I have been working on a project where I have to develop an android web application of a website that's made with Shopify. I used java for the purpose and in my app, I used firebase authentication because the client wants to store data in firebase. Now the problem is when the user logs in through my app, he gets to see the website view but needs to log in again since the website is on Shopify. Is there any way by which Shopify authenticates the user data from firebase data so the user doesn't have to provide details again?
I searched a lot about it and its something to do with OAuth and access tokens, but I have no clue how to integrate it. Someone, please help me with a solution.
If you are on the Shopify Plus plan, you can auth user on your app backend using Multipass
Documentation starts with the description of the very similar problem to yours:
You're the owner of a successful website forum. All of your users must log in to the forum to contribute. Members of your forum can then purchase a forum t-shirt through your Shopify store. Unfortunately, your users have to log in to the forum first and then log in to your Shopify store before they can purchase a t-shirt.
Multipass login is for store owners who have a separate website and a Shopify store. It redirects users from the website to the Shopify store and seamlessly logs them in with the same email address they used to sign up for the original website. If no account with that email address exists yet, one is created. There is no need to synchronize any customer databases.
By the way, storing e-commerce data outside Shopify is not the cheapest thing to do so I would reconsider the requirements.
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
I have SiteA storing user information(name, office, department etc.).
The back end has exposed REST WS that give the information to the front end. The site uses Google OAuth2 authentication - Users log in via Google account. With OAuth2 we let google handle the login(without asking for username and password). Google generates an authorization code that is used with the client_id and client_secret to generate an token for the user.
I have SiteB. I am creating a job that is going to be executed once a day.
I need it to login programmatically to SiteA so I can get a security token that I can use in requests to the REST WS API provided by SiteA and fetch the needed information.
I was unable to find a similar question online. Everything usually ends up to the user opening a browser and navigating to an approaval URL.
Something similar is Google Drive API - OAuth2.0: How to Automate Authentication Process? Doubts and Questions, but it is about connecting to Google Drive without login.
I am starting to doubt that it is possible. Have anyone figured out how to implement this way of communication between systems?
The only option that I could thing of is connecting to SiteA DB and extracting records manually, but that would duplicate the login in SiteA and SiteB.
What I was asking is not possible in the time of writing the question.
What we did to solve the issue is to extend the life of the token for the account that is used to login to SiteA and set it it in the header of the request from SiteB:
connection.setRequestProperty("Authorization", token);
We changed the lifespan of the token from the database and since this are internal systems the long life of the token is not a problem.
Another option is to follow How to get offline token and refresh token and auto-refresh access to Google API and generate an offline token, but the idea is still the same.
Hope this helps someone.
I am working a mobile application based on facebook. The application creates local user by facebook login. The steps of application are below.
Login With Facebook
Backend Service Create Local User
Find Friends Who use The App By Facebook SDK
Vote Your Friends
Notes:
I don't want to keep user friends on my database system
I use JWT
Problem:
I have to verify that authenticated user and voted user are friends on facebook. The user must be voted by its friends.
I found a couple solution but they have vulnerability too.
For instance;
I authenticated and i fetched all my friends by facebook sdk. The request is to vote a user like this:
/vote/user_id/vote_id
The backend service checks and verifys jwt token and vote user whose id is user_id as vote_id by authenticated user.
table structure
from_user_id,vote_id,to_user_id
So the problem is that when a user authenticate, it can vote a user from application outside taking jwt token whether it is its friend or not. This is a realy big problem for us. So I wonder how can verify two user are friends without send request to facebook for it. Or how can design the archtecture to avoid this situtation.
This can simply be done making a request to
/me/friends/{id_of_friend}
using the current app user’s access token. If they are friends, you will get back a data structure that contains the friend’s id and name – if they aren’t friends, data will be an empty array.
This of course requires that both users have granted user_friends permission to your app.
As per this SO answer and other google search results, it seems that twitter has stopped supporting username and password based authentication to post updates. However to my surprise, when I downloaded this app, it amazed me as it simply allows me to send tweets using my username and password only, requiring no consumer key and consumer secrets. So how is that possible?
All the tutorial I went through after googling suggested that I need to register my app and use the access token for posting. This also requires entering some PIN if I use it in my app. What I want is that my app must allow the client to enter only username and password to post tweets. So how should I do that in java?
I would even welcome a solution which utilizes the above app only to post tweets.(e.g. using Runtime.getRuntime())
Also refer this unanswered SO question. This is similar to what I want to do. Only that I want to do it using desktop application.
I've developed a Chrome Web Store app using Google App Engine. I'd like to follow these instructions: http://code.google.com/chrome/webstore/docs/identify_user.html#realm
But I need to call User::getFederatedIdentity() so that I can call the Chrome Web Store licensing server and find out if the user has purchased my app.
The trouble with that is, in order for UserService::getCurrentUser() to work, the user needs to be logged in.
The trouble with that is, when I call UserService::createLoginURL() to generate a redirect URL, the redirect URL takes the user to... the OpenID approval screen. This happens even though I've set the App's OpenID realm, as per the instructions in the page linked above.
Is there a way for me to do what I want but still use the User and UserService classes?
(Possibly a legit alternate phrasing for this entire question: using Google App Engine's UserService class, is there a way to request permission from the user to access their federated identiy, without also requesting permission to access their email address?)
Thanks in advance!
Please reread how to skip the OpenID approval screen. Have you set the realm? And are you asking for any information other than the URL? If you request the user's email address (or other information), then it is necessary to inform the user and obtain their permission to grant access to that information.