I'm trying to consume a rest services from android.
I want the username and password is entered only once. Then the system can work without having to reapply username and password.
I do not know what would be the right way to do this.
Save the password on the phone seems a bit insecure, maybe it's just my paranoia. applications like facebook, store the password in the phone?
What I'm trying to do is generate a token, store the token on the phone, and send the token in the header in each request.
I do not know if it is the right solution. I can not find how to do this without the token lose the session.
I have also read about OAuth2, but I have not got any example of a small application That Demonstrates the use, not that of Facebook, Google, Twitter.
I used a Spring Server to communicate with my Android app.
I think you need to use OAuth2.0.
for more information refer to this.
Related
Please excuse my stupidity but is it possible to use something like OAuth2 so that users can log into my app securely even though the app doesn't use any features of Facebook or Google+ etc. So simply I just want something to authenticate my users.
My app makes calls to a database server but currently I have no security what-so-ever and I haven't got a clue as to what to even google for. I want to hold encrypted passwords for the users on the database and pass back some kinda of token to say they're now logged in, but I don't know how to go about this and just wondered if there was something more simple?
I had a long read in the threads here at stackoverflow. I would recommend having a read through this one. If you read the post, what you are looking for is a two-legged authentication, since you already trust the application (your own) you can trust it with the username and password. So, all you need is to authenticate those with your own database at the server and provide an access token to the user.
I'm currently designing a service that will be half web app, half android app. Each user will need to be able to log in from either the android app or the web app, using an openID account. I'm hoping to target Google first for easiest integration with Android, but I'll also need some OAuth stuff later so that I can integrate with Google contacts.
The bit I'm having trouble with is how to authenticate users. The structure I've planned is that the server (probably using web.py, although that's flexible right now) serves data for the client in JSON, whether the client is the javascript browser client or the android client. However, each call needs to make sure the client is allowed access to that data.
What would be the easiest way to standardise this across the platforms?
Should I be using a session system to authenticate after logging in? Can that be made to work from an Android app? Otherwise, should I simply authenticate with google for every request?
When authenticating from the app, where should the authentication happen, through the server or straight from the app? Where should the auth token be stored in this case? (I'm assuming for a straight webapp the token should just be stored in a table in the user database?)
Sorry for the barrage of questions, but I haven't really found any resources online that clarify these issues very well.
As long as you are using HTTP, the platform doesn't matter. You can use the same form of authentication and/or sessions. The only difference would be that on Andorid you might be able to get an authentication token using the platform's AccountManager, without having to type the username and password in Google's login page.
There's a subtle difference between Authorization (OAuth) and Authentication (OpenId). Make sure you know what you are doing.
I am building an app with an iOS and Android version. I want to create or implement an existing REST authentication process that can be used by both apps. I know that I can accomplish this with a simple Get service but this would pass the password in the clear. Is there any API that handles authentication for mobile apps?
I don't want to use OAuth because I don't want the user to have to take the extra step of having to allow access to their data. I want the user to seamlessly enter a user name and password and be authenticated like in most mobile apps that I have used.
If you're sure you don't want anything like OAuth then you just need two things :
1) https only - this prevents username:passwords being intercepted (easily)
2) A POST URL to send the username:password to
POST is important! If it was just GET then the username and password would be stored in your server logs and the request might be cached.
You will ned up with something like :
https://www.example.com/myaccount/login
with the POST parameters
username=deanWombourne&password=hunter2
I would then store the logged in state as a property on the server for that session for all future requests.
If you use a secure connection (HTTPS) sending username/password won't be an issue. Other things to think of are, session timeout and session caching on the mobile devices, and the security steps needed for that, intermittent network connectivity issues etc.
Could you show us some of your code so we can get a better idea, it is now ok to use OAuth as users are more familiar with this method and it is more secure without having you to use HTTPS because there is a part of users (me too) who don't accept to write their password on non-official apps, so they may ignore you .
HTTPS is your first choice,.. if possible.
I recommend you to look at amazons S3 auth.
http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html
Also look here.
I'm developing an android app that consumes a webservice that I will develop too (I'm thinking in using a RESTFul webservice)..
and I want to secure the connection between the app and the server but I need to authenticate users too..
My problem is in the last part, to secure the connection I think the best way to do it is to use SSL (https), am I wrong?
I don't know what's "the best way" to authenticate users, to make sure that a user cannot consume the webservice as another user..
I have some ideas, like using a authenticate(login,pass) method on the webservice that returns a token.. And for any operation that requires authentication the user would need to pass that token as a parameter.. The thing is, is this a good way to do this? whats the most common technique used to auth users in a situation like this?
If a token based auth is a good idea how should I generate the token?
Sorry for this long text..
Any help will be usefull
Thanks
Make sure you understand a trendy standard like OAuth before you go down that path. Most OAuth flows are centered around a user logging in to your server through a web browser. This can lead to pretty bad user experience for a mobile app. The standard does allow for alternatives. Here's a decent introduction.
You could also use an existing identity provider like Google, Facebook, Twitter, etc. instead of implementing your own authN/authZ. On Android, you can ask for a Google auth token using the AccountManager. This usually works because the user needs to be logged in to their Google account to access the Android Market. Anyway, this will prompt the user to grant authorization to your app. You could then use the Google auth token to login your user to your service with your own token. The login would essentially be your server verifying the Google token is valid (by contacting Google's servers) and then issuing its own token to be used for calls to your web services. If you don't like Google, you could use the Facebook SDK, etc.
As for what to use for tokens... The OAuth spec has stuff on that as well. You could do something as simple as a random string or something as complex as encrypted SAML assertions.
You should implement a token based OAuth, which will require the users to log in once, and then permanently have access.
You can use Google App Engine which already provides user authentication services for you (your Android users most likely already have google accounts) But this is only one of many options.
You can also look into Amazon's Identity Access Management (IAM) which will allow you to manage the users who have access to your web service, and authorize them accordingly.
I think the best way to do it is to use SSL (https), am I wrong?
This only prevents certain types of malicious use, but not everything. There is still nothing to prevent people from accessing your database on the phone, and retrieving credentials that way.
I'm a relative newbie to web and mobile development and especially to security so obvious answers are still appreciated.
I want my android app to be able to log in to a simple web service with a username and password.
What's the best way to send this information securely and keep the user logged in for an entire session?
Do you control the web service? If not then you will need to use whatever authentication mechanism the web service provides.
If you're writing the web service yourself, you have a lot of options.
The simplest is to just send the user's username and password via SSL with every request as a HTTP Authorization: header. The downside here is that you need to keep the username and password stored on the device. That being said, because of the way Android's permission system works, there's very little risk of an attacker stealing credentials off of the device, provided the user hasn't enabled root access.
If you still want to avoid storing the password in plain text, you can send the username/password once (again, using SSL), have the server return an encrypted authorization token, then send that token in place of the user's username/password. See Google's ClientLogin for an example of this. An attacker could still steal the token if they have physical access to the device, but at least the attacker can't use that to gain access to any other sites that use the same password.
There's other options out there as well, like using challenge/response to prevent the server from ever seeing the user's password, using OAuth to provide a common authorization API, and so on. It all depends on what your particular requirements are.
A friend and I are looking to do this same thing, and I think that we've settled on storing a web service key unique to the user on the device, and using that for authentication rather than storing un/pw (this is the second method provided by Trevor above). You'll need to make sure to provide for a means for getting that key onto the device as well.
You can use a server based random key and local imie based key along with users unique token for making a logic .you can put an expiry time for every key