I am trying to authenticate my app with the server using token.
when I login to my system, server sends the token and I store it in current Session/ Application instance.
Later I need to pass that token on each request along with the other data.
Could anyone please provide me a way of sending the token to server? Do I need to do anything for security for eg. encryption etc. ?
Pass your token in as Auth Header in your request header
for example
request.put("Auth","token_here");
Related
I am developing a messaging and social networking application on Android.
Current steps:
The user enters his username and password when entering the application.
The username and password entered are sent to the server and validation is performed.
The server responds by sending a token to the user and storing it in the database. (Both client and server store same tokens)
In each request - the user sends this token to the server and is validated by it.
The question is:
Is this a safe and secure method? If not, what solution do you suggest?
I am assuming you are used rest API for server communication. To make your API request more secure you can use JWT token in the header which needs to implement both app and server-side.
I have an Android App, for the login use google account using Firebase. When I launch the Android application, Firebase returns a token with user information. I sent that token to my server to validate. In the token there is a date and an expiration date (1 hour).
Client -> Android
Server -> RESTFUL PHP
From here I do not know what is safe or what is the safest way to communicate:
1st - In each https request from the client to the server send the Firebase token until it expires. (For each request I must collect the public keys provided by Google in a URL to decode the token)
2nd - When my server receives the Firebase token, it must return a new token (generated by the server) that the client must send in each https request to the server until it expires.
Which is the good way ? I am wrong and is there another better way?
The correct option is the 2nd.
Although you have to make a query to Google for each request to decode the token, the real reason is that the token generated by the server may contain other data related to the application: permissions, profile, or whatever interests us.
To generate the Token on the PHP jwt server
composer require firebase / php-jwt
I am working on an App which allows login through Facebook and then after it makes REST API calls to fetch data.
What i want to do:
Most of the APIs are supposed to be secured hence I want to protect the APIs using a session token. That mean with every request i will send USER's ID and a Session token which will be saved on DB. My API will first authorize the request and then will send data.
I want this token to be generated from Server side when user logs in using facebook or google. As if i do it from client side then any one can make that call from REST client like postman or something else.
I can do this when login is done on Webpages but not able to figure out the same when done on native android app.
Let me know if you need any information.
I am posting this because i am not finding any info.
I think there's a simple way.
ANDROID APP
Login using Facebook and get AccessToken
Send this token to your server
SERVER
Use AccessToken to get user's data.
Return YOUR user's id and token as response
Hope it helps
You can use Facebook Graph Api to get access tokens and then you use them to Get/Post data on facebook.
I'm developing an Android app and I'm a little confused regarding token and refresh token.
Basically now, after user login with mobile number and a code sent by SMS, the authentication server returns an access token that will be used for accessing to all apis. For the authentication server, I've used Laravel with jwt-auth library.
When the access token will expired I will ask a new one using the credential of user stored in the AccountManager.
Is it the correct way to implement this authentication?
Or I'm missing the refresh token, which I ask a new access token when this expired?
Thanks in advance,
Daniele
I think it's better to use both token and refresh token, so you don't always have to send your credentials when your access token is expired. Moreover it's not safe to store users credentials on a client device, you should store this informations on your server and ask the user to type it when needed.
Here how I implement the token/refresh token process :
1 : You send your credentials to your authentification server ( it will send you back an access token (I use the JSON web token type wich is not stored in database) and a refresh token ( that is stored in the database).
2 : When you make a request to your server you check if the access token is expired, if it is so, you make a request to your authentification server with the refresh token in paramter in order to have a new access token ( depending on the configuration of your server it could give you back whether a new access token , or a new pair of access token and refresh token which I prefer ).
3: If the refresh token is expired you make a request with your credentials to have a new pair of tokens.
I'm trying to authenticate a HTTP request using a token sent by an Android application, but I have no idea how to do this.
To get this token I must to send an user a password, to my ruby application that returns the token, but I want to know how to verify all requests from my android application using this token.
I know the "before_filter" on ruby, but I think that it could have problems with my first authentication, because I have to login with the user and password just once, but every time with the token.
If you can indicate any links or some pieces of code ...
Thanks in advance.
After successful log-in you should save Token in Constants and should send this token with each HTTP request.Server will verify user with access token and return result.