I am integrating the scores API for facebook in an Android game. I had the exact same problem as this question: Facebook Graph API Explorer won't POST scores. The fix was to set my app as Web instead of Native/Desktop. Is it because scores API should not be used by native games? Is it somehwat dangerous to set up Web for a Native app?
Thanks
I have noticed this too, however I wondered if it is 'by design' as to use the Facebook Scores API you need access to the app access token (in order to do things like submit scores) however this isn't considered a safe thing to use from a native application. Here is a quote:
"App Access Tokens should only be used when the posting functions are originated directly from your servers in order to keep them private to the app. For example, you should not publish using an App Access Token from within a native mobile app. Doing that could allow the user to obtain the App Access Token, which could then allow them to take actions on behalf of your app. Instead, you should have your native mobile app queue actions up with your server and then have your server publish the stories to Facebook using the App Access Token."
Here is the website in question: http://developers.facebook.com/docs/opengraph/using-app-tokens/.
So, it sounds like the only way to really use the Scores API is to have the native application securely talk to a separate, secure, server (potentially on Heroku) then once that server has verified the passed data, it would then talk to Facebook and submit the score using the app access token (which it can safely use without the user getting hold of it).
On top of this, the Facebook Scores API only supports having one score per application (not per level, per mode, etc.) scores, so in order to have anything more advanced the extra server is required anyway, so a database can be stored that maps Facebook user IDs to the various scores one wishes to score.
Related
I wanted to know if when there's an firebase authentification, it's possible to get the source of this authentification?
To know if it's from my iphone app, android app or web app.
Why :
My web app isn't on the web, but on local server. I want to distribute this web app with server (It's for a personnal project but it could have 10 prototypes). So everybody can get my firebase config. And I don't want that someone can create account from the web firebase api because I accept google/apple and email/password auth. I can't disable email/password for my project purpose.
I hope this is clear.
To be more clear, if the email/password auth is created, is it possible to know if it's from android app or iphone app or webapp?
Thanks
The provided APIs for Firebase Auth don't give any indication which platform was used to create the account. Firebase intends for all accounts to work across all platforms using the provided SDKs and APIs accessible for each platform.
If you want to record your own per-user data in a database, you're free to do that. Note that this is not really "secure" in that each user could effectively manipulate your database or APIs to indicate whatever they want about their platform. If you do not have this sort of security in mind, then you can simply trust your own code to write, and late read, the user's platform in a database after they sign up.
To be more clear if the email/password auth is created, is it possible to know if it's from the Android app or iPhone app, or web app?
Yes, it's possible. Let's say we want to know if a user has signed in from Android. When the user creates an account from an Android device, most likely you are storing user data as objects in the database. The simplest solution I can think of is to add another property in your User class, called "platform" and set it to "Android". If the user signs up with an iPhone, then set the property to "iOS". Same thing for the web. Knowing that the user might change the device, every time the user opens the app check that value against the OS the user is using. If the OS is changed, also change the value accordingly. This way you'll always know the OS the user is using. If you allow the users to use multiple platforms, for Android, there is a function called getProviderData():
Returns a List of UserInfo objects that represents the linked identities of the user using different authentication providers that may be linked to their account.
Similar functions can be found for the other platforms as well.
I am working on an Android app for daydream that is paid and has no login screen.
I want to emulate the user auth flow that I used when developing for Oculus outlined here in which you first make a local license check, then use the data returned and the userId to make a server-side check from my backend to Google Play's over http/REST.
I can't seem to find a way to get an Android App's userId (or token) in order to make this check without logins. The current path I am heading down is one in which uses the sorely outdated License Verification Library (for local checks) as outlined here and then uses the Google Play Developer API to preform a server check.
Is this the proper way to approach this, or is there a better/more modern way to do this? One that perhaps models after the Oculus flow more? Additionally, I want to limit the permissions I need to request the user for, since with Daydream VR, the user must remove the headset to accept permissions at the moment.
Thanks
Check the Using OAuth 2.0 for Web Server Applications as it's about handling OAuth on the server side. The flow you've shown is also a bit similar to the Web server applications diagram.
I'm writing a game that use Google Play Game Service's quests and events system - https://developers.google.com/games/services/android/quests.
Game will use it on Android devices, but I want to submit certain events from server. I found web rest api for this https://developers.google.com/games/services/web/api/events/record, but it's not clear to me how to proceed with authorization.
Can i somehow send all needed authentication info from client to my server, to use GPGS' rest api in future?
What you want to do is informally called hybrid authorization, and the best way to do that is to send an Authorization Code from the Android app to your web server. The web server can then exchange the code (one time) for an Access Token and a Refresh Token. This is not specific to games and is something that many apps using Sign-In with Google do all the time.
The Google+ Haiku+ Sample shows and example of this flow. The specific pieces you may want to look at (in the Android app) are MainActivity.codeSignInRequired(), the private class in MainActivity called CheckOrRetrieveCodeTask, and HaikuSession.getCodeSynchronous() which calls the GoogleAuthUtil.getToken() method to get the one-time code.
