So I have some solid experience programming games to which I want to add push notifications but I have very little web experience apart from html, css, and some lightweight php.
I've created and ran the example GCM server application in my Eclipse installation with Google plugins installed.
I wish to make a control panel for myself to send notifications and wish to allow only myself to login to obviously restrict public access. This doc page on Google only shows how to authenticate with a Google account, but it seems like any valid Google account that uses this auth will be able to access the GAE GCM server I am developing.
https://developers.google.com/appengine/articles/auth
Does anybody with GAE have any advice? Should I just allow Google Account authentication and then just serve control panel content only to accounts I specify or should I implement some "traditional" authentication. I don't myself know what "traditional" would be but I will research it if someone says authentication via Google Accounts and serving content to certified accounts is not wise.
You need to keep authenticating with google accounts.
All that does is make sure the user is logged into their google account but doesnt validate beyond that. In your servlet use the User service to get the current user's email and if its not the one you want show/return an error.
Related
I have an android app which communicates with Google cloud api services like speech to text, translation, NLP etc. The application is using a service account to do this and the private key file is stored in the application itself. I understand that is a bad practice as anyone can see it using dissembler but I am not sure where else to store it for an android device.
The following post suggests to store this file on a build server:
https://brightinventions.pl/blog/securing-your-google-service-account-key-in-builds/
However, I think that it does not fix the issue as the service credential file is getting included in the publish package.
Please let me know if you can think of a solution.
Do not embed service account credentials in applications. Service Account credentials have a permanent lifetime which means you will be breached. You can delete service account credentials, but then you will have to re-release your application.
You have several options:
Implement Google OAuth so that your users authenticate with Google Accounts. When authenticating use the correct Google OAuth Scopes to provide temporary permissions.
Implement temporary access tokens. Your users will connect to your website, authenticate and your code will give them a temporary access token created from service account credentials. This access token will expire. The default is 3600 seconds but you can control this.
You users will make all requests thru your website API's. You control authentication of the users. Your website code then makes the API requests on behalf of the users. This is not an ideal solution as all traffic goes thru your website (Compute Engine, App Engine, etc.) and you will pay for that bandwidth.
Not sure if this is the right place for this question. This is not necessary 100% coding problem but it is not not a coding problem either. Anyway, here is
The Story: I want to create a shopping system. The user can use the website or the mobile application or the google assistant to get product information and make purchases from this shopping system. The problem I am facing is how can I associate the user among these 3 clients. More specifically for the google assistant/actions.
Things I have done:
Using firebase auth for authenticate and login users onto the website or the mobile applications. After the user is authenticated and a firebase access token is available for the website or mobile app to use. The website or the mobile app can send the firebase access token to the backend server, and the backend server can verify this accessToken through firebase admin sdk. Everything is working as expected until I want to introduce the google actions/assistant into play.
For google assistant/actions: I followed this and this for logging the user into the google actions app. At this point, I am able to get user basic profile information if the user logged into the google actions app using their google account.
The Problems:
After I get the user profile such as user id, email, etc, from the google action login, then I query the database on the backend server and if I find a user with this id or email, then this is a valid and authenticated user, and I will allow the user to make purchases through google assistant. Is this approach safe and sound for identifying the user on google actions/assistant?
Assume the above approach is safe and sound, what can I do if the user account was created using other email account instead of google account? i.e. The user initially registered either on the website or mobile application using a non-google email or other Oauth2(fb, twitter, etc) through the firebase auth. In this case, my backend database won't have google account information for the user, and if the user log onto my google actions app using a google account, I will have no way to identify this user in the existing user database.
Is there a way to authenticate/login the user onto the google action app through firebase auth and obtain a firebase access token on the google actions' fulfillment backend server? If there is a way to do this, I suppose the previous problem will not exist because I will be able to use this firbase token to verify the user no matter if the user account was created using google account or other email accounts or other Oauth2 providers.
If all of the above failed, is dumping firebase auth and creating my Oauth 2 service an option and is it going to be the only backup plan available for me?
Some answers to your questions:
If IDs or Email matches - does this identify the user?
Well, yes and no.
If the IDs match, then you have verified that the Google ID for the account that logged in matches the Google account you have on record. Great! This is secure and you can trust it.
If the email matches... well... a much lower degree of confidence. While Google does do opt-in checking, this still seems like you're taking a risk. Email addresses do change over time.
What if they authenticated via some other means?
Did I summarize that question correctly?
I guess I'm not sure how you would handle this in any other case. If they're logging into your Assistant app using a different account (not email, account) than they used for the web... they want the two to be different?
And they can log into your Action using a different Google account than the one they used to setup their device. There are flows that encourage them to use the same one, but they don't have to, and you can fall back to those other flows if you don't have an account on record for the one they use by default.
Can't I just use Firebase Auth?
Well... no and yes.
No, there is no way to just tell the Assistant to hand you a Firebase auth token instead of the token it wants to hand you.
However, you can use Firebase Auth if you're willing to setup your own OAuth2 server. The link to the StackOverflow question above was just trying to work around having to setup an OAuth2 server yourself. If you set one up you can have them login using Firebase Sign-In, generate the token and store it against their Firebase ID, and issue that token to the Assistant client. When you get that token back, you can easily associate it back to the Firebase ID.
BUT You need to do that work. Neither Firebase nor the Assistant will do it for you.
(A missed opportunity for Firebase and Google Cloud, imho. But...)
