Web Api using Google authentication on Android / IOS - android

I followed the following guide on how to set up Web API with Google authentication.
Basically the Azure page has to redirect to Google and the Google login has to redirect back to an Azure page that gives an access token that I can put in a header to get data specific to that Google Account.
It works on Android when I use a WebView, but apparently this is frowned upon for security reasons, and on iOS, Google blocks me from entering a password.
So my question is how do I do the same thing but without using a WebView? I tried implementing Google+ Sign In but I was only able to retrieve an authentication token and I don't know if this is useful at all.

Related

Google OAuth 2.0 client ID authorization via embedded webview

Setup:
Website with Google login button
Backend: nodejs + express
Frontend: Google Sign-in for Web (I know it is deprecated and I need to upgrade) https://developers.google.com/identity/sign-in/web/build-button
There is NO additional native Android or iOS app available
Situation:
I have received an email from Google stating that my web application client ID is receiving OAuth requests within an embedded webview, and I need to make some changes to these webviews to avoid man-in-the-middle attacks. This is a similar email: https://groups.google.com/g/omegaup-soporte/c/xrspGg8T94o
The subject of this email is: "[Action Advised] Take action to continue using Google's OAuth authorization endpoint" and the first statement is "We detected requests to our OAuth 2.0 authorization endpoint from one or more of your OAuth client IDs within an embedded webview context in the past 30 days.".
Question:
As stated above, my application is a web app, how is it possible that OAuth requests from an embedded webview are received?
As you can see, Google disagrees with using a webview.
Maybe you can build your own sign-in button with the Google icon and then add an onclick event that opens a window popup to solve this problem.
If you have any questions, feel free to ask me.

android web view google login

I've searched a lot for this, but not so much info found.
Actually, I'm trying to implement Disqus in my app, and it has Google authentication, which is disallowed by Google from embedded web views.
Is there any workaround?
I haven't worked with Disqus, but you can use Google Sign-In authorization to get some user data, including id, email and other personal info, inside your app. Or you can integrate Google Sign-In into your backend and, after verifying the JWT, get the same info on the server.
Useful link

Integrating Google Sign-In with WebView in Android

Our Android app is a minimal wrapper around our mobile-friendly website. This is by design.
Google OAuth is one means by which users can authenticate. With the announcement that WebViews will be blocked from Google OAuth, we are now looking at how to move forward.
My current plan is:
1) Use a JavascriptInterface to invoke native code when someone clicks on the web app's Sign in With Google button
2) Use Google Sign In to authenticate the user on the mobile app side.
3) Somehow send this authentication to the web server. Should I just redirect the user to the existing oauth callback URL?
Step 3 is where I'm not sure what the best approach is. It's a Ruby on Rails application using Omniauth.
Are there any examples of integrating Google Sign In with an almost entirely WebView-based application? Is this approach the right way to go about it?
The solution described in Authenticate with a backend server sounds just like what you want to do in step 3, though without using the OAuth callback URL.
Unfortunately, I could not find any reference on how to use it with OmniAuth.

Identity 2.0 Web Api, iOS and Android Clients Facebook app approval always rejected

Here is our setup:
1) a Web Api project with ASP.NET Identity 2.0 with external login support for Facebook.
2) A native iOS App and a native Android App
We are using the appid and secret in the web api and the identity Facebook authorization options, and using web views to do the login process for Facebook. However, we are also, after the user is authenticated, allowing them to share different pieces of the application to Facebook. Currently, the website shows the scope of publish_actions, user_videos and user_photos.
Facebook is telling us that custom web views are not okay, and that we have to use the native SDKs on all of them. What's the purpose of identity providing the ability to utilize getting external accounts and access tokens if you can't even use them on a mobile app? All of our code that does the sharing process happens on the actual controllers in the web api project. We display a popup that allows the user to enter the text that gets posted, just as Facebook describes.
How can we submit a Facebook App that will explain to them that the website is the actual application that utilizes the Facebook actions we are requesting?
Is this even possible? If not, why is the technology even available to allow external logins via an api, when you'd most likely be using it to service a native mobile client?
Thanks for the help,
Brent

Using google client API in android without account manager

I'm currently trying to write a task manager in Android which syncs with Google Tasks. The app uses the Google client API along with AccountManager to communicate with Google servers. It works under Android. However, I want to run it under the Android player on the BlackBerry PlayBook. Although the .apk file converts to a BlackBerry application, it seems that AccountManager does not work under the PlayBook Android player as it is not tied to a Google account. I'm finding it difficult to communicate with the Google servers without the account manager. I've tried adding an account manually to the AccountManager but it also throws a security exception. I'm curious if there is any other way to log into Google services given a username and password (along with the API key for access)? Thanks
The AccountManager and the Google Play Services that both allow you to go through an OAuth 2.0 authorization flow with a native experience on Android (for Google APIs only) are only available on Google Experience devices. The Android Emulator of the Blackberry Playbook is likely not a Google Experience environment.
So in that case the best way is to implement an OAuth 2.0 flow by using a WebView. This is also the technique you need to use for non-Google APIs (Facebook, Microsoft, Salesforce, Dailymotion, ...)
Basically you will have to send your new users to a special URL in a WebView where Google (or the other OAuth 2 provider) will ask them to grant you access to the APIs requested. Then you will need to extract the auth code from the URL or from the content of the page once it has been generated and returned by Google auth servers. The last step is to exchange that auth code for a refresh and an access token.
You need to read and understand how OAuth 2.0 authorization flow works for Installed application: https://developers.google.com/accounts/docs/OAuth2#installed
The step-by-step process to do OAuth 2.0 with a WebView on Android is as follows:
1) Redirect Users to the grant screen URL in an embedded WebView
2) Use http://localhost as the redirect URI
3) Register a WebViewClient with an onPageStarted method to intercept page changes
4) Detect successful/failed authorization by detecting redirects to http://localhost and read the auth code from the URL of the WebView
5) Finish the OAuth 2 flow by exchanging the auth code for tokens and save these tokens in local database for further use
You can find an open-source sample that does this on Onavo's GitHub.
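The redirect-handling logic of steps 4 and 5, as an added example that is not part of the original answer or of the linked sample: it is written as plain functions so the decisions a page-change hook has to make are visible and testable. The names `handleNavigation` and `buildTokenRequest`, the client ID, and the use of a `state` value sent with the authorization request are assumptions; the sample URLs in the comments are constructed.

```javascript
const REDIRECT_URI = "http://localhost"; // redirect URI from step 2

// Classify a URL seen by the page-change hook (step 4).
// expectedState: random value the app put in the authorization request
// (assumption: the app sends `state` and remembers it for this login).
function handleNavigation(rawUrl, expectedState) {
  let url;
  try { url = new URL(rawUrl); } catch { return { kind: "ignore" }; }
  const redirect = new URL(REDIRECT_URI);
  // Compare scheme and host:port exactly. A prefix check would also accept
  // hosts such as "localhost.other.example" (constructed name).
  if (url.protocol !== redirect.protocol || url.host !== redirect.host) {
    return { kind: "ignore" };
  }
  const q = url.searchParams;
  // Failed authorization: the provider reports it in the `error` parameter.
  if (q.has("error")) return { kind: "denied", error: q.get("error") };
  // A response that does not echo our state was not triggered by this login.
  if (q.get("state") !== expectedState) {
    return { kind: "rejected", reason: "state mismatch" };
  }
  const code = q.get("code");
  if (!code) return { kind: "rejected", reason: "no code" };
  return { kind: "authorized", code };
}

// Build the form body for the code-for-token exchange (step 5).
// The token endpoint URL is provider-specific and left to the caller.
function buildTokenRequest(code, clientId) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: clientId,
    redirect_uri: REDIRECT_URI, // must equal the value used in step 2
  }).toString();
}
```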
