When using the new Google Play Services to authenticate an account, you first use the AccountPicker to allow the user to select an account. If the user has not authenticated with your application before, a UserRecoverableAuthException will be thrown which gives you an intent to show the 'Allow Access' page. You only need to allow access one time. However, for testing purposes, I need to be see the Allow Access page every time.
So, does any know how you can clear the permissions for Google Play Services? Or some other method that will show the allow access page every time?
In your Google Account Settings, there's a way to set up application-specific passwords. Sign up for 2-step verification and then you can create them. To temporarily revoke the permission, you can remove or change the password: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1070455
Otherwise, change the password to your entire Google account temporarily.
Unfortunately I don't think there's an easy programmatic way to do this. It seems like quite a serious security flaw that a user/administrator can't revoke Google Account access to an installed app. From what I can tell, Google is fetching the authentication information from a server, and if something in that operation fails, it throws the UserRecoverableAuthException. That's when you normally fire off the Intent from UserException.getIntent(), which contacts the server with a request such as:
scope:oauth2:https://www.googleapis.com/auth/drive.readonly[
account:<your_account>#gmail.com,
scope:oauth2:https://www.googleapis.com/auth/drive.readonly,
extrashash:<some_number>]
Now there's no documentation I've found for instructing the server to revoke that Auth Scope requested above. It might not even be possible. However, you could try to capture the values in the Intent returned by UserException.getIntent() and use it to create a new Intent you launch whenever the user wishes to sign in with their Google account. However, the server might realize the app is already authenticated, and then send you through without the prompt.
Related
I am learning about how to implement backup/restore for android as described here
It is said that "Doesn't require a user to be logged into your app. The user must be logged into the device with a Google account. Doesn't require a user to be logged into your app. The user must be logged into the device with a Google account."
But for example, if user isnt logged in any google account, can we ask within the app to login to google account and select frequency? For example, whatsapp is doing it on its settings? you can even change the account if you have multiple accounts? Otherwise user has to go to phone settings and has to enable this and most of the users dont even know that is available there.
So if I implement a google authentication within my app and get authentication token. how can I implement this? Any sample code or project?
I am using xamarin.android but I dont mind java code as well.
The Auto Backup is provided by android. You can enable it in the system setting.
When you enable it, you can set the location to backup, for example set a google account or let it backup to SD card. And you could also set frequency and which app you need to backup. It all sets in the system setting not in the app.
You could refer to this article for more information.
I've implemented Firebase Invites as described in the documentation and it works fine.
I've discovered that if a user has multiple Google accounts then the first time the Intent is invoked, Firebase asks the user to select one of these accounts (if they choose to send an invite via email, the selected account is the one it comes from).
However, my users have complained that that there is no way to change the account that is used. Uninstalling the app and reinstalling does not cause the prompt again, so apparently Firebase is storing the selection internally.
I've found the setAccount method, but that would require me to launch the account-chooser dialog and specify the Account every time. I was hoping there would be some mechanism to cause Firebase to reset the choice that it has stored internally. Is there a way to do that?
Note that calling FirebaseAuth.getInstance().signOut() has no effect. In fact, calling FirebaseAuth.getInstance().getCurrentUser() returns null. That seems to confirm that Firebase Invites is not using Firebase Auth. [It would be nice if Google documented what is going on, instead of us having to guess how it works.]
Here's the private response I got from a Google engineer:
No, there's no way to clear the default account. As they mentioned, setAccount would be the recommended way to choose the account. For this case, though, you might want to tell them that the user actually can change the account from the Invites screen by tapping on the user avatar. If they have more than one account on the device, this should bring up the account chooser to change what account emails are sent from.
Im developing an android application for the first time (no prior experience whit coding....). Mainly the app is going to be used at work as a tool for service technicians. The app is almost ready for field testing, but there is one thing i need the app to do before that. I need the app to force the user to log in every time its opened. This is because some of the info on the app is confidential, and only people that currently works for the company is allowed to have this info. Whit firebase i can then block the users that leave the company, or users that are not verified. Currently the users sign in whit google and they stay signed in until they clear the app data or delete it.
I have looked far and wide for the answer to this, but i have only come across different use of timers.
If anyone has a better solution to this "safety" issue, im open to anything.
If you are using Google Sign-In for authentication, there is no out of the box support for forcing your user to authenticate with Google every time they use your app.
This makes sense, because the user is still authed with Google on your phone. A login system only authenticates the user; it doesn't inherently protect data stored on the device. As long as Google has a valid access token, the user won't have to type a username and password again (and simply clicking "login with Google" again doesn't really provide extra protection here).
