I'm trying to log users in to a Java web application written with the Java Spark framework using the Firebase Auth REST API. The reason is that I couldn't find a better way to integrate with Firebase from this framework.
I can use the verifyPassword endpoint to log in using the email provider, but I want to use the Microsoft provider from the Firebase Auth console instead of email.
Is there a way to use Microsoft authentication through Firebase using the REST API?
Thanks in advance!
There is. You are looking for the Sign In With OAuth Credential section in the Firebase Auth REST API documentation:
You can sign in a user with an OAuth credential by issuing an HTTP POST request to the Auth verifyAssertion endpoint.
However, the process won't be as straightforward as it is when using the Firebase SDKs. You would have to get an access token from Microsoft (or any other auth provider) yourself and then pass it in the request body of Firebase's REST API.
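The request the answer describes, as an added example that is not part of the original answer: a small Node.js helper that composes the verifyAssertion call for a Microsoft credential and reduces the response to what a server-side session needs. It assumes the Microsoft token is passed inside postBody as access_token (or id_token) with providerId=microsoft.com, as the Firebase REST docs describe for OAuth providers; the API key, tokens, requestUri and the fake transport at the bottom are placeholders so the code runs offline.

```javascript
// Added example (not from the original post). Composes the Firebase Auth REST
// "Sign in with OAuth credential" request after Microsoft has already issued a
// token to the backend. Endpoint URL is the one named in the Firebase REST docs.
const VERIFY_ASSERTION_URL =
  'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyAssertion';

// postBody is itself an application/x-www-form-urlencoded string nested inside
// the JSON body, so the token must be URL-encoded rather than pasted in.
function buildVerifyAssertionRequest({ apiKey, providerId, accessToken, idToken, requestUri }) {
  if (!accessToken && !idToken) throw new Error('an OAuth access_token or id_token is required');
  const postBody = new URLSearchParams();
  if (idToken) postBody.set('id_token', idToken);
  if (accessToken) postBody.set('access_token', accessToken);
  postBody.set('providerId', providerId); // assumption: 'microsoft.com' for the Microsoft provider
  return {
    url: `${VERIFY_ASSERTION_URL}?key=${encodeURIComponent(apiKey)}`,
    body: {
      postBody: postBody.toString(),
      requestUri,                 // must be a URL authorized in the Firebase console
      returnIdpCredential: true,  // surface the IdP-level error instead of a bare failure
      returnSecureToken: true,    // ask for a Firebase ID token plus refresh token
    },
  };
}

// Send the request. `fetchImpl` is injectable so the flow can be exercised
// without network; real code passes the global fetch.
async function signInWithIdp(params, fetchImpl = globalThis.fetch) {
  const { url, body } = buildVerifyAssertionRequest(params);
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  const json = await res.json();
  if (!res.ok || json.error) {
    // Firebase reports {error:{message:"..."}}. Log the message, never the OAuth token.
    throw new Error(`verifyAssertion failed: ${json.error ? json.error.message : res.status}`);
  }
  if (json.needConfirmation) {
    // The email is already linked to another provider; sign-in is not complete.
    throw new Error('account exists with a different credential; link providers first');
  }
  return {
    localId: json.localId,
    email: json.email,
    idToken: json.idToken,
    refreshToken: json.refreshToken,
    expiresIn: Number(json.expiresIn),
  };
}

// Constructed fake transport standing in for Firebase so the example runs offline.
function fakeFirebase(url, init) {
  const body = JSON.parse(init.body);
  const ok = body.postBody.includes('providerId=microsoft.com') && body.postBody.includes('access_token=');
  const payload = ok
    ? { localId: 'uid123', email: 'alice@example.com', idToken: 'firebase-id-token', refreshToken: 'rt', expiresIn: '3600' }
    : { error: { message: 'INVALID_IDP_RESPONSE' } };
  return Promise.resolve({ ok, status: ok ? 200 : 400, json: () => Promise.resolve(payload) });
}
```

The returned idToken is what the Spark application should keep in its server-side session (and refresh with the refreshToken before expiresIn elapses); the Microsoft access token itself should be discarded once the exchange succeeds.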
I would like to integrate PayPal sign-in into an Android app so as to authenticate the client to the Firebase Database. I've managed to create a custom function on the node.js server that creates tokens from the provided uid, in order to use the "signInWithCustomToken" function in the client application. Should I send the uid to the node.js server over HTTPS in order to get the token? Is there a better way?
Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability, as any attacker would be able to impersonate any user just by knowing their uid.
What you need to do is the following:
Implement a PayPal OAuth code flow. You can use third-party libraries for that.
When you get the PayPal OAuth authorization code, you send it to your backend, where you use the PayPal client ID and secret to exchange it for a PayPal refresh token and access token. You can then get the user info associated with that PayPal user, including their PayPal uid. You would then mint a Firebase custom token using the Firebase Admin SDK and return it to the client.
On the client you would call signInWithCustomToken to complete sign-in with that custom token.
In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.
This is the basic idea (details excluded). Of course, you still have to ensure the flow starts and ends on the same device by passing some state and then checking that you get it back at the end. You also have to ensure the auth code is returned to the correct app using something like App Links, etc. Firebase Dynamic Links can be helpful there.
I have searched Google many times for how to authenticate a RESTful API with a mobile app.
I found a lot of answers but I don't feel any better informed, perhaps because I am new to APIs.
What I want:
The mobile app requests or posts data to the RESTful server.
The RESTful server authenticates the mobile app by username and password login.
I want to secure the RESTful server and prevent a hacker from stealing the password and requesting data.
After searching Google, they told me to:
use HTTPS with SSL;
authenticate the username and password, then generate a new token and signature;
use the token and signature to authenticate the mobile app.
Another way is to use OAuth 2.0. After reading the OAuth 2.0 documentation,
I still think its structure is similar to the token and signature above.
I think that if that is the case, the mobile app can store or use the token and signature,
or a hacker can debug or see the login process by proxying the requests.
I feel it is still not secure,
because we still use the token and signature when requesting.
I have just started learning about APIs. If I have misunderstood,
I am sorry. I use PHP.
I would recommend JBoss's Keycloak (http://www.keycloak.org/). From the front page:
Add authentication to applications and secure services with minimum fuss. No need to deal with storing users or authenticating users. It's all available out of the box.
You'll even get advanced features such as User Federation, Identity Brokering and Social Login.
For more details go to about and documentation, and don't forget to try Keycloak. It's easy by design!
I've successfully implemented user login in my Android app with Google Identity Toolkit. I've also created an App Engine Endpoint for the Android app to communicate with. Now I want to secure the endpoints with auth.
I know I can create a custom Authenticator for the endpoint and do any kind of verification of the data in the request header there and get the job done.
But I don't know how to do the Gitkit verification there.
Basically:
What data should I pass with endpoint calls from the Android app? (The ID token?)
What should I do in the custom Authenticator of the endpoint to ensure the requests are valid?
I saw people suggesting using sessions or cookies. Will these work if I'm using the endpoint from an Android app? If yes, please give me some reference on how it can be done.
Gitkit tokens are in JWT format, so you validate them on the server side just like any other JWT.
See the example documentation on how to validate a JWT here: https://developers.google.com/identity/sign-in/web/backend-auth It's the same format.
I also have my own project that integrates it with a Jersey server:
https://github.com/dlazerka/gae-jersey-oauth2. It uses the recommended com.google.api-client library to actually verify the token.
I think this will be a hard question. Has anyone dealt with Cognito and Twitter? The latter does not support OpenID. So, any idea how I can synchronize these two things?
The Cognito documentation only says: "Using Cognito, developers can store information such as user ... that are not natively supported by Cognito, such as Twitter or LinkedIn™".
In order to use Twitter, you would need to implement it as a developer authenticated identity provider: http://mobile.awsblog.com/post/Tx1YVAQ4NZKBWF5/Amazon-Cognito-Announcing-Developer-Authenticated-Identities
The basic flow would be:
Implement an identity provider that prompts the user to log in with Twitter on the device. Using the token Twitter returns, call the authentication backend you create to validate the token using the Twitter API.
After validation, call GetOpenIdTokenForDeveloperIdentity from your authentication backend using developer credentials. Return the identity ID and OpenID Connect token back to the device.
The Cognito credentials provider will then exchange the OpenID Connect token for AWS credentials tied to that Twitter identity.
Full details about the identity provider interface and flow are available in the dev guide (iOS or Android).
If you don't want to manage the communication with Twitter yourself, you may want to consider integrating with another service such as Auth0, which itself integrates with Cognito via OpenID Connect tokens and needs no back end.
See this blog post and this sample app for an iOS example.
Update 2015-04-30: Amazon Cognito has been updated to natively support Twitter and Digits. Read more on the AWS Mobile blog as well as the Amazon Cognito developer guide.
I'm building a backend for my Android app using GAE, and I'd like to authenticate users with their Google accounts, sent from the Android app.
Before OAuth2, you were able to use a cookie retrieved from the _ah/login endpoint to authenticate users in your web app, but that method is deprecated and I'd like to be able to use the updated OAuth2 method.
In my Android app I've been able to generate a JSON Web Token using the following line:
String jwt = GoogleAuthUtil.getToken(FamiliarActivity.this, Plus.AccountApi.getAccountName(mGoogleApiClient), "audience:server:client_id:1234567.apps.googleusercontent.com");
or an OAuth token:
String oauth2 = GoogleAuthUtil.getToken(FamiliarActivity.this, Plus.AccountApi.getAccountName(mGoogleApiClient), "oauth2:server:client_id:1234567.apps.googleusercontent.com:api_scope:https://www.googleapis.com/auth/plus.login");
Either one I can manually pass to my API and validate against Google. But I haven't been able to figure out a way to use a token like this to trigger authentication in GAE the way the cookie used to. The documentation seems to indicate passing it as a header, Authorization: Bearer <TOKEN>, but that doesn't seem to work.
What is the correct way to retrieve and pass a token to my GAE endpoint so that it authenticates the user?
The correct and documented way to accomplish this is to:
1) Create an OAuth-protected endpoint with the https://www.googleapis.com/auth/plus.login or https://www.googleapis.com/auth/userinfo.email scope and the authorized client ID for the Android client app.
2) Generate the client library and integrate it with your app.