I have an authentication server whose web interface directs users to Google's auth page, which then sends them back to the authentication server to validate the OpenID key-value pairs. On success, the auth server checks its database to see if there are any existing users with the Google identifier retrieved from validating the OpenID key-value pairs (such as https://www.google.com/accounts/o8/id?id=moo). It is this identifier that allows me to match the Google account to a user record in my database.
Next, I'd like to build an Android app which connects to my server via TCP (not HTTP/HTTPS this time) and uses a Google account linked to the device (asking the user to choose, if more than one) to convince the server that the Google account they have authenticated to has the OpenID identifier https://www.google.com/accounts/o8/id?id=moo (or whatever it is).
How could this be achieved?
Thanks in advance!
Related
My project includes web and android client. I want to combine Google cross platform sign-in and loopback third-party login.
In my scenario, I will never ask username and password. User only uses Google sign-in button for authentication and authorization on both web and android app.
Lets assume, it's the first time you logged in with Google sign-in through my web site. In loopback third-party scenario, if you are not existing on db, it creates an account corresponded provider and external id. (In this case provider is google and external id is your unique google id). This is for web, loopback-example-passport
So, assume that above scenario for android. You click only Google Sign-in button and then loopback server will able to do above things (as web)
Is there a built-in way in loopback for this? If not, how can I integrate this scenario in loopback properly?
Well it's a little bit old question, but I've encountered the same issue on android, but with facebook third party login.
I didn't find any trivial solution, so after a lot of struggle tried different approach: (change facebook to google for your case)
UI user presses 'login with facebook' button (provided by facebook sdk for android)
UI User signs in with facebook credentials
Client side gets user's access token from facebook
Client side encrypts the access token and passes it to the server.
Server decrypts the access token, and talks with facebook graph API using access token - for validating the token, and if needed, for getting additional info related to requesting user.
Assuming it's valid, server check's if the user already has local account (can be checked with email or id):
6.1 If user doesn't have an account, we create a new one with the Facebook User ID or email (loopback requires password so a random one can be provided), this will assign our own unique UserID and issue our auth ticket (user.createAccessToken(ttl, callback)).
6.2 else, continue just with assigning auth ticket to user for this session
I need to create application (iPhone/android) that:
shows login screen with username/password fields
could create account with info provided by user (email confirmation)
connects to server with provided credentials to retrieve token
uses web api with provided token to store/retrieve data (but only his data, not other users data)
I am familiarized with client side programming. But I need a server that allows creation of account, login using https+basic auth (or some other mechanism), store client data and allow access to his data via web api (GET/POST/PUSH + token).
I could use FireBase but looks like it can't login user to obtain token, it needs another server to do so.
Ideas?
Found out that Parse allows to create API that could have:
users
data
security rules (data can be read/write only by it's user)
user login via WEB API + token
Hope it is usefull for someone.
I'm developing an Android app and I want users to sign-in to my app using Google+ Sign-In.
At the moment, I pass the user's name which I get from Google+ within a PHP login script. The script loads a new session with the user's ID.
Currently, the site is highly insecure: anyone who knows another user's username can potentially login as them.
What is a secure way to do this?
How do I authorize a user against my server?
It looks like to me, Google+ was purely a social networking API...
Google+ Sign-In uses OAuth 2.0 - which means the user does not authenticate directly with your server. Instead they authenticate with Google and obtain a token signed by Google. Your app gets that token (from Google Play services on Android) and can pass it to your servers as proof that the user authenticated with Google. You then associate the users Google+ ID with a new or existing user ID on your own servers. So whenever a user can prove that they authenticated with Google for a specific Google+ user ID, you treat them as authenticated on your own server.
To implement, you have a few options depending on how you architect your system:
When you simply want to authenticate your user to your own servers: On an Android device your user is very often already authenticated with Google because they have a Google account in the account manager. Your app can take advantage of this and obtain a token for a user in the account manager without them having to type any passwords. After the user clicks 'Sign in with Google' in your app, you can fetch an ID token for them using GoogleAuthUtils.getToken() and pass it to your server. Your server, after verifying the Google signature, can then safely associate the users session with the appropriate user account and permissions (ie. treat the session as authenticated). The process of getting the token and verifying it is discussed by Tim Bray here and by Ian Barber here.
If you want to authenticate the user to your own servers and make Google+ API calls from your servers: Then you should take a look at the server side flow documentation on developers.google.com. This takes the same approach as option one, but in addition, when the users signs in for the very first time the Android app requests an authorization code instead of an ID token. This can be exchanged by the server for an access token and refresh token - which, in turn, can be used by your server to make API calls on behalf of the user, for example, by using the PHP client library.
