I am working on the mobile application for android which is written in Android Studio in Java language. I would like to implement Facebook authentication firstly and then Google and I will see which else.
A lot of backout action will be carry out by backend server. I spent a lot of time to figure out the solution but I didn’t find the response which straight explant me how should I proceed with facebook Authentication and tokens.
I have already implemented facebook API (https://developers.facebook.com/docs/android ) in my mobile application. I can get access token and so on. After that I stuck and could you tell me is there any way to connect this access token which I have got on my phone which backend server? Or should start everything from the beginning and Manually Build a Login Flow?
Second question. Could you tell me if what is correct and the easiest way to connect Mobile App, Backend Server and Facebook authentication?
I would like to have something like that I know that comparing access token is not acceptable but can you tell me how to do it?
Facebook API with application server
Make a Login flow as below
Send token-to-inspect(access token), user facebookID and remaining user data to your server
On server side check the response for access_token from the Step 1
https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app_id}|{app_secret}
Note that a sign "|" in the above URL isn't used as OR but as a separator and must be there after filling the other fields.
Also don't send app_id, app_secret from the app, keep them on the server side only.
If in response you get the same user_id, is_valid, application then it is a valid user else not.
After verifying in Step 3 give user your own auth_token for accessing app resources
Also, check out Firebase Authentication and Firebase ADMIN to make this flow safe/secure and developer friendly.
Hope this helps
Related
If users switch their phone from ios to android and vice versa they can't log in to my app using their email and password.
There is no option to log in with FB or any social media account.
Could you please tell me how to allow users to login into both devices into the same app?
Also what happens if the user is still logged in into the iOS app but wants to use the app on Android?
Thank you
You need some kind of backend server. It remains same for iOS and android. usually you will make an async request to server, with username and password, and server will reply if user is authenticated or not. (server will check username and password and reply with true or false). This mechanism applies to iOS as well as android.
You can use
Firebase Authentication Check Here
Custom Backend Server(using PHP or Node etc)
There are so many other options to choose from for your backend
Regarding your question
Also what happens if the user is still logged in into the iOS app but
wants to use the app on Android?
You should allow user to be logged Into ONE device AT A time. For this, there is a concept of Session Management.
When you send a request to your backend server. It can generate an auth token. Then you will need to send auth token with each API request.
Now imagine user logged into your app on android. server generated a token and sent it back to android. Android app saved the token. Now when user logs into iOS, a new token will be generated. previous token will be invalidated and when android app sends a request with expired token, server will not send response.
See this answer for a general concept of session management.
Hope it helps. Let me know if you need further clarifications
Now
Well in your case its not fault of frontend developers.
You are or your backend developer only in need to enable multisession work on your backend.
You are not required to do any work in actually But your backend developer is in need to do so. the backend developer needs to maintain multiple login session for a single account, just ask backend developer to do so.
I am using Rails 5 application as a backend for my Android app. On my rails, I am using Devise to authenticate users and I have implemented the JWT gem with rack-cors to pass token https://www.youtube.com/watch?v=EF5Cm2jZHk0.
I am struggling with my Android app and I am not able to authenticate users. I am using Retrofit2 with Android and I have passed credentials with the header but I am getting the response code 401 (Not Authorized).
I am open for any kind of suggestions that can lead me to solve this problem.
Okay, this appears to be a really old question, but will answer anyway, for the sake of someone who will come across the same issue, if a model has device installed on it,then we can access a particular object and have the method valid_password?
For example user = User.find_by_email("doe#example.com"), to find if the password is right, then we use user.valid_password?("password"), this will return true if it's the password for that user.
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I need to create a login/register system for my game but I have no clue on how this is commonly done. I already have setup a working client/server system with Kryonet where I can push data over the network. Any user can log in but once he disconnects everything is lost. Eventually I want this to be compatible with a Facebook login but that is not necessary at the moment.
You have few options to do this, some of them:
Use facebook login, just implement Facebook SDK and follow facebook developer guides to create login button and login/logout flow.
On your server create simple php script which will get username and password as parameters and will save it to mySql database. Then create other script which will also get username and password as parameters and will return OK if user logged in successfully. You will need to send POST requests from your libgdx game to your php scripts on server. You will also need to save user password and username if he already logged in in previous game launches. In this cases you should send automatic login request to your server, other option is to handle the session.
It is very basic description, I think if you don't have experience on client-server application try to work with facebook, their SDK is not the best one, but they do most job for you.
I sugget you create a login and register php form.
People will have to connect to the page, register, receive a link to confirm email, and after you end the code.
It is the most simple I see.
Regards,
I'm trying Google Plus sign-in in an Android app (with backend support).
I could get access token and email from the user, but know I don't know how should I recognise this user from the server. I'm sending this to the server (email and oauth token) with a POST throught SSL
Of course I could recognise them with their email, but that would open the doors for everyone how knows another email that's on the database.
How could I verify that the user's correctly authenticated and has sent me the correct oauth token for this email?
Thanks!
Two thoughts:
1) Generally, you shouldn't be sending the auth token over the wire if you can help it. Instead you should be using a hybrid flow where the client gets a one time code when it authenticates, passes you this one time code, and you can redeem this for an auth token and a refresh token. Using this method, your server also has offline access on behalf of the user. See https://developers.google.com/+/web/signin/server-side-flow for details. However, I'm not entirely sure how this works with the Android library.
2) Regardless of (1), generally what you can do is to use the plus.people.get method on the server with the userID of "me" to get the user's userID and verify this against what you're expecting. See https://developers.google.com/+/api/latest/people/get for more details.
Yours is a perfect case to use the Authorization code flow.
See this link. It has some workflow diagrams that you might want to see. In your case the user should authenticate and receive an authorization code (and not a token!).
He would then send the authorization code to your server, you can exchange this code for access + refresh tokens. Have your client registered for the scope and have the client credentials.
The access token flow (called the implicit grant flow) is generally used when requests need to be sent directly from the user's browser.
And, as #Prisoner already mentioned, you will have offline access too. That would be a much better design.
EDIT - you might also want to take a look at What is the difference between the 2 workflows? When to use Authorization Code flow?