I have an app which does the canonical email/password login and signup against the server.
Note: I need to do the login / auto-login every time the user opens the app.
Now I want to add login/signup with FB.
Currently I'm using the Android AccountManager with a custom authenticator where I save mail and password. If a user logs in with FB I will not have any password to save in the account: do I have to save something else instead, or should I leave that field empty? In the latter case, if I add another auth system such as Twitter, how can I know to which system the user belongs?
Speaking about the server, which data will I have to send to it to authenticate FB users? I thought about the pair email/id, but it doesn't seem too strong to me...
Thank you for your time
how can I know to which system the user belongs
Use SharedPreferences to save which system the user belongs to:
    public static final int TWITTER_ACCOUNT = 0;
    public static final int FB_ACCOUNT = 1;
    private static final String PREF_ACTIVE_ACCOUNT = "active_account";

    void onLogin(Context context, boolean fb) {
        if (fb) {
            SharedPreferences sp = context.getSharedPreferences("auth", Context.MODE_PRIVATE);
            // FB_ACCOUNT is an int, so it is stored with putInt rather than putString
            sp.edit().putInt(PREF_ACTIVE_ACCOUNT, FB_ACCOUNT).apply();
        }
    }
which data I'll have to send to it to authenticate FB users
Why not send the access_token?
If a user logs in with FB I will not have any password to save in the account
Just keep the access token. You should use the FB access token to get data from FB or to log in to your system. Have a look at OAuth2.
Also do note that you are missing the point if your users need to log in each time the app starts.
To save user data in AccountManager use:
public void setUserData(final Account account, final String key, final String value)
public String getUserData(final Account account, final String key)
Hi, I'm making an app with a register page where the user enters email, password and a shared secret, and then a sign-in page. Using Firestore I store the user's shared secret, which works fine. I also use the Firebase Authentication method for email and password. The issue I have is on the sign-up page: using the Firebase Authentication signInWithEmailAndPassword method I can only supply the email and password. How would I go about checking the shared secret of the user as well as the email and password?
Thanks for any help
The easiest way that I know how to do this is to add additional statements. I am assuming the shared secret is saved in the Realtime database. In this case, you are going to want to call that data and compare it to the user's input:
    FirebaseAuth auth;
    DatabaseReference secretRef; // before onCreate
    private String currentUserId;
Now for your signin method
    final EditText sharedSecret = findViewById(R.id.sharedSecret); // find user input
    auth = FirebaseAuth.getInstance();
    currentUserId = auth.getCurrentUser().getUid();
    secretRef = FirebaseDatabase.getInstance().getReference().child("User").child(currentUserId).child("sharedSecret");
    // toString() on a DatabaseReference gives its URL, not the stored value; the value arrives asynchronously
    secretRef.addListenerForSingleValueEvent(new ValueEventListener() {
        @Override
        public void onDataChange(DataSnapshot snapshot) {
            final String checkedSecret = snapshot.getValue(String.class);
            compareSecret(checkedSecret, sharedSecret.getText().toString());
        }
        @Override
        public void onCancelled(DatabaseError error) {
            compareSecret(null, sharedSecret.getText().toString()); // a failed read counts as no match
        }
    });
Then you would compare it by using code like:
    private void compareSecret(String checkedSecret, String entered) {
        // compare string contents with equals(); != only compares references
        if (checkedSecret == null || !checkedSecret.equals(entered)) {
            // user is not logged in
        } else {
            // continue with login
        }
    }
Good luck
When using email and password based sign-in, Firebase Authentication only lets you use that email and password pair to authenticate the user. It has no concept of a shared secret. If you want to check additional data, you will have to do that after the user is signed in, and decide what to do if the data doesn't match.
Actually I have 2 questions. I added Google, Facebook and Twitter sign-in to my Android app. I use Firebase sign-in for register and login. After that I will use my own Python server. Now I want to add auto sign-in. Namely, after the first login, it won't show the login page again and it will open the other pages automatically. I searched but I didn't find a sample for this structure. How can I do auto sign-in with Facebook, Google and Twitter in my Android app? And how does my server know this login succeeded, so that it can give the user's data to clients securely?
You need to do a web-service call from the Android side just after login from Firebase, stating to your server that this user has logged in to your app. You can store the access token provided by Firebase, or you can generate your own on the web-service call, and thereby authenticate the user with that token for user-specific pages.
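The answers above ("Why not send the access_token?" and "do a web-service call from the Android side just after login") leave out what the server does with the token it receives. As an added example that is not from the original thread, here is how a Python server could validate a Facebook user access token with Facebook's /debug_token endpoint before creating its own session; the app id, app secret and response body are constructed placeholders, and the HTTP fetch itself is left to the caller.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

GRAPH_DEBUG_TOKEN_URL = "https://graph.facebook.com/debug_token"

def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of the token used in a Graph call, keyed with the app secret
    (Facebook's appsecret_proof), so a leaked token alone cannot call the API."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()

def build_debug_token_url(user_token: str, app_id: str, app_secret: str) -> str:
    """URL the server fetches to ask Facebook about a token received from the app.
    The app access token 'APP_ID|APP_SECRET' is built here and never leaves the server."""
    app_token = f"{app_id}|{app_secret}"
    params = {
        "input_token": user_token,
        "access_token": app_token,
        "appsecret_proof": appsecret_proof(app_token, app_secret),
    }
    return f"{GRAPH_DEBUG_TOKEN_URL}?{urlencode(params)}"

def verified_facebook_user(debug_body: str, expected_app_id: str, now=None):
    """Return the Facebook user id if Facebook vouches for the token, else None.
    Checks is_valid, the issuing app (a token minted for another app must not log in
    here), the token type, and expires_at (0 means a non-expiring token)."""
    now = time.time() if now is None else now
    data = json.loads(debug_body).get("data", {})
    if not data.get("is_valid"):
        return None
    if str(data.get("app_id")) != str(expected_app_id):
        return None
    if data.get("type") != "USER" or not data.get("user_id"):
        return None
    expires_at = int(data.get("expires_at") or 0)
    if expires_at and expires_at <= now:
        return None
    return str(data["user_id"])

# Constructed sample of a /debug_token response body, not captured from Facebook.
SAMPLE_RESPONSE = json.dumps({"data": {
    "app_id": "123456789", "type": "USER", "application": "Example App",
    "expires_at": 1700003600, "is_valid": True, "issued_at": 1699998400,
    "scopes": ["email", "public_profile"], "user_id": "1000123"}})
```

Only after verified_facebook_user returns an id should the server look up or create the local account and issue its own session token; the email/id pair the app could send on its own proves nothing.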
When the user first logs in you need to save a Boolean shared preference stating that the user is already logged in;
every time, you need to check if the user is logged in before showing the login screen.
    private Context mContext;
    private SharedPreferences sharedPreferences;
    private static final String PREF_NAME = "session";
    private static final int PRIVATE_MODE = Context.MODE_PRIVATE;

    public void saveIsLoggedIn(Context context, Boolean isLoggedIn) {
        mContext = context;
        sharedPreferences = mContext.getSharedPreferences(PREF_NAME, PRIVATE_MODE);
        SharedPreferences.Editor editor = sharedPreferences.edit();
        editor.putBoolean("IS_LOGGED_IN", isLoggedIn);
        editor.apply(); // asynchronous write; commit() also works but blocks the calling thread
    }

    public boolean getIsLoggedIn(Context context) {
        sharedPreferences = context.getSharedPreferences(PREF_NAME, PRIVATE_MODE);
        return sharedPreferences.getBoolean("IS_LOGGED_IN", false);
    }
I want to create a user session on Android so that I do not have to log in every time.
What content should be stored in SharedPreferences so that I can authenticate every time my server gets a request from the user, and make sure people are not hacking into my system?
The users can log in via the following in my app:
Facebook
Google
Do I need to convert and store some encrypted data in SharedPreferences?
Or should just storing the user's email or username be enough?
It's easy to store the credential in SharedPreferences, so that when your splash screen comes up you can check it and redirect the user to the next screen without asking the user to log in to Google or Facebook.
I have used the preferences to log in using Facebook and our own server. For that I have stored one boolean variable saying whether the user logged in with Facebook or our own server; then, if the user logged in with our own server, we have called the web service in the background with the user credential stored in preferences, and if the user logged in with Facebook then we have used:
    if (Application.prefs.isFacebookLogin()) {
        facebook = new Facebook(Application.APP_ID);
        // Instantiate the async runner object for asynchronous api calls.
        SessionStore.restore(facebook);
        SessionEvents.addAuthListener(new FbAPIsAuthListener());
        if (facebook.isSessionValid()) {
            Application.prefs.setAccessTokenFb(facebook.getAccessToken());
            Application.prefs.setExpirationFB(facebook.getAccessExpires());
        }
        // redirectHome();
        // finish();
    }
After that we have redirected the user to the first screen if the credential is right.
I am trying to get my head around Android AccountManager and OAuth.
What I would like to do is not let the phone have access to the password. (That is what Google suggests: "Be Smart About Security!")
So I checked out the Google sample application SampleSyncAdapter and started reading through the code. Then I see this happen in AuthenticatorActivity:
    private AccountManager mAccountManager;
    private String mPassword;

    /**
     * ... Sets the
     * AccountAuthenticatorResult which is sent back to the caller. We store the
     * authToken that's returned from the server as the 'password' for this
     * account - so we're never storing the user's actual password locally.
     *
     * @param result the confirmCredentials result.
     */
    public void handleLogin(View view) {
        ....
        mPassword = mPasswordEdit.getText().toString();
        ....
        Log.d(TAG, "mPassword set to Account:" + mAccountManager.getPassword(account));
    }

    private void finishLogin(String authToken) {
        ....
        mAccountManager.addAccountExplicitly(account, mPassword, null);
        ....
    }
This Log message is "mPassword set to Account:test".
This is in some way understandable when you read the rest, because of this:
    protected String doInBackground(Void... params) {
        ....
        return NetworkUtilities.authenticate(mUsername, mPassword);
        ....
    }
If the password was a token this would not work.
Also I would expect the rest of the code to work differently in Authenticator on getAuthToken().
I assume I am completely wrong about something, but I just want to use AccountManager to store the result of an OAuth "dance" so that I can use this Account to authenticate to my JSON RESTful service.
Can anyone shine a light on this?
From the documentation we can read this:
It's important to understand that AccountManager is not an encryption service or a keychain. It stores account credentials just as you pass them, in plain text. On most devices, this isn't a particular concern, because it stores them in a database that is only accessible to root. But on a rooted device, the credentials would be readable by anyone with adb access to the device.
Thus, as I understand it, the problem here is a misuse of the words (password and token). I guess the procedure is the following:
1. You ask a user to provide a login and password.
2. In your application you somehow send this login and password to your server.
3. Based on this information your server generates a token and sends it back to your application.
4. AccountManager stores this token in plain text and then this token is used to authenticate your user.
We are implementing a project where the users post and get some information from a server. The scenario is that the user can create an account/login both manually (giving email and password) and with Facebook credentials using SSO. I implement mostly the Android part, but my questions are general.
Let's say that I have a button where SSO is called, prompting the user to give his credentials. So, in order to create an account, what should I send to the server? Get the FB email of the user and set as password the access token that I received? Is that access token unique and permanent for every FB account, meaning that each time I use the same FB credentials I get the same access token?
Is there any additional work that needs to be done on the server side? Or can the server handle the users that use their FB accounts similarly to how it handles the others?
Every clarification will be really helpful. Thank you in advance!
Are you using the Facebook Android SDK? If so, manual login (with user email/password) and SSO (via the Android Facebook app) are very similar, in particular with respect to token handling.
For example if you check out the example in the SDK (at sdk\examples\simple\src\com\facebook\android) you will see that the code does something like the following (split between three files).
    private static final String TOKEN = "access_token";
    private static final String EXPIRES = "expires_in";
    private static final String KEY = "facebook-session";

    Facebook session = new Facebook(APP_ID);
    SharedPreferences savedSession = context.getSharedPreferences(KEY, Context.MODE_PRIVATE);
    session.setAccessToken(savedSession.getString(TOKEN, null));
    session.setAccessExpires(savedSession.getLong(EXPIRES, 0));
    if (session.isSessionValid()) {
        session.authorize(mActivity, mPermissions, new LoginDialogListener());
    }
So you have to save the session token in SharedPreferences after each successful login (that is also in the example), but the token handling and login (authorize()) is the same for both manual and SSO login (depending on the activityCode parameter).
The token has an expiration timestamp. I guess the easy way is to generate the user account with the data FB will send you and store the FB token and expiration date as user attributes.