Using google client API in android without account manager - android

I'm currently trying to write a task manager in Android which syncs with Google Tasks. The app uses the Google client API along with AccountManager to communicate with Google servers. It works under Android. However, I want to run it under the Android player on the BlackBerry PlayBook. Although the .apk file converts to a BlackBerry application, it seems that AccountManager does not work under the PlayBook Android player as it is not tied to a Google account. I'm finding it difficult to communicate with the Google servers without the account manager. I've tried adding an account manually to the AccountManager but it also throws a security exception. I'm curious if there is any other way to log into Google services given a username and password (along with the API key for access)? Thanks

The AccountManager and the Google Play Services that both allow you to go through an OAuth 2.0 authorization flow with a native experience on Android (for Google APIs only) are only available on Google Experience devices. The Android Emulator of the Blackberry Playbook is likely not a Google Experience environment.
So in that case the best way is to implement an OAuth 2.0 flow by using a WebView. This is also the technique you need to use for non-Google APIs (Facebook, Microsoft, Salesforce, Dailymotion, ...)
Basically you will have to send your new users to a special URL in a WebView where Google (or the other OAuth 2 provider) will ask them to grant you access to the APIs requested. Then you will need to extract the auth code from the URL or from the content of the page once it has been generated and returned by Google auth servers. The last step is to exchange that auth code for a refresh and an access token.
You need to read and understand how OAuth 2.0 authorization flow works for Installed application: https://developers.google.com/accounts/docs/OAuth2#installed
The step-by-step process to do OAuth 2.0 with a WebView on Android is as follows:
1. Redirect users to the grant screen URL in an embedded WebView
2. Use http://localhost as the redirect URI
3. Register a WebViewClient with an onPageStarted method to intercept page changes
4. Detect successful/failed authorization by detecting redirects to http://localhost and read the auth code from the URL of the WebView
5. Finish the OAuth 2 flow by exchanging the auth code for tokens and save these tokens in a local database for further use
You can find an open-source sample that does this on Onavo's GitHub.

Related

VSTS Callback uri for Android app

I am trying to make an android app to get my VSO items.
I am following the documentation here for the OAuth flow https://www.visualstudio.com/en-us/docs/integrate/get-started/auth/oauth
The authorisation and authentication calls require a redirect_uri to be passed in the POST requests. What would be that value for an Android app?
The URL must be secured as per VSTS guidelines.
Based on Authorize access to REST APIs with OAuth 2.0 article:
Q: Can I use OAuth with my phone app? A: No. Right now, Visual Studio
Team Services only support the web server flow, so there's no
supported way to implement OAuth for Visual Studio Team Services from
an app like a phone app, since there's no way to securely store the
app secret.
The workaround is that you can build a web app, then send the request to that web app from your Android app to retrieve necessary data.
Update:
If you can use Personal Access Token or Alternate authentication credentials, you can use it on your android app directly. (Can't access account and profile information)

Web Api using Google authentication on Android / IOS

I followed the following guide on how to set up Web API with Google authentication.
Basically the Azure page has to redirect to Google and the Google login has to redirect back to an Azure page that gives an access token that I can put in a header to get data specific to that Google Account.
It works on Android when I use a WebView but apparently this is frowned upon for security issues and on iOS, Google blocks me from entering a password.
So my question is how do I do the same thing but without using a WebView? I tried implementing Google+ Sign In but I was only able to retrieve an authentication token and I don't know if this is useful at all.

Android WebView wrapper authentication methods

I'm wrapping a Rails mobile website with an Android WebView wrapper, but it's also supposed to be available through the browser as well. The website is using Google/FB OAuth authentication, but that's not essential.
When the wrapper is used, I wanted the user to be already signed in with its primary email.
Are there any secure methods to achieve this? Something which will not allow using this method in the browser?
I was thinking about sending some kind of checksums / secure tokens but this could be easily reverse engineered.
Would the authentication with device id and android id be enough? I mean, these are available publicly for other apps so I guess possibly not. Maybe there is something that is unique to the app instance and private?
There is nothing automatically secret in an instance of an Android app that your server could verify. Using Google/Facebook OAuth login is a reasonable choice.
You can use the Facebook SDK for Android to allow the user to log in using their Facebook account, and as a.ch. mentions in the comment you can do the same with the Play Services SDK to log in via their Google account.
In both of these cases, this works because there is a local broker app (Facebook, or Google Play Services) that is trusted by the identity server (facebook.com, or google.com). The broker app has the user's credentials, can verify the identity of the app that is requesting access, and can display a view where the user can approve/reject the request. Once the identity server knows that the user has logged in on the device, knows the identity of your app, and knows that the user approved the login request, it can safely send back a token to your app via the broker. That token allows whatever permissions your app requested and the user approved.
Your WebView can then include that token in an initial request to your rails server, which checks the token with Facebook/Google. From this point, the code should look similar to the existing desktop web, at least with respect to user authentication.
You can download the Facebook SDK for Android from https://developers.facebook.com/android/, and you can get the Google Play services SDK in the Android SDK manager ('android sdk') under Extras. Both have tutorials to help you get started.

Google account access (mail calendar) with Android SDK

I'm completely new to Android development and would like to find out if the following is at all possible, and the best way to approach it:
User logs into Google account - NOT stored on the phone (OAuth??)
App displays their GMail emails - does not need to send, only receive/read
App can access their calendar and display events - again read only
That's all for the Google side of things! I've only ever used Facebook auth - so am unsure as to how Google works. I can't seem to find any definitive answers on the web.
Yes, this is all possible.
Use Google Play services to get an OAuth 2 access token for the Google APIs. For GMail IMAP and read-only Calendar API access you will need to state these scopes:
https://mail.google.com/
https://www.googleapis.com/auth/calendar.readonly
Use some IMAP library for Android using your OAuth 2 access token (e.g. JavaMail, check out this Android JavaMail tutorial and Google's sample for using OAuth2 with JavaMail).
See the Calendar API documentation for how to access the user's calendar.
You can register a web application that uses OAuth to log onto google.
https://developers.google.com/accounts/docs/OAuth
then you can use GMail API's to use the OAuth token to access user's email
https://developers.google.com/google-apps/gmail/oauth_overview
then for calendar you have the Google Calendar API's also accessed using OAuth.
https://developers.google.com/google-apps/calendar/
You can create a web app and use your android app to access your web server database via API's you create. Using this data you provide a nice GUI for your android users and provide user interactions.
Another method would be to use only the android client without a web app as mentioned by Jan Gerlinger.
You can also check out the source code for k-9 mail app for ideas here:
https://github.com/k9mail/k-9
It's a full-featured, open source android email client that supports many protocols including IMAP, SMTP and Microsoft Exchange accounts too. You can dig through the source code to find out how they do it.

google drive/docs api in kindle fire

In my app my cloud services are provided by Google Drive (formerly Google Docs).
To interact with Google Docs I use this library:
http://code.google.com/p/google-api-java-client/
It works great but requires that the device has the Google Apis on it and a google account set up
Is there any other way to authenticate on google docs without using this library?
Or do I have to migrate my cloud provider to Dropbox?
Thank you
Your best bet is to use OAuth 2.0 using the Client-side flow which is designed (partly) for mobile devices.
Basically what you'll have to do is use a Web View and redirect your users to the OAuth 2.0 grant page and then after they have granted you access to their data you simply:
1. Catch the auth code inside the web view
2. Close the web view
3. Exchange the auth code for a refresh and an access token
4. Keep the refresh token in your local database because it gives you unlimited access to the API => no need to trigger Auth flows any more.
That's it! With the newly acquired OAuth 2.0 Access Token and Refresh Token you've got all you need to access the user's Drive data on their behalf and use the API. You've circumvented the Android Account Manager.
There might even be some OAuth 2.0 / Web View client libraries available somewhere for Android, that would help a lot.
PS: this technique is widely used, for instance on iOS if you use the Facebook library, it will first check if there is the Facebook app installed. If the Facebook app is not installed it will use OAuth 2 and the Web View technique automatically. Google's Objective-C client library also uses that technique (as I've heard, never used it).
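The "catch the auth code inside the web view" step above, which is also the first answer's step of detecting the redirect to http://localhost and reading the auth code from the URL, as an added example that is not part of any of the posts. It is plain Java with no Android classes; the class name, the sample URLs and the `state` check (the standard OAuth 2.0 request parameter, which the answers do not mention) are assumptions of the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;

// Added example (hypothetical class): the check a WebViewClient would run in onPageStarted.
public class OAuthRedirect {
    /** Returns null if url is not the redirect; otherwise {code, null} or {null, error}. */
    static String[] parse(String url, String expectedState) {
        URI uri;
        try { uri = URI.create(url); } catch (IllegalArgumentException e) { return null; }
        // Match scheme, host and port exactly. A startsWith("http://localhost") test
        // would also match other hosts whose name merely begins with "localhost".
        if (!"http".equalsIgnoreCase(uri.getScheme()) || !"localhost".equalsIgnoreCase(uri.getHost())
                || uri.getPort() != -1) return null;
        Map<String, String> q = new HashMap<>();
        String raw = uri.getRawQuery();
        try {
            for (String pair : (raw == null ? "" : raw).split("&")) {
                int i = pair.indexOf('=');
                if (i > 0) q.put(URLDecoder.decode(pair.substring(0, i), "UTF-8"),
                                 URLDecoder.decode(pair.substring(i + 1), "UTF-8"));
            }
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return new String[] {null, "malformed_redirect"};
        }
        // Denied consent comes back as ?error=access_denied on the same redirect URI.
        if (q.containsKey("error")) return new String[] {null, q.get("error")};
        // Assumption: a random state was sent with the grant request and must come back unchanged.
        if (!expectedState.equals(q.get("state"))) return new String[] {null, "state_mismatch"};
        String code = q.get("code");
        return (code == null || code.isEmpty())
                ? new String[] {null, "missing_code"} : new String[] {code, null};
    }

    public static void main(String[] args) {
        String[] urls = {  // constructed sample URLs
            "https://provider.example/authorize?client_id=placeholder",
            "http://localhost/?state=constructed-state&code=4%2FconstructedCode",
            "http://localhost/?error=access_denied&state=constructed-state",
            "http://localhost/?state=other&code=4%2FconstructedCode",
        };
        for (String u : urls) {
            String[] r = parse(u, "constructed-state");
            System.out.println(r == null ? "not the redirect" : "code=" + r[0] + " error=" + r[1]);
        }
    }
}
```

A non-null result is the point at which the app stops the page load and closes the WebView; a returned code is then exchanged for the refresh and access tokens as the answers describe.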
