I'm lost on this one. The problem is simple: what is the correct, recommended way in Android of logging in a Google user, as a page that they own (e.g. they first login and they are presented with what page they wish to authenticate as, to the app)?
The web solution is straightforward - Google's /oauth endpoint automatically redirects to a delegation page into which you choose your main account or the page you wish to continue as. The next page will have a pageId=... extra argument in the URL. As such, your authorization is linked to that specific page, not to the main account.
With Android, I'm completely lost. Every possible official guide out there is either deprecated, un-recommended, or just simply, blantly ignores this simple use-case and only works with getting an OAuth token for the main account, without even a word given to help for the case of users that own pages which can be used as their own identity under the user's account.
What I'm doing now (at the high level), using Google Play Services:
Start an activity intent via AccountPicker.newChooseAccountIntent
User selects an account on device.
Calling GoogleAuthUtil.getToken to get an OAuth token - this triggers the basic OAuth flow which asks the user to authorize the app - NO ACCOUNT SELECTION at this step, like the web flow does!
What I looked at:
Google HTTP Api Client - this one recommends to use Android's AccountManager and never use a "custom" solution to save any refresh tokens, etc. Completely useless for the use-case.
Google Sign-In - this one seems to require a server end-point (wtf?). I tried using it and adding in the OAuth scopes I'm interested in, it didn't even work. I'm not interested in the user's email, and this API seems to be oriented for signing users up rather than authenticating as a Google one.
Other apps I looked at seem to just open a WebView and force the user to login in that, which triggers the normal web flow, with account/page selection after login. I really don't like this since it requires a separate login.
Is there an official stand on this issue and I'm not seeing it?
Related
We currently have an Alexa app that lets users ask for details about upcoming events, now the company wants to implement the same thing for Google's assistant. It seems like this is supported through "Actions On Google", which is very similar to Alexa.
One thing Alexa allowed us to do that I cant figure out with Google is setup a login screen. When a user first accessed the app via voice command, it would take them to an authentication page. We used this to tie an Amazon user to our internal records so that we could identify their specific information when they made a request. It was also used for authentication and authorization.
I dont see how to do that with Google. I assume that you can, but I havent been able to find it. Is there a way to set up a login screen so that when someone says "Hey (Agent), tell me about my day tomorrow", I can confirm who the person is to look up their information?
Yup, you're looking for Account Linking.
The term comes from linking the account they log into with your service to the account that Google uses to track them. You'll need to implement a basic OAuth server, including the page where they log into your service when they're directed there from the Assistant, and a way to issue authentication tokens to the Assistant. When requests come in from a user with a linked account, you'll get the tokens from the user, and you can use this to identify who the request came from.
Google's decision to disallow oauth via webview is causing me huge amounts of trouble. It's been a long and difficult process migrating to an alternative (I'm using the suggested AppAuth library at the moment) and I'm getting user complaints about not being able to link accounts without also adding them to chrome/their device (which as far as I can tell is now impossible without somehow forcing a private browsing session). My latest problem involves google oauth to sign into another service. Here's the scenario:
A user wants to link a 3rd party service to my application. Their account on the third party service is linked to a google account. To auth with this third party service, they must sign into their google account. The problem is that the 3rd party service only allows http:// scheme redirect URI's for their oauth, so the flow looks something like this:
User is in my app on their android device
User clicks a button to link their thirdparty account with my app
Using the appauth library, I launch a browser or custom tab with the oauth URL's for the 3rd party, let's just call it http://thirdparty.com/oauth
From that page, the user clicks a "sign in to google" button, which triggers the google oauth flow, which they then follow to provide their google account token to thirdparty
User approves access to my app with thirdparty now that thirdparty has validated their google account
thirdparty redirects to the registered redirect_uri which is then opened in the browser tab instead of redirecting back to my application.
The problem is step 6 here. Because I am required to register an http:// scheme redirect URI, the browser tab attempts to load the webpage directly, even if I have registered my app to handle that particular url. Now if it wasn't required for users to be able to sign in with google, I could easily just do this whole flow in a webview and manually trap the redirect, grabbing the token, but because thirdparty allows users to link their google account, I can't use a webview because google will block users from performing google auth in a webview, so I am forced to pass off to an app or browser tab that I don't have control over and am dependent on that behaving properly (which it often doesn't)
I did plenty of searching and it looks like App Links would solve my problem by registering my app as the primary handler for a link, but that only works in Android 6.0+, which is higher than my device minimum, so I'm at a loss as to what I'm supposed to do here.