If you want to authenticate the user to your own servers, but also make Google API calls from the Android device: Then you should use the PlusClient provided by Google Play services to make Google API calls in addition to the steps you take to authenticate the user with your own server.
You probably want to make Google API calls in your client or on your server so that you can pre-populate your registration form with data from the users Google+ profile, for example.
Google Plus uses OAuth 2.0
https://developers.google.com/+/api/oauth
It has auth token. You can use auth token to access Google Plus from Android or server.
On server you can verify token by accessing Google with that token.
I want users to be able to enter data from a web server and/or native PC app and transfer it to their chosen Android device in much the same way that Google Play's install on device works.
I'd like to use the user's Google account authentication to establish a link between the application server and the user's Android device that registered with GCM.
I couldn't find any mention of how to handle this kind of authentication in the Google Cloud messaging API documentation, but did find this unanswered question in the GCM forums.
I'd like to authenticate users from a web application via the his or her Google account. Similarly, the Android application would somehow obtain a handle on the same Google Account, which would be sent to the web application server once at same time as initial GCM registration.
Then when the user uses the web application, the server provides a list of devices the user has already registered to the server, so that the user can be prompted about which Android device he or she would like to send data to.
How can I accomplish this on the web server as well as on the device?
What information can I use after authenticating with the Google account to establish a link between the two logins?
You should use the user_id that is returned from the Google account server after registration to uniquely identify each user. Email addresses shouldn't be used for a number of reasons:
Accessing email addresses may require additional permissions from the user and dissuade users from using your service/app because of trust issues.
Adds liability for securing database of users' email addresses
Users may change their email addresses in Google accounts but cannot change their user IDs.
Users can associate one email address with more than one user ID, so it is not necessarily unique.
The following sequence diagram shows the initial registration from client Android app:
The next diagram shows what happens when a client wants to access his device from a browser:
Note that although not shown, the client Android app can now communicate back to the client browser if needed via the application server.
The user_id you get from the device when you register with GCM should be the same as the user_id you get with your OAuth token for your app. Just store the OAuth token and Registration ID in your user repository, associating both with the user_id.
I'm building an Android app as part of a client/server architecture, where my server will provide a service to the Android client. The server will not communicate with any Google server, but will need to authenticate the user via their gmail account. That is, the server needs to be sure that the http(s) requests coming from the phone are indeed from the person with that specific gmail account.
I was looking into Android's C2DM framework, which I can certainly use for passing service-related data back and forth, but how can I use Google account authentication between an Android phone and a third-party (non-Google) server?
Will Oath2.0 work for this, or is Oath2.0 only used for direct authentication between the phone and Google's services?
You didn't mention which language code you're going to use in your server.
The easier way to use C2DM is inside Google App Engine which comes with native support for Android integrations with C2DM.
If that's not the case ( EX: youre using php in your own server ) I would take a look to AccountManager which can provides you the auth token ( the app-user must allow it ).
When registering a new device to your C2DM server you'll need the device to communicate also the token so you'll be able to know if the user is really owner of that gmail account through a connection between your server and Google Servers.
:)
I think you must have got the answer to your query by now. But I still would to answer this question to assist other users who are interested in achieving something like this.
So to use google account access token to authenticate and authorize your app user against your own services you have to follow following steps.
Create a project in Google Cloud Console with two components (Create components by clicking on "APIs $ Auth >Credetials" option on left pane ). First component will be your web component (e.g. web-services) and second component is your android application.
Try to get access token by querying account manager in android app by executing GoogleAuthUtil.getToken() method by passing the current context, email id(queried using account manager) and scope as ("audience:server:client_id:").
Where is the "Client ID" parameter of the web component available under the project created on Google Cloud Console.
The method will return you the ID token encoded as JSON web token or JWT.
This ID token everything that a app would require to authenticate user on server.
The ID token consists of following parameters
iss: always accounts.google.com
aud: the client ID of the web component of the project
azp: the client ID of the Android app component of project
email: the email which identifies the user requesting the token, along with some other fields.
Pass this token to your web component (e.g. web services) over https(mandatory) where the web component and Android component client id's are already stored.
After decoding the received JWT ID token on server, check if "aud" parameter of the token and stored web component client id are equal and hence authenticate the user.
User identity can be fetched by reading the email parameter of JWT ID token which specifies the email id provided to access the Id token in android application while executing GoogleAuthUtil.getToken() method.
Note : The ID token on android can only be fetched by executing GoogleAuthUtil.getToken() if it is the same application singed by same certificate specified while creating android component under the project on Google Cloud Console.
More information can be found on "https://developers.google.com/accounts/docs/CrossClientAuth"