I am using Rails 5 application as a backend for my Android app. On my rails, I am using Devise to authenticate users and I have implemented the JWT gem with rack-cors to pass token https://www.youtube.com/watch?v=EF5Cm2jZHk0.
I am struggling with my Android app and I am not able to authenticate users. I am using Retrofit2 with Android and I have passed credentials with the header but I am getting the response code 401 (Not Authorized).
I am open for any kind of suggestions that can lead me to solve this problem.
Okay, this appears to be a really old question, but will answer anyway, for the sake of someone who will come across the same issue, if a model has device installed on it,then we can access a particular object and have the method valid_password?
For example user = User.find_by_email("doe#example.com"), to find if the password is right, then we use user.valid_password?("password"), this will return true if it's the password for that user.
Related
I am working on the mobile application for android which is written in Android Studio in Java language. I would like to implement Facebook authentication firstly and then Google and I will see which else.
A lot of backout action will be carry out by backend server. I spent a lot of time to figure out the solution but I didn’t find the response which straight explant me how should I proceed with facebook Authentication and tokens.
I have already implemented facebook API (https://developers.facebook.com/docs/android ) in my mobile application. I can get access token and so on. After that I stuck and could you tell me is there any way to connect this access token which I have got on my phone which backend server? Or should start everything from the beginning and Manually Build a Login Flow?
Second question. Could you tell me if what is correct and the easiest way to connect Mobile App, Backend Server and Facebook authentication?
I would like to have something like that I know that comparing access token is not acceptable but can you tell me how to do it?
Facebook API with application server
Make a Login flow as below
Send token-to-inspect(access token), user facebookID and remaining user data to your server
On server side check the response for access_token from the Step 1
https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app_id}|{app_secret}
Note that a sign "|" in the above URL isn't used as OR but as a separator and must be there after filling the other fields.
Also don't send app_id, app_secret from the app, keep them on the server side only.
If in response you get the same user_id, is_valid, application then it is a valid user else not.
After verifying in Step 3 give user your own auth_token for accessing app resources
Also, check out Firebase Authentication and Firebase ADMIN to make this flow safe/secure and developer friendly.
Hope this helps
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I'm currently designing a service that will be half web app, half android app. Each user will need to be able to log in from either the android app or the web app, using an openID account. I'm hoping to target Google first for easiest integration with Android, but I'll also need some OAuth stuff later so that I can integrate with Google contacts.
The bit I'm having trouble with is how to authenticate users. The structure I've planned is that the server (probably using web.py, although that's flexible right now) serves data for the client in JSON, whether the client is the javascript browser client or the android client. However, each call needs to make sure the client is allowed access to that data.
What would be the easiest way to standardise this across the platforms?
Should I be using a session system to authenticate after logging in? Can that be made to work from an Android app? Otherwise, should I simply authenticate with google for every request?
When authenticating from the app, where should the authentication happen, through the server or straight from the app? Where should the auth token be stored in this case? (I'm assuming for a straight webapp the token should just be stored in a table in the user database?)
Sorry for the barrage of questions, but I haven't really found any resources online that clarify these issues very well.
As long as you are using HTTP, the platform doesn't matter. You can use the same form of authentication and/or sessions. The only difference would be that on Andorid you might be able to get an authentication token using the platform's AccountManager, without having to type the username and password in Google's login page.
There's a subtle difference between Authorization (OAuth) and Authentication (OpenId). Make sure you know what you are doing.
I'm trying to determine if there is a specific method of authentication one should use besides the traditional basic HTTP auth that is offered with the Sorcery gem given the fact I would want to authenticate users on a variety of mobile platforms (Android, iOS, WP7 etc.)?
Thanks in advance.
EDIT
What I have decided to do for the time being is as follows:
Login user with Sorcery's :http_basic_auth to the web service
If the login was successful generate a time based token and an expiration time for the token
Pass the token back to the client
Client (Android, iOS, WP7 etc.) passes the token to the service with each request.
Web service then uses the auto_login Sorcery method to authenticate the user and then passes the resource back to the client
Also for extra security and due to the fact it's an ecommerce site it will be running over SSL. I will eventually plan to implement some kind of OTP/OAuth method but will do that after testing. I hope this helps anyone else looking for simple Rails mobile authentication. Thanks for the help.
Even if you don't use one of the sorcery's modules, know that you can always implement your own auth strategy and log your user with the auto_login(user) method. So you're free to implement token-based auth which I think would be the basic way for an API to communicate with your application.
I have a rails app (rails3) that uses sessions for users to navigate upon login. I am trying to create an android app for this rails server and trying to figure out what is the best way for handling login is.
From what I've found so far, there are two possible ways:
1. Get sessions from rails server and setCookie on android side upon login
2. Use OAuth.
Which would you recommend?
At this point, I am unsure of how to manage sessions when using OAuth, that's why I am asking the question. Thanks
I encounter this problem last time as well. As we need to allow logged in user in the android to be able to query the rails server for some data. Initially we thought about sending password/username from android and then set the session and cookies in rails server, then send back the info. Android then use this cookies to determine if the user is successfully login. However, in the end we didn't do this, as the cookie information maybe hard to manage in mobile device. In the end we create a separate protection scheme for the rails server, if the android send user/password, rails server would validate, if sucessfully, we will insert a encrypted token into the database that contains user name and token. For subsequent request, the android device must send token to rails server, if the token is valid and can be found in db, the validation passed,and we will return data.
Good thing about this is it is easier to manage users. E.g. you can easily manage how many concurrent loggin you allow for the user. Or even better if needed, you can kick out some users without touching the android apps. Not quite sure if this fits your questions. Just to share.