I own a WordPress based website and trying to write an Android app for it.
I already tried to check out WordPress's open source Android app, but couldn't figure it out.
I want to implement oAuth-2.0 login for the app. Does WordPress have build-in support for oAuth-2.0? How can I implement it on client and server side? Do I need to use a 3rd-party plugin, and is it safe to use plugins?
Is WordPress has build-in support for oAuth-2.0?
Yes, please refer this link: https://wordpress.org/plugins/oauth2-provider/
how can i implement it on client and server side?
For server side, please refer to: https://developer.wordpress.com/docs/oauth2/
For client side, you can use a well-known library like Retrofit to connect to your server. The link above also provided an examples what client sides should do.
do i need to use 3rd-party plugin and is it safe to use plugins?
Yes, Wordpress needs a plugin for this. Just pick a well-known plugin and you would be safe.
Your WordPress website needs an OAuth2 server plugin. This is our premium product: https://lana.codes/product/lana-passport/
You can try it with the demo, and there is also detailed documentation for it.
The OAuth2 server plugin provides the authentication server that is connected to the WordPress user system. It also provides the /authorize, /token and /resource endpoints, to which the client can connect and generate a token, and then use the token to access user data. The Android app will need to connect to these endpoints.
Basically, the Authorization Code grant type should be used for this purpose, because it also provides the WordPress login interface if you are not logged in and need to identify yourself. This is the most user-friendly and most popular grant type.
But it is possible that in the case of an Android app it is more beneficial to use the User Credentials grant type.
It is completely safe to use. We pay a lot of attention to security.
However, we also found serious vulnerabilities in several other OAuth plugins:
https://lana.codes/lanavdb/0bab7575-45fc-432d-945e-6100c35c574c/ (CVE-2022-2083)
https://lana.codes/lanavdb/12bb3c02-45f1-4ce8-8a5a-8b44352cf7fc/ (CVE-2022-2133)
https://lana.codes/lanavdb/6d794d65-d44b-4099-94c5-3dd2995b218c/ (CVE-2022-34149)
Related
We are using a framework called LibGdx, which allows you to write cross-platform code using only Java. We are developing for Android and iOS.
We have a datastore in Google cloud, as well as an Google app engine api we made to communicate with this datastore.
Now we want to secure this API, but cannot find good guidance on how to approach this for cross-platform. Since we have a mix of fb-login and email-login we need to use client credentials (i.e only our app is allowed to communicate with our API).
Using .NET you would send client credentials (Client ID/Cleint secret), then get an access token, not sure how to approach that in this scenario. We do not have any scopes or anything like that, we just want to secure our API so it can't just be called by anyone. So a simple Bearer-token would solve our issues. Just not sure where to begin.
you should have a look at Firebase Authentication
https://firebase.google.com/docs/auth/
Firebase supports several login providers like Google and Facebook. You will receive a token from Firebase Authentication which you have to forward to your API at Google App Engine.
You can use the Firebase Admin SDK at Google App Engine to validate the Token again
https://firebase.google.com/docs/admin/setup
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
I don't know whether i am asking a stupid question here.
I am just starting to learn and program android applications.
I wondered :
How is the mechanism of an application and its back-end server works?
How to have a user login and only the contents related to that user is shown?
Which is something like when we login a Facebook account, we will have access to our information only.
Had a looked at SQL server and Data store and it seems like the database is shared for everyone using the application.
Android supports client apps, AppEngine supports server apps, communication between them is HTTP(S).
Endpoints are libraries of client code generated from server projects. Endpoints perform authentication by passing client credentials to the AppEngine server. Client app developers use Endpoint libraries instead of developing networking software themselves.
One of the AppEngine services is the optional Users Service to look up information related to the client credentials. If a server app needs to implement access control, it can be programmed to accept or reject requests per request detail and per user. The application author is responsible for implementing such security.
I just started to learn GAE and noticed that there can be access to my servlets from anywhere.
My GAE is only used by an Android app to store user data and to keep track of users and GCM regId's.
The expensive GAE SSL implementation in this stage is overkill for me so I need advice on alternative solutions. I read many answers about this and and they all using some form of HTTP login page or other browser related access. I use com.android.volley in my Android app.
Any advice would be grate.
For *.appspot.com domains, SSL is available. Please refer to the following for configuring your application : https://developers.google.com/appengine/docs/java/config/webxml#Secure_URLs
You could also look at Google Cloud Endpoints to expose your APIs and ensure that you enable security for the different methods that you expose. You can also specify the Client Ids that the Android Application will be using to authenticate itself to your Endpoints implementation. https://developers.google.com/appengine/docs/java/endpoints/ '
Check out Android Endpoints client too : https://developers.google.com/appengine/docs/java/endpoints/consume_android
I'm developing an app which will allow me to post on Facebook.
But I want a native application to post without any external SDK's. How can I do it?
See the Facebook Authentication docs: http://developers.facebook.com/docs/authentication/
If you need to authenticate your mobile app against Facebook, then follow the Client-side Flow (further down the page). If you also have a server, then use Server-side flow.
For server-side implementation see LeanEngine classes FacebookAuth and FacebookLoginServlet: https://github.com/leanengine/LeanEngine-Server/tree/master/lean-server-lib/src/main/java/com/leanengine/server/auth
On the client side you can use it via a WebView: https://github.com/leanengine/LeanEngine-Android/blob/master/lean-android-lib/src/main/java/com/leanengine/LoginDialog.java