What does authTokenType exactly mean? - android

I have been working on an account manager in android to maintain a separate account for my app.
I searched through many sites, but I couldn't understand the meaning of authTokenType. I want to know whether the authTokenType is generated by the server dynamically for every user or if it is a static string used for all the users by the app itself.
Thanks in advance.

The authTokenType specifies what kind of token you are trying to get when you're calling (among others) the getAuthToken methods in the AccountManager.
Some account authenticators only use one authTokenType, and others, such as the authenticator for Google accounts, can issue many different types of tokens with different permissions. You can get a list of OAuth 2.0 related tokens for Google at the Google OAuth 2.0 playground. For example, the authTokenType for getting the user's email from a Google account is "https://www.googleapis.com/auth/userinfo.email".
The authTokenType is nothing that is server-generated, and if you are using the account manager to manage your own account type you should be able to decide yourself what the token type should be for your accounts.

Related

Is user's google password stored in Android account manager?

I am new to Android but old to Java. I have some questions before getting into my own account manager implementation. Here is the stuff:
How does the Google account manager work?
I have come across a couple of forums and blogs, and mostly they explained how the account manager works and how to add our own. Here I have a couple of questions:
How does the Google account manager store the user's password in Android?
If they are not storing the user password on the device itself, then how are they seamlessly producing the auth tokens for the requesting apps that use the Google account manager (like Maps / Hangouts / ...)?
References
How does Android's account manager use the stored password to retrieve an auth token?
https://developers.google.com/tasks/oauth-and-tasks-on-android
http://blog.udinic.com/2013/04/24/write-your-own-android-authenticator/
They (most probably) don't store the password but the OAuth token received from Google's servers after authenticating, together with the refresh token.
All Google apps can use the same account manager to get the authentication token and talk to their backends; once this token expires, the account manager uses the refresh token to get a new token and stores it in the account manager.
Storing the password is very dangerous, not just for the app, but it leaves the user's account completely vulnerable to being stolen both in the client app and on the servers.

GoogleAuthUtil.getToken is different from GoogleSignInOptions.getIdToken

Why is it that when using
GoogleAuthUtil.getToken(context, account, "audience:server:client_id:XXX");
you get a different ID token than when you retrieve it like this (when using Google Sign In)
GoogleSignInOptions.getIdToken();
?
Even weirder is that the ID token returned by GoogleAuthUtil.getToken(...) can't be validated by the backend (with Google certs), while the ID token returned by GoogleSignInOptions.getIdToken() CAN be validated.
There's little documentation online, and so far I have no clue how this happens.
I have found the following inside Google's documentation - Authorizing with Google for REST APIs:
When you want your Android app to access Google APIs using the user's Google account over HTTP, the GoogleAuthUtil class and related APIs provide your users a secure and consistent experience for picking an account and retrieving an OAuth 2.0 token for your app. You can then use that token in your HTTP-based communications with Google API services that are not included in the Google Play services library, such as the Blogger or Translate APIs.
And you can find their notes at the above link.

Get Credential Provider for Authenticated Users

My Android app logs in with Google Plus; I am trying to integrate it with Cognito. When I run the app, it gives me a Cognito Credential Provider ID, and when I log in with Google Plus it gives me a Google token. I checked my AWS Cognito, and it shows me this.
Unauthenticated connections 3
Google Sign-in 0.
But when it signs in properly with Google, and also provides me a Google token, then where am I going wrong?
EDIT 1: Here is my code:
Login with Google Plus
Cognito Sync Client Manager
In the future, you may want to include relevant code from your application to better help others assist you.
Have you followed the guide for integrating identity providers?
It's also important to note that the CredentialsProvider does lazy loading, meaning simply adding the token to the provider does not associate the identity. To ensure the token is actually linked to the identity, you can either:
Make a call to another service (for instance the SyncManager) that uses this provider (recommended)
Explicitly call refresh on your CredentialsProvider. (only recommended for testing purposes)
Edit 1
Did you add the tests I suggested in my original answer? If so, what if any errors did you receive?
You may want to try some of the following steps to verify your configuration:
Inspect the token via jwt.io. Validate that the azp field of the token matches the value entered into the Cognito console.
Create an OpenId Connect provider via the IAM console, adding all client ids from the Google console. Use this provider instead of the basic Google+ integration in your Amazon Cognito identity pool.
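The azp check suggested above, and the ID-token validation question earlier on this page, both start with reading the token's payload. The following is an added example (not code from any of the posts): it decodes a JWT's claims the way jwt.io does, without verifying the signature, and reports whether azp, issuer and expiry match what a Cognito identity pool would expect. The client id and the sample tokens are constructed placeholders.

```python
import base64
import json
import time

# Added example: inspect the payload of a Google ID token and compare `azp`
# with the client id configured in the Cognito console. The signature is NOT
# verified here; this explains a mismatch, it does not replace backend
# validation against Google's certificates.

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))

def decode_claims(id_token):
    """Return the (unverified) payload claims of a JWT as a dict."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_token_for_cognito(id_token, expected_client_id, now=None):
    """Report (ok, reason) for the claims Cognito's Google integration relies on."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer: %r" % claims.get("iss")
    if claims.get("azp") != expected_client_id:
        return False, "azp %r does not match configured client id %r" % (
            claims.get("azp"), expected_client_id)
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

def _constructed_token(payload):
    # Constructed sample (not a real Google token): real header and payload
    # JSON, placeholder signature segment.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".PLACEHOLDER_SIG"

WEB_CLIENT_ID = "123456789012-example.apps.googleusercontent.com"  # placeholder
_BASE = {"iss": "https://accounts.google.com", "aud": WEB_CLIENT_ID,
         "sub": "constructed-subject-id", "exp": 4102444800}
SAMPLE_GOOD = _constructed_token(dict(_BASE, azp=WEB_CLIENT_ID))
SAMPLE_WRONG_AZP = _constructed_token(dict(_BASE, azp="other.apps.googleusercontent.com"))
```

If the azp reported for a token obtained on the device differs from the client id entered in the Cognito console, the identity pool will not link the identity even though the device-side sign-in succeeded.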

How to use a google account in your Android Application

I want to develop an Android application that allows users to sign in with their Google Accounts (I think it's always an email address) instead of forcing the user to create a new one. I have 3 questions regarding this:
When the user starts the application for the first time I'll have to use the AccountManager, right? If the user has only one com.google account I'll use that one; if not, I'll ask him which one he wants to use. My question is, can I be sure that every com.google account in the AccountManager has been properly authenticated, and can the application be sure that the user is who he says he is, so that I don't have to ask him to choose the account every time the application launches?
The application will have a server that will store in a database what restricted content the user has unlocked; that's why it needs the Google Account, to match the foreign key of the user with the foreign key of the content to know what that user has unlocked. How do you suggest I save the Google Account in the database as the user table's primary key? I could store the email of the Google Account, but aren't there privacy problems with that? What else can I use? I suppose there is no Facebook ID-like integer value for Google Accounts.
Do I need to use OpenID or OAuth 2.0 for any of these operations I've mentioned? I'm asking this because when the application doesn't have an internet connection I want the user to still be able to access the restricted content he unlocked and previously downloaded onto the phone. If I use OpenID, that requires an internet connection, right? So the user wouldn't be able to enter the application, and that's not what I want.
Thanks
Using the account manager to check which accounts are available on the phone and ask the user which account he wants to use sounds like a good idea. I think it's a good idea to use OAuth 2.0 and grab the OAuth 2.0 access token for userinfo in your client application (https://www.googleapis.com/auth/userinfo.profile is probably the scope you want to use) and send this to your server when the client communicates with the server. Then, using the userinfo Google API, your server can use the access token to make sure the user is who he claims to be. With this API you can get hold of the user id, which you can use instead of the user's email.
Getting the auth token will require internet access, but since it's only needed when you communicate with your own server you can grab the token at that time.
I'm not 100% sure if the accounts given by the AccountManager can be trusted, but it will provide you with the google accounts available on the phone and I don't know of any way of adding an account to the phone without having access to the account. If this was possible it would be a really big security issue as well so I think you can trust that the accounts given by the AccountManager are authentic.
When you get the OAuth 2.0 token on the client I suggest you use the Google Play's GoogleAuthUtil instead of the account manager if it's possible. For more details on this see: In a nutshell what's the difference from using OAuth2 request getAuthToken and getToken

Android AccountManager - Add New Account

I'm using the Android AccountManager to authenticate a user's Google account for access to Google Drive. However, I want to allow the user to access Drive accounts that are not on their phone. For example, I have a work Google account that is not on my phone, but I would like to use it in my app. Is there a way to allow users to authenticate accounts that are not necessarily stored in the AccountManager?
Thanks
Perhaps you could add another Google account to the phone and allow the user to select which account to use. If this option doesn't satisfy you and you really want to authenticate to Google Drive accounts not on the phone, you must then use OAuth.
If you also really, but really, want to use the AccountManager facility in your app, you have to make an account type that behaves like the following:
When you create a new account, you open a browser widget and perform an OAuth cycle with Google Drive, then store the token in a secure store
When you request a token via getAuthToken(), it either releases the stored token to you or triggers a token refresh cycle using OAuth
This has its security drawbacks: better to perform the OAuth cycle without AccountManager and store tokens in app memory
