I'd like to use SSO (Single Sign-On) for users of my app, but I don't understand how to apply it to my case.
To summarize, we have:
a database
a website
an iPhone app / an Android App
Currently, it's possible to create an account on the site, and then use the same credentials to connect from the mobile apps. All communications between mobile apps and server work through http requests.
To put it simply, I would firstly
be able to use Google accounts to authenticate users
offering Android users to choose one of Google accounts associated with their smartphone
I found several sources of information:
Google - Using OAuth 2.0 for Login
Android - Remembering Users
Unlike what I saw in some examples, I don't need to make request to Google services like Google Calendar or Tasks, I just want to authenticate the user.
Does someone could tell me what I need to do on the website and on the mobile app. Should I store information in my database? How to ensure that after authentication, all http requests from the mobile application are really from authenticated user?
Do not hesitate to ask me to clarify some points.
Thanks in advance
As OAuth is a standard for authorization and not for authentication, it doesn't support any direct method for this. However, most providers allow you to call an endpoint that returns the id of the logged in user. Google returns the id as part of the basic profile information. This step is described in the first article you already mentioned. There are multiple libraries available to simplify this step for you.
So for identifying a user you acquire his Google user id and store/match it in your database.
To get the user's id on an Android device, there's an even more simple way. Just use Google Play Services as described in its documentation. You can find the user id in the response to the call in the last section of the documentation.
Now there's still the problem that you have to send the user id from the device to your web server and verify that this call was issued by your app. Fortunately, Google has also built a method into Google Play Services for exactly this scenario. There's a blog post by Tim Bray at the Android Developers Blog about this.
Related
Hello to all of you guys.
Today I received the following warning from Google to my inbox :
We are writing to let you know that Google will discontinue support for sign-ins to Google accounts from embedded browser frameworks, starting January 4, 2021.
We have detected the use of an embedded browser framework with one or more of your OAuth clients that may be blocked on or after January 4, 2021. Please review your use of Google Account authorization flows in the following Google OAuth client IDs and make any required changes before January 4, 2021...
In my project, I am using the official google sign-in library to authenticate a user and retrieve user's account and token. When user is logged in and token is successfully retrieved, token is send to backend server in order to generate the access & refresh token as described in the OAuth2 flow.
My question is, is there a conflict using both these flows to finally generate an access token for the user? If not, do you have any ideas where I should focus to locate and fix the problem? As the warning says, I am not using any embedded browser login functionallity so my concirns are on the previously described case.
Thank you in advance!
Google's recommendation for some time has been for mobile apps to follow the AppAuth pattern, where the app itself never sees the user's credentials and a Chrome Custom Tab is used for logins.
If you are interested in evaluating this option there are a couple of code samples from my blog that you can easily run. It is quite a difficult flow to implement though.
Google AppAuth Sample
Advanced AppAuth Sample
In my android application I want to let users to authenticate with google or facebook account.
I've implemented sign-in with google already.
I'll try to implement sign-in with facebook soon.
I've read about IAP in android:
https://developer.android.com/google/play/billing/billing_overview
https://droidmentor.com/inapppurchase-subscription/
at least what I understand it is about google account authentication.
So I wonder is it possible to make IAP in android application if the user is authenticated with facebook account ?
I cant find examples or explanations by now.
Any good examples/explanations about IAP with google is also very appreciated because I still don't have a clear vision on IAP.
fyi: In my app user will be able to buy "virtual tickets pack" (e.g.: 10, 15, 20 tickets) and to add them to their profile. and later they will "consume" tickets one by one.
Best Regards
My understanding is that you already have a user system that you are using to provide a Google login to your customers. When you add Facebook login, you'll probably want to match both Google and Facebook logins with your own custom user ID. It's always a good idea to have a custom ID of your own so that you can map it to different types of logins.
When purchasing through Google Play Billing, the purchase gets associated with the user's phone Google account and you can also provide an optional way of associating a purchase with your own user account system. In order to do that, when building the BillingFlowParams, call setAccountId and pass your account's system custom ID.
To provide the best experience persisting purchases during installs or across devices you should also be saving the purchases on your server's database. In order to do that in a secure manner, you will also have to implement server-side receipt validation. If you want to avoid most of these headaches, I recommend you to use a service like RevenueCat.
IAP can only be done through the user's google account, as that is what one needs to use any part of the Play Store. The user's google account is also where the credit card/other payment methods are stored for each user.
In spite of the above, the way users log into your app has nothing to do with them using the IAP system. When a user will choose to use an IAP, the google account data will be provided by the android device/Play Store, not by your app (Off subject:the process is similar on iOS if you ever get to try there).
