I followed the tutorial here: https://developers.facebook.com/docs/mobile/android/build/#enablesso
I am able to authenticate on the Android side, but what I want to do is to use SSO or some sort of authentication using Facebook [preferably OAuth] to authenticate against my web application on GAE. I expect it to work something like this: blog.notdot.net/2010/05/Authenticating-against-App-Engine-from-an-Android-app
This is the sort of flow I expect:
The user starts my app, and is prompted with an option to authenticate to FB.
The FB app/web dialog opens and asks the user to confirm permissions to be given to my app.
Once that is done, FB provides me with a cookie [or something similar].
I use that cookie for subsequent requests to my web service, where I can get the username simply using:
user = oauth.get_current_user()
user.nickname()
Is anything like this possible? The problem I face is that while performing SSO, there is no place where I specify an OAuth endpoint. GAE provides OAuth endpoints [http://code.google.com/appengine/docs/python/oauth/overview.html], which I think I should be using. Any clue as to how I can proceed with this?
Any help is appreciated. Regards, rohan
You need to implement the server-side authentication flow: http://developers.facebook.com/docs/authentication/
I implemented it in Java: see the LeanEngine oss project. You could probably reuse the android client part: the login dialog.
I am new to developing mobile applications and I want to use Facebook login for my application using Spring Boot. What is the best practice for this: to perform it on the client side or on the server side?
If it were a normal username/password login, I would perform it on the server side. But with login by Facebook, the application will be directed to a Facebook pop-up. Therefore I do not know the correct way to perform this. Can anybody advise?
You need to use the Facebook SDK for this. This link will help you get started.
I'm developing a web server (using J2EE/Wildfly 8.2) with a RESTful API for the Android clients. To authenticate the connected client I would like to use a token (OAuth2 or whatever is appropriate) from that client rather than have to deal with the messy password admin in the server.
Could someone point me at a good example. Ideally it would use the Google account on the Android device as most users (I would think) have an active Google account.
As always, many thanks for your help getting me started on this.
I think it will be helpful for you to take a look at Stormpath. In your backend, you can use the Stormpath Java SDK to easily delegate all your user-management needs. Since you are specifically interested in the social login functionality, this is the way you would do it with Stormpath:
There are two options here...
You can completely delegate the login/register functionality to Stormpath via its ID Site. It supports Google, Facebook, LinkedIn and GitHub login.
You can create and host your own social login forms. In this case, your front end will display the login buttons. When the user presses the login button, your front end will send the credentials to the back end, where you will need to execute code similar to what was documented here
Sorry for the misleading title, but here's what I want to do:
1. Say I have an already running website, AwesomeWeb, which authenticates its users using a username/password combination. Now I want to develop a mobile app, AwesomeApp, for it and, at the same time, develop and open up its RESTful API, AwesomeAPI.
2. To keep things simple, I plan to authorize AwesomeAPI using OAuth2, and make AwesomeApp the first client/application.
3. But I DO wish AwesomeApp to have a simple sign-in process: input username/password -> click the button -> done. In other words, have a 'non-web' feel just like Facebook or Twitter do.
4. For those 3rd party mobile apps that want to access resources (like the username) through AwesomeAPI, they should embed a button somewhere in the app, which opens AwesomeApp to display an 'allow/deny' page when clicked. Again, this is what the Facebook and Twitter apps do.
OK, here's the questions:
At step 3, what do I use: a webview, doing the HTTP requests in the background, or just the OAuth2 password grant type? Pros vs. cons?
After step 3, I get an access token for AwesomeApp. But this token CANNOT be used in step 4 to issue an access token for some 3rd party app, am I right? If so, how to achieve step 4?
Appreciate your help a lot!
Notes: I'm not asking for OAuth2 flow or inter-app communication.
Regardless of whether you achieve step 3 by implementing the "Resource Owner Password Credentials" flow defined in RFC 6749 (OAuth 2.0) or by other means, the authentication should be performed in the background. Note that in the "Resource Owner Password Credentials" flow, a client application does not access the authorization endpoint but accesses the token endpoint directly, so the authorization UI (which is supposed to be shown at the authorization endpoint) is not displayed.
To achieve step 4, you have to implement the "Authorization Code" flow or the "Implicit" flow.
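To make the distinction in the answer above concrete, here is an added example (not code from the answerer, nor from any project mentioned on this page) of a token endpoint that serves both grants: the Resource Owner Password Credentials grant for the first-party AwesomeApp, which never touches the authorization endpoint, and the Authorization Code grant for third-party apps, whose code is minted by the authorization endpoint only after the user's allow/deny decision. The client ids, secrets, user, password and in-memory stores are constructed for the example; `issue_authorization_code` stands in for what the authorization endpoint does once the user has consented.

```python
"""Minimal OAuth 2.0 token endpoint serving the two grants discussed above.

Added example with constructed data: clients, secrets, the user and the stores are
all in memory and exist only to show the control flow.
"""
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 60

# Constructed registered clients. Only the first-party app may use the password grant
# (RFC 6749 section 4.3 restricts that grant to trusted clients).
CLIENTS = {
    "awesomeapp": {"secret": "awesomeapp-secret", "first_party": True,
                   "redirect_uri": "awesomeapp://oauth/callback"},
    "thirdparty": {"secret": "thirdparty-secret", "first_party": False,
                   "redirect_uri": "https://third.example/cb"},
}

_SALT = b"constructed-static-salt"  # a real system stores a random salt per user


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice": _hash_password("correct horse battery", _SALT)}  # constructed user

AUTH_CODES = {}  # code -> {"client_id", "user", "redirect_uri", "scope", "expires"}
TOKENS = {}      # access_token -> {"client_id", "user", "scope"}


def _error(code: str):
    return 400, {"error": code}


def _authenticate_client(form: dict):
    """Confidential clients authenticate with client_id + client_secret on every token request."""
    client = CLIENTS.get(form.get("client_id"))
    supplied = form.get("client_secret", "").encode("utf-8")
    if client is None or not secrets.compare_digest(client["secret"].encode("utf-8"), supplied):
        return None
    return client


def _issue_token(client_id: str, user: str, scope: str):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "user": user, "scope": scope}
    return 200, {"access_token": token, "token_type": "bearer", "scope": scope}


def issue_authorization_code(client_id: str, user: str, redirect_uri: str, scope: str) -> str:
    """What the authorization endpoint does after the resource owner clicked 'allow'."""
    if redirect_uri != CLIENTS[client_id]["redirect_uri"]:
        raise ValueError("redirect_uri is not registered for this client")
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client_id, "user": user, "redirect_uri": redirect_uri,
                        "scope": scope, "expires": time.time() + CODE_TTL_SECONDS}
    return code


def token_endpoint(form: dict):
    """Handle POST /token. `form` is the decoded application/x-www-form-urlencoded body.
    Returns (http_status, json_body)."""
    client = _authenticate_client(form)
    if client is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")

    if grant == "password":
        # Step 3: first-party app sends the user's credentials straight here; no consent UI.
        if not client["first_party"]:
            return _error("unauthorized_client")
        expected = USERS.get(form.get("username", ""))
        supplied = _hash_password(form.get("password", ""), _SALT)  # hash even for unknown users
        if expected is None or not secrets.compare_digest(expected, supplied):
            return _error("invalid_grant")
        return _issue_token(form["client_id"], form["username"], form.get("scope", "profile"))

    if grant == "authorization_code":
        # Step 4: the code must exist, be unexpired, be unused, and belong to this client.
        entry = AUTH_CODES.pop(form.get("code", ""), None)  # pop makes the code single use
        if (entry is None
                or entry["client_id"] != form["client_id"]
                or entry["redirect_uri"] != form.get("redirect_uri")
                or entry["expires"] < time.time()):
            return _error("invalid_grant")
        return _issue_token(form["client_id"], entry["user"], entry["scope"])

    return _error("unsupported_grant_type")
```

An access token issued by the password grant is never accepted as a `code`, which answers the second question: AwesomeApp's token cannot be used to mint a token for another client; that client has to send the user through the authorization endpoint itself. Codes are single use and short-lived, and the password grant is refused to anything other than the first-party client.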
I have created the SDK and now want to integrate OAuth for the authentication process. Now I want to do the same as the Facebook SDK does: if the client app is already installed and logged in, it switches to that app, asks for permission and switches back to the app that wants to authorise it. If the client app is not there, it will open the web page and, on login, ask for permission and then redirect to my app after login.
We have implemented OAuth on the server but are not sure which grant_type we should use to achieve the above functionality. We cannot store the password in the client app.
Let me know if anyone has an idea how to achieve this functionality and implement the same flow as other SDKs (Facebook, Twitter) do.
For mobile-based apps, use the following URL for authentication:
POST https://api.example.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID
Pass the authentication code from the app if the user is logged in; if the user is not logged in, first navigate to the login page, and on successful login the authorization page comes up as usual.
NOTE: It might be insecure as we are sending the code in a query param, but doing it in a request over SSL enhances security.
For browser authentication:
https://example.com/auth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
where authentication picks up the login session if the user is already logged in.
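The answer above hands the `code` back to the app and notes the exposure in transit. On a native app the redirect is delivered through the OS and can be intercepted by another app that registered the same scheme, so the standard mitigation is PKCE (RFC 7636) together with a `state` value, as RFC 8252 recommends. The following is an added example (not the answerer's code, nor any real SDK's) of the client half: building the authorization request, checking the redirect that comes back, and assembling a token request of the form shown above with a `code_verifier` in place of a client secret. It also includes the check the token endpoint makes against the stored challenge and the fragment parsing that the `response_type=token` variant needs. The endpoint, client id and redirect URI are placeholders.

```python
"""Native-app client side of the authorization-code flow with PKCE (RFC 7636) and state.

Added example; endpoint, client id and redirect URI are placeholders, and the redirect
URLs used to exercise it are constructed by hand.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison that tolerates non-ASCII attacker input."""
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_request(auth_endpoint: str, client_id: str, redirect_uri: str, scope: str):
    """Return (url, session). The app opens `url` in the system browser or a custom tab
    and keeps `session` until the OS delivers the redirect back to it."""
    state = _b64url(secrets.token_bytes(16))          # binds the redirect to this request
    code_verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    session = {"state": state, "code_verifier": code_verifier, "redirect_uri": redirect_uri}
    return auth_endpoint + "?" + urlencode(params), session


def _same_endpoint(a: str, b: str) -> bool:
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc, pa.path) == (pb.scheme, pb.netloc, pb.path)


def handle_redirect(redirect_url: str, session: dict) -> str:
    """Validate the redirect the OS handed us and return the authorization code.
    Raises ValueError on an unexpected URI, a state mismatch, or an error response."""
    if not _same_endpoint(redirect_url, session["redirect_uri"]):
        raise ValueError("redirect arrived on an unexpected URI")
    query = parse_qs(urlsplit(redirect_url).query)
    if not _eq(query.get("state", [""])[0], session["state"]):
        raise ValueError("state mismatch: not the request this app started")
    if "error" in query:
        raise ValueError("authorization server returned " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def build_token_request(code: str, client_id: str, session: dict) -> dict:
    """Form body for POST /token. A native app is a public client: it sends no
    client_secret; the code_verifier proves it is the app that started the request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": session["redirect_uri"],
        "client_id": client_id,
        "code_verifier": session["code_verifier"],
    }


def server_verifies_pkce(stored_challenge: str, code_verifier: str) -> bool:
    """The token endpoint's check against the challenge it stored with the code."""
    return _eq(stored_challenge, pkce_challenge(code_verifier))


def parse_implicit_response(redirect_url: str, expected_state: str) -> str:
    """For response_type=token the token arrives in the URL fragment, not the query."""
    fragment = parse_qs(urlsplit(redirect_url).fragment)
    if not _eq(fragment.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch")
    if "error" in fragment:
        raise ValueError("authorization server returned " + fragment["error"][0])
    return fragment.get("access_token", [""])[0]
```

With PKCE an intercepted `code` is useless on its own, because the token endpoint refuses it without the matching `code_verifier`, which never leaves the app; the `state` check stops a forged redirect from being accepted as the result of a request the app made.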
I think you already answered your own question when you said "I want to do same as Facebook SDK does".
The Facebook SDK provides the framework for detecting if the Facebook application is installed in order to avoid signing up through a WebView interface. Google also provides an authentication and authorization API through Google+ Sign-In instead of a browser. As you can see:
the documentation suggests using the right device infrastructure rather than the system browser.
According to this post, it is possible to programmatically check if an application is installed. For Android, I think that both SDKs check if their related apps are installed when you trigger the sign up/in/out process and invoke the system browser if necessary.
Thus, in order to provide generic OAuth 2.0, you could also do the same programmatically, but I guess that drilling down to this information, picking the right application, and launching it won't be an easy task.
I'm building an application which consists of a mobile client (Android native app) that will connect to my Rails application. I need a way for users to sign in and sign up to my Rails app using the Android app. So I installed the doorkeeper and devise gems on my Rails app and followed the instructions here to see how things work. As you can see on the authorization code flow page, there are multiple steps such as registering the client, requesting authorization, and requesting the access token.
My question is how do I perform all these steps from my android app. Any help is much appreciated. Thanks
For registration (sign up) you can create a method in the user controller that does just that. Or you can customise Devise's sign_up page to look better in a mobile view and do the registration in a webview in the app.
As for Doorkeeper, either follow the usual flow as linked by you or give it a simpler approach. What I did was to
activate the refresh token - this will allow a user to get his access token and his refresh token, a token used to regenerate the access token once it expires. This way you don't retain the user's login credentials on your app, just the tokens.
whitelist some apps in config/initializers/doorkeeper.rb by using skip_authorization to allow auto authorisation of some particular apps. You can allow auto authorisation for all the apps but I'd recommend you just whitelist some of them:
skip_authorization do |resource_owner, client|
  # Doorkeeper yields (resource_owner, client); `client` wraps the registered application
  whitelisted_apps = ['app1_id', 'app2_id']
  whitelisted_apps.include?(client.application.uid)
end
I hope this helps.