I am trying to make an android app to get my VSO items.
I am following the documentation here for the OAuth flow https://www.visualstudio.com/en-us/docs/integrate/get-started/auth/oauth
The authorisation and authentication calls require a redirect_uri to be passed in the POST requests. What would be that value for an Android app?
The URL must be secured as per VSTS guidelenes.
Based on Authorize access to REST APIs with OAuth 2.0 article:
Q: Can I use OAuth with my phone app? A: No. Right now, Visual Studio
Team Services only support the web server flow, so there's no
supported way to implement OAuth for Visual Studio Team Services from
an app like a phone app, since there's no way to securely store the
app secret.
The workaround is that you can build a web app, then send the request to that web app from your Android app to retrieve necessary data.
Update:
If you can use Personal Access Token or Alternate authentication credentials, you can use it on your android app directly. (Can't access account and profile information)
Related
I have both mobile apps (android/ios) and a website that needs to sign in using linkedin.
On the website, using OAuth is working ok, so no issues there.
The issue I'm having is related to "Sign In" using the mobile SDK, because I need to send an access token to my website server in order to identify that the user is connected and authorized via linkedin.
According to the documentation ( https://developer.linkedin.com/docs/android-sdk-auth )
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the Mobile SDK > are only useable with the Mobile SDK, and cannot be used to make server-side
REST API calls.
Similarly, access tokens that you already have stored from your users that
authenticated using a server-side REST API call will not work with the Mobile
SDK.
So I see no way of using both solutions (web and integrated) in this scenario. If I use a WebView on mobile to connect to the app and sync with my website server, the user experience is not very nice (the webview does not sync cookies, the user has to authenticate in a strange way and does not take advantage of having the LinkedIn app installed on the mobile.
Anyone knows how to solve such a scenario? Thanks!
Yes. It's ok.
Authenticating with the Mobile SDK for iOS
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the
Mobile SDK are only usable with the Mobile SDK, and cannot be used to
make server-side REST API calls. Similarly, access tokens that you
already have stored from your users that authenticated using a
server-side REST API call will not work with the Mobile SDK.
Presently, there is no mechanism available to exchange them. If you require tokens that can be used in both the mobile and server-side
environment, you will need to implement a traditional OAuth 2.0
solution within your iOS environment to acquire tokens that can be
leveraged in both situations.
I'm currently working on an application that has web version (Play! Framework 2.2.x) and Android Client. Due to the fact that Play! is fully RESTful I want to communicate between Play! and Android with JSON requests and responses. Web version of the application is using Play Authenticate plugin which supports authentication and authorization. I would like to know how to enable login in Android Client that would use Play! app and how to secure the communication between Play! app and Android Client.
After not getting a reply for my question I figured out the following solution. Each user has it's own name and password and a token. This token is being set during registration and gets updated every two days. I save username and token inside shared preferences in android application and authenticate each request from client with those two fields. Since it was a student project I thought it might be a good choice, but the production product should have better security.
I'm currently developing a web application with Spring Social and Spring Security. In the web application, specific users can signin on Facebook with ProviderSignInController. When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too. This concept is adapted from the spring-social-showcase. Spring Social then enables authenticated users to create Events, which are also created on a facebook page.
Now i want to write a android app which enables users to post to my guestbook and view/create events via my web application. My question now is how to realize the signin from my andoid app. On my web application, a UsersConnectionRepository maps facebook accounts to local accounts. Can i simply reuse this data and signin from my android app in the exact same way as from the web application?
ProviderSignInController adds a path mapping for http://_webapp_/signin/facebook which redirects to a facebook signin page. Can this simply be done with a WebView on android?
Looking on the spring-android-facebook-client im confused. This example seems to manually manage the OAuth authentication. But i havent figured out yet, whether this is the way to go or just another possibility to implement it, when there is no other web application in the background that already manages the authentication.
Any feedback is welcome. Thanks.
Jeyp
Now i want to write a android app which enables users to post to my
guestbook and view/create events via my web application.
The Android client will need a method to sign in to your web application in order to post to a secured RESTful endpoint, and OAuth is a good method for doing this. Spring Security OAuth is an extension of Spring Security that can allow third party mobile or web clients to interact with your web site.
