or make them go through a 1-time validation (e.g. "it looks like you've signed in with a password before, please enter your password now to link your account and your Google account" etc.). Then link the accounts and continue as if signed in.
See if you have an account which may be that person. E.g, perhaps you have an account with a matching name. In that case, you might want to hint the user to connect their accounts (e.g. a prompt somewhere that says "have you connected before with Facebook? Click here to link these accounts" which then takes the user through a sign in process for the login method you suspect they might have).
If they look totally new, create a new user record, and treat them as newly signed up.
It's significantly easier if you can treat email address as a unique field. That means if someone signs in with a 3p account associated with an email address you already have a user for, you might have to force them to link their account before continuing. If they didn't want to and you required an email address, you could prompt them to enter one manually and then validate it as normal by sending them an email and having them confirm it.
ChrLipp's links are good, also take a look at the guide for using FB and G+ together on the Google Developers site: https://developers.google.com/+/best-practices/facebook
How did you implement the social media sign-ins? For example Facebook: did you use Login for Android? In this case the docs say under Checking login status:
Apps using our SDKs can check whether someone has already logged in using built-in functions. All other apps must create their own way of storing when a person has logged in, and when that indicator is not there, proceed on the assumption that they are logged out.
And if you follow the link to Storing access tokens and login status you can read:
The token should be stored so it's available to all parts of the app when it makes API calls. ... If you're building a ... mobile app, then you should use the datastore available to your app. Also, the app should store the token in a database along with the user_id to identify it.
Have an enumeration (NativeLogin, Facebook, GooglePlus) and depending on this enumeration the following information:
NativeLogin
UserName, Password
Facebook and GooglePlus
Facebook or GooglePlus ID and their User Access Token
In all cases you should store the email address you get in an additional field.
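The two answers above describe the same server-side design: one user record, one record per connected auth method keyed by the provider's own user id, and a sign-in flow that falls back to an email match which the user confirms before the accounts are linked. The following is an added example implementing that flow; it is not code from either answer, and the provider names, ids and email addresses in it are constructed sample values. It deliberately keys methods by (provider, provider user id) rather than by email, and treats an email match as a proposed link that must be confirmed, rather than auto-merging.

```python
"""Account store with one user record and several linked auth methods.

Added example, not code from either answer above: it implements the flow
those answers describe (look up the method, fall back to an email match that
must be confirmed before linking, otherwise create a new user). Provider
names, ids and emails are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    user_id: int
    email: str
    name: str
    # Only users who registered with a password have one; social-only users keep None
    password_hash: Optional[str] = None


@dataclass
class AuthMethod:
    provider: str           # "password", "google", "facebook", ...
    provider_user_id: str   # the provider's stable id; the email for "password"
    user_id: int


class AccountStore:
    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        # Keyed by (provider, provider_user_id), never by email: emails can change
        self.methods: Dict[Tuple[str, str], AuthMethod] = {}
        # Proposed links waiting for the user to prove ownership of the existing account
        self.pending_links: Dict[Tuple[str, str], int] = {}
        self._next_id = 1

    def _find_by_email(self, email: str) -> Optional[User]:
        email = email.strip().lower()
        return next((u for u in self.users.values() if u.email == email), None)

    def sign_in(self, provider: str, provider_user_id: str, email: str, name: str) -> Tuple[str, int]:
        """Returns (status, user_id); status is "signed_in", "link_required" or "created"."""
        key = (provider, provider_user_id)
        if key in self.methods:
            return "signed_in", self.methods[key].user_id
        existing = self._find_by_email(email)
        if existing is not None:
            # Same email as an existing account: do not auto-merge, ask the user to confirm
            self.pending_links[key] = existing.user_id
            return "link_required", existing.user_id
        user = User(self._next_id, email.strip().lower(), name)
        self._next_id += 1
        self.users[user.user_id] = user
        self.methods[key] = AuthMethod(provider, provider_user_id, user.user_id)
        return "created", user.user_id

    def confirm_link(self, provider: str, provider_user_id: str, user_id: int) -> bool:
        """Link the new method after the user proved ownership (e.g. entered their password)."""
        key = (provider, provider_user_id)
        if self.pending_links.get(key) != user_id:
            return False
        self.methods[key] = AuthMethod(provider, provider_user_id, user_id)
        del self.pending_links[key]
        return True

    def methods_for(self, user_id: int) -> List[str]:
        return sorted(m.provider for m in self.methods.values() if m.user_id == user_id)


def demo() -> dict:
    store = AccountStore()
    s1, john = store.sign_in("password", "john@example.com", "john@example.com", "John Smith")
    # John returns via Google: same email, but no record for this method yet
    s2, target = store.sign_in("google", "g-1001", "john@example.com", "John Smith")
    # Until confirmed, the Google method still does not open John's account
    s2b, _ = store.sign_in("google", "g-1001", "john@example.com", "John Smith")
    wrong = store.confirm_link("google", "g-1001", target + 99)   # wrong account: rejected
    linked = store.confirm_link("google", "g-1001", target)
    s3, who = store.sign_in("google", "g-1001", "john@example.com", "John Smith")
    # A different email is a brand-new user
    s4, jane = store.sign_in("facebook", "fb-77", "jane@example.com", "Jane Roe")
    return {
        "first": s1, "second": s2, "before_confirm": s2b, "wrong_confirm": wrong,
        "linked": linked, "after_confirm": s3, "same_account": who == john,
        "john_methods": store.methods_for(john), "new_user": s4, "distinct": jane != john,
    }


if __name__ == "__main__":
    print(demo())
```

The in-memory dictionaries stand in for the "user" and "auth method" tables; the point of the example is the status returned at each step, in particular that a method matched only by email never signs the user in until `confirm_link` has run for the right account.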
I am working on an Android app project in which the user has two options, Sign In and Sign Up.
I have got a few questions:
1- In the Sign Up Activity, how can I store the data of the user?
2- In the Sign In Activity, how can I check that the entries entered by the user are correct and that the user already has an account with us?
3- In the Sign Up Activity, the data entered by the user should come to me, so that I will be able to contact the user of my app.
I searched over the internet, and the outcome is that I have to use SQLite Database.
Kindly guide me about this process.
Thanks in Advance.
p.s like Facebook, we have to sign up for creating new account and sign in, I want to create this type of app.
1- In the Sign Up Activity, how can I store the data of the user?
You need to maintain a database for this. Read this tutorial: data storage tutorial
2- In the Sign In Activity, how can I check that the entries entered by the user are correct and that the user already has an account with us?
Now, you need to check with your server and do the authentication part. You need to incorporate web services and use Android network modules. network operations
3- In the Sign Up Activity, the data entered by the user should come to me, so that I will be able to contact the user of my app.
Just keep track of the TextView where the user types the uname and pwrd. Check the TextView APIs
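The first question on this page and the one just above ask the same thing: store registration data, reject a username that is already taken, and let a user in only with a registered username and the right password. The following is an added example of that check, not code from either asker or from any Android library; it is platform-neutral Python over SQLite so that it runs anywhere, and the table design and checks are the same whether the database lives on the device or behind the server the answer mentions. The usernames and passwords in it are constructed sample values.

```python
"""Sign-up / sign-in against a SQLite table with salted, iterated password hashes.

Added example (not code from the question's author or an Android library).
The database enforces username uniqueness; passwords are never stored, only a
per-user salt and a PBKDF2 hash; sign-in fails the same way for an unknown
username and a wrong password so the response does not reveal which it was.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY COLLATE NOCASE,"  # unique, case-insensitively
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    return conn


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Create the account; False if the username is taken or the input is unusable."""
    if not username.strip() or len(password) < 8:
        return False
    salt = os.urandom(16)                      # fresh random salt per user
    try:
        with conn:                             # commit on success, roll back on error
            conn.execute(
                "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                (username.strip(), salt, _hash_password(password, salt)),
            )
    except sqlite3.IntegrityError:             # PRIMARY KEY violation: name already exists
        return False
    return True


def sign_in(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """True only for a registered username with the matching password."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username.strip(),)
    ).fetchone()
    if row is None:
        # Do the same amount of work as for a real user so timing does not leak existence
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one
    return hmac.compare_digest(_hash_password(password, salt), stored)


def demo() -> dict:
    conn = open_db()
    return {
        "first_register": register(conn, "alice", "correct horse battery"),
        "duplicate_register": register(conn, "Alice", "another password"),  # same name, other case
        "right_password": sign_in(conn, "alice", "correct horse battery"),
        "wrong_password": sign_in(conn, "alice", "wrong password"),
        "unknown_user": sign_in(conn, "bob", "whatever password"),
    }


if __name__ == "__main__":
    print(demo())
```

The uniqueness check is left to the database's primary key rather than a "SELECT then INSERT" pair, so two registrations racing for the same name cannot both succeed; on Android the same constraint works in the app's SQLite database, and on a server it also keeps the stored hashes useless to anyone who copies the table.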
I have a question about the Login with Facebook feature that some apps have. Here's my scenario:
I currently have an Android social networking application that has its own user database and login system and users have their own username, bio, etc, and I would like to include the option for Facebook login. Currently, when a user wishes to sign up to use the app, they have to enter a new unique username/password/email and that username is then used for further requests to the database from the app and is required. So basically I have a few questions:
I know I can get the FB email for a user and use it in the sign up process but what about the username/password combination - should I ask for them separately?
Assuming that the sign up with FB is complete, when the user logs in with facebook how would I know the username? (I am guessing that I could use the email address to verify this, right?)
So I guess my main problem is how to get a username/password combination upon signup/login from facebook. Any help/suggestions are much appreciated :) Thanks
(I know that this has probably been asked a million times before but I couldn't find a good explanation/resolution to the problem and since I have a username, instead of an email address, as the user identifier, I think this complicates things a bit)
Answering question 1, I'd say that the Facebook password will be the password you are talking about. Just that Facebook will store it, so you must allow the Facebook users to not have a password in your database.
The question about the username is more complicated to answer, and I guess it should be you who has to answer it. But I'd use his/her Facebook name, as I saw on many applications where I use Facebook login.
So, as a summary:
The email will be the one which is related to the Facebook account
The username will be the name related to the Facebook account
The password will be the password related to the Facebook account
So, you have a problem right now at your database, because you wanted a unique username, password and email. Right now, you could have duplicates, since it could be possible that a user uses his email and his Facebook account (with the same email). So, I'd use either 2 tables, "FacebookUsers" and "Users", or a single table with a new field that will distinguish the Facebook users from the regular users.