I'm using the Android AccountManager to authenticate a users google account for access to Google Drive. However, I want to allow the user to access Drive accounts that are not on their phone. For example, I have a work google account that is not on my phone, but I would like to use in my app. Is there a way to allow users to authenticate accounts that are not necessarily stored in the AccountManager?
Thanks
Perhaps you could add another Google account to phone and allow user to select which account to use. If this option doesn't satisfy you and you really want to authenticate to Google Drive accounts not on phone you must then use OAuth.
If you also really, but really, want to use AccountManager facility in your app you have to make an account type that behaves like the following:
When you create a new account you open a browser widget and perform an OAuth cycle with Google Drive, then store the token in secure store
When you request a token via getAuthToken() it either releases you the stored token or triggers a token refresh cycle using OAuth
This has its security drawbacks: better perform OAuth cycle without AccountManager and store tokens in app memory
Related
I am new to Android but old to Java. I have some questions before getting into my own account manager implementation. Here are the stuffs,
How google account manager works ?
I have come across couple of forums and blogs and mostly they explained how account manger is working and how to add our own. Here i have couple of questions,
How google account manager stores user's password in android ?
If they are not storing the user password in the device itself then how
they are seamlessly producing the auth tokens for the requested apps
who are using google account manager (Like maps / hangouts / ...)
References
How does Android's account manager use the stored password to retrieve an auth token?
https://developers.google.com/tasks/oauth-and-tasks-on-android
http://blog.udinic.com/2013/04/24/write-your-own-android-authenticator/
They (most probably) don't store the password but the Oauth token received from Google servers after authenticating, together with the refresh token.
All Google apps can use the same account manager to get the authentication token and talk to their backends, once this token expires, the account manager uses the refresh token to get a new token and store it in the account manager.
Storing the password is very dangerous, not just for the app, but it leaves the user's account completely vulnerable to be stolen both in the client app in the servers.
I want to implement the UX where it is possible to quickly switch between previously signed in Firebase Auth users e.g. from a navigation drawer like Google apps do:
The problem is that Firebase docs and samples only implement the "sign in - sign out" flow, where switching users would require signing out first and then reentering a password / repeating auth flow with Facebook etc., instead of just switching with a single tap. Google advocates for Smart Lock, but it's only good for email and Google auth providers, and is generally not the UX I'm seeking.
What is the proper way to store those users and their credentials? The solution must support users authenticated via any of the supported providers, such as email/password, Google, Facebook, etc.
Since authenticating with either method results in obtaining an AuthCredential object, perhaps the question boils down to how to securely store those objects on the device, and whether they can be reused later.
Please do not store credentials on the device. Best way to do so currently is to initialize multiple Firebase App instances and keep an array of these apps. You would sign in the user on each app.
Refer to initializeApp API.
You can then access an App's Auth instance via: FirebaseAuth.getInstance(firebaseAppInstance).
I am working on an android app and want to authenticate the user via Google sign in.
Is there a way where i don't have to use any server, rather just add list of Gmail accounts somewhere on Google's developers account and only those users will be able to use my app, whose accounts are in my list.
is this how fire base works?
You'll always need a server to authenticate the users with. If you want to restrict your app to certain users, maybe try closed alpha/beta testing?
I have a Dropbox account which was created by logging in via the Google account. So, my Dropbox account is linked to the Google account.
I have an android application and my users can create their accounts either via Google/Facebook.
The question is,if it is possible for the user to login to our app once via his Google Account, and then using these same underlying google's credentials the user automatically gets logged in to Dropbox Account [Maybe a simple 'OK' button authentication is needed], so that they need not enter their login credentials twice?
I am planning to implement this using oAuth. Any guidance on whether is possible or not will be helpful. I am not expecting code but some guidance.
In general what you are asking is not possible.
The credentials/assertions that Google issues are for a specific app and only that app should accept those credentials.
So when a user signs into your app, you get a credentials from Google that says this is for your app. Also Dropbox accepts credentials from Google that was issued for Dropbox. Your app can not convert one into another (if it could this would be a big security issue e.g. one app could sign into a user's all other apps/account that accept Google credentials for expalple bank account).
What you want to do is integrate with the OAuth Apis that are from Dropbox and when the user is going through them try to prefill information to make the flow easier. If you send "user email" to Google OAuth flow (to get user signed into dropbox) for the same user (who is signed in) they could go through the flow easily. https://developers.google.com/identity/protocols/OpenIDConnect#sendauthrequest
I want to develop an Android Application that allows users to sign in with their Google Accounts (i think it's always an email address) instead of forcing the user to create a new one. I have 3 questions regarding this:
When the user starts the application for the first time i'll have to use the AccountManager, right? If the user has only one com.google account i'll use that one, if not, i'll ask him which one he wants to use. My question is, can i be sure that every com.google account in the AccountManager has been properly authenticated and the application can be sure that the user is who he says he is so that i don't have to ask him to choose the account every time the application launches?
The application will have a server that will store on a database what restricted content the user has unlocked, that's why it needs the Google Account, to match the foreign key of the user with the foreign key of the content to know what that user has unlocked. How do you suggest i save the Google Account in the database as the user table's primary key? I could store the email of the Google Account, but isn't there any privacy problems with that? What else can i use? I suppose there is no Facebook ID-like integer value for Google Accounts.
Do i need to use OpenID or oAuth 2.0 for any of these operations i've mentioned? I'm asking this because when the application doesn't have internet connection i want the user to still be able to access the restricted content he unlocked and previously downloaded into the phone. If i use OpenID that requires internet connection right? So the user shouldn't be able to enter the application and that's not what i want.
Thanks
Using the account manager to check which accounts are available on the phone and ask the user which account he want to use sounds like a good idea. I think it's a good idea to use OAuth 2.0 and grab the OAuth 2.0 access token for userinfo in your client application (https://www.googleapis.com/auth/userinfo.profile is probably the scope you want to use) and send this to your server when the client communicates with the server. Then using the userinfo Google API your server can use the access token to make sure the user is who he claims to be. With this api you can get hold of the user id which you can use instead of the user's email.
Getting the auth token will require internet access, but since it's only needed when you communicate with your own server you can grab the token at that time.
I'm not 100% sure if the accounts given by the AccountManager can be trusted, but it will provide you with the google accounts available on the phone and I don't know of any way of adding an account to the phone without having access to the account. If this was possible it would be a really big security issue as well so I think you can trust that the accounts given by the AccountManager are authentic.
When you get the OAuth 2.0 token on the client I suggest you use the Google Play's GoogleAuthUtil instead of the account manager if it's possible. For more details on this see: In a nutshell what's the difference from using OAuth2 request getAuthToken and getToken