I want to set up actions on the google home console so the user can fetch data about their account from the google home.
Currently, I have a mobile app that uses the Firebase Auth to authenticate my users by having them sign in (via email/password, google, facebook) and then using the Firebase ID token associated with that user, I reach out to Firebase to check if this user exists and who it is, to make calls to my endpoints.
I have read several questions regarding this on stack overflow similar to this. However, they say to use my own separate OAuth flow. The issue with this as said above is that the way I authenticate my user is by using the Firebase ID token from the sign-in firebase user and then using their UID to know who they are and to return the correct information.
Is there really no way to use Firebase Auth through the google home?
If not, how am I suppose to authenticate my users through a separate OAuth because I use the UID from Firebase which is the means of identifying my users?
Is there something I am just not understanding?
Firebase Auth is a type of client-side authentication. A client authorizes with Firebase with one of several methods, and gets an identity token.
Actions on Google is a server-side platform. As such, it is unable to authenticate directly to Firebase. Firebase Auth is not an OAuth server.
You would be unable to directly use Firebase Auth to authenticate your users. If you were interested, you could try to use Firebase Functions as a way to do the OAuth exchange.
Alternatively, you may want to use a service like Auth0 which is an OAuth service. Similar to Firebase, it provides many authentication services like Email/Password, Google, and Facebook.
If you go with Auth0, you may need to do some extra logic to associate the OAuth ID with your Firebase ID by matching the service and service ID.
Related
I would like to integrate PayPal signin into an android app so to authenticate the client to the Firebase Database. I've managed to create a custom funtion on the node.js server that creates tokens from the provided uid, in order to use "signin withcustomtoken" function in the client application. Should I send the uid to the nodejs server through https in order to get the token? Is there a better way?
Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid.
What you need to do is the following:
Implement a paypal OAuth code flow. You can use third party libraries for that.
When you get the paypal OAuth authorization code, you send it to your backend, you use the paypal client ID and secret to exchange for a paypal refresh token and access token. You can then get the user info associated with that paypal user including their paypal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
On the client you would signInWithCustomToken to complete sign in with that custom token.
In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.
This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.
I have SiteA storing user information(name, office, department etc.).
The back end has exposed REST WS that give the information to the front end. The site uses Google OAuth2 authentication - Users log in via Google account. With OAuth2 we let google handle the login(without asking for username and password). Google generates an authorization code that is used with the client_id and client_secret to generate an token for the user.
I have SiteB. I am creating a job that is going to be executed once a day.
I need it to login programmatically to SiteA so I can get a security token that I can use in requests to the REST WS API provided by SiteA and fetch the needed information.
I was unable to find a similar question online. Everything usually ends up to the user opening a browser and navigating to an approaval URL.
Something similar is Google Drive API - OAuth2.0: How to Automate Authentication Process? Doubts and Questions, but it is about connecting to Google Drive without login.
I am starting to doubt that it is possible. Have anyone figured out how to implement this way of communication between systems?
The only option that I could thing of is connecting to SiteA DB and extracting records manually, but that would duplicate the login in SiteA and SiteB.
What I was asking is not possible in the time of writing the question.
What we did to solve the issue is to extend the life of the token for the account that is used to login to SiteA and set it it in the header of the request from SiteB:
connection.setRequestProperty("Authorization", token);
We changed the lifespan of the token from the database and since this are internal systems the long life of the token is not a problem.
Another option is to follow How to get offline token and refresh token and auto-refresh access to Google API and generate an offline token, but the idea is still the same.
Hope this helps someone.
I think it will be hard question. Anyone had dealt with cognito and Twitter. Last do not support OpenID. So have any idea, how can synchronize these two things.
Cognito documentation said only: Using Cognito, developers can store information such as user ... that are not natively supported by Cognito, such as Twitter or LinkedIn™
In order to use twitter, you would need to implement it as a developer authenticated identity provider http://mobile.awsblog.com/post/Tx1YVAQ4NZKBWF5/Amazon-Cognito-Announcing-Developer-Authenticated-Identities
The basic flow would be:
Implement an identity provider that prompts the user to log in with twitter on the device. Using the token twitter returns, call the authentication backend you create to validate the token using the twitter api.
After validation, call GetOpenIdTokenForDeveloperIdentity from your authentication backend using developer credentials. Return the identity id and OpenID Connect token back to the device.
The Cognito credentials provider will then exchange the OpenID Connect token for aws credentials tied to that twitter identity.
Full details about the identity provider interface and flow are available in the dev guide:
iOS or Android
If you don't want to manage the communication with twitter yourself, you may want to consider integration with an another service such as Auth0, which itself integrates with Cognito via OpenId Connect tokens and no back end.
See this blog post and this sample app for an iOS example.
Update 2015-04-30: Amazon Cognito has been updated to natively support Twitter and Digits. Read more on the AWS Mobile blog as well as the Amazon Cognito developer guide.
I managed to implement the auth function described by google using a clientid.
So when visiting the html page, one gets asked to authenticate with a google account.
Question: As it is now, everyone can use the site, as long as he/she has a Google account to authenticate with. How do i restrict the usage to a certain group of users? Do i need to manage a list of unique user ids provided by the User object? Or is there already something prebuild, that i can make use of?
I think the safest would be to keep a list of Ids. What are the basis that you expect google or anyone else to know what kind of users you want to allow?
Even if its only geographic there are times when people might be using proxies or using yor site from a remote location.
The site you linked to also says so much :
Specifying Authorized Clients in the API Backend
You must specify which clients are allowed to access the API backend
by means of a whitelist of client IDs. A client ID is generated by the
Google API console from a client secret, such as the SHA1 fingerprint
of a key used to secure an Android app, or from the Bundle ID/Apple
Store ID pair for an iOS app, as described in Creating OAuth 2.0
Client IDs. At runtime, a client app is granted the authorization
token it needs to send requests to the API backend if its client
secret matches one contained in a client ID within the API backend's
client ID whitelist.
Also its only common authentication (who is it), authorization (what they can do on your site) comes from you.
Is it possible to simulate user behaviour on some twitter service that use oauth autorization(you have to enter your twiter credentials and allow to application access to it)?
For example, I have some routine actions with couple of twitter accounts on some twitter service and wanted to write a program(java\python etc.) to make it automatically.
Is there any way to login in such services?
It is possible ton automatize application authorization using username and password. You need to "simulate" user acceptation (on the auth web page) and parse the PIN code on the resulting page.
You need username and password (or manual acceptation) one time only if you retrieve and save user tokens (key and secret).
Some OAuth libs already provide such features