I am using Azure Mobile Services to store data from my Android app. Users have to log in using Google and I've used Azure's Easy Auth to implement that.
However, I also need the display name and the email of the user. I have searched a lot and couldn't find a way to get that info. I know that for other providers like Facebook or Microsoft you can just check attributes that should be included in the response (e.g. Microsoft as provider), but with Google, Azure doesn't provide any attributes.
I just followed How to configure your App Service application to use Google login to configure my App Service Authentication (Easy Auth) for Google login. I just leverage the server-managed authentication and log in with my mobile app backend via the browser as follows:
GET https://<your-app-name>.azurewebsites.net/.auth/login/google
Using Fiddler to capture the network traces as follows:
Then, accessing the /.auth/me endpoint via the browser, I could retrieve the user email as follows:
Moreover, you could follow Obtaining user profile information. Also, you could access https://www.googleapis.com/oauth2/v1/userinfo?access_token=<access_token> to retrieve the user profile manually.
Additionally, if you want to modify the Google OAuth scopes (set the googleOAuthScopes array property via https://resources.azure.com) or retrieve the refresh token (access_type=offline), you could follow this similar issue. And you could follow App Service Token Store for more details about App Service Authentication.
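The Fiddler and browser captures the answer refers to are not reproduced on this page. As an added example (not the answer's own code), the snippet below shows how a backend, or the app itself, pulls the display name and email out of the JSON that /.auth/me returns. The document SAMPLE_AUTH_ME is constructed to match the documented shape (one entry per provider, claims as {typ, val} pairs); its token and claim values are placeholders. From the Android client the same endpoint is called with the Easy Auth session token in the X-ZUMO-AUTH header.

```javascript
// Constructed sample of a /.auth/me response for a Google login.
// Real responses carry live tokens; these are placeholders.
const SAMPLE_AUTH_ME = [
  {
    provider_name: "google",
    user_id: "alice@example.com",
    access_token: "<access_token placeholder>",
    id_token: "<id_token placeholder>",
    expires_on: "2030-01-01T00:00:00.0000000Z",
    user_claims: [
      { typ: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", val: "1234567890" },
      { typ: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", val: "alice@example.com" },
      { typ: "name", val: "Alice Example" },
      { typ: "iss", val: "https://accounts.google.com" }
    ]
  }
];

const EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
const NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";

// Look up one claim value by its type URI; null when absent.
function claim(entry, typ) {
  const c = (entry.user_claims || []).find((x) => x.typ === typ);
  return c ? c.val : null;
}

// Returns { provider, subject, email, name, expiresOn } for the Google entry,
// or null when the document has no Google login. Store the subject
// (nameidentifier) as the stable key for the user; the email address can
// change and is only suitable for display and contact.
function extractGoogleIdentity(authMe) {
  if (!Array.isArray(authMe)) return null;
  const entry = authMe.find((e) => e && e.provider_name === "google");
  if (!entry) return null;
  return {
    provider: "google",
    subject: claim(entry, NAMEID_CLAIM) || entry.user_id || null,
    email: claim(entry, EMAIL_CLAIM),
    name: claim(entry, "name"),
    expiresOn: entry.expires_on || null
  };
}

// Stand-alone run: show what the app would get back from the sample document.
console.log(extractGoogleIdentity(SAMPLE_AUTH_ME));
```

Note that expires_on refers to the provider token cached in the token store; when it has passed, call /.auth/refresh (which needs the offline access_type mentioned above) before relying on access_token.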
There are mobile applications, such as games, that allow the user to register and log in using Google, Facebook, or their own server. After logging in using a third-party provider, they seem to be able to store user information such as game progress on their server, so it means that they can associate third-party accounts with their user profile database. How do people typically do this?
I am using Identity Server as my main identity provider. It uses ASP.NET Identity to manage users. I have an Android application which uses the resource owner grant to get an authorization token from the Identity Server. A new user can register a new account by going to the site where Identity Server is hosted.
Now I want to add a button to log in via Google or Facebook within my Android application. When a user logs in via Google or Facebook, the user information should be retrieved and then a registration form within the Android app will show with fields automatically filled in based on user information from the third-party provider. The user can then register using those details and save the user to the Identity Server with an identifier that indicates it is a Google or Facebook account. Just like an ASP.NET Identity site does it, but for mobile.
Resource owner grant is a dead end here. You need to switch to a logon workflow using a browser. This will give you the external logins for "free".
https://vimeo.com/171942749
This is also encouraged for security reasons - see the spec I link to from the presentation.
I believe you can have a button that allows the user to log in using a third-party identity server such as Facebook or Google. The only thing I am wondering is that I am not sure if you will be able to make them register using that username and password.
The flow you can think of is:
Give the user an option of logging in with Facebook, Google etc.
User will get redirected to the login page for those third party services.
When they log in you will receive a token from Facebook that will have claims for the user; then you can do claims transformation and assign the token to your user.
Using the same token you can have the data stored in your database related to the user.
So in your database you will have 2 tokens: 1 from Facebook and the other one that you will have for your own app.
The only option we can give is logging in using Facebook. But by maintaining the information that the identity server provides, you can register the user on the back end directly, so the user doesn't have to register himself.
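The question above asks how apps typically associate third-party accounts with their own user database, and the answers describe claims transformation and registering the user on the back end. As an added example (not code from any of the posters, and not Identity Server's or ASP.NET Identity's own API), the in-memory store below links external logins to local users the way ASP.NET Identity's user-logins table does: keyed by the pair (provider, provider subject), never by email alone, because two providers can report the same email and an email can change. Claim names follow the OpenID Connect convention (sub, email, name), which is an assumption; map whatever your provider actually returns.

```javascript
// Added example: linking external identities to local user records.
class UserStore {
  constructor() {
    this.users = new Map();   // localUserId -> { id, email, name, logins: Set<string> }
    this.logins = new Map();  // "provider:providerKey" -> localUserId
    this.nextId = 1;
  }

  // Provider names are normalised so "Google" and "google" are one provider.
  static loginKey(provider, providerKey) {
    return `${String(provider).toLowerCase()}:${providerKey}`;
  }

  // Claims transformation: keep only what the local profile needs.
  static profileFromClaims(claims) {
    return { email: claims.email || null, name: claims.name || null };
  }

  // Find the local user bound to an external identity, creating one on first
  // login (this is the "register on the back end directly" step).
  // Returns { user, created }.
  findOrCreateByExternalLogin(provider, claims) {
    if (!claims || !claims.sub) throw new Error("external identity has no subject claim");
    const key = UserStore.loginKey(provider, claims.sub);
    const existingId = this.logins.get(key);
    if (existingId !== undefined) {
      return { user: this.users.get(existingId), created: false };
    }
    const user = { id: this.nextId++, ...UserStore.profileFromClaims(claims), logins: new Set([key]) };
    this.users.set(user.id, user);
    this.logins.set(key, user.id);
    return { user, created: true };
  }

  // Attach a further provider to an already-authenticated local user (for
  // instance a Google user later adds Facebook). Refuses when that external
  // identity is already bound to a different local account.
  addLogin(localUserId, provider, providerKey) {
    const key = UserStore.loginKey(provider, providerKey);
    const owner = this.logins.get(key);
    if (owner !== undefined && owner !== localUserId) {
      throw new Error("external login already linked to another user");
    }
    const user = this.users.get(localUserId);
    if (!user) throw new Error("unknown local user");
    user.logins.add(key);
    this.logins.set(key, localUserId);
    return user;
  }
}
```

Only the local user id leaves this store; the provider token itself is kept for calling the provider's API on the user's behalf, not as the key that identifies the account.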
I have an Android app and I am trying to implement LinkedIn login in it.
The LinkedIn SDK has been successfully integrated and I am getting user information as well, along with the email address.
Here is how my application works for Google login:
1) get access token on mobile
2) send email address with access token to server
3) fetch details of the user with the access token I received via the Google web API.
4) if the response email matches the email received from the mobile device then check whether an account exists for that email address. If not, create an account and log in; otherwise log in.
Problem with LinkedIn:
The access token I have received belongs to the mobile SDK and I cannot use the same token to make REST API requests (as per the documentation):
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the Mobile SDK are only useable with the Mobile SDK, and cannot be used to make server-side REST API calls.
Similarly, access tokens that you already have stored from your users that authenticated using a server-side REST API call will not work with the Mobile SDK.
So how do I verify the details in step 3) mentioned above on my web server?
Is it a disaster?
I am sure there has to be a way to do what I am trying to do, as there are many applications which let their users log in through LinkedIn on their mobile apps.
Because if it's not possible then anyone can easily change the email address the mobile app is sending to the web server after receiving it from LinkedIn, and I can log in with any email address I want by doing that.
Like you said, you can't do it.
Instead you have to use a different approach: get the required info on the device, returned by LinkedIn, and send it to your server. Use HTTPS connections to avoid MITM attacks.
If your app is downloaded from an official store, the information shouldn't be modified on the device.
OTHER SECURITY MECHANISMS:
If you want more security, you could for example encrypt data on the server, send a HASH to mobile, use your LinkedIn token to consult the information and with another algorithm compare that the data received is the same.
But I think that this is too expensive a mechanism; it should be resolved only by using HTTPS connections and not downloading the APK from non-official stores.
The docs state clearly that you can't use the AccessToken obtained from the Android SDK to make your own REST API calls.
However, there's a way to make REST API calls with the mobile SDK; check the Making Authenticated REST API calls section here: https://developer.linkedin.com/docs/android-sdk
If you want to retrieve the user profile info, you'll have to do it using the mobile SDK.
I want to add authentication with email and password in an Android app with a back end on Azure (using Node.js). I read an article about custom user authentication, but there is nothing about how to do it in an Android app. I tried to use this tutorial, but maybe it is too old because the code from it does not compile. So, who knows how to do it?
For authenticating users, you can refer to the section How to: Authenticate users of the official doc How to use the Android client library for Mobile Services, and the doc Add authentication to your Mobile Services Android app (JavaScript backend) shows more details.
The two topics show you how to authenticate users in Azure Mobile Services from your app with one or more of the following authentication providers: Google, Facebook, Twitter, Microsoft & Azure AD. I recommend you try to do this authentication with OAuth.
If you have to authenticate with email and password, I think you can try to create a user table to store user email & password.
For example, create a Mobile Service table and use the tables object & table object to retrieve users for authentication.
I am building an Android application that requires sign-in. For this, I have used the Facebook and Google+ SDKs for Android. I use Facebook and Google+ sign-in instead of creating my own sign-in.
This app will connect with a Spring service to access stored data. This data is private to each user, therefore I need a login system. The data will be stored in a database on the server.
My question is, how can I link the data with the user?
I have thought of obtaining the access token in the Android app and passing it to the service. With this access token, can the server obtain, for example, the user id to link the data with the user? Or are there other ways to do this?
You can follow either of the approaches mentioned below:
You can pass the access token from the app to the server and, using the Graph API, get the user details including user id, email, etc. Once you get this information you can link it to your data.
Using the access token in the app itself and calling the Graph API from the app, get the user details and then pass the user id from the app to the Spring service.
This is the simplest approach you can follow.
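The first approach above (forward the token, let the server ask the provider) is the one that survives a tampered client, and it is also the server-side check the LinkedIn question earlier wants for its Google flow (steps 3 and 4: fetch the identity with the token and compare it with the email the app sent). As an added example (not code from either thread, and not Spring or Facebook SDK code), the snippet below implements that check for Google and Facebook. Two things the answers do not mention are included because a practitioner needs them: the server never trusts the email the app sends, only what the provider says the token belongs to, and it verifies the token was issued for this application (Google's aud field; Facebook's app_id from debug_token), so a token minted for some other app cannot be presented here. The endpoints are real (Google tokeninfo, Facebook debug_token and /me); the Google tokeninfo endpoint is used instead of the userinfo one because it reports the audience. The decision logic is split into pure functions so it can be exercised offline with constructed responses; fetchJson is an injected HTTP helper, an assumption of this example.

```javascript
// Added example: server-side validation of a forwarded provider access token.
const GOOGLE_TOKENINFO = "https://oauth2.googleapis.com/tokeninfo";
const FACEBOOK_GRAPH = "https://graph.facebook.com";

function sameEmail(a, b) {
  return typeof a === "string" && typeof b === "string" &&
    a.trim().toLowerCase() === b.trim().toLowerCase();
}

// Google: decide from the tokeninfo response. `aud` must be our OAuth client
// id, the address must be verified by Google, and it must match what the
// app claimed. (tokeninfo reports email_verified as a string.)
function checkGoogleTokenInfo(info, claimedEmail, googleClientId) {
  if (!info || info.error) return { ok: false, reason: "google: token rejected by tokeninfo" };
  if (info.aud !== googleClientId) return { ok: false, reason: "google: token issued for another app" };
  if (!(info.email_verified === true || info.email_verified === "true")) {
    return { ok: false, reason: "google: email not verified" };
  }
  if (!sameEmail(info.email, claimedEmail)) return { ok: false, reason: "google: email mismatch" };
  return { ok: true, provider: "google", subject: info.sub, email: info.email };
}

// Facebook: debug_token (called with the app access token) says whether the
// token is valid and which app it belongs to; /me gives the identity. The
// user ids from both calls must agree.
function checkFacebookToken(debugResp, meResp, claimedEmail, facebookAppId) {
  const d = (debugResp && debugResp.data) || {};
  if (d.is_valid !== true) return { ok: false, reason: "facebook: token not valid" };
  if (String(d.app_id) !== String(facebookAppId)) return { ok: false, reason: "facebook: token issued for another app" };
  if (!meResp || meResp.id !== d.user_id) return { ok: false, reason: "facebook: /me does not match debug_token" };
  if (!sameEmail(meResp.email, claimedEmail)) return { ok: false, reason: "facebook: email mismatch" };
  return { ok: true, provider: "facebook", subject: meResp.id, email: meResp.email };
}

// Network wrapper. config = { googleClientId, facebookAppId, facebookAppSecret };
// fetchJson(url) -> Promise<object>, e.g. (u) => fetch(u).then((r) => r.json()).
async function verifyProviderToken(provider, accessToken, claimedEmail, config, fetchJson) {
  const q = encodeURIComponent;
  if (provider === "google") {
    const info = await fetchJson(`${GOOGLE_TOKENINFO}?access_token=${q(accessToken)}`);
    return checkGoogleTokenInfo(info, claimedEmail, config.googleClientId);
  }
  if (provider === "facebook") {
    const appToken = `${config.facebookAppId}|${config.facebookAppSecret}`;
    const dbg = await fetchJson(
      `${FACEBOOK_GRAPH}/debug_token?input_token=${q(accessToken)}&access_token=${q(appToken)}`
    );
    const me = await fetchJson(`${FACEBOOK_GRAPH}/me?fields=id,email&access_token=${q(accessToken)}`);
    return checkFacebookToken(dbg, me, claimedEmail, config.facebookAppId);
  }
  return { ok: false, reason: "unsupported provider" };
}
```

Only the returned subject should be used as the key for the user's data; the email the app supplied never reaches the database. The same shape applies to any provider that offers a token-introspection call; LinkedIn's mobile SDK tokens cannot be introspected from a server, which is exactly the gap the LinkedIn question describes.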
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using the user's Google account info. The server needs to retrieve the user's basic info and create an account. That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using OAuth2 and retrieve basic user info using the user's Google account info. I can do this as well.
This is where I need help. Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials?
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0 (it doesn't matter here), leads to the app obtaining an access token; then, based on the API of your server, you pass this access token with requests instead of a login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs; see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your own way to do so (like sending an HTTP header Authorization: OAuth access_token=abcdefgh…).
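The answer leaves the server side of "pass the access token with requests" to the reader. As an added example (not the answer's code, and not App Engine's API), the Node.js-style handler below reads the token from the Authorization header, accepting both the standard Bearer form (RFC 6750) and the older "OAuth access_token=..." form the answer mentions, resolves it against a map of server-issued sessions, and refuses tokens placed in the URL query string, where they would be copied into access logs and referrers. The request object shape ({ headers, url }) matches Node's http.IncomingMessage and Express; the sessions map is an assumption standing in for whatever store the server uses.

```javascript
// Added example: extracting and checking the access token on the server.
function extractAccessToken(req) {
  const url = req.url || "";
  if (/[?&]access_token=/.test(url)) {
    return { token: null, error: "access_token in query string not accepted" };
  }
  const raw = req.headers && (req.headers.authorization || req.headers.Authorization);
  if (!raw) return { token: null, error: "missing Authorization header" };
  const header = String(raw).trim();

  // RFC 6750 bearer token: b64token characters, optional trailing "=".
  let m = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i.exec(header);
  if (m) return { token: m[1], scheme: "bearer" };

  // Legacy form from the answer above: Authorization: OAuth access_token=...
  // (value may be quoted).
  m = /^OAuth\s+access_token=("?)([^",\s]+)\1$/i.exec(header);
  if (m) return { token: m[2], scheme: "oauth-legacy" };

  return { token: null, error: "unsupported Authorization scheme" };
}

// Resolve the token to the user it was issued to. `sessions` maps opaque
// server-issued tokens to { userId, expiresAt } (epoch milliseconds).
// Returns { status: 200, userId } or { status: 401, error }.
function authorize(req, sessions, now = Date.now()) {
  const { token, error } = extractAccessToken(req);
  if (!token) return { status: 401, error };
  const session = sessions.get(token);
  if (!session) return { status: 401, error: "unknown token" };
  if (session.expiresAt <= now) return { status: 401, error: "token expired" };
  return { status: 200, userId: session.userId };
}
```

The token the app presents here is the session token the server issued after the Google sign-in, not the Google access token itself; keeping them separate means a leaked server session cannot be used against Google's APIs.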