I need to send post request to get token from here https://developers.google.com/android-publisher/authorization
But on step 4 I don't have client_secret
I have code / client_id / redirect_uri the JSON does not have it
The most recommended mobile solution is to use AppAuth libraries, which involves these 2 steps:
Use Authorization Code Flow (PKCE)
Login via System Browser (Chrome Custom Tabs)
In this case the request to get a token uses a runtime code_verifier rather than a client_secret. My blog posts and code sample may give you something to compare against, but mobile OAuth can be quite intricate.
Google Mobile OAuth
Google generally recommend AppAuth for mobile logins. The playmarket API is just a scope value, so I see no reason why it wouldn't work.
References to client secrets in the Playmarket page may just be incomplete documentation. I haven't used this particular API but have used similar Google resources.
Quick Next Steps I'd Recommend
Try running the Google AppAuth sample - this blog post of mine makes this very easy.
Then repoint the sample to your Google Auth Server and add the Playmarket scope. You should then get a token and be able to successfully access Playmarket resources.
If there are no problems, integrate the solution into your own app. If you run into usability problems, have a read of my blog posts.
Coding Aspects
Not sure what language you're using, but my Kotlin sample code uses the libraries with a modern async await syntax.
Related
I'm creating an Android application for my employee that will require the sales people to login using Okta authentication (I plan on using their authentication api). My question is on how to secure the WEB API my code will be calling from the android app. Should I use Okta's OAuth implementation to do this?
What I was thinking was if I use Okta's authentication (to have them login), I can also call the OAuth API to retrieve a token and then an access token. I could then lock down the API by checking the access token I received from Okta.
Do you think this is the best way to do this using Okta?
Thanks!
08/18/2016 update: we now have a Xamarin code sample available at https://github.com/raphaellondner-okta/okta-oauth-xamarin-android-customtabs
As of 08/18/2016, you will need a slightly modified version of IdentityModel.OidcClient (https://github.com/raphaellondner-okta/IdentityModel.OidcClient/tree/rl-pkce-secretless) to make it work with Okta and PKCE. Hopefully these proposed changes will make it to the master branch soon.
Original answer:
I suggest you take a look at our OAuth Android sample available at https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android (we leverage AppAuth to achieve both the authentication with Okta and the authorization using OAuth and our OAuth features).
We do not yet have a Xamarin sample available yet, but the general idea is to leverage the OAuth authorization code flow using an embedded browser to call the Okta /authorize endpoint, grab the code that's returned from Okta in the browser response url (as a fragment) and pass it on to your mobile app to exchange the code for an access token.
Our OAuth features are still in beta so if need access to them, please contact us at developers at okta dot com.
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
I'm trying to get OAuth2 working with Django to allow access to an API without having to log in with Django credentials. I'm using django-tastypie for the API and django-oauth2-provider for the OAuth2 authentication. It's all being tied together using this post as a guideline.
I've gotten the basic OAuth workflow to work (exactly the same as in the "Testing the Provider" section of the blog post above) but obviously with my own model and username/password. I now need to get this working on Android, but I've run into a snag with the client_secret.
The recommendation seems to be to not have the client_secret stored on or transmitted to the android device since it won't always be secure. I found this post suggesting that for mobile devices there is an OAuth flow allowing OAuth authentication without having to use the client_secret (under the section conveniently titled "Mobile Apps"). I can get the grant code using the url ending in "/oauth2/authorize?response_type=code&client_id=XXXXXXXXXXXXXXXX" but when I attempt to use get the authorization_token with the returned code, I still have to provide a client_id and client_secret. This seems to be because of django-oauth2-provider always requiring the client_id and client_secret.
My question, then, is how can I get the authorization_token without having to store the client_secret on the Android device or sending the client_secret as POST data? I've found this question, which seems similar and helped me figure out how to get the grant_code back, but I can't find anything about getting the authorization_token without the client_secret.
If that isn't possible, how can I automatically get the client_id/client_secret to the device and what are suggestions for securing it?
Users of my Rails app can authenticate in one of these 2 manners:
Using their Facebook account
Using our own authentication
I'm using Facebook SDK on Android and devise and omniauth on Rails.
How do I authenticate against my Rails app on Android so I can then fetch the information I need from the server?
NB: I've noticed this question is getting a fair amount of views recently. Please don't follow the advice given in this thread too closely -- the web moves fast and it dates from 3 years ago!
This can be done using the fb_graph gem (not fbgraph!).
You can just add it to your gemfile and do
user = FbGraph::User.me(token).fetch
where token is the oauth token you got by using, for example, the Facebook SDK on Android.
user.email will be the user's email address (if you set up the necessary permissions).
You can use this URL for testing:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=https://www.facebook.com/connect/login_success.html&response_type=token
That totally depends on how your authentication system works. You will need to create an API on your server to handle communication from the Android app and pass information between both using the API.
Niraj Shah is completely right, though the answer might not be detailed enough for you. For an in-depth answer to your question, have a look at Securing an API railscast by Ryan Bates that has been released only recently. It covers HTTP Basic Auth.
You might also want to have a look at the more advanced option to secure your API / provide registered users access to their data. There's a railscast about this one as well here: http://railscasts.com/episodes/353-oauth-with-doorkeeper - though it's a pro episode, so you need to sign up for it in order to watch it.
Francisco, I have the exact same need.
The devise scenario using token_authenticatable seems straightforward and shouldn't be a problem but I'm not sure the best way to handle the Facebook scenario. On the web side, for FB auth I'm using omniauth-facebook as documented here: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview. I think this uses OAuth with FB as a provider so it's a good possibility that the latest RailsCast about doorkeeper securing an API with OAuth should do the trick. I haven't tried it yet but will do so soon unless you beat me to it. Here is the link: http://railscasts.com/episodes/353-oauth-with-doorkeeper.
I have an Android / GAE application. We need to validate the Android user against GAE using OAuth.
We're currently using the Signpost library for this.
We've run through lots of the samples out there and we do seem to get a correct token.
Our problem is once we go to use that token to on our site - we get a 401 - Authorization Failed. The trace from GAE is below:
##TRACE## APIBase:: authenticate() InvalidOAuthParametersError!
The client provided OAuth parameters with the request, but they are invalid.
We've tripple checked our consumer keys, and the other information and we don't know really where to do from here.
Does anyone have any Android to GAE examples that they've used successfully?
Thanks
I learned a lot from the Android2Cloud guys
You can see how they do it at http://code.google.com/p/android2cloud/