Note that getting this code requires your user to see and accept the standard Google SignIn consent dialog. Additionally, once you use the code once it is invalid (for security reasons) so make sure that your server saves the tokens that it gets from exchanging the code.
The Haiku+ Java Server has a good example of how to exchange the authorization code for tokens.
Once you have the access token, you can call any Google APIs to which the user consented on the client. The Haiku+ Java Server shows an example of this when it fetches the users circles.
Yes, this is a complicated flow but it is the best and most secure way to do this. If you don't want to do all of this, I'd recommend submitting Events from the client. The Google Play Games SDK for Android makes this very easy and automatically handles all of the caching and retry logic.
I am quite new to android and recently started building an application which requires
Registration using a google id.
Continuous interaction with a back-end server.
For the registration , i was wondering if it is possible to have a python webapp on Google App Engine which has the OAUTH2 authentication .
This page if opened in a webview should return the token to GAE (please correct me if i am wrong here , because i am not sure the token won't just go directly to the app).
Then again on the backend i generate a token(newly generated) and update the user tables with this new token and pass this onwards to the application.
Every subsequent request made by the app will be referenced using this token.
Is this feasible or is there a better standard way to do it (i do not want to use the login info already stored in the phone) ?
Also , how can i get information from a google account(name,email) like Facebook has access to the graph is there a google counterpart ?
As far as I understand, you implement your Android app using WebView. This means that the app interacts with the server the same way as the built-in Android web-browser. As a result you don't need to add anything special to your Android app with regards to authentication.
Built-in Users service
In GAE, you get out-of-the-box support for three different types of authentication where all of them are designed in a way that your app doesn't store user credentials but rely on user authentication from identity providers:
Google Accounts (e.g. jonny#gmail.com)
Google Apps Domain (e.g. jonny#mydomain.com hosted in Google Apps)
or Federated Login (a.k.a. OpenID, e.g. Google, Yahoo!), which is going to be replaced by Login with oAuth2 (OpenID Connect)
All three types allow your app only access to very basic information of the user. Enough to match a returning user of your GAE app to their data, and an email address or unique ID, but that's it. For more, see below (oAuth2 consumer).
In appengine console, you can select your preferred authentication type in page Administration > Application Settings.
Whatever of these types you use, in your Python code you can use GAE's Users service which will deal with the authentication of your users. Basically, you just write something like:
from google.appengine.api import users
user = users.get_current_user()
if not user:
# The user is not signed in.
else:
print "Hello, %s!" % user.nickname()
On development server, you will be prompted with a dummy login page for requests where you require login or admin login. In live environment they will be replaced by GAE with real login page flow. There are also articles linked in the docs with HTML/JS examples if you want to show custom login pages to your users, for example User Experience summary for Federated Login
oAuth2 for authentication and authorization with Google
Regarding oAuth2, with the built-in authentication it is rather easy to integrate the builtin oAuth service, so your GAE app becomes a service provider, i.e. a user of your GAE app can share data with any 3rd party app or website through some simple API. You also can have your GAE app consume data that your users have stored somewhere else (e.g. Google) and they want to share with your GAE app (consumer). If you are especially interested into accessing user data in Google services, there is this good overview.
Custom user management
Finally, you could implement your own authentication mechanism, rather than relying (and depending) on GAE features. For example you can implement your custom user management based on webapp2. This means that you have control of the user-accounts and credentials, but aside of eventual security risks the disadvantage is that it can be really hard and tricky to integrate services and APIs like Google Cloud Endpoints.
I'm working on an app which comprises of a web component and a mobile component -
an end user can access the service directly via the web or via a mobile. I would like to have facebook based authentication for the service.
I have developed a simple facebook javascript SDK based login mechanism for the web interface. The server side determines which user is logged in via the cookies. This works fine.
From the Android side, I'd like the user to be able to log in with their facebook credentials to access services on the server side (not facebook specific services). I would like this to work by having the user present the same cookies with the request as are presented when using the javascript SDK.
Having looked at the documentation, it seems that there are more or less two options:
use the facebook Android libraries to enable the mobile app to directly access facebook
use mobile web to afford login to the services
Neither of the above is really what we want - the first is for direct facebook access from
the Android app and does not really relate to a situation in which there is a web service; the second does not integrate with the native mobile app.
I'm guessing that folks must have done this before - any pointers on how to do this?
TIA,
Seán.
You could always develop your application using PhoneGap? It'll save you a load of time and enable you to use your existing FBC code.
I have the same scenario. I have a JSON service that I would like to call from my Android app but as an authenticated user.
Think about it this way. Normally a web service would have some kind of authentication, not necessarily different for every user. So why not conceptually separate out the authentication with Facebook and the authentication with the web service.
The app controls what a user can do and see and thus controls the authentication. If the login to Facebook fails then the app denies the user access to the service.
On the web service side you could just require an api key which you issue to the app like any other api. This key initialises a session so that each device will have a separate session id but they would all use the same api key. Alternatively the email address provided from Facebook could be used as a username together with the api key to initiate a session.
Any thoughts?