I'm trying to authenticate a HTTP request using a token sent by an Android application, but I have no idea how to do this.
To get this token I must to send an user a password, to my ruby application that returns the token, but I want to know how to verify all requests from my android application using this token.
I know the "before_filter" on ruby, but I think that it could have problems with my first authentication, because I have to login with the user and password just once, but every time with the token.
If you can indicate any links or some pieces of code ...
Thanks in advance.
After successful log-in you should save Token in Constants and should send this token with each HTTP request.Server will verify user with access token and return result.
Related
I am trying to provide a login and registration system using own login system that is JWT(JSON Web Token) authentication and also want provide social media Login(Facebook) and registration. But my problem is how am I going to make these two complete different authentication as single consistent authentication system.
Can anybody help with this.?
You can take exam of stackoverflow sign up and sign in with facebook and later it can change to its own login system.
If you are using client side authentication from fb.
Get the access token and send it to server.
Authenticate the access token and get the refresh token(long time token).
If you are able to get the refresh token from server, that means that the user is valid. Now you can generate the JWT token for the user.
In case you need other information of the user before creating a JWT, then in that case you need to create an intermediate JWT token, that can be used just to get the required information. After this info is provided, you can then generate a full fledged token for the user.
A lot of questions here are talking about validation process of Facebook access token on the server side. I am bit confused how is still secure?
My client and server flows are:
User Continue with Facebook using Mobile SDK on the client side.
Facebook returns User access token to the client side.
Server endpoints receive user access token (via POST method) and validate the access_token using Graph API.
In case of authenticated user return the JWT authorization token in response
In the meantime (within an hour), If hackers find out the endpoint and pass the new access_token to the hacked endpoint.
What will happen if 5th point gets executed? It's difficult to hack the POST parameters but it might be possible after decompiling the app and see the classes file (At least for android apk). In this case, Server will not recognize the forged request and will always return the JWT Authorization token to make further calls.
The validity of Facebook access_token is 60 days. Do I need to provide an extra layer of security at the time of validation endpoint to make sure that the request is only coming from the application?
Is facebook user access_token always changing whenever a user is requesting to sign in?
Any kind of help would be appreciable. Thanks
Solution:
Generated access_token will always belongs to an App. To verify it pass the access_token and app_tokenin:
https://graph.facebook.com/debug_token?
access_token=ACCESS_TOKEN
&app_token=APP_TOKEN
I am working on an App which allows login through Facebook and then after it makes REST API calls to fetch data.
What i want to do:
Most of the APIs are supposed to be secured hence I want to protect the APIs using a session token. That mean with every request i will send USER's ID and a Session token which will be saved on DB. My API will first authorize the request and then will send data.
I want this token to be generated from Server side when user logs in using facebook or google. As if i do it from client side then any one can make that call from REST client like postman or something else.
I can do this when login is done on Webpages but not able to figure out the same when done on native android app.
Let me know if you need any information.
I am posting this because i am not finding any info.
I think there's a simple way.
ANDROID APP
Login using Facebook and get AccessToken
Send this token to your server
SERVER
Use AccessToken to get user's data.
Return YOUR user's id and token as response
Hope it helps
You can use Facebook Graph Api to get access tokens and then you use them to Get/Post data on facebook.
I am trying to authenticate my app with the server using token.
when I login to my system, server sends the token and I store it in current Session/ Application instance.
Later I need to pass that token on each request along with the other data.
Could anyone please provide me a way of sending the token to server? Do I need to do anything for security for eg. encryption etc. ?
Pass your token in as Auth Header in your request header
for example
request.put("Auth","token_here");
Here is what I'm thinking about rails server and android. Please let me know if following steps make sense.
At first, when the android app is launched for the first time, user will type in his/her email address and password.
Then, the app will request to authenticate the user to the rails server, and the server will answer back with token (in token authentication).
The app stores the token and attach the token for subsequent requests. (example : http://myServerUrl.com/books/list?auth_token:xxxx ) And the server will check if the token exists is user table and then send credential data back to the app in JSON format.
My questions are,
For the first time, when there is a request to server with email address and password in HTML body (in case of POST), is it secure? If the user uses wifi, the whole plain text will be exposed to the public. Is there any secure way to send email and password to the server? Is SSL or assymmetric crypto or HTTPS needed?
After receiving the auth token from the server, the app will attach that token for sebsequent requests. In other words, the auth token will be exposed as a plain text as well. Is there any secure way to make requests? If someone dumps the one full request and send it to the server, how can server know if it is a valid request?
Since I'm farely new to ror and android apps, any help will release my pain greatly.
I guess I figured it out...
First, android app need to sign in with email and password.
Server will response back with the auth token.
App will access credential data with the token but the request should be sent as HTTPS.
Jav_Rock wrote the comment that all connections be handled in HTTPS.
I plan to test whether HTTPS connections give reasonable speed when compared with HTTP.
If response time matters, HTTPS might slow down the app.
I will post again after I test HTTPS.