I'm writing an android program which must interact with google documents, so I have watched this sample, but it uses an AuthSub token. How can I get an AuthSub Token from an android app?
For accessing Google Docs or any other Google service (or any OAuth based service for that matter) you will need to find a way to do an OAuth based authentication, after which you can u get a secure token which you can use to access a service based on the users credentials.
There are some really good examples to get you started:
This is an example of getting AccountManager to work with a Google
service like Google Tasks, this shows you how to generate tokens and
then how to use them:
https://developers.google.com/google-apps/tasks/oauth-and-tasks-on-android
This is an in-depth look into how you can authenticate based on the
users Android credentials, has an example of how things work and how
the UI should be:
http://www.finalconcept.com.au/article/view/android-account-manager-step-by-step-2
For something specific to Google Docs have a look at
http://code.google.com/p/google-api-java-client/wiki/Android
http://code.google.com/p/gdata-java-client/source/browse/trunk/java/sample/docs/DocumentResumableUploadDemo.java
Related
I have an android app which communicates with Google cloud api services like speech to text, translation, NLP etc. The application is using a service account to do this and the private key file is stored in the application itself. I understand that is a bad practice as anyone can see it using dissembler but I am not sure where else to store it for an android device.
The following post suggests to store this file on a build server:
https://brightinventions.pl/blog/securing-your-google-service-account-key-in-builds/
However, I think that it does not fix the issue as the service credential file is getting included in the publish package.
Please let me know if you can think of a solution.
Do not embed service account credentials in applications. Service Account credentials have a permanent lifetime which means you will be breached. You can delete service account credentials, but then you will have to re-release your application.
You have several options:
Implement Google OAuth so that your users authenticate with Google Accounts. When authenticating use the correct Google OAuth Scopes to provide temporary permissions.
Implement temporary access tokens. Your users will connect to your website, authenticate and your code will give them a temporary access token created from service account credentials. This access token will expire. The default is 3600 seconds but you can control this.
You users will make all requests thru your website API's. You control authentication of the users. Your website code then makes the API requests on behalf of the users. This is not an ideal solution as all traffic goes thru your website (Compute Engine, App Engine, etc.) and you will pay for that bandwidth.
I need some guidance to secure my Google API.
I've created an Android Application that sends requests to my API. Once I've put my application up for download, how can i ensure that only my application can call my backend API.
I understand that once they have registered with my application, i would be able to use OAuth to provide the security.
However, before they register, what's to stop someone spamming my backend API on creating a new user (Registration).
You need to generate a client ID for your Android app in the development console (console.developers.google.com), then include this ID in an API annotation for your endpoint.
You can find detailed instructions in the following tutorial, under the heading "Specifying authorized clients in the API backend":
http://cloud.google.com/appengine/docs/java/endpoints/auth#Specifying_authorized_clients_in_the_API_backend
I'm building a Android/iOS/Web app which authenticates with a provider to receive an access token and then uses the token in the API calls to the node.js backend. I've already got it working for facebook using Passport and the Facebook-Token strategy (https://github.com/drudge/passport-facebook-token)
Now I'd like to repeat the process with this library https://www.npmjs.org/package/passport-google-token
Should be easy, right? But google's developer console for android doesn't provide a client secret. Infact there is very little documentation on what to do if you would like to authenticate on the device and use a token to communicate with the server. It was so simple with facebook, is there something I am missing?
FB's (or Google's) access_token is for their API, not yours. Also, most flows with 3rd party providers like FB and Google are intended for web sites (this is the auth code grant). Devices (and SPA) typically use the implicit flow that doesn't require secrets on the client.
You might want to consider authenticating users with Google or FB (or whatever) in your website (using either strategies which are optimized for web flows), and then issue an API specific token derived from that. I would recommend issuing JWT, which are lightweight and simple to use.
On the API side you could use express-jwt. See here for additional details.
Is there a way to request for offline access using the Google play services sdk on android? I know that the raw HTTP api has an option to do this by requesting for a refresh token, but couldn't find a way to do it via the new Google Play services sdk.
The new sdk gives the app an access token using the GoogleAuthUtil.getToken() method, but the access token expires every hour. I could make the raw http request and have the user sign in from a web view or the browser, but would prefer a way to do it natively using the sdk, since that is a much better experience for the user.
Searching the Google docs near and far, it does look like that this is possible. Google calls this "Cross-client Identity" under its "Hybrid Apps" category.
You can apparently massage the string for the scope parameter you pass into GoogleAuthUtil.getToken(...) method to coax it into returning an "Authorization Code" rather than an OAuth2 Token. (For the difference between these, I've found this chart helpful.)
The details are here, specifically the last section titled "Android app obtains offline access for Web back-end".
It seems you'll need to pass in the following as "scope" string to getToken:
oauth2:server:client_id:<your_server_client_id>:api_scope:<scope_url_1> <scope_url_2> ...
The doc then claims this:
In this case, GoogleAuthUtil.getToken() will first require that the
user has authorized this Project for access to the two scopes.
Assuming this is OK, it will return, not an OAuth token, but a
short-lived authorization code, which can be exchanged for an access
token and a refresh token.
Disclaimer: I've not tried this myself yet; our Android developer will shortly. Please report if this is working for you.
After reading all sorts of Stackoverflow postings and various documentation including some on http://code.google.com/p/google-api-java-client/ site I feel utterly confused. So can someone explain to me the best way of achieving the following:
Let user to approve my app. I don't really care if this is done by accessing their registered Google account in accounts/settings and approving the app (preferred way) or by calling Google OAuth authentication page
Obtain the authentication token that can be used to communicate with Google Reader
Another point of confusion for me - I was able to approve my app using AccountManager and get auth token from it but it won't work with Google Reader. So how to balance Account information from the AccountManager and OAuth? Do I still need to do anything with OAuth after I get approved by user in AccountManager settings?
Code example would be nice but I look more for some clear explanation on how all these pieces are related to each other
The account manager lets you get authentication tokens for different services. There are different concrete implementation under the hood: ClientLogin, OAuth, etc. To get it to work with, say, Google Reader, you need to pass the appropriate token type. For ClientLogin, those are short string like "ah" (App Engine) and "reader" (Google Reader). For OAuth, they are scopes, as defined by each service. So, what are you passing as the authTokenType parameter?
Getting the token is asynchronous, since it may involve network access. If there is a cached token, it will be returned right away, if valid. The flow is not that complicated, see the link above for the pretty picture. Once you get the token, you put it in the appropriate header, and use the API as per the spec.
Here's an Android training class on AccountManager that might help:
http://developer.android.com/training/id-auth/authenticate.html
Also, using AccountManager with Google Reader is currently the only preferred way of doing this. Directing your users to a login page with a WebView is not very secure and using a browser isn't supported by Google APIs as far as I know (I'm also not sure if Reader uses OAuth2 or not).