I am having trouble integrating LinkedIn authorization from OAuth .io with Firebase on Android.
I am able to authenticate my user through LinkedIn, and OAuth .io is able to save the token into the Firebase database (on the application table not the system table, yet).
But when I pass the received token to Firebase as shown on the code below, firebase replies with an error.
oauth.popup("linkedin2", new OAuthCallback() {
#Override
public void onFinished(OAuthData data) {
String token = data.token;
FirebaseAuth.getInstance().signInWithCustomToken(token);
}
The error I get is:
com.google.firebase.auth.FirebaseAuthInvalidCredentialsException: The
custom token format is incorrect. Please check the documentation.
How can I make this work?
Just a suggestion, why dont you do the normal authentication with either
Facebook TwitterGitHubPersonaEmail/Password
And then after successful signing ask the user to retrieve their data by signing in to their linkedIn account.
Related
I have integrated the docuSign Android SDK in my app and been able to achieve embedded signing. But it asks for the customer to login before signing the document. As its a customer facing app, we dont want them to enter the organisation docusign credentials.
How can we skip the login or authenticate implicitly using the SDK methods or some other way?
Thanks in Advance!!
In Android SDK, we provide the following apis to login or authenticate.
Login with Access Token:
You can invoke the following SDK API:
// accessToken - Access Token which authenticates the user
// refreshToken - If the access token can be refreshed, the refresh token. Optional
// expiresIn - The number of seconds from the time the access token was provisioned to when it will expire
try {
DSAuthenticationDelegate docusignAuthDelegate = DocuSign.getInstance().getAuthenticationDelegate();
docusignAuthDelegate.login(accessToken, refreshToken, expiresIn, context,
new DSAuthenticationListener() {
#Override
public void onSuccess(#NonNull DSUser user) {
// TODO: handle successful authentication here
}
#Override
public void onError(#NonNull DSAuthenticationException exception) {
// TODO: handle authentication failure here
}
}
);
} catch (DocuSignNotInitializedException exception) {
// TODO: handle error. This means the SDK object was not properly initialized
}
You can retrieve access token the following ways:
a. Using JWT Grant authentication by following steps mentioned at https://developers.docusign.com/platform/auth/jwt/jwt-get-token/
b. Using Authorization Code Grant by following the steps mentioned at https://developers.docusign.com/platform/auth/authcode/authcode-get-token/
Using JWT Grant authentication to fetch access token needs to be implemented at your backend and once your server receives access token from DocuSign using this approach, then your server needs to pass that access token and the expiration time to your app and your app can invoke the above mentioned Android SDK login api with access token and expiration time.
Login using OAuth:
UI is displayed where user enters credentials.
Get the OAuth Client Id/Integration key, secret key and redirectUri from your account. (Please refer to https://developers.docusign.com/platform/auth/authcode/authcode-get-token/ on how to retrieve the clientId, secretKey and redirectUri from your account).
While initializing the DocuSign SDk, pass these values as shown in below
DocuSign.init(
context,
clientId,
secretKey,
redirectUri,
DSMode.DEBUG
).setEnvironment(environment)
DSAuthenticationDelegate authenticationDelegate = DocuSign.getInstance().getAuthenticationDelegate();
authenticationDelegate.login(REQUEST_LOGIN, this, new DSAuthenticationListener() {
}
This will open the OAuth login screen. Enter your username and password and you should be able to login.
In your use case, you can use SDK 'Login with Access Token' approach.
As the title says, I'm trying to use the Google Sign-In API with a Spring Boot backend server, as described here.
Just to describe the context, the Spring backend is basically a resource+authentication server, that is currently providing Oauth2 authentication to a second spring boot application containing the frontend website, via Google SSO or simple form login (similar to what's described here).
My original idea was to mimic the #EnableOauth2Sso annotation by simply providing an access token to the android app and attach it to every request as "Bearer ".
Using the user credentials for this was pretty straightforward: I simply make a request to the server at "/oauth/token", using those credentials inserted by the user as authentication and I correctly receive the access token.
Now, I have absolutely no idea on how to build a similar procedure with the Google API in Android. The tutorial page I linked before describes how to get a token ID and how the server should validate it, but after that I don't know what to do.
So far I've managed to add a filter to the security chain that simply checks the token like this:
private Authentication attemptOpenIDAuthentication(#NonNull String tokenString){
String clientId = authServices.getClientId();
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, factory)
.setAudience(Arrays.asList(clientId, androidClient))
.build();
try {
GoogleIdToken token = verifier.verify(tokenString);
if (token != null) {
return authServices.loadAuthentication(token.getPayload());
} else {
throw new InvalidTokenException("ID token is null");
}
} catch (GeneralSecurityException | IOException e) {
throw new BadCredentialsException("Could not validate ID token");
}
}
This manages indeed to create an Authentication object, but how can I generate an access token after the authentication filtering?
To recap, so far I've got:
The Android app successfully retrieves the Google token ID and sends it to the server
The server sucessfully intercepts the request and validates the token
I'm basically missing the third point where I return a proper access token to the Android client.
Here you are a simple scheme to better understand the situation:
Is there any other way to validate the token and get an access token from the server, or should I completely change the authentication procedure on Android?
As far as I can tell: Yes, you need an access token from the server. If I understand this correctly, a webapp is already authenticated via Oauth on your backend, so the procedure is similar here: Load the user with the google-ID and generate a token. In my application I used a JWT which is valid for 30 days. If the token expires, the Google authentication in the app is usually still valid, so the token can be renewed using the Google ID. With Oauth you can also send a refresh-token directly.
