I have a question concerning Facebook/Twitter authentication on mobile application when dealing with an API as the mobile application backend.
Currently, I'm developing an application on the 3 platforms Android, iOS and Windows Phone. These applications are linked to an API which handles basic authentication (sign up, sign in) and provide access to a remote database.
Now, I want to let my users to authenticate with their facebook or twitter account, but I don't really know what to implement on the applications, and what to develop on the API. Moreover, I want to keep my existing basic authentication feature in the case the user doesn't want to authenticate with his facebook account.
I've heard about omniauth and the facebook & twitter APIs, but this does not really answer what I have in mind.
First, I've thought to implement everything server-side. This way, the applications provide the API the email and password of the user's facebook account. The applications tell that these credentials should be use to authenticate through the facebook API and my API just does the job. However, if I have well understood the articles I've read, when we want to authenticate through facebook, we are redirected to the facebook website in order for the user to confirm that he confirm to grant access to his facebook account. This is not really convenient.
So, after reading this, I've thought that it would be better to handle authentication on the mobile apps: applications get the facebook access token, fetch information of the facebook profile and create an account with this data on my API. The problem here is that we don't have a password to create a valid account.
We only get a temporary access token when authenticating with facebook, so how do I create an account in my database with this information? How can I handle sign in with it? Should I store in database that the user account has been created with facebook data?
So, how to make facebook or twitter authentication in that case? What should I do on my applications and what am I expecting to do on the API?
Related
This question might sound silly to some, my scenario was that i had to implement facebook login in my mobile app.
I added to my project:
Facebook SDK
Firebase authentication SDK
Implement both Facebook login and Firebase authentication mechanism for facebook.
Couldn't i just implement facebook SDK and implement the login?
I understand the benefit of receiving statistics about users and logins from different social networks in one place.
Are there more benefits i am missing?
You're most likely to use Firebase Authentication if you
Use other Firebase products, which integrate with it. For example Cloud Firestore integrates with Firebase Authentication to provide a server-side security model, while allowing direct database access from the client.
Use multiple providers, and want to link them together. Firebase Authentication allows accounts to be linked, so that a user ends up with one profile, no matter if they sign in with Facebook today, and with Google tomorrow.
My project includes web and android client. I want to combine Google cross platform sign-in and loopback third-party login.
In my scenario, I will never ask username and password. User only uses Google sign-in button for authentication and authorization on both web and android app.
Lets assume, it's the first time you logged in with Google sign-in through my web site. In loopback third-party scenario, if you are not existing on db, it creates an account corresponded provider and external id. (In this case provider is google and external id is your unique google id). This is for web, loopback-example-passport
So, assume that above scenario for android. You click only Google Sign-in button and then loopback server will able to do above things (as web)
Is there a built-in way in loopback for this? If not, how can I integrate this scenario in loopback properly?
Well it's a little bit old question, but I've encountered the same issue on android, but with facebook third party login.
I didn't find any trivial solution, so after a lot of struggle tried different approach: (change facebook to google for your case)
UI user presses 'login with facebook' button (provided by facebook sdk for android)
UI User signs in with facebook credentials
Client side gets user's access token from facebook
Client side encrypts the access token and passes it to the server.
Server decrypts the access token, and talks with facebook graph API using access token - for validating the token, and if needed, for getting additional info related to requesting user.
Assuming it's valid, server check's if the user already has local account (can be checked with email or id):
6.1 If user doesn't have an account, we create a new one with the Facebook User ID or email (loopback requires password so a random one can be provided), this will assign our own unique UserID and issue our auth ticket (user.createAccessToken(ttl, callback)).
6.2 else, continue just with assigning auth ticket to user for this session
I am creating a native android application with Drupal at the backend. I also require the user to be able to login directly through facebook (using facebook android SDK). The authenticated users have special permissions to access certain nodes through ACL.
I am able to connect to FB and authenticate the user which returns a token for any future communication with facebook.
Now I need to use the same authentication token to tell Drupal that it's a valid user and the required permissions are granted. I am confused on how to achieve this.
Will appreciate if someone can help.
I am quite new to android and recently started building an application which requires
Registration using a google id.
Continuous interaction with a back-end server.
