Users of my Rails app can authenticate in one of these 2 manners:
Using their Facebook account
Using our own authentication
I'm using Facebook SDK on Android and devise and omniauth on Rails.
How do I authenticate against my Rails app on Android so I can then fetch the information I need from the server?
NB: I've noticed this question is getting a fair amount of views recently. Please don't follow the advice given in this thread too closely -- the web moves fast and it dates from 3 years ago!
This can be done using the fb_graph gem (not fbgraph!).
You can just add it to your gemfile and do
user = FbGraph::User.me(token).fetch
where token is the oauth token you got by using, for example, the Facebook SDK on Android.
user.email will be the user's email address (if you set up the necessary permissions).
You can use this URL for testing:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=https://www.facebook.com/connect/login_success.html&response_type=token
That totally depends on how your authentication system works. You will need to create an API on your server to handle communication from the Android app and pass information between both using the API.
Niraj Shah is completely right, though the answer might not be detailed enough for you. For an in-depth answer to your question, have a look at Securing an API railscast by Ryan Bates that has been released only recently. It covers HTTP Basic Auth.
You might also want to have a look at the more advanced option to secure your API / provide registered users access to their data. There's a railscast about this one as well here: http://railscasts.com/episodes/353-oauth-with-doorkeeper - though it's a pro episode, so you need to sign up for it in order to watch it.
Francisco, I have the exact same need.
The devise scenario using token_authenticatable seems straightforward and shouldn't be a problem but I'm not sure the best way to handle the Facebook scenario. On the web side, for FB auth I'm using omniauth-facebook as documented here: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview. I think this uses OAuth with FB as a provider so it's a good possibility that the latest RailsCast about doorkeeper securing an API with OAuth should do the trick. I haven't tried it yet but will do so soon unless you beat me to it. Here is the link: http://railscasts.com/episodes/353-oauth-with-doorkeeper.
Related
This is a question of architecture. What I tried yet: Research, research, research.
I want to deploy various microservices with AWS Lambda. These should be accessible for authenticated users via Web and Android App.
Question 1: How to securely store AWS Gateway API keys (secrets) in an Android Kotlin / Webview app? Is Android Keystore the right (secure) answer?
Question 2: What's the best, secure way to make user login happen? Should the login be located at Lambda or inside the app? Again, how to securely store login data on Android? Could a cookie-based Web-Authentication be the answer (aka "Keep me logged in")?
The goal / my issue is that I want the Android App user to enter his / her login data only once in the App and never be asked again for login at my Lambda Microservices. I'm aware that API Credentials and Login are two different problems here.
Example projects maybe?
This is not for critical data like banking, but still I want to follow best practices as much as I can in terms of sec.
I am not sure whether you have researched on Amazon Cognito or not but it can be used to provide authentication for both user interfaces and for APIs. It can easily be integrated with Lambda/API gateway.
As an alternative to using IAM roles and policies or Lambda
authorizers (formerly known as custom authorizers), you can use an
Amazon Cognito user pool to control who can access your API in Amazon
API Gateway.
Further reading :
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
If it helps I have some cloud demo sample UIs that connect to lambdas and use Cognito. You can run them starting here: https://authguidance.com/home/code-samples-quickstart/
The blog has some write ups on how it all fits together - see the index page for further details - there is a post on UI token storage for example.
Long lasting sessions can be managed via refresh tokens - but your apps should still deal with token and session expiry - and scenarios such as logging on as a different user for testing.
I want to add user authorize system in my Android application. At first glance it looks very easy, however; when I start to research, I encountered too many problems. Because every person can download my apk file and can see my auth system code and can send HTTP POST requests from anywhere.
Firstly I founded that link below
http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
It was looked me very complex and I thought that there can be more simple ways that can be fee.
I tried to use Amazon Cognito and completed all login protocols using facebook and google+. Finally I encountered a big frustrating problem. If user would use different login system in different devices, Cognito can not understand that are the same user. I asked this problem in Cognito forums and their offical answer is below.
We use tokens issued by providers to determine identity. If you login
using Facebook on one device and you use Google on another device,
there is no way for us to determine that these tokens belong to the
same user
then I decided to use Google Cloud mobile Solutions but I learned that It is banned in China mainland which My app will also be Chinese.
parse.com is very slightly but It does not have Google plus login.
I haven't only tried Microsoft Azure because Its documentations are very confusing. But If I can be sure that It compeletely works, I would learn everything about Azure.
I am enhuaist to search the best suitable way save my users data on remote server. What is your suggestions ? Which way should I follow ?
Thank you.
Why is Cognito not working for you? There is no identity provider who will ever be able to tell a Facebook user and a Google+ user are the same person. They are completely separate platforms. With Cognito, if a user logs in to both Google+ and Facebook on the same device, then it will know they are the same person. Amazon SNS (Mobile push) can also push to Chinese devices.
There is a lot of information but I can't find an up-to-date answer for my question.
I've got
1) Android app where user has got auth token (say from GoogleAuthUtil)
2) Google AppEngine app which provides custom REST API
Question
Is there any way to use token (got on Android side) to authenticate against AppEngine application? On the AppEngine side I just need to verify e-mail of the user
P.S. I don't want to use Endpoints since they don't support custom domains
For those who will be interested - here is the result of my research on what is the best way to authenticate against AppEngine app
I ended up with solution described in this brilliant article by #Tim Bray.
The solution has following advantages:
1) It works for local testing
2) There is no limitations on domain (Endpoints don't support custom domains)
3) If you have custom REST API you just need to add token verification (other code stays as it is)
4) It utilizes Google OAuth mechanism implementation, so I consider it as one of recommended methods
5) It's really easy to implement
I'm currently designing a service that will be half web app, half android app. Each user will need to be able to log in from either the android app or the web app, using an openID account. I'm hoping to target Google first for easiest integration with Android, but I'll also need some OAuth stuff later so that I can integrate with Google contacts.
The bit I'm having trouble with is how to authenticate users. The structure I've planned is that the server (probably using web.py, although that's flexible right now) serves data for the client in JSON, whether the client is the javascript browser client or the android client. However, each call needs to make sure the client is allowed access to that data.
What would be the easiest way to standardise this across the platforms?
Should I be using a session system to authenticate after logging in? Can that be made to work from an Android app? Otherwise, should I simply authenticate with google for every request?
When authenticating from the app, where should the authentication happen, through the server or straight from the app? Where should the auth token be stored in this case? (I'm assuming for a straight webapp the token should just be stored in a table in the user database?)
Sorry for the barrage of questions, but I haven't really found any resources online that clarify these issues very well.
As long as you are using HTTP, the platform doesn't matter. You can use the same form of authentication and/or sessions. The only difference would be that on Andorid you might be able to get an authentication token using the platform's AccountManager, without having to type the username and password in Google's login page.
There's a subtle difference between Authorization (OAuth) and Authentication (OpenId). Make sure you know what you are doing.
I was wondering if anyone knows of a way I can Authenticate a Google Apps User in a Android Application?
One approach I know of is to take could take their username and password in a android view, and use the clientLogin interface (http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html).
However I was wondering if there was a different approach, maybe pushing to a browser window where it would show the google login for that domain, but I would not know how to get the details back to the application, after the authentication is done.
Any ideas on how it would be done?
I wrote up how to get a google auth token from android (works fine in any java really) so you can call app engine hosted web services as an authenticated google user:
http://javagwt.blogspot.com/2009/12/authenticating-android-app-to-google.html
hope this helps
You could also try using OAuth. It's supported by Google Apps, and has a Java client library.