I've created an app that counts the time you've spent on customers projects. I would now like to integrate this in Google Assistant, so when you say "Talk to MyTimeApp" and then say "Start counting time on Project A", the app should start the stopwatch.
So far this should be possible with Intents for Google Assistant and API.ai. But how can I manage to check which user is using my app (so who is logged in), in order to only access his account and his connected projects? In all the tutorial videos from Google, they provide only non-user-specific examples.
I've read about the possibility to provide also a login function. Can I therefore use my own registration-service or do I need to use the Google-Account? Or is there a way to access the installed TimeApp, where the user is already signed in?
The Actions on Google system, which is how you build Actions for the Assistant, gives you a few options for authentication depending on exactly what your needs are.
First, if you're assuming they will be doing this on their phones that already has the app installed, then you can see if App Actions will meet your need when they are available.
If you are looking to do this as a conversational Action that does not require the mobile app, and you already have an existing authentication system, then you would use Account Linking to link their Assistant account to the account that you have for them. This typically requires an OAuth2 server.
You can, if you wish, simplify this if your account is linked to their Google Account, in which case you'll be able to use Google Sign-In for the Assistant to handle the sign-in on all Assistant platforms.
Related
In my android application I want to let users to authenticate with google or facebook account.
I've implemented sign-in with google already.
I'll try to implement sign-in with facebook soon.
I've read about IAP in android:
https://developer.android.com/google/play/billing/billing_overview
https://droidmentor.com/inapppurchase-subscription/
at least what I understand it is about google account authentication.
So I wonder is it possible to make IAP in android application if the user is authenticated with facebook account ?
I cant find examples or explanations by now.
Any good examples/explanations about IAP with google is also very appreciated because I still don't have a clear vision on IAP.
fyi: In my app user will be able to buy "virtual tickets pack" (e.g.: 10, 15, 20 tickets) and to add them to their profile. and later they will "consume" tickets one by one.
Best Regards
My understanding is that you already have a user system that you are using to provide a Google login to your customers. When you add Facebook login, you'll probably want to match both Google and Facebook logins with your own custom user ID. It's always a good idea to have a custom ID of your own so that you can map it to different types of logins.
When purchasing through Google Play Billing, the purchase gets associated with the user's phone Google account and you can also provide an optional way of associating a purchase with your own user account system. In order to do that, when building the BillingFlowParams, call setAccountId and pass your account's system custom ID.
To provide the best experience persisting purchases during installs or across devices you should also be saving the purchases on your server's database. In order to do that in a secure manner, you will also have to implement server-side receipt validation. If you want to avoid most of these headaches, I recommend you to use a service like RevenueCat.
IAP can only be done through the user's google account, as that is what one needs to use any part of the Play Store. The user's google account is also where the credit card/other payment methods are stored for each user.
In spite of the above, the way users log into your app has nothing to do with them using the IAP system. When a user will choose to use an IAP, the google account data will be provided by the android device/Play Store, not by your app (Off subject:the process is similar on iOS if you ever get to try there).
What your app needs to do, is receive the confirmation of purchase from the IAP sdk and then mark on your server that this particular user has purchased this item. Basically for any purchases (no matter the payment provider) you would usually mark in your DB the following:
what the user has purchased
how much did he pay
when did he pay
provider's id of the purchase, so you can later match the accounting reports with the payment provider's report
where he payed from (IP can be a good indicator, although in the age of VPNs not necessarily 100% acurate)(this can be useful for your marketing decisions)
mark that this user now has access to the item he purchased and if it is a time limited item, mark when it expires, so you are able to later check if he still has the right to access it.
Disclaimer:
I have not used the android IAP system directly before. I have implemented mobile app payment systems before using iOS IAP and on android Braintree payments. But the process is most likely very similar with android IAPs as well.
I have a webservice that requiers accounts. As a complement I have built an app that can be used with the account on the website.
Do I have to provide the possibility to create an account through the app or is it enough to reference to the website?
If you have to be registered to use the application, you must allow:
users to register in the app
users to log in in the app
allow the users to use the application without any account (maybe with less functionnalities).
If not, the app may be rejected.
there's no Google enforced practices of banning app or anything like this. You can release your app however you prefer.
But be warned that apps with a Login button, but if you want to Sign up you have to go to the web are usually not very successful apps and have very poor ratings on the Google Play.
I'd like to use SSO (Single Sign-On) for users of my app, but I don't understand how to apply it to my case.
To summarize, we have:
a database
a website
an iPhone app / an Android App
Currently, it's possible to create an account on the site, and then use the same credentials to connect from the mobile apps. All communications between mobile apps and server work through http requests.
To put it simply, I would firstly
be able to use Google accounts to authenticate users
offering Android users to choose one of Google accounts associated with their smartphone
I found several sources of information:
Google - Using OAuth 2.0 for Login
Android - Remembering Users
Unlike what I saw in some examples, I don't need to make request to Google services like Google Calendar or Tasks, I just want to authenticate the user.
Does someone could tell me what I need to do on the website and on the mobile app. Should I store information in my database? How to ensure that after authentication, all http requests from the mobile application are really from authenticated user?
Do not hesitate to ask me to clarify some points.
