I really want to know authentication about android..
I want to know about 2 case authentication (just android application login, android application login and web application login)
just android application
When i signed in sns like facebook or twitter, I got token and send it to server.
app and web
What if already have ID with sns in web application, what should i do?
Application sign in and got token. And next, send token to server and authenticate in server?
A lot of applications use token based authentication, where server is separated from the whole application, which e.g. allows to use one restful api for many services like mobile app and web app.
Basically it works this way, that first user sends his login and password through secured connection to your server, and then the server generates a token that allows user to get certain data from that server. Those tokens are made to expire after some time (for security reasons). You can read more about token based authentication, tokens, refresh tokens, json web token and similar things.
Here you have similar question on this topic, on stack overflow:
How do popular apps authenticate user requests from their mobile app to their server?
And here you have an overview of other types of authentication:
https://blog.risingstack.com/web-authentication-methods-explained/
Related
I have the following situation:
I have an app that will be using a subscription based payment system via the app or play store. I want to avoid implementing my own account system and verify the users via the Apple-ID or what the equivalent is on Android side, using Apple/Google Sign-in if this is possible.
The problem is that the app will have to communicate with a server every week, so that means the requests to the server need to be authenticated, that this is coming from a client (smartphone/tablet) that has an active subscription going. How do i do this the best way?
If i understand correctly then using Apple Sign-in you will get a token. Should i send this token to the server, where the server then communicates with the App Store API to verify the token on every request? Is this completely equivalent on the Android/Play store side? Or should i verify the token once on the first request, then generate my own token and send it to the client so for the rest of the session it can authenticate using that token to avoid having to go to a third party system on every call. But how do i store this self-generated token? As it needs to be linked to something on the client. Am i legally allowed to store Apple-IDs on a server?
We're building mobile apps (iOS and Android) that require a REST API backend and integration with Facebook for authentication.
I'm still confused on what is the best architecture design for this kind of use case.
Main Question: Who is responsible for authenticating/authorizing with Facebook, client or server?
Option A: Client authenticates to FB. Client sends requests using the token it received from Facebook. Server uses that token to identify the user.
Option B: Server authenticates to FB in behalf of the client.
Additional notes (may be relevant or not):
I'm developing the REST API part using Django.
The app will need access to the user's Facebook friends so we can invite them to use the app.
You should go with option A.
Authenticate with the client. Then you will receive an access token.
Send this token to the server.
Now you can create a user, fetch FB friends, and all other you might need.
If you are using django-rest-framework, you should have a look at the django-rest-auth package. It handles user login/creation on the server side using the access token.
https://django-rest-auth.readthedocs.org/en/latest/installation.html#social-authentication-optional
You can take a look at the Facebook SDK for Python, it should tell you how to incorporate it into your app and it shows how to integrate with a few frameworks here (Flask being similar to django for this).
Facebook will be doing the authentication on their side, not you, though you may want to store the user's token in a database.
I'm making an Android app that authenticates users via the Facebook SDK. However I also need to authenticate to a remote server in order to pull in new data for this user.
What's the best way to do this?
Should I send the Facebook token to the remote server, then on the server use this to verify it's a valid token for this user and thus confirm the user's identity?
Should I do the previous, but generate and send back my own token for the user to use in the future?
If I later add Google authentication would something like this also work?
Thanks!
IMO, the best way would be
Authenticate user to Facebook from Android application
Get the FB auth token to the android app
Forward the authentication token & facebook UID from Android to web server
On web server, make Facebook API call with the submitted token, to verify the user
I am creating an app and want to use the google accounts on the Android phone to get the user's email, name and possibly phone number. How can I securely communicate with a rails server? I could send the auth token but my understanding is that it changes often. I plan on making a private API token for very basic auth but I need a user specific authentication as well. I thought about using an email hash and sending that but there has to be a better solution.
Normally what I would do if the account logins were on the server is login and send a token back and check that token to the database every request but can't do that since I login on the client side.
What would be my best bet to implement something where I log in on the android side but store info on the server?
This is my answer... Uses Google Play API to get a token and verify on server/client side.
http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
I'm developing a webapp+android app that has its own registration flow - simple authentication using email and password.
I easily integrated the facebook login from the website, following the second scheme in this page.
Now, I need to 1-click authenticate the Android application with facebook. The main point is that, after the Android app is authenticated, i need to send from my server some specific cookies that are needed for permissions checks when the user wants to do some operations.
The problem is that I cannot authenticate through the facebook token: from what i see, the token would work even if it was taken from another application, so I cant send private data trusting only the fb token (even if it was sent by SSL), since it could be another app pretending it's the user.
Is there any registration flow similar to the one above for authenticating android apps?
Or there is any advice to overcome this issue?
Ok, facebook has fixed this by deprecating the offline_token and providing a longer access token from the client. This Token can be validated server side against my app id and app secret with this new endpoint:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
so I can be sure about the user identity.