Once you have an OAuth server configured, you can create a custom provider using Spring Social within your Android client to establish an OAuth connection to your web site. Your users will authenticate to your web site with their local credentials in this case. Once connected, your Android app can then post events to RESTful endpoints within your web site, again using your custom Spring Social API bindings.
In this scenario, your users do not authenticate to Facebook from the Android application. This assumes they have already established an account and a connection to Facebook on your web site. And in fact, this is how the SpringSource Greenhouse reference application works.
This brings us back to a previous part of your question:
When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too.
If I understand correctly, you are asking to authorize your Android client to access your third-party web site, with Facebook credentials. While this is certainly possible, it is not currently supported through Spring Social and Spring for Android.
Another option is to consider a mobile version of your web site. That way Android and other mobile devices can then simply sign in to your site just like from a normal browser, using their Facebook credentials. The UI would be more appropriate for mobile devices, and it would eliminate the extra complexity of an additional OAuth server/client configuration.
And finally, to address the last part of your question. This is really a separate issue from the previous parts:
This example seems to manually manage the OAuth authentication.
The primary issue is that Spring Social does not yet support Resource Owner Credentials Grant (ROCG). The addition of this feature would simplify the process of obtaining an access token for Facebook on Android, because you would not have to deal with a browser redirection. See this Spring Social issue for more information.
Because of the lack of ROCG, the Spring for Android sample app is illustrating one method for obtaining the access token using Spring Social. In this case, it is a modified version of the client-side authentication flow. For reference, Facebook has a helpful page describing all the available authentication methods. The webview redirects to a url after successful authentication, at which point the app is able to retrieve the access token from this url.
SpringSource is discussing how to simplify authentication and improve this part of the integration between Spring Social and Spring for Android in future releases.
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using Google account info of the user. The server needs to retrieve the user's basic info and create an account . That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using Oauth2 and retrieve basic user info using Google account info of the user. I can do this as well.
This is where I need help Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials.
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0, doesn’t matter in this, leads to the app obtaining an access token - then based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs, see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your way to do so (like sending a HTTP header Authorization: OAuth access_token=abcdefgh….
I'm currently trying to write a task manager in android which syncs with google tasks. The app uses google client API along with AccountManager to communicate with google servers. It works under android. However, I want to run it under android player on Blackberry playbook. Although the .apk file converts to a blackberry application, it seems that AccountManager does not work under playbook android player as it is not tied to a google account. I'm finding it difficult to communicate with the google servers without the account manager. I've tried adding an account manually to the AccountManager but it also throws a security exception. I'm curious if there is any other way to log into google services given an username and password (along with the API key for access)? Thanks
The AccountManager and the Google Play Services that both allow you to go through an OAuth 2.0 authorization flow with a native experience on Android (for Google APIs only) are only available on Google Experience devices. The Android Emulator of the Blackberry Playbook is likely not a Google Experience environment.
So in that case the best way is to implement an OAuth 2.0 flow by using a WebView. This is also the technique you need to use for non-Google APIs (Facebook, Microsoft, Salesforce, Dailymotion, ...)
Basically you will have to send your new users to a special URL in a WebView where Google (or the other OAuth 2 provider) will ask them to grand you access to the APIs requested. Then you will need to extract the auth code from the URL or from the content of the page once it has been generated and returned by Google auth servers. The last step is to exchange that auth code for a refresh and an access token.
You need to read and understand how OAuth 2.0 authorization flow works for Installed application: https://developers.google.com/accounts/docs/OAuth2#installed
The step by step process to do OAuth 2.0 with a WebView on Android is as follow:
Redirect Users to the grant screen URL in an embeded WebView
Use http://localhost as the redirect URI
Register a WebViewClient with an onPageStarted method to intercept page changes
Detect successful/failed authorization by detecting redirects to http://localhost and read the auth code from the URL of the WebView
Finish the OAuth 2 flow by exchanging the auth code for tokens and save these tokens in local database for further use
You can find an open-source sample that does this on Onavo's GitHub.