Thanks in advance
As OAuth is a standard for authorization and not for authentication, it doesn't support any direct method for this. However, most providers allow you to call an endpoint that returns the id of the logged in user. Google returns the id as part of the basic profile information. This step is described in the first article you already mentioned. There are multiple libraries available to simplify this step for you.
So for identifying a user you acquire his Google user id and store/match it in your database.
To get the user's id on an Android device, there's an even more simple way. Just use Google Play Services as described in its documentation. You can find the user id in the response to the call in the last section of the documentation.
Now there's still the problem that you have to send the user id from the device to your web server and verify that this call was issued by your app. Fortunately, Google has also built a method into Google Play Services for exactly this scenario. There's a blog post by Tim Bray at the Android Developers Blog about this.
The Story: I am making an Android app that allows a user to purchase a subscription, and does not require the user to have an account or login. I want to check whether or not a user has purchased a subscription, and the Google Play Android Developer API seems to provide this service.
The Problem (TL;DR): Should I use OAuth as a "web application", "installed application", "service application", or none of the above?
The Problem: To get started with this, I am told:
Access to the Google Play Android Developer API is authenticated using
the OAuth 2.0 Web Server flow. Before you can use the API, you will
need to set up an APIs Console project, create a client ID and
generate a refresh token. -source
Fair enough. There are then setup instructions that go on to say:
On the second page, select web application and set the redirect URI
and Javascript origins.
My application does access the Internet, but it is an installed Android app, not a web application, so I don't have a "redirect URI" or "Javascript origins" to link it to. Additionally, this would require a user to log in, which I do not want and is not necessary in my case (I just want to check whether or not the user has purchased a subscription).
So if instead of a "web application" I try to create an "installed application (Android)", this still requires a user login, to be able to manage the user's resources.
I do not want this. There is a third alternative called a "service account" that does not require a user login:
A Service Account is used when you have a service that wants to handle
its "own" resources (e.g., an App Engine app that manages Compute
Engine resources), as opposed to the resources of an external user
(e.g., the standard OAuth flow). Using a Service Account the app will
be the owner of the resources... If you use a Service Account, you will only get data about the service's purchases. -source
I'm not sure if that is what I want in my case...
Finally, there is also this option:
The simplest flow is one where no end-user authorization is needed.
You still need to identify your client application using the API key. -source
This seems perfect! However, I was told initially that to use the Google Play Android Developer API I need to authenticate with OAuth 2.0, and this does not use a client ID which I was initially told that I specifically need.
There are at least 2 problems with what you are trying to achieve here:
As you would be handling the server response in your Android application, you would have something like this in your code:
if (isSubscriptionValid())
Somebody could tamper with your application's APK on his device (which is very easy) and simply replace that check with:
if (true)
The attacker would then have access to your content without ever being subscribed.
As calls to the API have to be authorized by your developer account and being personally logged in on each users device is obviously no option, you would have to go for Service Accounts, as you've already figured out correctly.
These however are only meant for server-to-server interactions, as otherwise it would require you to store your private key on everybodys device and as it is not possible to store data securely on an Android device, you wouldn't meet this requirement:
The private key must be stored and managed securely.
Google recommends you to have a backend server to do this kind of checks. So you can decide if a subscription is valid before handing over content to the client and other things:
The API is designed to be used from your backend servers as a way of securely managing subscriptions, as well as extending and integrating subscriptions with other services.
If you do not have a backend server available, you have to rely on In-app Billing Notifications.
I'm creating an app that will need users to create an account. (Like Facebook or Twitter would require you to.)
BUT, since it's an Android app, should/can I let them sign in with their Google Account using AccountManager or some other service? It'd be very helpful if they could just sign in to their Google account and their settings and other options would be saved to that account.
Main questions summed up:
Is it possible to let a user just use their Google account in my app?
If so, do I use AccountManager to have them sign in and save account information/settings?
What are other options?
Yes, you can get users to log into their Google Services using their Google credentials, for example, I have an app on Google Tasks and I use the Android AccountManager to let users authenticate themselves using their Google account on the android device (No need for users to enter their password!)
There are some really good examples to get you started:
This is an in-depth look into how you can authenticate based on the users Android credentials, has an example of how things work and how the UI should be: http://www.finalconcept.com.au/article/view/android-account-manager-step-by-step-2
This is an example of getting AccountManager to work with a Google service like Google Tasks: https://developers.google.com/google-apps/tasks/oauth-and-tasks-on-android
The last example is using the same concept for accessing the Google Picasa service: http://code.google.com/p/google-api-java-client/wiki/AndroidAccountManager
The other options you have is to have users manually enter their username/password. For that you have to use a third party authentication API (like signpost for OAuth) for them to log in.
In my tasks/todo application I provide users both options to sign in, using their android credentials or using third party authentication for users that want to log in using some other account (an account which is not enabled on that device)
Let me know if you have more questions
Although it is a new development, Google Plus Sign-in introduced as part of Google Play Services can also be used. More info can be found at Android developers blog. See example implementation from Banjo app
There seems to be a big limitation - The user need to have Google+ app installed on the device to use this.
Also this is a pretty good blog if someone is interested in implementing the solution.
#Soham gave you some very useful links but he didn't correct one major error: AccountManager is the entity that manages the accounts on your Android device - it has nothing to do with your google account! you can use google account and create a NEW account on your device using the AccountManager.
The rest you can learn from the links Soham gave you.