I am creating an app and want to use the google accounts on the Android phone to get the user's email, name and possibly phone number. How can I securely communicate with a rails server? I could send the auth token but my understanding is that it changes often. I plan on making a private API token for very basic auth but I need a user specific authentication as well. I thought about using an email hash and sending that but there has to be a better solution.
Normally what I would do if the account logins were on the server is login and send a token back and check that token to the database every request but can't do that since I login on the client side.
What would be my best bet to implement something where I log in on the android side but store info on the server?
This is my answer... Uses Google Play API to get a token and verify on server/client side.
http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
Related
I have the following situation:
I have an app that will be using a subscription based payment system via the app or play store. I want to avoid implementing my own account system and verify the users via the Apple-ID or what the equivalent is on Android side, using Apple/Google Sign-in if this is possible.
The problem is that the app will have to communicate with a server every week, so that means the requests to the server need to be authenticated, that this is coming from a client (smartphone/tablet) that has an active subscription going. How do i do this the best way?
If i understand correctly then using Apple Sign-in you will get a token. Should i send this token to the server, where the server then communicates with the App Store API to verify the token on every request? Is this completely equivalent on the Android/Play store side? Or should i verify the token once on the first request, then generate my own token and send it to the client so for the rest of the session it can authenticate using that token to avoid having to go to a third party system on every call. But how do i store this self-generated token? As it needs to be linked to something on the client. Am i legally allowed to store Apple-IDs on a server?
I really want to know authentication about android..
I want to know about 2 case authentication (just android application login, android application login and web application login)
just android application
When i signed in sns like facebook or twitter, I got token and send it to server.
app and web
What if already have ID with sns in web application, what should i do?
Application sign in and got token. And next, send token to server and authenticate in server?
A lot of applications use token based authentication, where server is separated from the whole application, which e.g. allows to use one restful api for many services like mobile app and web app.
Basically it works this way, that first user sends his login and password through secured connection to your server, and then the server generates a token that allows user to get certain data from that server. Those tokens are made to expire after some time (for security reasons). You can read more about token based authentication, tokens, refresh tokens, json web token and similar things.
Here you have similar question on this topic, on stack overflow:
How do popular apps authenticate user requests from their mobile app to their server?
And here you have an overview of other types of authentication:
https://blog.risingstack.com/web-authentication-methods-explained/
I would like to create an app in which there is a mobile (Android) client which uses REST API from the server. A user has to login with Facebook account (using Facebook SDK's LoginButton); on success this should create a user account on the server at the first log in.
I've already read a lot of tutorials about how to secure HTTP API using SSL and access tokens, but there is one point which I don't get. The flow should look like this:
a user log in on the Android app with the Facebook LoginButton
in the Android app I receive an access token on successful log in which I can push to the server
I can validate this access token against Graph API
if validation in 3. is succesful I can create a user account on the server
all other calls to my server API can be secured with received access token or other token which would be created by me
but what about the 2. point? I have to expose API call which takes an access token and creates an account. This API call won't be secured, so if someone calls it with stolen/properly fabricated access token, then I will create an account which shouldn't exist. How to solve this? Do I have to assume that if my create account API is called with an access token which is valid (because I validate it in 3.) then everything is ok? Is there a better solution?
You are right, never trust the client. Always validate all client input again on the server.
In your case, you're validation of the token on the server in Step 3 should include comparing the result from Graph API with the result from decrypting the user info from the token. If both match, then proceed.
There are several code examples on Facebook website on how to do this correctly. They are available in several server languages (e.g. PHP) so I recommend reviewing them.
I'm using Google+ authentication in my app to allow a user to sign in, and have access to their 'data' on my server.
The authentication process following the following steps:
User logs in using Google+ on the app, and receives an access token.
The user passes this token to the server.
The server uses this token to verify that the user is who they say they are (following the process shown here). The server can return the data as needed.
This is the part I'm stuck on - How do I verify that the user is who they say they are for future requests without making a request to Google's servers every time? Do I return a session token to the client application that is used, and regenerate the token after some amount of time?
Absolutely. Sending a session cookie is exactly the thing to do.
You will want to use ID tokens to verify that the user is who they say they are. There is a sample project in Java on Github to demonstrate this.
Also, you should be passing a one-time authorization code to your server, not access tokens. See the documentation for getting your server side tokens from an Android app. When you have that code, you send that to your backend and then exchange that one-time code for the server's own copies of access and refresh tokens for that user. Because you receive the tokens directly from Google on your backend they are more secure than having to send between mobile apps and your backend.
I'm making an Android app that authenticates users via the Facebook SDK. However I also need to authenticate to a remote server in order to pull in new data for this user.
What's the best way to do this?
Should I send the Facebook token to the remote server, then on the server use this to verify it's a valid token for this user and thus confirm the user's identity?
Should I do the previous, but generate and send back my own token for the user to use in the future?
If I later add Google authentication would something like this also work?
Thanks!
IMO, the best way would be
Authenticate user to Facebook from Android application
Get the FB auth token to the android app
Forward the authentication token & facebook UID from Android to web server
On web server, make Facebook API call with the submitted token, to verify the user