I'm building a small Java client with a Angular frontend to be distributed to clients.
At the moment I have a login screen via Angular which returns a valid firebase token. Where I'm unsure is how can I use that token to authenticate the user against the Java part of the application, so the Java client can perform actions such as file uploads.
With the Admin SDK I can do something like:
public FirebaseAuth firebaseAuth() throws IOException {
FileInputStream serviceAccount = new FileInputStream(new ClassPathResource(SERVICE_ACCOUNT_KEY).getFile());
FirebaseOptions options = new FirebaseOptions.Builder()
.setCredentials(GoogleCredentials.fromStream(serviceAccount))
.setDatabaseUrl(String.format("https://%s.firebaseio.com/", DATABASE_NAME))
.build();
FirebaseApp.initializeApp(options);
return FirebaseAuth.getInstance();
}
Which I can then go on the standard flow of of validating the token against Firebase and getting the user details.
Since I'm distributing both the Angular frontend and the Java client to end users, I can't use the Admin SDK.
How do I go about solving this? Is there some other type of flow I should be looking into? or can I make use of the Firebase token somehow?
The Firebase Admin SDK doesn't have the ability to scope its access to a single authenticated user. It's intended for use on backend systems that you control fully. Initialized with a service account, it will have permission to do anything that service account can do. It's not intended to be distributed to end users or any entity that you don't trust with full access to your Firebase project.
When it comes to actually authenticating the end user, Firebase Authentication is only meant to be used in the client apps (Android, iOS, web, and derivative environments).
Related
I have a problem auth with microsoft graph api. I never work with it.
I try to write application responsible for downloading attachments from mails.
The program will be scheduled from platform so it cannot get admin consent (therefore authorize using Client Credentials).
Every code example I found required an user interaction to sig in on microsoft to get a token.
I received from admin in my company below items:
clientID, tenantID, app name, mailbox address
and permission EWS.AccessAsUser.All (should I request about Mail.Read permission? mailbox can be easily migrate to 0365. If I well understand EWS is for exchange)
I'd like to connect to mailbox and download attachments.
Is any way to receive authentication with clientID, tenantID ? any provider exist ? without user interaction to get a token?
You can obtain an app-only token by using Microsoft Graph Java SDK.
ClientCredentialProvider authProvider = new ClientCredentialProvider(
this.clientId,
this.scopes,
this.clientSecret,
this.tenantId,
this.endpoint);
IGraphServiceClient graphClient = GraphServiceClient
.builder()
.authenticationProvider(authProvider)
.buildClient();
You can find a full example in the java spring webhook sample. There's however a small caveat because of the authentication SDK as described here.
The permission you need to request is Mail.Read of type Application Permission under Microsoft Graph in the application registration portal. Once you've added that permission, do not forget to click the Grant admin consent for XXX button on top of the permission list (this is how you grant permissions if you don't have a UI flow).
Lastly, EWS is a separate API from Microsoft Graph, you shouldn't need any permission for it in your case.
you can get Access token using below code reference from Microsoft which uses Java SDK.
https://github.com/Azure-Samples/ms-identity-java-daemon/blob/master/msal-client-credential-secret/src/main/java/ClientCredentialGrant.java
I want to set up actions on the google home console so the user can fetch data about their account from the google home.
Currently, I have a mobile app that uses the Firebase Auth to authenticate my users by having them sign in (via email/password, google, facebook) and then using the Firebase ID token associated with that user, I reach out to Firebase to check if this user exists and who it is, to make calls to my endpoints.
I have read several questions regarding this on stack overflow similar to this. However, they say to use my own separate OAuth flow. The issue with this as said above is that the way I authenticate my user is by using the Firebase ID token from the sign-in firebase user and then using their UID to know who they are and to return the correct information.
Is there really no way to use Firebase Auth through the google home?
If not, how am I suppose to authenticate my users through a separate OAuth because I use the UID from Firebase which is the means of identifying my users?
Is there something I am just not understanding?
Firebase Auth is a type of client-side authentication. A client authorizes with Firebase with one of several methods, and gets an identity token.
Actions on Google is a server-side platform. As such, it is unable to authenticate directly to Firebase. Firebase Auth is not an OAuth server.
You would be unable to directly use Firebase Auth to authenticate your users. If you were interested, you could try to use Firebase Functions as a way to do the OAuth exchange.
Alternatively, you may want to use a service like Auth0 which is an OAuth service. Similar to Firebase, it provides many authentication services like Email/Password, Google, and Facebook.
