I started using firebase auth with google and while that works I'm unsure how I can transfer a user's identity to a server call. For example
User authenticates in my Android app. I know they are xyz#gmail.com
Now I need to make a call to the server (not firebase/app engine) and the server needs to know this is user xyz#gmail without reauthenticating. I thought I'd send the auth-token and then I could verify it on the server with same id/secret, but the auth-token that I get back from IdpResponse does not work.
Any ideas on the recommended solution for this situation? Thanks
This is well documented on firebase
https://firebase.google.com/docs/auth/admin/verify-id-tokens
Works beautifully. I'm still not sure why the auth token doesn't work with the google oauth client.
Related
I am working on the mobile application for android which is written in Android Studio in Java language. I would like to implement Facebook authentication firstly and then Google and I will see which else.
A lot of backout action will be carry out by backend server. I spent a lot of time to figure out the solution but I didn’t find the response which straight explant me how should I proceed with facebook Authentication and tokens.
I have already implemented facebook API (https://developers.facebook.com/docs/android ) in my mobile application. I can get access token and so on. After that I stuck and could you tell me is there any way to connect this access token which I have got on my phone which backend server? Or should start everything from the beginning and Manually Build a Login Flow?
Second question. Could you tell me if what is correct and the easiest way to connect Mobile App, Backend Server and Facebook authentication?
I would like to have something like that I know that comparing access token is not acceptable but can you tell me how to do it?
Facebook API with application server
Make a Login flow as below
Send token-to-inspect(access token), user facebookID and remaining user data to your server
On server side check the response for access_token from the Step 1
https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app_id}|{app_secret}
Note that a sign "|" in the above URL isn't used as OR but as a separator and must be there after filling the other fields.
Also don't send app_id, app_secret from the app, keep them on the server side only.
If in response you get the same user_id, is_valid, application then it is a valid user else not.
After verifying in Step 3 give user your own auth_token for accessing app resources
Also, check out Firebase Authentication and Firebase ADMIN to make this flow safe/secure and developer friendly.
Hope this helps
I am getting into Android development for the first time and am having a blast, of course. I do have a question, though, about the general approach to authentication (for dealing with a backend).
To begin, here is, in a nut shell, what I have worked out.
Using google's documentation (link), I authenticate the user using the google sign in api. I have put the logic mentioned in the reference in my app's main activity. After the onConnected method fires, I have a successfully connected GoogleApiClient.
With the now connected GoogleApiClient, I use a call to GoogleAuthUtil.getToken to get an oath2 token that I use to authenticate requests to my backend. Basically, any time I make an HTTP request to my backend, I include this token as a header. My backend reads this token and uses the Python API google provides for verifying this token. In the backend, I use the email that is embedded in the (now parsed) token to make sure the user to whom that oauth2 token was issued is, in fact, a user of my system.
Now, here are the questions. First, does this sound like a reasonable approach to authentication on the Android platform? What might I be missing? What could go wrong?
The second question is a bit more direct. When I get the oauth2 token from the client app, I store it and use the same token each time an HTTP request to a secured resource is made. Eventually, of course, the token will expire. From some limited testing using the Android emulator, it seems that if I shut down the application and restart it, I am getting the same, expired token back using the GoogleAuthUtil.getToken, rather than getting a fresh token with a new expiration in the future. In my tests, I have had to restart the emulator in order to get a token with a correct expiry. Am I mistaken here? Is there something special I need to do to tell the Google API to issue me a new token? Do I need to disconnect the GoogleApiClient and reconnect it? I hope to avoid doing this in order to limit the number of activities that need to carry the callbacks required to complete this process.
Any words of wisdom here will be greatly appreciated!
after you have got your token you can use Validate Token, and if it responses with an error: 'invalid_token', you can use GoogleAuth.clearToken(Context context, String token) to clear the token and get a new token with the method you are using to get auth token.
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I have android app comunicating with api on remote server. I want to make user authentication via google account. I know there's many pages/questions about this topic, but I kind of couldn't figured out which method I need to use.
What I want is, when user registers with his google account, his account will be authenticated and then I want Google to generate some auth token, which is specific for the app and users account. This token should never change, because it should be used on api server to authenticate user.
Do I need to link my app somehow to Google AppEngine or is there any simple solution which I'm not seeing? Or is this method of authenticating completly wrong?
You might be a bit wrong. Cause No one (Not even the Google apps on android) ever get a non expiring token. You Need to save the refresh token and the current token. and after every hour you need to refresh the token using refresh token. And you are good to go (If I have understood your question :P). I would suggest if you already own a server better host the back-end there else GAE works just fine. I hope it helps :)
I'm trying Google Plus sign-in in an Android app (with backend support).
I could get access token and email from the user, but know I don't know how should I recognise this user from the server. I'm sending this to the server (email and oauth token) with a POST throught SSL
Of course I could recognise them with their email, but that would open the doors for everyone how knows another email that's on the database.
How could I verify that the user's correctly authenticated and has sent me the correct oauth token for this email?
Thanks!
Two thoughts:
1) Generally, you shouldn't be sending the auth token over the wire if you can help it. Instead you should be using a hybrid flow where the client gets a one time code when it authenticates, passes you this one time code, and you can redeem this for an auth token and a refresh token. Using this method, your server also has offline access on behalf of the user. See https://developers.google.com/+/web/signin/server-side-flow for details. However, I'm not entirely sure how this works with the Android library.
2) Regardless of (1), generally what you can do is to use the plus.people.get method on the server with the userID of "me" to get the user's userID and verify this against what you're expecting. See https://developers.google.com/+/api/latest/people/get for more details.
Yours is a perfect case to use the Authorization code flow.
See this link. It has some workflow diagrams that you might want to see. In your case the user should authenticate and receive an authorization code (and not a token!).
He would then send the authorization code to your server, you can exchange this code for access + refresh tokens. Have your client registered for the scope and have the client credentials.
The access token flow (called the implicit grant flow) is generally used when requests need to be sent directly from the user's browser.
And, as #Prisoner already mentioned, you will have offline access too. That would be a much better design.
EDIT - you might also want to take a look at What is the difference between the 2 workflows? When to use Authorization Code flow?