I am trying to add the "Microsoft" sign in method to my Firebase project, with the hope of allowing users to login to my Android app using their Azure AD credentials. I already have everything set up to use the "Email/Password" provider, which is working well.
I don't plan on accessing any Azure APIs, I just need to authenticate a given user so that when an organization terminates said users account, he is no longer able to login to my app.
I am following https://firebase.google.com/docs/auth/android/microsoft-oauth this guide. I have registered an app on my Azure AD, set it to allow accounts from any organization as well as personal accounts, and added the client ID and secret to my Firebase project. I have also added the redirect url from the Firebase project to the App registration on Azure.
I start the login process using startActivityForSignInWithProvider like in the example. The chrome tab loads and takes me through the entire authentication process. The problem is this always returns a failure with the exception Error: (invalid_client) AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented'
This is confusing, since, in order to enable this sign-in provider on Firebase, you are required to enter the client ID and client secret.
I've tried with the app registration setting "Treat application as public client" set to Yes and No. I've also tried with a blank scopes collection and adding 'openId' to the scopes as a stab in the dark.
I'm a bit out of my depth with this Microsoft Authentication stuff, so any nudge in the right direction would be greatly appreciated.
Register the app in Azure as web app instead of Native App. Because the URL provided by Firebase is for Web App. Hope this helps.
Related
I am trying to add the "Microsoft" sign in method to my Firebase project, with the hope of allowing users to login to my Android app using their Azure AD credentials. I already have everything set up to use the "Email/Password" provider, which is working well.
I don't plan on accessing any Azure APIs, I just need to authenticate a given user so that when an organization terminates said users account, he is no longer able to login to my app.
I am following https://firebase.google.com/docs/auth/android/microsoft-oauth this guide. I have registered an app on my Azure AD, set it to allow accounts from any organization as well as personal accounts, and added the client ID and secret to my Firebase project. I have also added the redirect url from the Firebase project to the App registration on Azure.
I start the login process using startActivityForSignInWithProvider like in the example. The chrome tab loads and takes me through the entire authentication process. The problem is this always returns a failure with the exception Error: (invalid_client) AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented'
This is confusing, since, in order to enable this sign-in provider on Firebase, you are required to enter the client ID and client secret.
I've tried with the app registration setting "Treat application as public client" set to Yes and No. I've also tried with a blank scopes collection and adding 'openId' to the scopes as a stab in the dark.
I'm a bit out of my depth with this Microsoft Authentication stuff, so any nudge in the right direction would be greatly appreciated.
Register the app in Azure as web app instead of Native App. Because the URL provided by Firebase is for Web App. Hope this helps.
We built two native apps (1 Android and 1 iOS) that use AADB2C. When users need to login/register, they go through a series of AADB2C webviews. We also enabled social login through Facebook by configuring a Facebook App in AADB2C. This works, as in, users can login with Facebook, but this is also done in the webview, meaning they need to type login and password explicitly here.
Is there some way to leverage the native Facebook Login? This would make logging in and registering a lot more user-friendly?
By the way: Firebase Auth achieved this by triggering the Facebook App from the webview - so it should be possible.
You can use ROPC flow with AD B2C to achieve the same.
The resource owner password credentials (ROPC) flow is an OAuth standard authentication flow where the application, also known as the relying party, exchanges valid credentials such as userid and password for an ID token, access token, and a refresh token.
Here is the announcement for the same:
https://twitter.com/codemillmatt/status/994927109503160320?s=21
In Azure Active Directory (Azure AD) B2C, the following options are supported:
Native Client: User interaction during authentication happens when code runs on a user-side device. The device can be a mobile application that's running in a native operating system, such as Android, or running in a browser, such as JavaScript.
Public client flow: Only user credentials, gathered by an application, are sent in the API call. The credentials of the application are not sent.
Add new claims: The ID token contents can be changed to add new claims.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc#implement-with-your-preferred-native-sdk-or-use-app-auth
Hope it helps.
I am using Firebase SDK for authorising user on the Android app for a project which is on App Engine and already using many of the GCP and`G-Suite functionalities.
The web application relies on getting offline access to the user's Google Account.
The Android app is trying to use the same backend APIs that web front end is using. For this, I am sending the ID token of the user to backend.
The problem is that this ID token expires after some time and I am forced to re-authenticate the user to get the new ID token. Initially, I wanted it to not expire or generate a new ID token automatically on the Android app itself, but then I checked the OAuth2 documentation for this, which mentions the following statement -
It is important that the Android app never attempt to exchange the
code for a refresh token on its own. This would require that the app
store the server's client ID and client secret. Including these in
your Android app is insecure, because apps can be easily decomposed.
The recommended flow is mentioned there, but I couldn't find anything which can help me do the same using the Firebase Android SDK.
Is it possible to get the authorization code using Firebase which can be later exchanged for refresh token by the backend? If yes, then can you point me to correct documentation or code example for the same?
I want to add an authentication with email and password in android app with back end on Azure(use Node.js). I read an article about custom user authentication, but there is no anything about how to do it in android app. I try to use this tutorial, but maby it is too old becouse code from it is not compiled. So, who knows how to do it?
For Authenticating users, you can refer to the section How to: Authenticate users of the offical doc How to use the Android client library for Mobile Services, and the doc Add authentication to your Mobile Services Android app (JavaScript backend) shows more details.
The two topics show you how to authenticate users in Azure Mobile Services from your app with one or more of the following authentication providers: Google, Facebook, Twitter, Microsoft & Azure AD. I recommend you can try to do these authentication with OAuth.
If you have to authenticate with email and password, I think you can try to create a user table store for user email & password.
For example, creating a Mobile Service table and using the tables object & table object to retrieve users for authenticating users.
I'm building an application which consists of a mobile client (Android native app) that will connect to my rails application. I need a way for users to signin and signup to my rails app using the android app. So I installed doorkeeper and devise gems on my rails app and followed the instructions here to see how things work. As you can see in the authorization code flow page there are multiple steps such as registering the client, requesting authorization, requesting the access token.
My question is how do I perform all these steps from my android app. Any help is much appreciated. Thanks
For registration (sign up) you can create a method in the user controller that does just that. Or you can customise Devise's sign_up page to look better in a mobile view and do the registration in a webview in the app.
As for Doorkeeper, either follow the usual flow as linked by you or give it a simpler approach. What I did was to
activate the refresh token - this will allow a user to get his access token and his refresh token, token used to regenerate the access token once it expires. This way you don't retain the user's login registration on your app, just the tokens.
white label some apps in config/initializers/doorkeeper.rb by using the skip_authorization to allow auto authorisation of some particular apps. You can allow auto authorisation to all the apps but I'd recommend you just whitelist some of them:
skip_authorization do |client|
whitelisted_apps = ['app1_id', 'app2_id']
whitelisted_apps.include? client.application.uid
end
I hope this helps.