It is important that the app always checks the Google authentication first and only in a second step that of the backend.
For the Authentication process on the backend u may need to manually implement a dedicated securityConfiguration for this. Have a look at the jhipster project, they implemented a custom jwt-authentication which may give you an idea how it works.
I am integrating Firebase with my existing Authentication in Android app. As per Firebase documentation, below steps needs to be followed to achieve authentication
Generating a Secure Token on a Secure Server
Authenticating Clients
I am confused in generating a secure token, Do I need to generate it on a secure server? What does it meant? I am thinking of generating the token in the android client itself.
Let me explain my existing Authentication mechanism, After getting credentials as input it will check against MongoDB which is connected with MongoLab API through Retrofit
After this, I am thinking of integrating with Firebase in the below way
From Login User UID which I get after successful login and in the android client itself I will generate a Secure Token (JWT).
With the generated JWT, I will again authenticate a client (Second time with firebase, as Initially with my existing authentication mechanism)
Generating Secure Token (JWT)
Map<String, Object> payload = new HashMap<String, Object>();
payload.put("uid", "uniqueId1");
payload.put("some", "arbitrary");
payload.put("data", "here");
TokenGenerator tokenGenerator = new TokenGenerator("<YOUR_FIREBASE_SECRET>");
String token = tokenGenerator.createToken(payload);
Authenticating Clients
Firebase ref = new Firebase("https://<YOUR-FIREBASE-APP>.firebaseio.com/");
ref.authWithCustomToken(token, new Firebase.AuthResultHandler() {
#Override
public void onAuthenticationError(FirebaseError error) {
System.err.println("Login Failed! " + error.getMessage());
}
#Override
public void onAuthenticated(AuthData authData) {
System.out.println("Login Succeeded!");
}
});
Here it looks like a round trip, like Authenticating a User 2 times, with my existing authentication and again with Firebase Custom Authentication. Is there any better way to achieve the above process?
The custom token has to be generated on a backend server. Generating it on the client side will expose your project credentials compromising your entire users. Any attacker who can install your app will be able to figure out your service account credentials and have full access to your users.
I am working on an app in which I have to use facebook login for accessing data from my backend server. I have search on this and got that:
First, the user will enter username and password of facebook then the request goes to server.
If user authenticated then fetch access token of user.
Send this access token on server.
The server will verify this access token.
I have successfully connected my app with facebook i.e, now user can logged from my app to facebook. But I don't now how can I get the access token of user and also how I can verify this access token on server.
Can you provide me some sample code for this. Please help me I am stuck in it from a long time.
I'm not sure if it is best practice, but this is how I do it.
When you log a user in Android on the client device via any of the SDKs, you get an user access token. The token can be accessed as follows
AccessToken token = AccessToken.getCurrentAccessToken();
if (token != null) {
Toast.makeText(getActivity(), token, Toast.LENGTH_LONG).show();
}
You can then pass this token to the backend as a POST variable:
'access_token': '32b409xceBV78d2932b409xceBV78d29'
Using a backend SDK, you can get the user info again. Here's a example in python
facebook_graph = facebook.GraphAPI(access_token)
If the email and fbid match the user information stored in your database, you grant access:
user = get_user(email=facebook_graph['email'], fbid=facebook_graph['fbid'])
login(request, user)
To access the data of the facebook user you have to take permissions and the following link may be useful for you. Just check it out...
https://developers.facebook.com/docs/howtos/androidsdk/3.0/fetch-user-data/
Is it possible to authenticate the user on server side using auth token retrieved by Android applicaton from Facebook?
In other words Android application uses SSO and obtain auth token. Then sends this token to backend application deployed on Google App Engine. Then backend application verifies the user against Facebook using the token.
I guess it's not feasible because retrieved token can be used only by Android application, but who knows? Maybe it may be reused somehow?
The Token you get from Android API can be sent to your server, who can check the validity of the token by querying the graph ( using /me?auth_token=.... for example).
The problem is that the same token can be used by any third party - it's not client specific - and so if you base server identification based on that, you have a problem (since a third app could use its user token and get authenticated by you). I am trying to find a way to solve this issue, but I don't have good ideas yet...
Facebook actually has an Android SDK that lets you do this. Information can be found here.
Yes you can. A valid access token is a valid access token. The Graph API does from where the token came, but only that the token has the appropriate permissions to access that portion of the graph api. Keep in mind, though, that the token is only valid for 24 hours from the time of its issuance. (is that really a word?) From the time it is issued?
When using facebook android sdk with SingleSignOn (SSO), the access token format actually changed.
Instead of getting traditional auth token which contains userid & session key as a part of authToken
now we get a different format of authToken
As Facebook Devs are still in process to support there rest apis with newly formated access token
meanwhile we can disable the SSO on android facebook sdk by changing DEFAULT_AUTH_ACTIVITY_CODE to -1 from 32665 (in Facebook.java)
This will invoke Traditional dialouge for granting acess token and in return you'll get access token which will contain session key in it.
Those who are looking for generating secure session key you need to add your own method in Facebook.java like
public String getSessionSecret(String accessToken) throws MalformedURLException, IOException
{
Bundle b = new Bundle();
b.putString("method", "auth.promoteSession");
b.putString("access_token", accessToken);
b.putString("session_key_only", "true");
String response = request(b);
return response;
}