If you go with Auth0, you may need to do some extra logic to associate the OAuth ID with your Firebase ID by matching the service and service ID.
I would like to integrate PayPal signin into an android app so to authenticate the client to the Firebase Database. I've managed to create a custom funtion on the node.js server that creates tokens from the provided uid, in order to use "signin withcustomtoken" function in the client application. Should I send the uid to the nodejs server through https in order to get the token? Is there a better way?
Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid.
What you need to do is the following:
Implement a paypal OAuth code flow. You can use third party libraries for that.
When you get the paypal OAuth authorization code, you send it to your backend, you use the paypal client ID and secret to exchange for a paypal refresh token and access token. You can then get the user info associated with that paypal user including their paypal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
On the client you would signInWithCustomToken to complete sign in with that custom token.
In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.
This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.
I'm currently working on an AWS mobile app project in Android Studio, and I'm currently trying to set up a MQTT-connection to AWS IoT through AWS Cognito & IAM authentication.
If I run the MQTT-client as a stand-alone project without authentication, assuming an unauthenticated IAM role, I'm able to connect to MQTT, and subscribe & recieve from the given topic.
However, once I try to run my MQTT-client through an authenticated user (through a log-in on my mobile app), the client is restricted, and constantly tries to reconnect.
I enabled logging in AWS CloudWatch, and the following debug message is given:
"... EVENT:MQTT Client Connect MESSAGE:Connect Status: AUTHORIZATION_ERROR"
The unauth and auth roles in the IAM console have identical policies & resource access, yet something's stopping the MQTT connection.
PS. The Auth role can, in my app, access userfiles & S3, the probelem seems to be unique for IoT access.
Does anyone know if it's possible to allow connections through an authorized user without using cert-files, if so, how? Unless I'm mistaken Cognito and IAM should be able to perform the required authorization to access resources (and it does, as long as I'm not logged in to the auth role)
Appreciate any tips I can get at this point, been struggling for a while.
I eventually figured out the issue by reading the AWS documentation more thoroughly.
The AWS credentials provider does not store the required information to authorize access through AWS. So I solved the issue by retreiving the required user tokens into a hash, and setting these to the credentials provider, and the issue was finally solved.
AuthenticationResultType authenticationResultType = new AuthenticationResultType();
String idToken = authenticationResultType.getIdToken();
// Initialize the AWS Cognito credentials provider
credentialsProvider = new CognitoCachingCredentialsProvider(
getApplicationContext(),
COGNITO_POOL_ID,
MY_REGION
);
Map<String, String> logins = new HashMap<String, String>();
logins.put("yourAWSEndpoint", idToken);
credentialsProvider.setLogins(logins);
I have a desktop Java application that communicates with a GAE server. The client application signs in to the server using OAuth 1.0 with signpost via the provided endpoints
(appname.appengine.com/_ah/OAuthGetAccessToken and the like) with consumerkey and consumersecret set to "anonymous" and scope set to the GAE domain. The login process appears to be working fine:
Retrieve Request Token
Let the user visit the resulting authentication URL
Ask user for verification code
Retrieve Access Token
At this point, I have a seemingly valid token and token secret. If I use these to sign a request to the GAE server, I get an OAuthRequestException when identifying the user:
OAuthService oauthService = OAuthServiceFactory.getOAuthService();
try {
user = oauthService.getCurrentUser();
if (user != null) {
ri.userName = user.getEmail();
}
} catch (OAuthRequestException t) {
t.printStackTrace();
}
This used to work fine until this morning. I am using a modified version of the Chrome to Phone GAE backend. I noticed that Chrome to Phone is having the same issue: I cannot login to the service anymore, so I don't believe this is an error on the client side. Logins don't show up in the Google Connected Sites, Apps, and Services console. Here is a link to the affected line in Chrome to Phone's GAE service: Chrome2Phone affected source.
I already tried registering the application in the Google API console and provided comsumer key and secret, with the same result.
We made some back end changes to our authentication system which ended up not being compatible with App Engine code relying on the authentication system. It appears to be a rather straightforward issue and we are in progress with a fix. We don't have an exact timeline on resolution yet but expect it to be soon.
Update: the fix has been rolled out to production as of about 8pm PST. Thanks everyone your patience.
This isn't exactly an answer, but I'm seeing the same new behavior on a python app engine app using the built-in oauth provider libs (google.appengine.api.oauth). Existing saved tokens continue to work, but requesting a new token and then using it to call a protected service results in a InvalidOAuthTokenError. This is with unchanged consumer and provider code that worked flawlessly until last night (approximately midnight CST).