I would like to display some information about the user before using SSO. Something like:
"Login with Facebook as John Smith"
Is this possible before actually logging in? Like grabbing info from the Facebook app?
It'd be nice to express to the user that pressing the button means logging in with the user defined in the Facebook app. I just don't want my users thinking they'll get to input an email address and accidentally link their account to their friend's Facebook.
The reason why this is not possible is that, if it were possible, you could easily track exactly who is using your app without having permission to collect that user information.
We currently have an Alexa app that lets users ask for details about upcoming events, now the company wants to implement the same thing for Google's assistant. It seems like this is supported through "Actions On Google", which is very similar to Alexa.
One thing Alexa allowed us to do that I can't figure out with Google is to set up a login screen. When a user first accessed the app via voice command, it would take them to an authentication page. We used this to tie an Amazon user to our internal records so that we could identify their specific information when they made a request. It was also used for authentication and authorization.
I don't see how to do that with Google. I assume that you can, but I haven't been able to find it. Is there a way to set up a login screen so that when someone says "Hey (Agent), tell me about my day tomorrow", I can confirm who the person is to look up their information?
Yup, you're looking for Account Linking.
The term comes from linking the account they log into with your service to the account that Google uses to track them. You'll need to implement a basic OAuth server, including the page where they log into your service when they're directed there from the Assistant, and a way to issue authentication tokens to the Assistant. When requests come in from a user with a linked account, you'll get the tokens from the user, and you can use this to identify who the request came from.
When using OAuth we are using a third party to take care of the authentication of a user.
E.g. when using Facebook we “register” our app with Facebook and when a user of our app tries to login instead of providing to the app his credentials he logs in using his Facebook account.
What I don’t understand is why does the app trust the user? All the app knows is that the user is trusted from Facebook as he has an account there. How can we trust that the user should really access the app?
In this case the "user" you are providing services to is the Facebook/Google/Instagram/etc. account. From your perspective, you do not care who the person typing the credentials in is.
Normally, all you know is that the person who logs into your app knows the user name and the password for the account. In the external validation case, you know that the person has this specific login for fb/google/inst and knows the password associated with it.
Please keep in mind that in most cases (local or external validation), you do not know the person associated with the account (unless you have some method of personal validation, like credit card or sending a traditional letter with some auth). All you know is that the person who logged in knows the credentials.
Technically, each of those accounts (fb, google, inst) is a separate "user", and your local credentials login is a different one yet.
The whole concept is about user convenience really, plus some additional benefits like having the user data stored and maintained by someone else, additional security and so on.
That said, it is still totally fine if you stick to the "local" credentials method, just make sure it is secure :-)
EDIT:
A simple example:
Your app has two login options - a simple login with password and login with Google.
You also have a user, John Smith.
John opens your app, which requires login and has some sensitive data connected with each account.
Scenario 1. John selects standard, "local" login option and logs in using his credentials JohnSmith1111 and password 12345. John is now able to display the data associated with the account JohnSmith1111.
Scenario 2. John selects log in with Google. He is redirected to the login page, authenticates there and returns to your app. Your app is notified that the user google_john_smith has successfully authenticated. John is now able to display the data associated with the account google_john_smith.
The point is that the account validated using those login options is not the same! There is no "trust" issue here.
I'm currently building an app (android and ios) for which I now need users to be able to login. It must be possible to both sign up regularly (entering username, password, name, mail etc.) and to login through various not yet determined social media such as facebook, twitter, gmail, hotmail.
Now my questions are as follows:
1. Are there any frameworks supporting this kind of in-app + social media login scenario? (I know there is stuff like auth0, but it seems that you don't have that much control with this.) As I'm going to save statistics about user navigation and such, I think it would be preferable to store all my users in my own db, regardless of their way of logging in. Thus to me it seems like what I need is just an easy way of getting information from these social media sites and then registering users as if they had just signed up regularly. Am I right?
2. Anything obvious I'm missing ?
All of these social media sites have their own SDKs that allow you to log in users and get certain information from them. So using a website like Facebook's SDK, you request certain information about the user logging in, such as email and first/last name, then save this information in your database, including that it came from Facebook. You will also need to create/encrypt a password for someone coming from a site like this. This is very important: obviously they won't give you access to a user's password, but you don't want the user's account on your website to be vulnerable. I would limit the number of ways to log in, because you will have to program and work with each website's SDK in order to do this. Probably just use your own login and a Facebook login to start.
Here is a link to Facebook's website for developers, which gives you access to their SDKs for different platforms: https://developers.facebook.com/docs/apis-and-sdks
I'm trying to integrate an existing login system for a mobile application with some social media sign-in solutions. I successfully managed to integrate both Facebook and Google+ sign-in with my app, and I get to the point where the users are signed in and I can get their social information.
But now I was left wondering which would be the best approach in order to integrate users that decided to use a social media account with my native login system. Should I use their email accounts as login and maybe generate a password on the server side? Or maybe use an OAuth token instead of a password?
I need to keep track of my users, even the ones that did not formally fill out a registration form. So what should I place instead of email + password?
This can be tricky - the majority case is easy, but you need to think about the edges. I find it easier to consider email/password as just another authentication mechanism. You want:
A user record with the core data about that user (perhaps name, email address, app specific profile data etc.)
A series of records for their connected auth methods, e.g. Google+, Facebook, user/pass.
The connected auth methods can store the relevant information for those methods - e.g. for Google it would likely be Google user Id and perhaps refresh token if using offline access. This makes it easy for you to offer connecting multiple social accounts.
Password may be a special case that you want to store against the original user record. In that case, if someone signs-up using a social login, then you can either generate a random password, or leave it null. Either way, as long as you request the email address for the user, you can always let them go through a Forgot Password flow (where you generate and email them a password) if they want to access their account but no longer have their 3p login.
What you don't want to do, if avoidable, is to force the users to give you a new password just after they sign in. However, if you are allowing multiple login methods to be associated with one account, you might want to allow associating them. So, your flow might be:
User signs in (with 3p or email/pass)
If you have a record for that login method (e.g. matching Google or Facebook user id, matching email/pass combination), sign the user in, and you are done.
If you have no matching record for that sign in method:
See if you have a matching email address with an existing user account. If you do, some sites automatically merge the new login method to this account. If privacy/security is more of a concern you might want to confirm the user wants to login to that account, or make them go through a 1-time validation (e.g. "it looks like you've signed in with a password before, please enter your password now to link your account and your Google account" etc.). Then link the accounts and continue as if signed in.
See if you have an account which may be that person. E.g, perhaps you have an account with a matching name. In that case, you might want to hint the user to connect their accounts (e.g. a prompt somewhere that says "have you connected before with Facebook? Click here to link these accounts" which then takes the user through a sign in process for the login method you suspect they might have).
If they look totally new, create a new user record, and treat them as newly signed up.
It's significantly easier if you can treat email address as a unique field. That means if someone signs in with a 3p account associated with an email address you already have a user for, you might have to force them to link their account before continuing. If they didn't want to and you required an email address, you could prompt them to enter one manually and then validate it as normal by sending them an email and having them confirm it.
ChrLipp's links are good, also take a look at the guide for using FB and G+ together on the Google Developers site: https://developers.google.com/+/best-practices/facebook
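The sign-in flow above (one user record, a separate record per connected auth method, a one-time password check before linking a social login to an existing account by email, and a null password for social-only sign-ups) as an added example in Python. This is not code from the answer or from any provider SDK; the AccountStore, User and AuthMethod names, the in-memory dictionaries and the sample emails and provider ids are all assumptions made for the illustration. It also covers the storage layout described in the later answer (a provider enumeration plus provider id and email per method).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    id: int
    email: str                               # normalized, treated as unique
    name: str
    password_hash: Optional[bytes] = None    # None: user never set a password (social-only)
    password_salt: Optional[bytes] = None


@dataclass
class AuthMethod:
    provider: str        # "google", "facebook", "password" ... (the enumeration)
    provider_uid: str    # provider's stable user id; the email for "password"
    user_id: int         # which local User this method belongs to


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a real deployment would pick a memory-hard KDF if available.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class AccountStore:
    """Hypothetical in-memory stand-in for the users / auth_methods tables."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.methods: Dict[Tuple[str, str], AuthMethod] = {}
        self._next_id = 1

    @staticmethod
    def normalize(email: str) -> str:
        return email.strip().lower()

    def create_user(self, email: str, name: str, password: Optional[str] = None) -> User:
        user = User(self._next_id, self.normalize(email), name)
        self._next_id += 1
        if password is not None:                     # only local sign-ups get a password
            user.password_salt = os.urandom(16)
            user.password_hash = hash_password(password, user.password_salt)
        self.users[user.id] = user
        return user

    def find_by_email(self, email: str) -> Optional[User]:
        email = self.normalize(email)
        return next((u for u in self.users.values() if u.email == email), None)

    def link(self, provider: str, provider_uid: str, user_id: int) -> None:
        self.methods[(provider, provider_uid)] = AuthMethod(provider, provider_uid, user_id)

    def verify_password(self, user: User, password: str) -> bool:
        if user.password_hash is None or user.password_salt is None:
            return False                             # nothing to verify against
        candidate = hash_password(password, user.password_salt)
        return hmac.compare_digest(user.password_hash, candidate)


def social_sign_in(store: AccountStore, provider: str, provider_uid: str,
                   email: str, name: str, link_password: Optional[str] = None):
    """Returns (outcome, user). Outcomes: signed_in, created, linked, confirm_link_required."""
    method = store.methods.get((provider, provider_uid))
    if method is not None:                           # step 1: known method -> done
        return "signed_in", store.users[method.user_id]

    existing = store.find_by_email(email)
    if existing is None:                             # step 3: totally new -> new record, no password
        user = store.create_user(email, name)
        store.link(provider, provider_uid, user.id)
        return "created", user

    # Step 2: same email as an existing account. Do not merge silently; require the
    # one-time check ("please enter your password now to link"). A social-only account
    # (no password) would instead need an emailed confirmation, which is outside this example.
    if link_password is None or not store.verify_password(existing, link_password):
        return "confirm_link_required", existing
    store.link(provider, provider_uid, existing.id)
    return "linked", existing
```

Case differences in the email are normalized before matching, so `John@Example.com` and `john@example.com` resolve to the same record; the provider user id, not the email, is the lookup key for an already-linked method.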
How did you implement the social media sign-ins? For example Facebook: did you use Login for Android? In this case the docs say under Checking login status:
Apps using our SDKs can check whether someone has already logged in using built-in functions. All other apps must create their own way of storing when a person has logged in, and when that indicator is not there, proceed on the assumption that they are logged out.
And if you follow the link to Storing access tokens and login status you can read:
The token should be stored so it's available to all parts of the app when it makes API calls. ... If you're building a ... mobile app, then you should use the datastore available to your app. Also, the app should store the token in a database along with the user_id to identify it.
Have an enumeration (NativeLogin, Facebook, GooglePlus) and depending on this enumeration the following information:
NativeLogin
UserName, Password
Facebook and GooglePlus
Facebook or GooglePlus ID and their User Access Token
In all cases you should store the email address you get in an additional field.
Right now I am developing a simple app that requires a login to my app (not a Twitter login), and the user can look at our collection and share it to Twitter. In settings there is an option to log in to Twitter, and I use Twitter4j with this tutorial. My problem is:
if Person A logs in to my app, logs in to Twitter, shares content and then logs out of my app without logging out of Twitter,
how can I detect when Person B logs in to my app and wants to log in to Twitter (using the same device as Person A)?
Do I have to disconnect Person A's Twitter and then connect Person B?
If I disconnect Person A's Twitter and Person A later logs in to my app again, I don't want him/her to log in to Twitter again; I want it to happen automatically. How can I do that with Twitter4j?
Sorry if my question is hard to understand, my English is bad ><
It is very difficult to understand but I shall try my best!
Note, this is just an example, there are many ways, better and worse than what I am suggesting so learn, research and good luck!
Now, to do what you're asking for build your application along these steps:
Create a collection of your preference that accepts some ID and access token object and save the collection permanently via a method of your choice, for use every time the application starts.
When a Person logs into your app and then Twitter, save that Person's access token for Twitter with that Person as its ID into your collection.
Re-save your updated collection.
Next time a Person logs in, simply check to see if they exist within the collection:
If they do? Go ahead and auth them with the access token stored.
If they do not? Go ahead and fire up a new twitter auth process when they need twitter services.
This way no matter how many users use your app on that same device, each twitter access token will be saved and only accessible by the appropriate user.
Also, as far as I am aware, to "log out" of Twitter is as simple as deleting/throwing away the access token object relevant to the user wanting to log out.
Hope this helps.
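The per-user token collection the answer describes, as an added example in Python (not Twitter4j code and not from the original answer): one Twitter token per app user id, persisted to a JSON file so it survives app restarts, with "log out of Twitter" implemented as dropping that user's entry. The TwitterTokenStore name, the file location and the token values are constructed for the illustration.

```python
import json
import os
import tempfile
from typing import Dict, Optional


class TwitterTokenStore:
    """Hypothetical store: app user id -> Twitter access token pair, saved to disk."""

    def __init__(self, path: str) -> None:
        self.path = path
        self._tokens: Dict[str, dict] = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self._tokens = json.load(fh)

    def _save(self) -> None:
        # Write to a temp file and rename so a crash mid-write cannot corrupt the store.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self._tokens, fh)
        os.replace(tmp, self.path)

    def save_token(self, app_user_id: str, token: str, token_secret: str) -> None:
        # Called after a successful Twitter auth for the user currently logged into the app.
        self._tokens[app_user_id] = {"token": token, "secret": token_secret}
        self._save()

    def token_for(self, app_user_id: str) -> Optional[dict]:
        # Only the key for the current app user is consulted, so Person B never sees A's token.
        return self._tokens.get(app_user_id)

    def disconnect(self, app_user_id: str) -> bool:
        # "Logging out of Twitter" is just discarding the stored token; returns True if one existed.
        removed = self._tokens.pop(app_user_id, None) is not None
        self._save()
        return removed


def on_app_login(store: TwitterTokenStore, app_user_id: str) -> str:
    """Decide, when someone logs into the app, whether Twitter can be used silently."""
    return "reuse_stored_token" if store.token_for(app_user_id) else "start_twitter_auth"


def demo() -> dict:
    # Constructed scenario: A links Twitter, logs out of the app only, B logs in, A returns later.
    path = os.path.join(tempfile.mkdtemp(), "twitter_tokens.json")
    store = TwitterTokenStore(path)
    store.save_token("personA", "A-access-token", "A-access-secret")   # constructed values
    b_on_login = on_app_login(store, "personB")          # B has no entry -> new auth flow
    reopened = TwitterTokenStore(path)                    # simulate app restart
    a_on_login = on_app_login(reopened, "personA")        # A's token is still there
    a_disconnected = reopened.disconnect("personA")
    a_after_disconnect = on_app_login(reopened, "personA")
    return {
        "b_on_login": b_on_login,
        "a_on_login": a_on_login,
        "a_disconnected": a_disconnected,
        "a_after_disconnect": a_after_disconnect,
    }
```

On a real device the JSON file should live in the app's private storage and the token values should be encrypted at rest, since anyone who can read the file can act as that user on Twitter; the plain file here only keeps the example self-contained.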