I'm building an application which consists of a mobile client (Android native app) that will connect to my rails application. I need a way for users to signin and signup to my rails app using the android app. So I installed doorkeeper and devise gems on my rails app and followed the instructions here to see how things work. As you can see in the authorization code flow page there are multiple steps such as registering the client, requesting authorization, requesting the access token.
My question is how do I perform all these steps from my android app. Any help is much appreciated. Thanks
For registration (sign up) you can create a method in the user controller that does just that. Or you can customise Devise's sign_up page to look better in a mobile view and do the registration in a webview in the app.
As for Doorkeeper, either follow the usual flow as linked by you or give it a simpler approach. What I did was to
activate the refresh token - this will allow a user to get his access token and his refresh token, token used to regenerate the access token once it expires. This way you don't retain the user's login registration on your app, just the tokens.
white label some apps in config/initializers/doorkeeper.rb by using the skip_authorization to allow auto authorisation of some particular apps. You can allow auto authorisation to all the apps but I'd recommend you just whitelist some of them:
skip_authorization do |client|
whitelisted_apps = ['app1_id', 'app2_id']
whitelisted_apps.include? client.application.uid
end
I hope this helps.
Related
I am trying to add the "Microsoft" sign in method to my Firebase project, with the hope of allowing users to login to my Android app using their Azure AD credentials. I already have everything set up to use the "Email/Password" provider, which is working well.
I don't plan on accessing any Azure APIs, I just need to authenticate a given user so that when an organization terminates said users account, he is no longer able to login to my app.
I am following https://firebase.google.com/docs/auth/android/microsoft-oauth this guide. I have registered an app on my Azure AD, set it to allow accounts from any organization as well as personal accounts, and added the client ID and secret to my Firebase project. I have also added the redirect url from the Firebase project to the App registration on Azure.
I start the login process using startActivityForSignInWithProvider like in the example. The chrome tab loads and takes me through the entire authentication process. The problem is this always returns a failure with the exception Error: (invalid_client) AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented'
This is confusing, since, in order to enable this sign-in provider on Firebase, you are required to enter the client ID and client secret.
I've tried with the app registration setting "Treat application as public client" set to Yes and No. I've also tried with a blank scopes collection and adding 'openId' to the scopes as a stab in the dark.
I'm a bit out of my depth with this Microsoft Authentication stuff, so any nudge in the right direction would be greatly appreciated.
Register the app in Azure as web app instead of Native App. Because the URL provided by Firebase is for Web App. Hope this helps.
I am trying to add the "Microsoft" sign in method to my Firebase project, with the hope of allowing users to login to my Android app using their Azure AD credentials. I already have everything set up to use the "Email/Password" provider, which is working well.
I don't plan on accessing any Azure APIs, I just need to authenticate a given user so that when an organization terminates said users account, he is no longer able to login to my app.
I am following https://firebase.google.com/docs/auth/android/microsoft-oauth this guide. I have registered an app on my Azure AD, set it to allow accounts from any organization as well as personal accounts, and added the client ID and secret to my Firebase project. I have also added the redirect url from the Firebase project to the App registration on Azure.
I start the login process using startActivityForSignInWithProvider like in the example. The chrome tab loads and takes me through the entire authentication process. The problem is this always returns a failure with the exception Error: (invalid_client) AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented'
This is confusing, since, in order to enable this sign-in provider on Firebase, you are required to enter the client ID and client secret.
I've tried with the app registration setting "Treat application as public client" set to Yes and No. I've also tried with a blank scopes collection and adding 'openId' to the scopes as a stab in the dark.
I'm a bit out of my depth with this Microsoft Authentication stuff, so any nudge in the right direction would be greatly appreciated.
Register the app in Azure as web app instead of Native App. Because the URL provided by Firebase is for Web App. Hope this helps.
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I have created the SDK and now want to integrate oauth for authentication process. Now I want to do same as Facebook SDK do, if client app is already installed and login, it switch to that app ask for permission and switch back to app who wants to authorise it. if client app is not there is will open the webpage and on login ask for permission and then redirect to my app after login.
We have implemented the oauth on server but not sure which grant_type we will use to achieve the above functionality. We can not store the password in client app.
Let me know if anyone has idea how to achieve this functionality and implementing the same flow as other SDKs(Facebook, Twitter) does.
For mobile based apps use the following URL for authentication:
POST https://api.example.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID
Pass the authentication code from the app if user is login else if user is not login first navigate to login page, on successful login authorization page come as-usual.
NOTE: It might be unsecure as we are sending the code in query param, but doing it in request over ssl enhanced security.
For browser authentication
https://example.com/auth?response_type=token& client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
where authentication picks the login session if user is already login.
I think you already answered your own question when you said "I want to do same as Facebook SDK does".
Facebook SDK provides the framework for detecting if Facebook application is installed in order to avoid signing up through WebView interface. Google also provides an authentication and authorization API through Google+ sign instead of a browser. As you can see:
the documentation suggests using the right device infrastructure rather than the system browser.
According to this post, it is possible detecting programmatically check if an application is installed. For Android, I think that boths SDK check if their related apps are installed when you trigger the sign up/in/out process and invoke the system browser if necessary.
Thus, in order to provide a generic OAuth 2.0, you also could do the same programmatically, but I guess that drilling this information, pick the right application, and launch it won't be an easy task.
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using Google account info of the user. The server needs to retrieve the user's basic info and create an account . That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using Oauth2 and retrieve basic user info using Google account info of the user. I can do this as well.
This is where I need help Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials.
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0, doesn’t matter in this, leads to the app obtaining an access token - then based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs, see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your way to do so (like sending a HTTP header Authorization: OAuth access_token=abcdefgh….