Actually we have created the backend module for our android app in Google cloud module.
We also did the validation for authenticating users in backend module(Google cloud module) following the below reference,
And also we picked the authentication option as Google Apps domain. And also we did the below configuration in console.cloud.google.com,
(Google app engine->Setting->Authentication->Google apps domain->mycompany.com)
We followed the below reference for client application(android app) to make API call,
[https://cloud.google.com/appengine/docs/java/endpoints/calling-from-android].
Now we are expecting like the login success will happen only the registered Google apps domain users (Ex: user#mycompany.com). But all the google account users getting success login.
So kindly provide you advice to make the expected workflow.
If the invocation of the service EndPoint you realize it from the web , you can use https://cloud.google.com/appengine/docs/java/users/ otherwise check authentication control endpoint.
Related
I am trying to add the "Microsoft" sign in method to my Firebase project, with the hope of allowing users to login to my Android app using their Azure AD credentials. I already have everything set up to use the "Email/Password" provider, which is working well.
I don't plan on accessing any Azure APIs, I just need to authenticate a given user so that when an organization terminates said users account, he is no longer able to login to my app.
I am following https://firebase.google.com/docs/auth/android/microsoft-oauth this guide. I have registered an app on my Azure AD, set it to allow accounts from any organization as well as personal accounts, and added the client ID and secret to my Firebase project. I have also added the redirect url from the Firebase project to the App registration on Azure.
I start the login process using startActivityForSignInWithProvider like in the example. The chrome tab loads and takes me through the entire authentication process. The problem is this always returns a failure with the exception Error: (invalid_client) AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented'
This is confusing, since, in order to enable this sign-in provider on Firebase, you are required to enter the client ID and client secret.
I've tried with the app registration setting "Treat application as public client" set to Yes and No. I've also tried with a blank scopes collection and adding 'openId' to the scopes as a stab in the dark.
I'm a bit out of my depth with this Microsoft Authentication stuff, so any nudge in the right direction would be greatly appreciated.
Register the app in Azure as web app instead of Native App. Because the URL provided by Firebase is for Web App. Hope this helps.
I have an android app which communicates with Google cloud api services like speech to text, translation, NLP etc. The application is using a service account to do this and the private key file is stored in the application itself. I understand that is a bad practice as anyone can see it using dissembler but I am not sure where else to store it for an android device.
The following post suggests to store this file on a build server:
https://brightinventions.pl/blog/securing-your-google-service-account-key-in-builds/
However, I think that it does not fix the issue as the service credential file is getting included in the publish package.
Please let me know if you can think of a solution.
Do not embed service account credentials in applications. Service Account credentials have a permanent lifetime which means you will be breached. You can delete service account credentials, but then you will have to re-release your application.
You have several options:
Implement Google OAuth so that your users authenticate with Google Accounts. When authenticating use the correct Google OAuth Scopes to provide temporary permissions.
Implement temporary access tokens. Your users will connect to your website, authenticate and your code will give them a temporary access token created from service account credentials. This access token will expire. The default is 3600 seconds but you can control this.
You users will make all requests thru your website API's. You control authentication of the users. Your website code then makes the API requests on behalf of the users. This is not an ideal solution as all traffic goes thru your website (Compute Engine, App Engine, etc.) and you will pay for that bandwidth.
I have a web application that is written on Python / Google Appengine / WebApp2 framework. The web application has native (custom) authentication. The userid / password is managed by the application (and it does not use Google Accounts).
The web application needs to be extended to Mobile clients as well. So I am developing a native Android Client application and trying to integrate with Google Appengine.
For authentication from the Android Client to the Google app engine, I am trying to keep it very simple by using Google Cloud Endpoints. Can you please suggest if my approach below is correct ?
Generate a white list of client IDs using the Google app engine console (for Android, Web and eventually IOS).
Create a Google Cloud Endpoint backend Api (in Python) with the white list of clients(Web, android and IOS) as suggested here – https://cloud.google.com/appengine/docs/python/endpoints/getstarted/backend/
Create a backend library.
Import the library to the Android Client
My expectation after the above are as follows –
End users using the Google Cloud Endpoints Api (from Android Client) will authenticate the android client with Google App engine.
As part of this secure authentication of the Client-GAE, I can then pass the user login-id as a parameter of the API calls and get data / post data for that particular userid.
I am storing the userid (not the password) for the end-user using local storage in the mobile client.
Can you please suggest if my approach above is correct? I purposefully would like to avoid using Google Accounts based authentication from Android Client to the GAE.
In order to get an App Engine user instance injected into your API method by Google Cloud Endpoints, you do need to be using a Google account in the Android app. The service builder in your Android code takes a GoogleAccountCredential.
You can still support your own userid and password, but you can't leverage the user injection if you do.
[EDIT]
If you're not going to use Google Accounts in the Android app, forget the SHA1 and API key. You're going to have to roll your own auth. It's up to you how you do this, but you might start your session with an API call that takes a username and password and returns a token. All other API calls might take that token and check it for validity before returning a result, for example.
I want implement login with google account in my Android app. with an App Engine backend.
I've found this post explaining the Android side: http://devblog.consileon.pl/2014/01/14/Android-authentication-against-Google-App-Engine/
but I have some questions:
Is this method safe or is it deprecated (I initially read this article: http://blog.notdot.net/2010/05/Authenticating-against-App-Engine-from-an-Android-app saying that it uses ClientLogin for installed apps which is deprecated)
In the article it's specified that App engine settings should have Google Accounts API activated, but I need to have Federated Login because i have clients that use their yahoo address (and android's AccountManager does not provide an authToken when selecting a yahoo account). Will this method work if i have Federated Login active ? (will it work with google accounts or google apps accounts?)
How does the app engine java code looks like ? how do I determine the user ? Do I use
UserService userService = UserServiceFactory.getUserService();
User crtuser = userService.getCurrentUser();
How do I make the requests to my server when developing in localhost ? I have tried some manual requests using a token given by my test app in android and it redirects to the local dev servers' login page (the one containing "test#example.com as default user)
I'm wrapping a Rails mobile website with an Android WebView wrapper, but it's also supposed to be available through the browser as well. The website is using Google/FB OAuth authentication, but that's not essential.
When the wrapper is used, I wanted the user to be already signed in with its primary email.
Are there any secure methods to achieve this? Something which will not allow using this method in the browser?
I was thinking about sending some kind of checksums / secure tokens but this could be easily reverse engineered.
Would the authentication with device id and android id be enough? I mean, these are available publicly for other apps so I guess possibly not. Maybe there is something that is unique to the app instance and private?
There is nothing automatically secret in an instance of an Android app that your server could verify. Using Google/Facebook OAuth login is a reasonable choice.
You can use the Facebook SDK for Android to allow the user to log in using their Facebook account, and as a.ch. mentions in the comment you can do the same with the Play Services SDK to log in via their Google account.
In both of these cases, this works because there is a local broker app (Facebook, or Google Play Services) that is trusted by the identity server (facebook.com, or google.com). The broker app has the user's credentials, can verify the identity of the app that is requesting access, and can display a view where the user can approve/reject the request. Once the identity server knows that the user has logged in on the device, knows the identity of your app, and knows that the user approved the login request, it can safely send back a token to your app via the broker. That token allows whatever permissions your app requested and the user approved.
Your WebView can then include that token in an initial request to your rails server, which checks the token with Facebook/Google. From this point, the code should look similar to the existing desktop web, at least with respect to user authentication.
You can download the Facebook SDK for Android from https://developers.facebook.com/android/, and you can get the Google Play services SDK in the Android SDK manager ('android sdk') under Extras. Both have tutorials to help you get started.