There is a lot of information but I can't find an up-to-date answer for my question.
I've got
1) an Android app where the user has an auth token (say from GoogleAuthUtil)
2) a Google AppEngine app which provides a custom REST API
Question
Is there any way to use the token (obtained on the Android side) to authenticate against the AppEngine application? On the AppEngine side I just need to verify the e-mail of the user.
P.S. I don't want to use Endpoints since they don't support custom domains
For those who are interested, here is the result of my research on the best way to authenticate against an AppEngine app.
I ended up with the solution described in this brilliant article by Tim Bray.
The solution has the following advantages:
1) It works for local testing
2) There are no limitations on domain (Endpoints don't support custom domains)
3) If you have a custom REST API you just need to add token verification (other code stays as it is)
4) It utilizes Google's OAuth mechanism implementation, so I consider it one of the recommended methods
5) It's really easy to implement
I own a WordPress-based website and am trying to write an Android app for it.
I already tried to check out WordPress's open source Android app, but couldn't figure it out.
I want to implement OAuth 2.0 login for the app. Does WordPress have built-in support for OAuth 2.0? How can I implement it on the client and server side? Do I need to use a 3rd-party plugin, and is it safe to use plugins?
Does WordPress have built-in support for OAuth 2.0?
Yes, please refer to this link: https://wordpress.org/plugins/oauth2-provider/
How can I implement it on the client and server side?
For server side, please refer to: https://developer.wordpress.com/docs/oauth2/
For the client side, you can use a well-known library like Retrofit to connect to your server. The link above also provides examples of what the client side should do.
Do I need to use a 3rd-party plugin, and is it safe to use plugins?
Yes, WordPress needs a plugin for this. Just pick a well-known plugin and you would be safe.
Your WordPress website needs an OAuth2 server plugin. This is our premium product: https://lana.codes/product/lana-passport/
You can try it with the demo, and there is also detailed documentation for it.
The OAuth2 server plugin provides the authentication server that is connected to the WordPress user system. It also provides the /authorize, /token and /resource endpoints, to which the client can connect and generate a token, and then use the token to access user data. The Android app will need to connect to these endpoints.
Basically, the Authorization Code grant type should be used for this purpose, because it also provides the WordPress login interface if you are not logged in and need to identify yourself. This is the most user-friendly and most popular grant type.
But it is possible that in the case of an Android app it is more beneficial to use the User Credentials grant type.
It is completely safe to use. We pay a lot of attention to security.
However, we also found serious vulnerabilities in several other OAuth plugins:
https://lana.codes/lanavdb/0bab7575-45fc-432d-945e-6100c35c574c/ (CVE-2022-2083)
https://lana.codes/lanavdb/12bb3c02-45f1-4ce8-8a5a-8b44352cf7fc/ (CVE-2022-2133)
https://lana.codes/lanavdb/6d794d65-d44b-4099-94c5-3dd2995b218c/ (CVE-2022-34149)
I'm building an Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for Facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token).
Now I'd like to repeat the process with this library: https://www.npmjs.org/package/passport-google-token
Should be easy, right? But Google's developer console for Android doesn't provide a client secret. In fact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with Facebook; is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using strategies which are optimized for web flows), and then issue an API-specific token derived from that. I would recommend issuing JWTs, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
I just started to learn GAE and noticed that my servlets can be accessed from anywhere.
My GAE is only used by an Android app to store user data and to keep track of users and GCM regId's.
The expensive GAE SSL implementation is overkill for me at this stage, so I need advice on alternative solutions. I read many answers about this and they all use some form of HTTP login page or other browser-related access. I use com.android.volley in my Android app.
Any advice would be great.
For *.appspot.com domains, SSL is available. Please refer to the following for configuring your application: https://developers.google.com/appengine/docs/java/config/webxml#Secure_URLs
You could also look at Google Cloud Endpoints to expose your APIs and ensure that you enable security for the different methods that you expose. You can also specify the Client IDs that the Android application will be using to authenticate itself to your Endpoints implementation. https://developers.google.com/appengine/docs/java/endpoints/
Check out the Android Endpoints client too: https://developers.google.com/appengine/docs/java/endpoints/consume_android
So I need to be able to use OAuth for the login part of my Android application (not for Twitter, Google, etc.); it's a private application. The rest of the app uses REST services with the authenticated token.
Basically I'm looking for any tips, a library or an article recommendation. Most of the articles I found are about how to log in to Google's services and such.
Thanks,
Check this one: scribe. It is pretty simple.
Here is a list of libraries cited by the OAuth 2.0 "authority":
oauth.net/2
Users of my Rails app can authenticate in one of these 2 ways:
Using their Facebook account
Using our own authentication
I'm using Facebook SDK on Android and devise and omniauth on Rails.
How do I authenticate against my Rails app on Android so I can then fetch the information I need from the server?
NB: I've noticed this question is getting a fair amount of views recently. Please don't follow the advice given in this thread too closely -- the web moves fast and it dates from 3 years ago!
This can be done using the fb_graph gem (not fbgraph!).
You can just add it to your Gemfile and do
user = FbGraph::User.me(token).fetch
where token is the OAuth token you got by using, for example, the Facebook SDK on Android.
user.email will be the user's email address (if you set up the necessary permissions).
You can use this URL for testing:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=https://www.facebook.com/connect/login_success.html&response_type=token
That totally depends on how your authentication system works. You will need to create an API on your server to handle communication from the Android app and pass information between both using the API.
Niraj Shah is completely right, though the answer might not be detailed enough for you. For an in-depth answer to your question, have a look at the "Securing an API" railscast by Ryan Bates, which has been released only recently. It covers HTTP Basic Auth.
You might also want to have a look at the more advanced option to secure your API / provide registered users access to their data. There's a railscast about this one as well, here: http://railscasts.com/episodes/353-oauth-with-doorkeeper - though it's a pro episode, so you need to sign up in order to watch it.
Francisco, I have the exact same need.
The devise scenario using token_authenticatable seems straightforward and shouldn't be a problem but I'm not sure the best way to handle the Facebook scenario. On the web side, for FB auth I'm using omniauth-facebook as documented here: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview. I think this uses OAuth with FB as a provider so it's a good possibility that the latest RailsCast about doorkeeper securing an API with OAuth should do the trick. I haven't tried it yet but will do so soon unless you beat me to it. Here is the link: http://railscasts.com/episodes/353-oauth-with-doorkeeper.