I've successfully implemented user login in my android app with Google Identity Toolkit. I've also created an App Engine Endpoint to communicate from the Android app. Now I want to secure the endpoints with auth.
I know I can create a custom Authenticator for endpoint and do any kind of verification of the data in request header in there and get the job done.
But I don't know how to do the Gitkit verification there.
Basically
What data should I pass to reach endpoint calls from Android app?(token ID?)
What should I do in the custom Authenticator of endpoint to ensure the requests are valid?
I saw people suggesting to use Session or cookies. Will these work if I'm using the endpoint from Android app? If yes please give me some reference on how it can be done.
Gitkit tokens are JWT format, so you validate them on server-side just as any other JWT token.
See example documentation on how to validate JWT here: https://developers.google.com/identity/sign-in/web/backend-auth It's the same format.
I have also my own project to integrate it with Jersey server:
https://github.com/dlazerka/gae-jersey-oauth2. It uses recommended com.google.api-client library to actually verify the token.
Related
I would like to integrate PayPal signin into an android app so to authenticate the client to the Firebase Database. I've managed to create a custom funtion on the node.js server that creates tokens from the provided uid, in order to use "signin withcustomtoken" function in the client application. Should I send the uid to the nodejs server through https in order to get the token? Is there a better way?
Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid.
What you need to do is the following:
Implement a paypal OAuth code flow. You can use third party libraries for that.
When you get the paypal OAuth authorization code, you send it to your backend, you use the paypal client ID and secret to exchange for a paypal refresh token and access token. You can then get the user info associated with that paypal user including their paypal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
On the client you would signInWithCustomToken to complete sign in with that custom token.
In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.
This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.
I google search many time about how to authenticate Restful API and Mobile App.
I found a lot answers but I feel not better, or perhaps because I am new in API.
My Willing:
Mobile App request or post data to Restful Server
Restful Server Authenticate Mobile App by Username And Password Login
I want to secure on Restful Server And avoid hacker steal password and request data.
After searching by google they told:
use Https with SSL
authenticate username or password then generate new token and signature
use token and signature to authenticate Mobile App.
Other way use Oauth 2.0. After reading Oauth 2.0 document,
I still think its structure still similar token and signature above.
I think if like that, mobile app can store or use token and signature,
or hacker can debug or see process log in by proxy request.
I feel still not secure
because we still use token and signature on requesting.
I just start my new knowledge in API. If I misunderstand,
I am sorry. I use PHP coding.
I would recommend jBoss's Keycloak (http://www.keycloak.org/). From the first page:
Add authentication to applications and secure services with minimum
fuss. No need to deal with storing users or authenticating users. It's
all available out of the box.
You'll even get advanced features such as User Federation, Identity
Brokering and Social Login.
For more details go to about and documentation, and don't forget to
try Keycloak. It's easy by design!
I am using Google App Engine with Java.
I would like to know, how to integrate custom JWT based authentication in Google App Engine.
I have seen https://developers.google.com/identity/choose-auth but I dont want the users connected with Google Account. I also want the users to sign in without an email address, but a username.
I searched on the internet but everywhere I looked, it is talking about the Google based authentication.
Thanks in advance.
It seems at the moment, there is no library available for doing this.
Also I was unable to find any documentation to do this.
Here is how I implemented it.
The client passes JWT in the Authorization header.
At the API endpoint (not in Filter, it wont work), I extracted the header and validated the JWT. I throws Exceptions from the validation function itself, so that I don't have to repeat a lot of code.
I'm building a backend for my Android app using GAE, and I'd like to authenticate users with their Google accounts, sent from the Android app.
Before OAuth2, you were able to use a Cookie retrieved from the _ah/login endpoint to authenticate users into your web app, but that method is deprecated and I'd like to be able to use the updated OAuth2 method.
In my Android app I've been able to generate a JSON Web Token using the following line:
String jwt = GoogleAuthUtil.getToken(FamiliarActivity.this, Plus.AccountApi.getAccountName(mGoogleApiClient), "audience:server:client_id:1234567.apps.googleusercontent.com");
or an OAuth token:
String oauth2 = GoogleAuthUtil.getToken(FamiliarActivity.this, Plus.AccountApi.getAccountName(mGoogleApiClient), "oauth2:server:client_id:1234567.apps.googleusercontent.com:api_scope:https://www.googleapis.com/auth/plus.login");
Either, manually, I can pass to my API and validate against Google. But I haven't been able to figure out a way to use a token like this to trigger authentication in GAE like the Cookie used to. The documentation seems to indicate passing it as a header: Authorization: Bearer <TOKEN> but that doesn't seem to work.
What is the correct way to retrieve and pass a token to my GAE endpoint so that it authenticates the user?
The correct and documented way to accomplish this is to:
1) Create an OAuth protected endpoint with the
https://www.googleapis.com/auth/plus.login
or
https://www.googleapis.com/auth/userinfo.email
scope and authorized Client ID for the Android client app.
2) Generate client library and integrate with your app.
I'm having a hard time wrapping my head around how to authenticate a user in my REST service. I plan to use Google Sign-in (on Android, namely). I can't quite figure out how to authenticate users on my server. I do not want to have any authorizations (other than validating the identity of the user), all I want to do is when I receive a request, validate that the user is who he (or she) says he is.
My understanding is that the user will login, get some sort of token from Google, then send that token along his request to my server which I will use to validate his identity. However, from what I read, the user will encode their requests in a JWT (json web token), which I will then use to validate their identity without ever talking to the Google server directly. Did I understand properly?
On Google's documentation, it says
If you do not require offline access, you can retrieve the access token and send it to your server over a secure connection. You can obtain the access token directly using GoogleAuthUtil.getToken() by specifying the scopes without your server's OAuth 2.0 client ID.
But it does not say what the server should do with the token.
You have an android app which enables user to log in via Google+ Sign-In, and then this Android app will call your REST API. What you want is how your service authenticates this request. This Android client will send request to your service with token, and you need to validate this token for authentication. Is my understanding right?
If so, you need to validate the token sent to your service. The reference you mentioned is for Google API calls, in your case; it's your own service API call. For the Android side, just follow the reference, in your service side you can use TokenInfo validation to authenticate users.