I'm writing application which consists of server side on Google App Engine (Java) and client side on Android. They communicate using RESTful web service.
And I really confused with authentication in this application.
How I can implement authentication on Client side so:
User authenticated on client side, I can check if he logged in.
User authenticated on Server side (server side needs to extract some data from FB)
Client and server can communicate (client authenticated on server side)
You can implement or use an existing adndroid AccountAuthenticator.
See this example on android documentation.
Basically, your server side authentication service will return a token to the client if authentication succeeds. The Android AuthenticationManager will store the token for you. Your AccountAuthenticatior will check if the user is logged in. If not, it will launch an activity to request the user to give username, password or whatever you need to log in.
Maybe you could pass to the server the authentication token that you get from FB on the client side? Then you could use UrlFetch on the server side to make calls to FB API. (I don't know if it's safe)
I created GAE-GWT-FB stack, so it's a bit different, but if you want to take a look it's here GWT-GAE-FB
Related
I would like to create an app in which there is a mobile (Android) client which uses REST API from the server. A user has to login with Facebook account (using Facebook SDK's LoginButton); on success this should create a user account on the server at the first log in.
I've already read a lot of tutorials about how to secure HTTP API using SSL and access tokens, but there is one point which I don't get. The flow should look like this:
a user log in on the Android app with the Facebook LoginButton
in the Android app I receive an access token on successful log in which I can push to the server
I can validate this access token against Graph API
if validation in 3. is succesful I can create a user account on the server
all other calls to my server API can be secured with received access token or other token which would be created by me
but what about the 2. point? I have to expose API call which takes an access token and creates an account. This API call won't be secured, so if someone calls it with stolen/properly fabricated access token, then I will create an account which shouldn't exist. How to solve this? Do I have to assume that if my create account API is called with an access token which is valid (because I validate it in 3.) then everything is ok? Is there a better solution?
You are right, never trust the client. Always validate all client input again on the server.
In your case, you're validation of the token on the server in Step 3 should include comparing the result from Graph API with the result from decrypting the user info from the token. If both match, then proceed.
There are several code examples on Facebook website on how to do this correctly. They are available in several server languages (e.g. PHP) so I recommend reviewing them.
For users signing up from our android app and iOS app, we need to generate short lived access token from the app and need to have the server generate the long-lived token.
Referring to https://developers.facebook.com/docs/facebook-login/access-tokens#extending, we see the following -
Make this call from your server, not a client. The app secret is included in this API call, so you should never actually make the request client-side. Instead implement server-side code that makes the request, then pass the response containing the long-lived token back to your client-side code. This will be a different string than the original token, so if you're storing these tokens, replace the old one.
Once you've retrieved the long-lived token, you can use it from your server or ship it back down to the client to use there.
How do we implement this when we have an android app and server and not a web page as the client?
The facebook documentation mentions that Mobile apps that use Facebook's mobile SDKs get long-lived tokens. How do I get short lived access token from android app? How can we have this implementation in a mobile app mentioned in facebook docs - Web client authenticates, exchanges the short-term token for a long-term token via a server, token is sent back down to the web client and then the web client and makes calls with the long-term token. Also they have mentioned in the docs Make this call from your server, not a client - GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
Have a look at Design for Facebook authentication in an iOS app that also accesses a secured web service
You just need to create a WebService on your server which receives the Access Tokens, and takes the appropriate actions.
I need to create application (iPhone/android) that:
shows login screen with username/password fields
could create account with info provided by user (email confirmation)
connects to server with provided credentials to retrieve token
uses web api with provided token to store/retrieve data (but only his data, not other users data)
I am familiarized with client side programming. But I need a server that allows creation of account, login using https+basic auth (or some other mechanism), store client data and allow access to his data via web api (GET/POST/PUSH + token).
I could use FireBase but looks like it can't login user to obtain token, it needs another server to do so.
Ideas?
Found out that Parse allows to create API that could have:
users
data
security rules (data can be read/write only by it's user)
user login via WEB API + token
Hope it is usefull for someone.
I am creating an app and want to use the google accounts on the Android phone to get the user's email, name and possibly phone number. How can I securely communicate with a rails server? I could send the auth token but my understanding is that it changes often. I plan on making a private API token for very basic auth but I need a user specific authentication as well. I thought about using an email hash and sending that but there has to be a better solution.
Normally what I would do if the account logins were on the server is login and send a token back and check that token to the database every request but can't do that since I login on the client side.
What would be my best bet to implement something where I log in on the android side but store info on the server?
This is my answer... Uses Google Play API to get a token and verify on server/client side.
http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
I've recently done some OAuth authentications on Android apps (or iOS), but I now have a problem.
When this OAuth authentication needs to be stored in a remote server to perform login request. Which is the best way to do this?
Should I send access token from this oauth provider, and then get otherr access_token just for my app?
Or should it be done in a different way?
Thanks!
Well, there's no general answer but I'll try to explain.
2 basic flows I can think of :
1) If yo don't want that your app directly asks for a username/password, you can use Facebook/Twitter login.
2) Ask the user for a username/password directly and implement your own OAuth service with your server, then use an iOS OAuth library to communicate with it. Your service will need to perform user/pass authentication at some stage.
You can either generate a random UID (user identification) on the client and use that to communicate to the server. Or you can just pass the username/password, let the server generate a UID and from there on communicate using that UID in the request headers.
Hope this help