I am working on an app that will need to get authorization via OAuth2 from a 3rd party web service (3rd party meaning it's not Google and I don't own it).
This article:
http://developer.android.com/training/id-auth/authenticate.html
seems to suggest that I should be using AccountManager for this purpose. After giving this some thought, I have some doubts about the benefit of doing this, or even if it's appropriate for me to do this. If I wanted to use a Google account, or some other account that was already installed into AccountManager by some other app, then obviously it would be a good idea to get the credentials from AccountManager. But since I am going to use an account that is most likely not in AccountManager, I would have to do all the work to get it installed.
Does AccountManager provide any support in actually handling OAuth2 requests? If it doesn't, then what do I gain by using it?
And since I don't own the web service associated with this account type, is it even appropriate for me to be installing such accounts into AccountManager?
Thank you!
This might be a rather late answer after all these 4 years, but let me give you a short reply.
You cannot and should not be installing third-party accounts for Oauth yourself. It is the job of those third-party OAuth providers such as Facebook or Twitter to implement AccountManager functionality and create their own account type. This is roughly guided at https://developer.android.com/training/id-auth/custom_auth.html.
There are several services, including OAuth providers such as Facebook, Twitter, WeChat, and etc, who register user accounts in AccountManager but I believe most of them just use it to implement SyncAdapter (which requires Account), not to provide OAuth functionality to third-party applications like your app.
I think Google allows you to use their APIs using the token acquired through AccountManager; the link you provide gives an example of using AccountManager for Tasks API. However, using the client library is a better option of achieving the same thing as described in https://developers.google.com/google-apps/tasks/quickstart/java#step_3_configure_the_project_build.
If the third-party OAuth provider does not provide you any SDKs or client libraries, you have no other choice but to use REST APIs they provide.
Related
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
In my android application I am trying to build an array of login credential methods for the user. The user should be able to login using their google, facebook, outlook and twitter (etc...) credentials. I am not sure if there is an easy way to do this but currently I am looking up the API for each one of the mentioned services and researching how to use their authentication method and gaining access to services like contacts for invitation purposes.
I am having a hard time finding any resources for outlook authentication and services. If anyone can point me in the right direction I would appreciate it very much!
you can try Socialauth-Android:
The API enables user authentication and sharing updates through different various social networks and hides all the intricacies of generating signatures & token, doing security handshakes and provide an easy mechanism to build cool social apps.
After reading all sorts of Stackoverflow postings and various documentation including some on http://code.google.com/p/google-api-java-client/ site I feel utterly confused. So can someone explain to me the best way of achieving the following:
Let user to approve my app. I don't really care if this is done by accessing their registered Google account in accounts/settings and approving the app (preferred way) or by calling Google OAuth authentication page
Obtain the authentication token that can be used to communicate with Google Reader
Another point of confusion for me - I was able to approve my app using AccountManager and get auth token from it but it won't work with Google Reader. So how to balance Account information from the AccountManager and OAuth? Do I still need to do anything with OAuth after I get approved by user in AccountManager settings?
Code example would be nice but I look more for some clear explanation on how all these pieces are related to each other
The account manager lets you get authentication tokens for different services. There are different concrete implementation under the hood: ClientLogin, OAuth, etc. To get it to work with, say, Google Reader, you need to pass the appropriate token type. For ClientLogin, those are short string like "ah" (App Engine) and "reader" (Google Reader). For OAuth, they are scopes, as defined by each service. So, what are you passing as the authTokenType parameter?
Getting the token is asynchronous, since it may involve network access. If there is a cached token, it will be returned right away, if valid. The flow is not that complicated, see the link above for the pretty picture. Once you get the token, you put it in the appropriate header, and use the API as per the spec.
Here's an Android training class on AccountManager that might help:
http://developer.android.com/training/id-auth/authenticate.html
Also, using AccountManager with Google Reader is currently the only preferred way of doing this. Directing your users to a login page with a WebView is not very secure and using a browser isn't supported by Google APIs as far as I know (I'm also not sure if Reader uses OAuth2 or not).
I'm writing an android program which must interact with google documents, so I have watched this sample, but it uses an AuthSub token. How can I get an AuthSub Token from an android app?
For accessing Google Docs or any other Google service (or any OAuth based service for that matter) you will need to find a way to do an OAuth based authentication, after which you can u get a secure token which you can use to access a service based on the users credentials.
There are some really good examples to get you started:
This is an example of getting AccountManager to work with a Google
service like Google Tasks, this shows you how to generate tokens and
then how to use them:
https://developers.google.com/google-apps/tasks/oauth-and-tasks-on-android
This is an in-depth look into how you can authenticate based on the
users Android credentials, has an example of how things work and how
the UI should be:
http://www.finalconcept.com.au/article/view/android-account-manager-step-by-step-2
For something specific to Google Docs have a look at
http://code.google.com/p/google-api-java-client/wiki/Android
http://code.google.com/p/gdata-java-client/source/browse/trunk/java/sample/docs/DocumentResumableUploadDemo.java
I'm developing an android app that consumes a webservice that I will develop too (I'm thinking in using a RESTFul webservice)..
and I want to secure the connection between the app and the server but I need to authenticate users too..
My problem is in the last part, to secure the connection I think the best way to do it is to use SSL (https), am I wrong?
I don't know what's "the best way" to authenticate users, to make sure that a user cannot consume the webservice as another user..
I have some ideas, like using a authenticate(login,pass) method on the webservice that returns a token.. And for any operation that requires authentication the user would need to pass that token as a parameter.. The thing is, is this a good way to do this? whats the most common technique used to auth users in a situation like this?
If a token based auth is a good idea how should I generate the token?
Sorry for this long text..
Any help will be usefull
Thanks
Make sure you understand a trendy standard like OAuth before you go down that path. Most OAuth flows are centered around a user logging in to your server through a web browser. This can lead to pretty bad user experience for a mobile app. The standard does allow for alternatives. Here's a decent introduction.
You could also use an existing identity provider like Google, Facebook, Twitter, etc. instead of implementing your own authN/authZ. On Android, you can ask for a Google auth token using the AccountManager. This usually works because the user needs to be logged in to their Google account to access the Android Market. Anyway, this will prompt the user to grant authorization to your app. You could then use the Google auth token to login your user to your service with your own token. The login would essentially be your server verifying the Google token is valid (by contacting Google's servers) and then issuing its own token to be used for calls to your web services. If you don't like Google, you could use the Facebook SDK, etc.
As for what to use for tokens... The OAuth spec has stuff on that as well. You could do something as simple as a random string or something as complex as encrypted SAML assertions.
You should implement a token based OAuth, which will require the users to log in once, and then permanently have access.
You can use Google App Engine which already provides user authentication services for you (your Android users most likely already have google accounts) But this is only one of many options.
You can also look into Amazon's Identity Access Management (IAM) which will allow you to manage the users who have access to your web service, and authorize them accordingly.
I think the best way to do it is to use SSL (https), am I wrong?
This only prevents certain types of malicious use, but not everything. There is still nothing to prevent people from accessing your database on the phone, and retrieving credentials that way.