If your primary concern is blocking access to users who have left the company, you should be covered if you are using Google Apps for your company. If you disable the user's account, their access tokens should become invalid. Google Apps admins can also manually revoke access to specific apps for specific users.
If you don't use Google Apps (e.g. your users are using #gmail.com accounts or accounts from a domain outside fo your control), you might want to consider implementing a list of users allowed to access the application, and verify the current user has access by checking that list via an API call on launch.
If the goal is really protecting the confidential information in the application, you might want to take an approach similar to Android Pay in which you require your user to set and enter a PIN number to access the application. As an added benefit, you can then use that PIN to encrypt any confidential data you are storing locally.
I will suggest you take a look into shared preferences and every time when the user is back into the app you send them to the login activity.
Many Google Applications allow you to switch between Google Accounts and show you the currently connected account.
For example Google Fit, Gmail, Google+, etc...
From the perspective of the code I call .connect() on the Google Client and enter a loop of
connection failed
launch automatic resolution
get activity result
retry connect
until I finally connect.
This is documented in many places, here for example: https://developers.google.com/android/guides/api-client
On the UX side what happens is that the user is presented with multiple dialogs asking every time something different.
One of the dialog ask to chose an Account between the ones available on the phone (it probably automatically resolve without user interaction if there's only one account configured).
How do you query the Google Client to know which account is currently connected?
I found no documentation about it anywhere.
The closest thing I found is this:
https://developers.google.com/android/reference/com/google/android/gms/common/AccountPicker
but I do not create the picker, it's something completely handled by the Play Services in the procedure I described above.
You have to request the Account resource with Google Plus API.
Add the following permission in the manifest:
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
Then use this API to get the account that is logged in currently.
EDIT (addressing the comment):
In .builder add login scope as shown in the example and initiate the G+ Api as well. Since you do not need social scopes, this scope will give you access to currently authenticated user's information.
Once you setAccountName through the builder, you can access the Account resource for this user which you can get at anytime through getAccountName.
EDIT 2:
So apologies for not addressing the G+ context with last edit.
Here's a class in simple Google Sign In (Identity platform) which give you access to account resource.
More information in the official documentation.
I have a private app which works totally offline (i.e. no server data sent/recieved), however I have a need to restrict it only to users with a valid Google account on their phone. I can get make sure there is a suitable account on the phone by iterating a list of phone accounts, but is it possible to check the account is valid/authenticated without me having to introduce the full OAuth process? I have no need to get a cookie or send any data to a server.
Ideally I'd like to do something like:
1. Check with the account manager for an auth token.
2. If token recieved then allow access to the app.
Currently without any checks via the account manager, anyone could create a fake account on the phone and then gain access even if they put in a email/password and they would never be authorised.
I hope I've explained this clearly. As my app has no network connectivity so I would like to avoid adding any of my own network/oauth checking.
What about this:
AccountManager manager = AccountManager.get(this);
Account[] accounts = manager.getAccountsByType("com.google");
final boolean connected = accounts != null && accounts.length > 0;
The connected boolean will indicate if there is a connected Google account in the phone.
Indeed there won't be any check on the token, but if the account is registered on the phone, then Google checked it before, server-side, to validate it...
How about implementing Google Plus login API? It's not really setting up a full OAuth process since G+ it's fairly simpler, even if it is actually built on top of OAuth.
I use that in an app I'm developing that also does not require online access (except for initial G+ login access).
What I do is the first time the app is run I present the G+ login button. After user clicks on it he can accept the permissions request from my app (to be able to retrieve user email and some basic profile info, i.e. minimum permission needed) and if the API client connects correctly then I present the user with the dashboard or home screen and also set up a flag in SharedPreferences about the user being already authorized.
In this way, the next time the user starts the app it will remember it was already authorized and just ask the API client to connect (only if the access was revoked from the account's Play Store website do we need to re-verify that the user auth is still valid), and everything should work. If the user revokes the access to his G+ profile from my app, I clear the flag so the next time the user runs it it asks for authorization again.
It's actually very simple and at least for my use case (Which sounds very similar to yours) it works for what I want it with minimum user intrusion.
I strongly suggest you try out something like this Google Plus login tutorial
Edit: You can also check this question I asked before, about working with multiple activities that need Google Plus functionality
Also, forgot to say that with this method you are always sure that the user account is always valid since you are checking directly with Google's servers about its validity.