I just started to learn GAE and noticed that there can be access to my servlets from anywhere.
My GAE is only used by an Android app to store user data and to keep track of users and GCM regId's.
The expensive GAE SSL implementation in this stage is overkill for me so I need advice on alternative solutions. I read many answers about this and and they all using some form of HTTP login page or other browser related access. I use com.android.volley in my Android app.
Any advice would be grate.
For *.appspot.com domains, SSL is available. Please refer to the following for configuring your application : https://developers.google.com/appengine/docs/java/config/webxml#Secure_URLs
You could also look at Google Cloud Endpoints to expose your APIs and ensure that you enable security for the different methods that you expose. You can also specify the Client Ids that the Android Application will be using to authenticate itself to your Endpoints implementation. https://developers.google.com/appengine/docs/java/endpoints/ '
Check out Android Endpoints client too : https://developers.google.com/appengine/docs/java/endpoints/consume_android
Related
My company has an internal web app and several other services that use Azure AD for authentication. Because they are SPA and single-tenant, they are able to use implicit grant flow in order to avoid the use of access and refresh tokens.
I am building an internal mobile app that needs to use Azure AD for auth and should also be single-tenant(my org). My understanding is that this is insecure for mobile applications. The only flows I see that apply to mobile include using access tokens to gain access to Microsoft protected API's. I understand that I am able to expose my internally hosted API but that doesn't seem to be allowed in Azure AD with a single-tenant configuration. Therefore I cannot request API access as a scope and the whole system of access and refresh token breaks down.
In addition, all of the client libraries I see are setup for the access token and not sending raw ID tokens or refreshing them. Is something like firebase on top on my app a solution? I have been all over the microsoft docs on this and am struggling.
I understand that I am able to expose my internally hosted API but that doesn't seem to be allowed in Azure AD with a single-tenant configuration.
This is incorrect. You can use Azure AD to secure access to your API even when used by a single-tenant client app.
You can create an app registration for your backend API (where you would define at least one scope), and a separate app registration for you client app (which would request the scope defined for your backend API).
If the client app and backend are really all one logical app, you could also define a since app registration, define at least one scope for it, and the client app would request that scope.
In both cases, the client app ends up with an access token to the backend API, and can use that for API requests.
I strongly recommend not implementing the flows directly. Use an SDK that will handle all the token juggling. The Microsoft Authentication Library (MSAL) for iOS and Android is available for production use now and really makes this fairly trivial: https://developer.microsoft.com/en-us/graph/blogs/microsoft-authentication-libraries-for-android-ios-and-macos-are-now-generally-available/
I own a WordPress based website and trying to write an Android app for it.
I already tried to check out WordPress's open source Android app, but couldn't figure it out.
I want to implement oAuth-2.0 login for the app. Does WordPress have build-in support for oAuth-2.0? How can I implement it on client and server side? Do I need to use a 3rd-party plugin, and is it safe to use plugins?
Is WordPress has build-in support for oAuth-2.0?
Yes, please refer this link: https://wordpress.org/plugins/oauth2-provider/
how can i implement it on client and server side?
For server side, please refer to: https://developer.wordpress.com/docs/oauth2/
For client side, you can use a well-known library like Retrofit to connect to your server. The link above also provided an examples what client sides should do.
do i need to use 3rd-party plugin and is it safe to use plugins?
Yes, Wordpress needs a plugin for this. Just pick a well-known plugin and you would be safe.
Your WordPress website needs an OAuth2 server plugin. This is our premium product: https://lana.codes/product/lana-passport/
You can try it with the demo, and there is also detailed documentation for it.
The OAuth2 server plugin provides the authentication server that is connected to the WordPress user system. It also provides the /authorize, /token and /resource endpoints, to which the client can connect and generate a token, and then use the token to access user data. The Android app will need to connect to these endpoints.
Basically, the Authorization Code grant type should be used for this purpose, because it also provides the WordPress login interface if you are not logged in and need to identify yourself. This is the most user-friendly and most popular grant type.
But it is possible that in the case of an Android app it is more beneficial to use the User Credentials grant type.
It is completely safe to use. We pay a lot of attention to security.
However, we also found serious vulnerabilities in several other OAuth plugins:
https://lana.codes/lanavdb/0bab7575-45fc-432d-945e-6100c35c574c/ (CVE-2022-2083)
https://lana.codes/lanavdb/12bb3c02-45f1-4ce8-8a5a-8b44352cf7fc/ (CVE-2022-2133)
https://lana.codes/lanavdb/6d794d65-d44b-4099-94c5-3dd2995b218c/ (CVE-2022-34149)
We are using a framework called LibGdx, which allows you to write cross-platform code using only Java. We are developing for Android and iOS.
We have a datastore in Google cloud, as well as an Google app engine api we made to communicate with this datastore.
Now we want to secure this API, but cannot find good guidance on how to approach this for cross-platform. Since we have a mix of fb-login and email-login we need to use client credentials (i.e only our app is allowed to communicate with our API).
Using .NET you would send client credentials (Client ID/Cleint secret), then get an access token, not sure how to approach that in this scenario. We do not have any scopes or anything like that, we just want to secure our API so it can't just be called by anyone. So a simple Bearer-token would solve our issues. Just not sure where to begin.
you should have a look at Firebase Authentication
https://firebase.google.com/docs/auth/
Firebase supports several login providers like Google and Facebook. You will receive a token from Firebase Authentication which you have to forward to your API at Google App Engine.
You can use the Firebase Admin SDK at Google App Engine to validate the Token again
https://firebase.google.com/docs/admin/setup
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
I don't know whether i am asking a stupid question here.
I am just starting to learn and program android applications.
I wondered :
How is the mechanism of an application and its back-end server works?
How to have a user login and only the contents related to that user is shown?
Which is something like when we login a Facebook account, we will have access to our information only.
Had a looked at SQL server and Data store and it seems like the database is shared for everyone using the application.
Android supports client apps, AppEngine supports server apps, communication between them is HTTP(S).
Endpoints are libraries of client code generated from server projects. Endpoints perform authentication by passing client credentials to the AppEngine server. Client app developers use Endpoint libraries instead of developing networking software themselves.
One of the AppEngine services is the optional Users Service to look up information related to the client credentials. If a server app needs to implement access control, it can be programmed to accept or reject requests per request detail and per user. The application author is responsible for implementing such security.