I am building a android application that requires Sign in. For this, I have used the Facebook and Google+ sdk for android. I use Facebook and Google+ sign in instead create my own sign in.
This app will connect with a Spring service to access a storage data. This data is private for each user, therefore I need a log in system. The data will be stored in a database in the server.
My question is, how I can link the data with the user?
I have thought obtain the access token in the android app and pass it to the service. With this access token, can the server obtain, for example, the user id to link the data with the user? or are there other ways to do this?
You can follow either of below mentioned approaches:
You can pass the access token from the app to the server and using the graph API, get the user details including user id, email ,etc. Once you get this information you can link it to your data.
Using the access token in the app itself and calling the graph API from the app, get the user details and then pass the user id from the app to the spring service.
This is the simplest approach you can follow.
Related
I am using Azure mobile services to store data from my Android app. Users have to log in using Google and I've used Azure's Easy Auth to implement that.
However, I also need the display name and the email of the user. I have searched a lot and couldn't find a way how to get the info. I know that for other providers like Facebook or Microsoft you can just check attributes that should be included in the response (e.g. Microsoft as provider) but with Google, Azure doesn't provide any attributes.
I just followed How to configure your App Service application to use Google login to configure my App Service Authentication (Easy Auth) for Google login. I just leverage the Server-managed authentication and log with my mobile app backend via the browser as follows:
GET https://<your-app-name>.azurewebsites.net/.auth/login/google
Using fiddler to capture the network traces as follows:
Then, access the /.auth/me endpoint via the browser, I could retrieve the user email as follows:
Moreover, you could follow Obtaining user profile information. Also, you could access https://www.googleapis.com/oauth2/v1/userinfo?access_token=<access_token> to retrieve the user profile manually.
Additionally, if you want to modify the google OAuth Scopes (set googleOAuthScopes array property via https://resources.azure.com) or retrieve the refresh token (access_type=offline), you could follow this similar issue. And you could follow App Service Token Store for more details about App Service Authentication.
I am currently developing an android app that will make use of facebook login. I can use two classes to access user information. Profile and AccessToken. What is the difference between these?
Profile is used to store basic user information
[https://developers.facebook.com/docs/reference/android/current/class/Profile/]
Access tokens give you the authority to access this information [https://developers.facebook.com/docs/facebook-login/access-tokens]
So basically, you cannot read the profile information without the access token, and it's best to monitor the token using the AccessTokenTracker, which lets you know when the user changes their access state.
[https://developers.facebook.com/docs/reference/android/current/class/AccessTokenTracker/]
My Android app needs to send an authorization code to my server so that the server can use that to acquire an access token for the user's Google Drive account. I have been trying to figure out how to acquire the authorization code and I found this in the Google API documentation (Using OAuth 2.0 for Installed Applications):
This sequence starts by redirecting a browser (system browser or
embedded in the application as a web view) to a Google URL with a set
of query parameters that indicate the type of Google API access the
application requires. Like other scenarios, Google handles the user
authentication and consent, but the result of the sequence is an
authorization code. The authorization code is returned in the title
bar of the browser or as a query string parameter (depends on the
parameters sent in the request).
After receiving the authorization code, the application can exchange
the code for an access token and a refresh token. The application
presents its client_id and client_secret (obtained during application
registration) and the authorization code during this exchange. Upon
receipt of the refresh token, the application should store it for
future use. The access token gives your application access to a Google
API.
Now I am not sure how to get this authorization code in my Android app since the Android examples I have seen seem to get the access tokens directly. I am looking at the Android AccountManager class and it has a method getAuthToken but this seems to refer to the access token and not the authorization code.
So how does one acquire the authorization code that can be shared with a server? If it is possible I would greatly appreciate some example code. If this is not possible what are the possible workarounds?
You may want to take a look at the Cross-client Identity document. It should keep you from needing to pass user tokens back and forth.
I believe you can actually take the access token returned by the Android AccountManager, send this to your server, then have your server make a call against the Google Drive API using that same access token - it is a bearer token and not bound to the channel that created it, so please take good care of it and only send over encrypted connections.
Documentation on how to get that access token can be found here:
https://developers.google.com/drive/quickstart-android
While that access token is good for immediate use, it will expire in less than 1 hour, so if you are looking for a solution that enables your backend server to have continued access to the Drive data, without the user being present at your app at the time of request, an alternate approach will be needed.
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using Google account info of the user. The server needs to retrieve the user's basic info and create an account . That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using Oauth2 and retrieve basic user info using Google account info of the user. I can do this as well.
This is where I need help Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials.
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0, doesn’t matter in this, leads to the app obtaining an access token - then based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs, see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your way to do so (like sending a HTTP header Authorization: OAuth access_token=abcdefgh….
I am creating an Android app that uses Facebook SSO to login and I'm not sure how to authenticate with my own webservices after I login to FB. When a user first opens my app they login to Facebook, authorize my application some privileges, and continue into my app. This part works great, but now to use my app they need to create an account on my server and talk to my webservices.
Right now I have a call to an authenticate webservice on my server that adds their Facebook ID and other basic info into a database and at the same time does a Diffie–Hellman key exchange so any future calls to webservices can be encrypted by a shared key. But the problem is that very first initial call to create this account and create this shared key, how do I authenticate that? How do I know this person is really the one who just authenticated with Facebook and not just someone who found the URL for my webservice and is creating accounts and saving the keys?
Facebook SSO returns an access token. If you'd like, you can pass that along to your server and your server can make a call to the Facebook APIs to check that it's a valid access token for that user (eg by calling https://graph.facebook.com/me?access_token=ACCESS_TOKEN) -- if it is, you're good and have verified that the user is who they say they are (or is a hacker with enough access to have a valid auth token for your app for Facebook, at which point their identity has been compromised on Facebook's end).
I think you have to pass a password along with your basic info upon profile creation. All in all, the Facebook SSO only gives your client application the right to access the profile user, but it does not garantee your web services that the caller is the actual owner of this FB account. I am afraid that subsequent calls from the Android client to the web service needs to be authenticated via a normal user/name password ( different from the FB account ) if you want to be sure that the caller is the one who retrieved the key the first time ( no matter what Facebook profile he might be linked to ).