My flutter app currently uses OAuth to authenticate users. I am using the Resource Owner Password grant. I want to add biometric authentication to the app (finger/face id).
What is the approach when adding biometric authentication to an app which still needs to do OAuth in the background? Do I store the UID and PWD in a secure location and use it int he background to authenticate against OAuth? What is the most secure pattern for this scenario?
you usually store a session token returned from the OAuth system that you check every so often for expiry, you don't save the User/Password with OAuth systems
Related
I have an Android app that allows users to interact with a third-party service via their API. This API makes use of Basic Authentication, so I need the user's username and password for every API call. Ideally I don't want to store the user's credentials locally as this is very insecure. I don't know much about authentication but this is what I think my ideal solution would be:
The user provides their credentials to this service once for verification
Once verified, I send the user's credentials to a backend service to store them, which gives me an auth token. I store this token locally (is encryption important here?)
Whenever I want to make future calls to this service, I use this auth token to talk to the backend service, which provides me with the user's username/password for Basic Authentication to make API calls
Is this a good solution? If so, are there backend services in place that I can use to facilitate this process? I've looked at Firebase Authentication but I don't know if it fills my needs as I'm trying to store credentials for a third-party service, not specifically for my app. I've heard of Auth0 which may be what I'm looking for but appears to be overkill for a small app like mine.
You can easily use Firebase Auth and get all the functionality you need while keeping your users secure. It provides the features you need:
Firebase supports password authentication and properly stores hashed/salted password credentials according the industry standards. This would be one API to createUserWithEmailAndPassword or signInWithEmailAndPassword.
Firebase provides a mechanism to verify email addresses. It is also one API: user.sendEmailVerification()
On sign in, Firebase Auth returns an ID token (user.getIdToken()) which you can use to identify your users in all authenticated requests. They also provide an Admin SDK to parse and verify that token (auth.verifyIdToken(idToken)). A refresh token is also provided to continuously refresh ID tokens on expiration. This means the sessions are indefinite and the user should not need to sign in again on the device.
The ID token provides additional user data like email_verified which you can use to ensure the user is verified. The ID token is a JWT which can't be compromised without the Firebase Auth backend private key.
Is it secure to user the User Access Token to make Graph Api calls directly from the client (in my case Android app)? And as the SDK refreshes the access token for client, token hijacking won't be a major issue.
I am fetching the User access token using the method
AccessToken.getCurrentAccessToken()
It is secure to a a extent to use it, but as far as i am concerned it is better to use JWT for Authentication purpose, in JWT a unique id is generated for your token and we can use that id within the app for all the purposes.
I'm developing an Android app and I want users to sign-in to my app using Google+ Sign-In.
At the moment, I pass the user's name which I get from Google+ within a PHP login script. The script loads a new session with the user's ID.
Currently, the site is highly insecure: anyone who knows another user's username can potentially login as them.
What is a secure way to do this?
How do I authorize a user against my server?
It looks like to me, Google+ was purely a social networking API...
Google+ Sign-In uses OAuth 2.0 - which means the user does not authenticate directly with your server. Instead they authenticate with Google and obtain a token signed by Google. Your app gets that token (from Google Play services on Android) and can pass it to your servers as proof that the user authenticated with Google. You then associate the users Google+ ID with a new or existing user ID on your own servers. So whenever a user can prove that they authenticated with Google for a specific Google+ user ID, you treat them as authenticated on your own server.
To implement, you have a few options depending on how you architect your system:
When you simply want to authenticate your user to your own servers: On an Android device your user is very often already authenticated with Google because they have a Google account in the account manager. Your app can take advantage of this and obtain a token for a user in the account manager without them having to type any passwords. After the user clicks 'Sign in with Google' in your app, you can fetch an ID token for them using GoogleAuthUtils.getToken() and pass it to your server. Your server, after verifying the Google signature, can then safely associate the users session with the appropriate user account and permissions (ie. treat the session as authenticated). The process of getting the token and verifying it is discussed by Tim Bray here and by Ian Barber here.