My constraints are:
oauth redirect must be an HTTP scheme (required by thirdparty)
I cannot auth in a webview (required by google)
I need my auth redirect to launch my application in order to collect the token
I need the solution to work for all devices on android 5.0+
I have not found a single solution to this problem through hours of searching, and I have found no way to get in touch with the google oauth team to learn what their suggestions are.
Has anyone found a way to do have an http:// link launch an application without prompting the user and without requiring android 6.0?
If you have control over the redirect URI, you can set your application to listen for it using a custom Intent Handler. This is essentially a form of Deep Linking, and should work with Android 5+, (in 6 you can even set your app as the default!).
For the data, you will most likely need to use the URI itself. But that shouldn't be too hard assuming you have control of the re-direct.
I tried following urls and all work:
https://www.facebook.com/dialog/oauth?client_id=%s&redirect_uri=%s&display=popup&scope=%s
https://www.facebook.com/dialog/oauth?client_id=%s&redirect_uri=%s&scope=%s
https://www.facebook.com/v2.5/dialog/oauth?client_id=%s&redirect_uri=%s&scope=%s
All 3 work, the first two ones return simple token results and the last one a json result with the token in it. I just use a webview and let the user login to facebook via the webview. All works fine and my app get's access to all data in the requested scopes.
Problem
The required scopes (permissions) are not shown to the user, the user just sees a login window and if he logs in in my app, my app get's a valid token. That's it. This way facebook does not approve my app. I think, the correct login flow should be handled by facebook and if I call the oauth login urls facebook should redirect correctly and only return the token after they have asked the user if he wants to allow the required permissions.
So what am I doing wrong? Why are the permissions are not shown to the user before facebook returns the valid token?
EDIT:
Requirements: NO SDK, because I want to use a common OAuth2 flow for many social networks and cloud services, so I don't want to add the sdk for every single service...
Code
I just call the above urls and follow the redirects until I get a correct answer with an access token, that's it.
RFC 6749 requires scopes be separated by spaces, but Facebook's implementation requires scopes be separated by commas. This violation may be the root cause.
I am developing an Application with a google appengine backend where I want the user to be able to login.
It should be possible to login with Facebook, Google+ and my own login(for those users who don't have any fb or google account). Also it should be possible that when the user starts the app he shouldn't need to log in again if he didn't logged out before. So a valid token is requested somehow.
I already implemented the facebook login which uses sessions and a helper that handles all that stuff.
Thats all fine. But what I couldn't really figure out yet is what would be a right way to implement my own login. Is it right that this can be done with the Android AccountManager and Oauth2.0? If yes I don't really know how to combine that with the facebook login because that uses it's own facebook token. Would I need to handle two tokens then for a user that logs in with facebook and calls authanticated requests?
There are so many apps who have those three possibilities are they all using their own selfmade login procedure for the own app login, or is this done somehow with the AccountManager or something else in general?
Can somebody explain this to me or point me in the right direction or just give a little overview because I am just confused right now with all this.
My android app is designed to fetch calendars and events from Google. I downloaded Google API v3 and followed the example from official tutorial. In the tutorial, it uses Account Manager to do authorisation for android, which means user can directly pickup an account already set on android device to get authorisation done.
startActivityForResult(CalendarHelper.getInstance().credential.newChooseAccountIntent(), REQUEST_ACCOUNT_PICKER);
The code runs good, but I don't want authorisation this way. I prefer the way that start a webview and open an url which lead user to a login page, after he login and accept the permissions, the taken will be returned to access calendar data, just like the Google API in iOS.
I understand the workflow of OAuth 2.0, but I can't find any sample code on android to do authorisation the way I described above.
Can any one help?
You could try adding approval_prompt=force in your HTTP request that you make while looking for access tokens. This parameter ensures that the user has to log in/provide credentials every time the app is run.
Quoting from Google's documentation.
"If the value is force, then the user sees a consent page even if they
have previously given consent to your application for a given set of
scopes."