You've already seen the page for how to build a minimal OAuth2 server.
Should I just dump Firebase Auth?
There is no need to. You can use Firebase Auth in conjunction with setting up your own OAuth2 server. It is a great base for it! I, personally, use Firebase Auth and Firebase Sign-In (and Firebase Hosting and Firebase Functions) as the basis for my OAuth2 implementation.
I am quite new to android and recently started building an application which requires
Registration using a google id.
Continuous interaction with a back-end server.
For the registration , i was wondering if it is possible to have a python webapp on Google App Engine which has the OAUTH2 authentication .
This page if opened in a webview should return the token to GAE (please correct me if i am wrong here , because i am not sure the token won't just go directly to the app).
Then again on the backend i generate a token(newly generated) and update the user tables with this new token and pass this onwards to the application.
Every subsequent request made by the app will be referenced using this token.
Is this feasible or is there a better standard way to do it (i do not want to use the login info already stored in the phone) ?
Also , how can i get information from a google account(name,email) like Facebook has access to the graph is there a google counterpart ?
As far as I understand, you implement your Android app using WebView. This means that the app interacts with the server the same way as the built-in Android web-browser. As a result you don't need to add anything special to your Android app with regards to authentication.
Built-in Users service
In GAE, you get out-of-the-box support for three different types of authentication where all of them are designed in a way that your app doesn't store user credentials but rely on user authentication from identity providers:
Google Accounts (e.g. jonny#gmail.com)
Google Apps Domain (e.g. jonny#mydomain.com hosted in Google Apps)
or Federated Login (a.k.a. OpenID, e.g. Google, Yahoo!), which is going to be replaced by Login with oAuth2 (OpenID Connect)
All three types allow your app only access to very basic information of the user. Enough to match a returning user of your GAE app to their data, and an email address or unique ID, but that's it. For more, see below (oAuth2 consumer).
In appengine console, you can select your preferred authentication type in page Administration > Application Settings.
Whatever of these types you use, in your Python code you can use GAE's Users service which will deal with the authentication of your users. Basically, you just write something like:
from google.appengine.api import users
user = users.get_current_user()
if not user:
# The user is not signed in.
else:
print "Hello, %s!" % user.nickname()
On development server, you will be prompted with a dummy login page for requests where you require login or admin login. In live environment they will be replaced by GAE with real login page flow. There are also articles linked in the docs with HTML/JS examples if you want to show custom login pages to your users, for example User Experience summary for Federated Login
oAuth2 for authentication and authorization with Google
Regarding oAuth2, with the built-in authentication it is rather easy to integrate the builtin oAuth service, so your GAE app becomes a service provider, i.e. a user of your GAE app can share data with any 3rd party app or website through some simple API. You also can have your GAE app consume data that your users have stored somewhere else (e.g. Google) and they want to share with your GAE app (consumer). If you are especially interested into accessing user data in Google services, there is this good overview.
Custom user management
Finally, you could implement your own authentication mechanism, rather than relying (and depending) on GAE features. For example you can implement your custom user management based on webapp2. This means that you have control of the user-accounts and credentials, but aside of eventual security risks the disadvantage is that it can be really hard and tricky to integrate services and APIs like Google Cloud Endpoints.
I'm wrapping a Rails mobile website with an Android WebView wrapper, but it's also supposed to be available through the browser as well. The website is using Google/FB OAuth authentication, but that's not essential.
When the wrapper is used, I wanted the user to be already signed in with its primary email.
Are there any secure methods to achieve this? Something which will not allow using this method in the browser?
I was thinking about sending some kind of checksums / secure tokens but this could be easily reverse engineered.
Would the authentication with device id and android id be enough? I mean, these are available publicly for other apps so I guess possibly not. Maybe there is something that is unique to the app instance and private?
There is nothing automatically secret in an instance of an Android app that your server could verify. Using Google/Facebook OAuth login is a reasonable choice.
You can use the Facebook SDK for Android to allow the user to log in using their Facebook account, and as a.ch. mentions in the comment you can do the same with the Play Services SDK to log in via their Google account.
In both of these cases, this works because there is a local broker app (Facebook, or Google Play Services) that is trusted by the identity server (facebook.com, or google.com). The broker app has the user's credentials, can verify the identity of the app that is requesting access, and can display a view where the user can approve/reject the request. Once the identity server knows that the user has logged in on the device, knows the identity of your app, and knows that the user approved the login request, it can safely send back a token to your app via the broker. That token allows whatever permissions your app requested and the user approved.
Your WebView can then include that token in an initial request to your rails server, which checks the token with Facebook/Google. From this point, the code should look similar to the existing desktop web, at least with respect to user authentication.
You can download the Facebook SDK for Android from https://developers.facebook.com/android/, and you can get the Google Play services SDK in the Android SDK manager ('android sdk') under Extras. Both have tutorials to help you get started.
In my android application I am trying to build an array of login credential methods for the user. The user should be able to login using their google, facebook, outlook and twitter (etc...) credentials. I am not sure if there is an easy way to do this but currently I am looking up the API for each one of the mentioned services and researching how to use their authentication method and gaining access to services like contacts for invitation purposes.
I am having a hard time finding any resources for outlook authentication and services. If anyone can point me in the right direction I would appreciate it very much!
you can try Socialauth-Android:
The API enables user authentication and sharing updates through different various social networks and hides all the intricacies of generating signatures & token, doing security handshakes and provide an easy mechanism to build cool social apps.