If you want to authenticate the user to your own servers and make Google+ API calls from your servers: Then you should take a look at the server side flow documentation on developers.google.com. This takes the same approach as option one, but in addition, when the users signs in for the very first time the Android app requests an authorization code instead of an ID token. This can be exchanged by the server for an access token and refresh token - which, in turn, can be used by your server to make API calls on behalf of the user, for example, by using the PHP client library.
If you want to authenticate the user to your own servers, but also make Google API calls from the Android device: Then you should use the PlusClient provided by Google Play services to make Google API calls in addition to the steps you take to authenticate the user with your own server.
You probably want to make Google API calls in your client or on your server so that you can pre-populate your registration form with data from the users Google+ profile, for example.
Google Plus uses OAuth 2.0
https://developers.google.com/+/api/oauth
It has auth token. You can use auth token to access Google Plus from Android or server.
On server you can verify token by accessing Google with that token.
I'd like to use users' Google accounts to authenticate (not authorize) them from a web application and to uniquely identify their Android device[s] that run a companion app. Communications between the platforms will be done via Google Cloud Messaging.
The web service can obtain an auth token when users authenticate their Google accounts via the Google OAuth 2.0 implementation. The Android app obtains an auth token via the AccountManager.
Is the token returned by each platform identical such that it can be used as a reliable ID? If not, am I forced to ask permission to view the user's email address just to accomplish this?
I don't want to access the user's email address for identification--it's an extra permission and responsibility to secure it.
All tokens are unique -- that way, you can withdraw authentication for one device/platform while retaining it for another. Utilize the user_id, which is intended exactly to associate the same user across platforms.
The auth token expires every hour so it will never be a good id.
user_id is what you want
We're currently in the process of implementing OAuth2 to secure our new API and not sure how to securely provide required functionality. We need to allow the following from a mobile device:
Immediately after downloading the app the user is able to take a picture and submit it without having to first log in.
While we want to allow anonymous user access, where a user does not need to log in or register to use certain functionality, we do not want to allow unauthenticated access to the API. This would normally be accomplished using the client credentials authorization flow to obtain and app access token, however this requires knowing the client secret. From what I've read, a mobile device is not considered a trusted client and should not contain the client secret, and hence should not be able to generate an app access token on its own.
We've come up with a few options to accomplish this requirement, but would like some input on them:
Embed the client secret in the app. Doesn't seem ideal from a security standpoint, but maybe we're missing an obvious way to secure it? We're targeting at least iOS and Android.
Generate an app access token offline and embed that in the app. Still not very secure, but at least the secret isn't exposed.
Allow access to certain functionality using only the client ID instead of an access token. This may be the simplest, but it introduces an inconsistency and requires multiple ways of authenticating the client.
Build and use a companion web app to generate app access tokens for the mobile app. On the surface seems like a winner, but now you have to secure access to the companion app!
How would you securely authenticate access to an API using OAuth2 from a mobile device without requiring the user to first log in?
Agree with the comments on the Q. Either:
1.) Use Client Credentials grant type in OAuth 2 - with an embedded secret in your App. Understand that this isn't super secure and someone will reverse engineer it eventually. Ideally each client would get a unique secret - so you could revoke a client if they're abusing its use.
2.) Live with that API being open - thereby not requiring an OAuth 2 access token at all. Maybe that API would be known only to your app - but again, it would only be a matter of time before someone reverse engineers it.
My group is having a similar discussion. Users can get the app and browse a catalog without having to sign-in. The catalog and other data is accessed via an API and we would like to force users to have an access_token for all calls.
Our current thinking is to
Always force the App to exchange a common clientId/secret for an access_token. So the app would get an access_token even for anonymous users. This would be via the client_credentials oAuth flow.
If the user signs in, use the oAuth password flow. They would pass in clientId, secret, username, and password. We would additionally allow them to pass in their anonymous token so that we could transfer any history from their anonymous session.
So for example...
access_token = api.oAuth.client_credentials(clientId, secret)
catalog = api.getCatalog(access_token)
authenticated_access_token = api.oAuth.password(clientId, secret, username, password, access_token)