My Android app is designed to fetch calendars and events from Google. I downloaded Google API v3 and followed the example from the official tutorial. In the tutorial, it uses Account Manager to do authorisation for Android, which means the user can directly pick an account already set up on the Android device to get authorisation done.
startActivityForResult(CalendarHelper.getInstance().credential.newChooseAccountIntent(), REQUEST_ACCOUNT_PICKER);
The code runs fine, but I don't want authorisation this way. I prefer to start a WebView and open a URL which leads the user to a login page; after they log in and accept the permissions, the token will be returned to access calendar data, just like the Google API in iOS.
I understand the workflow of OAuth 2.0, but I can't find any sample code on android to do authorisation the way I described above.
Can anyone help?
You could try adding approval_prompt=force in your HTTP request that you make while looking for access tokens. This parameter ensures that the user has to log in/provide credentials every time the app is run.
Quoting from Google's documentation.
"If the value is force, then the user sees a consent page even if they
have previously given consent to your application for a given set of
scopes."
We have used the com.amazonaws:aws-android-sdk-cognitoidentityprovider:2.6.8 SDK for the username and password based login and register flow, following the approach mentioned here: https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-integrating-user-pools-android.html. The sign-up and login process is working as required.
For Facebook and Google authentication through federation, we do not want to use the hosted UI and are not using federated identities. We followed this link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html.
We have set up a user pool with an application client and a user pool domain.
Set up Facebook as a social identity provider.
Added the Android callback URL to mobile.
First Approach
We looked into the CognitoSyncDemo sample application. It was using federated identity, so we had to discard it. We are just using federation in the user pool.
Second Approach
We used a WebView and loaded the URL below. The URL takes me directly to Facebook; after authentication, it returns me to the redirect URL with access_token, auth_type, expires in and id_token, but no refresh token.
URL https://yourdomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=redirect_app_path&response_type=code&client_id="client_id"&identity_provider=Facebook
But there is a problem with this approach. I couldn't find a way to push the access token to cognitoUserSession in the SDK, which manages the user session. So every time I sign up with Facebook (using the WebView), no session is maintained in the SDK. Hence I am redirected to the login view again. How to ensure the Facebook user is authenticated and signed in by cognitoidentityprovider? How to create a user session in the SDK when getting access_token and id_token?
Third Approach
We tried to use the Cognito Auth Demo https://github.com/awslabs/aws-sdk-android-samples/tree/master/AmazonCognitoAuthDemo. For this, we had to add another library, com.amazonaws:aws-android-sdk-cognitoauth. After clicking on sign in, it used to take us to the hosted UI. After looking into a similar iOS project, we made tweaks in the Android library project (com.amazonaws:aws-android-sdk-cognitoauth for Android). We added identity_provider to the URI for sign in. It then takes us directly to Facebook in a Chrome tab. After authentication, it sets the session in our application. But it has its own authentication object, AuthSession, whereas previously we were using CognitoUserSession for normal sign up. AuthSession does not have user attributes, nor does it offer any get-user-details or authentication handlers. If we use this approach, how do we link AuthSession with CognitoUserSession and manage the user session in the application?
Summary
In short, we tried the AWS samples, but they take us to the web-based hosted UI. We need to authenticate a user via Facebook to the user pool using only a federation identity provider. We need to maintain the session in the Cognito SDK without affecting our username and password based login flow. We want to open Facebook directly or in a WebView in our application on button click, authenticate the user and maintain the session in the application using only the Cognito SDK.
To connect to the user pool I had included aws-android-sdk-cognitoidentityprovider. But if you need to add social sign-up, you need to add cognitoauth as well.
Ensure the Cognito SDK versions are the same, otherwise you might run into a compilation error.
As per the needs of the project, I needed to pass the identity provider into the SDK so it could navigate directly to my social identity provider page. But the current SDK version '2.6.24' didn't provide this provision. I downloaded the android-sdk-cognitoauth SDK from the awslabs GitHub and included it in my project. I altered the Auth.java class and added an identity provider variable to it.
Next, I altered the AuthClient.java method launchCognitoAuth. I placed an additional condition to check whether the identity provider is present or not. Then I set it in the sign-in URI.
if (pool.getIdentityProvider() != null) {
    builder.appendQueryParameter(ClientConstants.DOMAIN_QUERY_PARAM_IDENTITY_PROVIDER, pool.getIdentityProvider().toString());
}
After making the above alteration, I can configure the identity provider through my app in auth.builder(). The hack worked; I was navigated directly to my provider page. After authentication, the SDK sets the session itself.
To sum up, I found a difference between the Android and iOS project implementations. In the iOS project, AWS has given a provision to add the identity provider directly. I followed the flow of the iOS project and made a tweak to the Android cognito-auth project. The difference has been reported as well to aws-sdk-android-sample issues.
We have an application for embedded Android-based device, it uses WebView and inside it we use Google OAuth 2 to login to the app. Unfortunately Google will soon block OAuth 2 inside WebView, and we have lots of restrictions:
The device doesn't have Google Services installed, so probably no 'official' way of logging in would work (or maybe any of them would work without Google Services?)
We can't just invoke Android browser to do login, because it shows address bar, which would allow the user to surf the internet, which we can't allow
We don't fully control the software installed on the device: we can't install Google Services, update the Android version, install Google Chrome, etc.; we can just update our app.
What else could we do having those restrictions?
Implementation through a browser:
1) Register custom URI scheme (How to implement my very own URI scheme on Android), for example, app-oauth2://
2) Make access request in user's browser
https://accounts.google.com/o/oauth2/v2/auth?
scope=...&
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=http://example.com/oauth2-handler&
response_type=code&
client_id=...
3) Whether the user accepts or denies the requested rights in the confirmation dialog, they will be redirected to redirect_uri (http://example.com/oauth2-handler) with some params
4) On the side of the redirect_uri handler (http://example.com/oauth2-handler), make a redirect to the custom URI scheme with params:
Success: app-oauth2://?state=state_parameter_passthrough_value&code=...&scope=...#
Failure: app-oauth2://?error=access_denied&state=state_parameter_passthrough_value#
5) In your app you can parse URI scheme app-oauth2:// from option 4 and receive the code for future usage or error for displaying to the user.
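An added example (not part of the original answer), in plain Java so it runs off-device: step 5's parsing of the app-oauth2:// callback, with a check that the returned state matches the value the app generated for step 2, so a callback that does not belong to this app's own request is rejected. The class and method names are hypothetical and the sample callbacks are constructed.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class OAuthCallbackCheck { // hypothetical name
    // Unguessable "state" for the step 2 request; keep it until the callback arrives.
    static String newState() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
    // Decode the query string of the callback URI into a map.
    static Map<String, String> parseQuery(URI uri) {
        Map<String, String> params = new HashMap<>();
        if (uri.getRawQuery() == null) return params;
        for (String pair : uri.getRawQuery().split("&")) {
            String[] kv = pair.split("=", 2);
            params.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                    URLDecoder.decode(kv.length > 1 ? kv[1] : "", StandardCharsets.UTF_8));
        }
        return params;
    }
    // Returns the authorization code; throws when the callback must not be trusted.
    // The state ties the response to the request this app started (constant-time compare).
    static String handleCallback(String callback, String expectedState) {
        URI uri = URI.create(callback);
        if (!"app-oauth2".equals(uri.getScheme())) throw new SecurityException("unexpected scheme");
        Map<String, String> p = parseQuery(uri);
        byte[] got = p.getOrDefault("state", "").getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(got, expectedState.getBytes(StandardCharsets.UTF_8)))
            throw new SecurityException("state mismatch");
        if (p.containsKey("error")) throw new IllegalStateException("denied: " + p.get("error"));
        String code = p.get("code");
        if (code == null || code.isEmpty()) throw new IllegalStateException("no code in callback");
        return code;
    }
    public static void main(String[] args) {
        String state = newState();
        // Constructed sample callbacks in the shape shown in step 4.
        System.out.println(handleCallback("app-oauth2://?state=" + state + "&code=SAMPLE_CODE#", state));
        try { handleCallback("app-oauth2://?state=forged&code=SAMPLE_CODE#", state); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In an Android activity the same checks apply to the Uri delivered with the launching Intent, where android.net.Uri.getQueryParameter can replace parseQuery.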
As per the problems on your side, it would be best to open an Intent from within the app targeted towards the sign-in web URL [this won't bring up the address bar link].
Refer to this Stack Overflow page:
how to open "Add a Google Account" activity using intent?
Now you may use SharedPreferences to store the authentication data for further logins [if the requirements of the app permit it].
https://developer.android.com/reference/android/content/SharedPreferences.html
You need to use OAuth Web services for implementing a solution based on your needs.
Reference link: https://developers.google.com/+/web/api/rest/oauth
Here is a sample github project that is using OAuth 2 web service for logging into Twitter. You can take help from it for consuming the Google's OAuth2 web services in your Android Application.
Repository link:
https://github.com/sathify/tagpulse
Web service consumption screen link:
https://github.com/sathify/tagpulse/blob/master/android/src/tag/pulse/main.java
I hope this helps.
There is a library that supports Android 1.5 and higher for Google OAuth 2:
Sample code found here:
https://github.com/google/google-api-java-client-samples/blob/master/oauth2-cmdline-sample/src/main/java/com/google/api/services/samples/oauth2/cmdline/OAuth2Sample.java
I'm lost on this one. The problem is simple: what is the correct, recommended way in Android of logging in a Google user, as a page that they own (e.g. they first login and they are presented with what page they wish to authenticate as, to the app)?
The web solution is straightforward - Google's /oauth endpoint automatically redirects to a delegation page into which you choose your main account or the page you wish to continue as. The next page will have a pageId=... extra argument in the URL. As such, your authorization is linked to that specific page, not to the main account.
With Android, I'm completely lost. Every possible official guide out there is either deprecated, un-recommended, or just simply, blatantly ignores this simple use-case and only works with getting an OAuth token for the main account, without even a word given to help for the case of users that own pages which can be used as their own identity under the user's account.
What I'm doing now (at the high level), using Google Play Services:
Start an activity intent via AccountPicker.newChooseAccountIntent
User selects an account on device.
Calling GoogleAuthUtil.getToken to get an OAuth token - this triggers the basic OAuth flow which asks the user to authorize the app - NO ACCOUNT SELECTION at this step, like the web flow does!
What I looked at:
Google HTTP Api Client - this one recommends to use Android's AccountManager and never use a "custom" solution to save any refresh tokens, etc. Completely useless for the use-case.
Google Sign-In - this one seems to require a server end-point (wtf?). I tried using it and adding in the OAuth scopes I'm interested in, it didn't even work. I'm not interested in the user's email, and this API seems to be oriented for signing users up rather than authenticating as a Google one.
Other apps I looked at seem to just open a WebView and force the user to login in that, which triggers the normal web flow, with account/page selection after login. I really don't like this since it requires a separate login.
Is there an official stand on this issue and I'm not seeing it?
I have been trying to find a way to remove my fake score from my app's Leaderboard. I can't reset it because a lot of users have already connected to it. I found a way to do it: https://developers.google.com/games/services/management/api/players/hide
But I can't understand how to use it. Access token and all that just confused me. Any help anyone?
Because it's a one-time thing, I suggest you go to Google's OAuth 2.0 Playground and try to do what is documented in the link you provided.
Step-by-step instructions:
Open Google's OAuth 2.0 Playground;
In Step 1, paste https://www.googleapis.com/auth/games in the "Input your own scope" text box.
Click Authorize APIs. You will be taken to a Google OAuth2 login page.
Log into your Google account that registered your game and Allow what is being requested.
In Step 2, click on Exchange authorization code for tokens.
The previous step gave you a permanent Authorization code; this one gives you two new tokens: the Refresh token and the Access token.
In Step 3, customize the POST request with the parameters and URL documented in the link you provided. You will see the live response from the server.
Note: this is standard OAuth2 authentication.
The user needs to interactively allow the application so it will generate an Authorization code, that will work forever (or until it is re-allowed).
The refresh token is requested using the authorization code, and is also permanent (until it is requested again).
The access token expires in one hour, and it is requested using the Refresh token.
Basically all these levels exist for security reasons.
You don't have to provide anyone your authorization code, only the refresh token. If some unwanted person gets access to the refresh token, you can invalidate it by requesting a new one using your secret authorization code, without having to ask for the user's permission interactively again.
I have read your README.md from the firebaseui-android library. It can be found at https://github.com/firebase/FirebaseUI-Android. This will be the first time that I have used your Authentication for getting a user to log in. I am currently only using the Google sign-in, but will add Facebook and Twitter in the future. In the keys section of this README.md, github.com/firebase/FirebaseUI-Android#add-facebooktwittergoogle-keys, these are the only instructions for the Google sign-in.
If you're using Google authentication, place your google-services.json in the app folder.
There is no mention of having to set up anything else for the Google sign-in to work. But at least in my app, for the Google sign-in to work I needed to also set up the authentication for a web app, which can be found at www.firebase.com/docs/web/guide/login/google.html#section-configure. But if I configure the web app authentication then I don't need the google-services.json. Why is your library not using the google-services.json but instead only using the web app? This is not a web app, as it is a native Android app. I think that this also leads to the user being logged out if they do not use the app after the expiration unix time returned in your authData.
All I want to do is log a user into my app using either Google, or in the future Facebook or Twitter, and not have to have them re-login if they don't use my app for a few days. If your library cannot log a user in using the native sign-in and keep them logged in then I guess I will have to write the login myself.
I don't really know for sure what you want but I think the Firebase team was trying to make the document more concise for everyone. You have to do some of the work yourself.
So I will just drop these links and run
Create a project in Google Developers Console https://console.cloud.google.com/project
Click on "Get a Configuration File" https://developers.google.com/identity/sign-in/android/start
Know that I did not (actually, could not) give you all the information you may need because I am also working on something. Just like you.