What your app needs to do, is receive the confirmation of purchase from the IAP sdk and then mark on your server that this particular user has purchased this item. Basically for any purchases (no matter the payment provider) you would usually mark in your DB the following:
what the user has purchased
how much did he pay
when did he pay
provider's id of the purchase, so you can later match the accounting reports with the payment provider's report
where he payed from (IP can be a good indicator, although in the age of VPNs not necessarily 100% acurate)(this can be useful for your marketing decisions)
mark that this user now has access to the item he purchased and if it is a time limited item, mark when it expires, so you are able to later check if he still has the right to access it.
Disclaimer:
I have not used the android IAP system directly before. I have implemented mobile app payment systems before using iOS IAP and on android Braintree payments. But the process is most likely very similar with android IAPs as well.
I'm writing an app that requires a user sign in with Google on Android and then proceeds to get data from the server (a Google App Engine instance, in this case). How could I go about making sure that the user is actually logged in instead of just calling with a user ID? Is there a way for google to check a secure token they provide on Android for authenticity? Or is there another non-google related way to do this?
Thank you for the help!
Okay, so this is actually a very simple task. You ask Google Play Services for its OAuth Token and send that. Then the server asks Google about that token and Google will give it all of the information in the scope at once using one of their multiple limitless OAuth APIs.
I was using Facebook login and other 3rd Party login in mobile game based on the way that,
client integrates Native Facebook SDK (or other native sdk)
client login and get OAuth access token
client pass access token to server side and server makes a server-side authentication to Facebook
if server side get FB Uid, then based on it creates an account or login to existing account for the user.
My question is, in order to free user from login to service every time, is it possible to directly use Apple ID on the device for such flow of authentication? What about Android and Google ID? Or other type of solutions I should look into?
I know the question is old, but it's one of the first that get get listed when searching for "apple oauth"...
Apple has anounced at the WWDC 2019 a new feature called Sign in with Apple which allows you to use oauth for apple logins like facebook, twitter, google etc. Developer resources can be found here and a good introduction here.
————- update: ————————————————
We now have Sign-In with Apple: https://developer.apple.com/sign-in-with-apple/
—————— old version —————————————
For apple user accounts there is no oAuth 'ID'-provider
https://discussions.apple.com/thread/6594633?start=0&tstart=0
https://en.m.wikipedia.org/wiki/List_of_OAuth_providers
My personal opinion about that fact is the following.
Apple wants to sell hardware. If software is needed to support that, they implement or buy it.
Apple might be wrong, as web apps are integrating Facebook, Google, Twitter, Windows Live and sometimes Weibo, LinkedIn or Amazon oAuth.
I never heard about plans for oAuth for Apple ID.
I'm creating an app that will need users to create an account. (Like Facebook or Twitter would require you to.)
BUT, since it's an Android app, should/can I let them sign in with their Google Account using AccountManager or some other service? It'd be very helpful if they could just sign in to their Google account and their settings and other options would be saved to that account.
Main questions summed up:
Is it possible to let a user just use their Google account in my app?
If so, do I use AccountManager to have them sign in and save account information/settings?
What are other options?
Yes, you can get users to log into their Google Services using their Google credentials, for example, I have an app on Google Tasks and I use the Android AccountManager to let users authenticate themselves using their Google account on the android device (No need for users to enter their password!)
There are some really good examples to get you started:
This is an in-depth look into how you can authenticate based on the users Android credentials, has an example of how things work and how the UI should be: http://www.finalconcept.com.au/article/view/android-account-manager-step-by-step-2
This is an example of getting AccountManager to work with a Google service like Google Tasks: https://developers.google.com/google-apps/tasks/oauth-and-tasks-on-android
The last example is using the same concept for accessing the Google Picasa service: http://code.google.com/p/google-api-java-client/wiki/AndroidAccountManager
The other options you have is to have users manually enter their username/password. For that you have to use a third party authentication API (like signpost for OAuth) for them to log in.
In my tasks/todo application I provide users both options to sign in, using their android credentials or using third party authentication for users that want to log in using some other account (an account which is not enabled on that device)
Let me know if you have more questions
Although it is a new development, Google Plus Sign-in introduced as part of Google Play Services can also be used. More info can be found at Android developers blog. See example implementation from Banjo app
There seems to be a big limitation - The user need to have Google+ app installed on the device to use this.
Also this is a pretty good blog if someone is interested in implementing the solution.
#Soham gave you some very useful links but he didn't correct one major error: AccountManager is the entity that manages the accounts on your Android device - it has nothing to do with your google account! you can use google account and create a NEW account on your device using the AccountManager.
The rest you can learn from the links Soham gave you.