I develop a web application with Node.js. Most of the functions are auth protected. I use OAuth2 (Google, Twitter) to authorize users to use the application.
I must create an Android application which communicates with my backend over HTTP after the user has authenticated with a Google account in the Android app.
What is the best practice for that?
I think OAuth2 would be good for this job. But how?
You can't really use OAuth in this case. As "How can I verify a Google authentication API access token?" explains, you should not share authentications.
Instead, you should have your mobile app use a separate authentication for backend requests. You could have them log in once and generate some secret token you can store on the phone so they don't need to log in each time. That token is protected by the Google login anyway.
You might want to consider using PassportJS (in case you are using ExpressJS as your web application framework).
I want to create a mobile app that can access a RESTful API that I will write. To access that API, I wanted to use OAuth2 to authorize the mobile app.
Is this a valid use of Oauth? Or should I only be using an Authentication service?
Edit:
What I'm trying to make sure I understand is the context in which OAuth should be used. My idea was to validate a username & password, then return an authorization token, then use that token as an API key for the mobile application.
You can definitely use OAuth for this.
We're building mobile apps (iOS and Android) that require a REST API backend and integration with Facebook for authentication.
I'm still confused on what is the best architecture design for this kind of use case.
Main Question: Who is responsible for authenticating/authorizing with Facebook, client or server?
Option A: Client authenticates to FB. Client sends requests using the token it received from Facebook. Server uses that token to identify the user.
Option B: Server authenticates to FB on behalf of the client.
Additional notes (may be relevant or not):
I'm developing the REST API part using Django.
The app will need access to the user's Facebook friends so we can invite them to use the app.
You should go with option A.
Authenticate with the client. Then you will receive an access token.
Send this token to the server.
Now you can create a user, fetch FB friends, and anything else you might need.
If you are using django-rest-framework, you should have a look at the django-rest-auth package. It handles user login/creation on the server side using the access token.
https://django-rest-auth.readthedocs.org/en/latest/installation.html#social-authentication-optional
You can take a look at the Facebook SDK for Python, it should tell you how to incorporate it into your app and it shows how to integrate with a few frameworks here (Flask being similar to django for this).
Facebook will be doing the authentication on their side, not you, though you may want to store the user's token in a database.
I have a more structural question about designing a connection between an app (Android) and a server (rails-api gem) using JSON. It should use Facebook as authentication and afterwards handle the connection flow via a token.
My planned solution looks like this:
I'm planning to use the Facebook SDK (client side) to get a Facebook access token.
a) Should I use the client side? I am considering it because the request would not be done by my server. But is the access token trustworthy?
Afterwards I send the access token to my server and check it with the Facebook Graph API.
If the token is correct, I create a new user with the information from the Facebook Graph API.
Next I use doorkeeper for creating an OAuth provider. The client gets an OAuth2 access token which he uses to communicate with the server…
a) Should I use another authentication gem? Or should I use the Facebook access token as the normal authentication token?
b) I am not sure if I should use doorkeeper or devise. Is doorkeeper enough? I read somewhere that you should use doorkeeper for APIs and devise for normal websites.
c) I don’t get the implicit grant stuff from OAuth2. Should I consider it here?
Thanks for your help :)
I've recently done some OAuth authentications on Android apps (or iOS), but I now have a problem.
When this OAuth authentication needs to be stored on a remote server to perform a login request, which is the best way to do this?
Should I send the access token from this OAuth provider, and then get another access_token just for my app?
Or should it be done in a different way?
Thanks!
Well, there's no general answer but I'll try to explain.
2 basic flows I can think of:
1) If you don't want your app to directly ask for a username/password, you can use Facebook/Twitter login.
2) Ask the user for a username/password directly and implement your own OAuth service with your server, then use an iOS OAuth library to communicate with it. Your service will need to perform user/pass authentication at some stage.
You can either generate a random UID (user identification) on the client and use that to communicate to the server. Or you can just pass the username/password, let the server generate a UID and from there on communicate using that UID in the request headers.
Hope this helps.
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using the user's Google account info. The server needs to retrieve the user's basic info and create an account. That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using OAuth2 and retrieve basic user info using the user's Google account info. I can do this as well.
This is where I need help. Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials?
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0 (it doesn’t matter here), leads to the app obtaining an access token; then, based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs; see the documentation for yourself. Or, if you are making the server app at the same time, then you need to figure out your own way to do so (like sending an HTTP header Authorization: OAuth access_token=abcdefgh….