For the registration , i was wondering if it is possible to have a python webapp on Google App Engine which has the OAUTH2 authentication .
This page if opened in a webview should return the token to GAE (please correct me if i am wrong here , because i am not sure the token won't just go directly to the app).
Then again on the backend i generate a token(newly generated) and update the user tables with this new token and pass this onwards to the application.
Every subsequent request made by the app will be referenced using this token.
Is this feasible or is there a better standard way to do it (i do not want to use the login info already stored in the phone) ?
Also , how can i get information from a google account(name,email) like Facebook has access to the graph is there a google counterpart ?
As far as I understand, you implement your Android app using WebView. This means that the app interacts with the server the same way as the built-in Android web-browser. As a result you don't need to add anything special to your Android app with regards to authentication.
Built-in Users service
In GAE, you get out-of-the-box support for three different types of authentication where all of them are designed in a way that your app doesn't store user credentials but rely on user authentication from identity providers:
Google Accounts (e.g. jonny#gmail.com)
Google Apps Domain (e.g. jonny#mydomain.com hosted in Google Apps)
or Federated Login (a.k.a. OpenID, e.g. Google, Yahoo!), which is going to be replaced by Login with oAuth2 (OpenID Connect)
All three types allow your app only access to very basic information of the user. Enough to match a returning user of your GAE app to their data, and an email address or unique ID, but that's it. For more, see below (oAuth2 consumer).
In appengine console, you can select your preferred authentication type in page Administration > Application Settings.
Whatever of these types you use, in your Python code you can use GAE's Users service which will deal with the authentication of your users. Basically, you just write something like:
from google.appengine.api import users
user = users.get_current_user()
if not user:
# The user is not signed in.
else:
print "Hello, %s!" % user.nickname()
On development server, you will be prompted with a dummy login page for requests where you require login or admin login. In live environment they will be replaced by GAE with real login page flow. There are also articles linked in the docs with HTML/JS examples if you want to show custom login pages to your users, for example User Experience summary for Federated Login
oAuth2 for authentication and authorization with Google
Regarding oAuth2, with the built-in authentication it is rather easy to integrate the builtin oAuth service, so your GAE app becomes a service provider, i.e. a user of your GAE app can share data with any 3rd party app or website through some simple API. You also can have your GAE app consume data that your users have stored somewhere else (e.g. Google) and they want to share with your GAE app (consumer). If you are especially interested into accessing user data in Google services, there is this good overview.
Custom user management
Finally, you could implement your own authentication mechanism, rather than relying (and depending) on GAE features. For example you can implement your custom user management based on webapp2. This means that you have control of the user-accounts and credentials, but aside of eventual security risks the disadvantage is that it can be really hard and tricky to integrate services and APIs like Google Cloud Endpoints.
I'm being asked if it's possible to have the ability to leverage facebook and twitter credentials by pulling account information from apps that are already installed and authenticated.
This means: an app is running and the user is logged in through FB or TW. Then, it launches my app. Could get those credentials and keep the user logged in on my app too?
I think this could be not so good to do it, but they are asking to me for an answer.
I did research and didn't find anything related, so I am thinking that it's not possible.
Could anyone confirm this or tell me how it could be done?
No, you can't. Each application must be registered on the respective social network, to obtain a application key and application secret. You then have to request a authorisation token from the server of the social network. Since the token is based on the specific application key and secret, even if you would be able to leverage this authorisation token (say on a rooted device), it would be useless to you, because you´d also have to know the key and secret. Ands Facebook matches the app signature as a extra layer of security.
Plain and simple no :)
If you just want to share data to Twitter or Facebook from your app, you should do this by using a share Intent. This way you push the data to whatever app (FB or Twitter, or others like email and messaging) while the user picks which app they choose to publish this data on. See more info at the developer blog here: http://android-developers.blogspot.com/2012/02/share-with-intents.html
And tutorial here:
http://mobile.tutsplus.com/tutorials/android/android-sdk-implement-a-share-intent/
If you want to do specific things with the authenticated account, like retrieve the user's timeline or wall posts, I don't think you'd be able to borrow that authenticated token from another app. You will have to register your app with each social network, ask the user his/her credentials and obtain a token. Then you can grab data from these services.