I have an Android app that allows users to interact with a third-party service via their API. This API makes use of Basic Authentication, so I need the user's username and password for every API call. Ideally I don't want to store the user's credentials locally as this is very insecure. I don't know much about authentication but this is what I think my ideal solution would be:
The user provides their credentials to this service once for verification
Once verified, I send the user's credentials to a backend service to store them, which gives me an auth token. I store this token locally (is encryption important here?)
Whenever I want to make future calls to this service, I use this auth token to talk to the backend service, which provides me with the user's username/password for Basic Authentication to make API calls
Is this a good solution? If so, are there backend services in place that I can use to facilitate this process? I've looked at Firebase Authentication but I don't know if it fills my needs as I'm trying to store credentials for a third-party service, not specifically for my app. I've heard of Auth0 which may be what I'm looking for but appears to be overkill for a small app like mine.
You can easily use Firebase Auth and get all the functionality you need while keeping your users secure. It provides the features you need:
Firebase supports password authentication and properly stores hashed/salted password credentials according the industry standards. This would be one API to createUserWithEmailAndPassword or signInWithEmailAndPassword.
Firebase provides a mechanism to verify email addresses. It is also one API: user.sendEmailVerification()
On sign in, Firebase Auth returns an ID token (user.getIdToken()) which you can use to identify your users in all authenticated requests. They also provide an Admin SDK to parse and verify that token (auth.verifyIdToken(idToken)). A refresh token is also provided to continuously refresh ID tokens on expiration. This means the sessions are indefinite and the user should not need to sign in again on the device.
The ID token provides additional user data like email_verified which you can use to ensure the user is verified. The ID token is a JWT which can't be compromised without the Firebase Auth backend private key.
Related
I am trying to find a solution to the following:
Requirments
There is exists an app that allows users to add integration providers
These integration providers use oath 2.0 authorization to secure their data
The app needs the ability to have a backend job fetch data on-behalf of the user once per day
The data fetched is ingested and merged into a report that is compiled on the app for the user
Problem
User Delegated Access Token from Backend Job - I'm having trouble finding the solution that allows me to have a valid access token that is on behalf of the user without having to generate the access token from the app side
What I have tried
Refresh Token - I have tried the approach of using the refresh token to constantly get a new access token but this solution is fragile in the sense that there might be a situation that a new token is not generated in time or for some reason the user still needs to reauthenticate the connection to the provider
Automated Browser Flows - I have tried automating the user's authentication flow from the backend using saved credentials given in the app. This approach is just sketchy, costly, and would require a lot of work on the user agreement side ensuring that is being done on the backend has been consented by the user which essentially reinvents the wheel on user consent which the identity providers should have already been handling
We can use JWT for this. By doing it with JWT we'll create a token and save to the database and on every request it will decrypt the token and get the required data from the token.
Link- https://jwt.io/
Scenario:
I want to create an android app which uses username and password for authentication. I decided to use firebase custom auth for that purpose.
From my android app, I am calling a firebase cloud function to authenticate the user with the provided user credentials.
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
Source: https://firebase.google.com/docs/auth/admin/create-custom-tokens
I would like to make use of firebase firestore to store username and password and use it to create custom JWT for Firebase custom authentication in firebase cloud functions.
Question:
Should I store user credentials in firebase firestore and if yes, what is the secure way to do so. If no, how should I proceed further?
How to create JWT in firebase cloud functions if the credentials passed to the function match with the credentials in firestore.
Note:
I don't have a credential system or own a server.
If you've never created authentication systems before, I highly recommend finding an existing implementation of such an authentication system for your app. Using something that is made by folks that do this for a living, is much less likely to lead to future data leaks that would negatively affect the users of your app.
That said: if you're going to build your own system, you'll want to have a look at this example usename/auth provider in the functions-samples repo. It shows how to receive the data, how to call a backend system, and how to mint a custom token.
For some information on how to store username/password, see Best way to store password in database. Storing this information in Firestore is a common approach, and no better or worse than storing it in any other properly secured cloud-based database.
Using Firebase as DB for the app only.
I would like to use Firebase to store data that is global for all users. User authentication is not required to access those data.
So, all user's will be able to access same data. For example "news articles" are same for all users. Users don't need to authenticate to access the news.
How can I setup android application to access Firebase data securely for all users?
By "securely", I mean I don't want to bundle credentials to access the DB with the app. Otherwise, anybody can access the data and wipe it or corrupt it.
Based on quick investigation, I found there might be 2 ways:
Firebase REST API
Using Firebase REST API and service account token to access the Firebase data.
Firebase Auth
Use one of the auth schema. For example use email & password auth or custom auth with custom token.
I would assume both of them require me to bundle the secret password or token with the application.
Has anybody designed app with such use-case? Any pointers would be appreciated.
Firebase Authentication doesn't require any bundling of anything. Your users provide their own credentials. Google Play services on the device provides the security that only your app signed with your signing key may receive the token that authorizes the users to perform the actions on the data that you decide through security rules.
I’m implementing a Android app and that must contain a user login. To do this I create my own authenticator with the purpose of login only once. Then AccountManager can request access tokens, so the application is not handling passwords directly. The AccountManager stores the user account and the token.
I’m using JWT (Json Web Token) to authenticate the user in my REST API.
I wonder whether this flow is correct or there is a better approach to do this in Android.
Here is the flow I am currently using:
The user enter user and passwords in the login screen at first time.
I make a request to server to retrieve a valid token (JWT) that is stored in the Account Manager.
Subsequent requests use the received access token until it is expires (1 hour) to retrieve content from the API.
After the token is expired, it can be refreshed up to two weeks after issue time. From this moment, user credentials are needed to retrieve a new token.
Is this process the correct way to work with the token, and refreshing it? Is the process safe? Are there other options?
Considering this flow is not using a “refresh token” to generate a new one but the access token, what would be the best usage of the Android Account Manager? What other tools should I use? Is it recommended an Oauth2 implementation along JWT in order to implement a “refresh token”?
Cheers!
I can tell, you are on the right road of using JSON Web Tokens and reproducing it.
but the safety you mentioned is all about encrypting the token you retrieved and then saving it in Account Manager (also the same with user credentials) with some encryption method of your choice like AES or RSA and then decrypt if when you wish to use. Also using a server-generated secret key with a secret algorithm would kill the shot for any hacker.
As you understand everyone with a root access can get hands on the saved credentials database and use it.
Using these tricks will lower the need of using Oauth 2.0 which involves a refresh token.
hope it helps
Here is the idea:
There is an android application that will consume services that I will create using Spring. However, this services should have some sort of security, so only people logged in on my android app can consume such services.
On my android app, I will use Firebase to do the authentication, using email and password. So, there will be no need for me to configure any server to make this control. (Like Spring OAuth2)
The question is, once the user is logged on my app and wants to consume some service, for example GET LIST of something, that I will provide on the Server using Spring, how can I check if the user is logged on the app, so I can grant access to that service?
Your Android app will need to pass the user's token on to your app server, where you can then verify that the id token is valid and use the information in it.
See the Firebase documentation on verifying id tokens for full information, including this description:
If your Firebase client app communicates with a custom backend server, you might need to identify the currently signed-in user on that server. To do so securely, after a successful sign-in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. You can use the uid transmitted in this way to securely identify the currently signed-in user on your server.
Also note this first note in blue:
Note: Many use cases for verifying ID tokens on the server can be accomplished by using Security Rules for the Firebase Realtime Database and Firebase Storage. See if those solve your problem before verifying ID tokens yourself.
While it might not apply for your use-case, always keep it in mind since the most maintainable code is the code that you didn't have to write. :-)