I am working on an application that is authenticated by Google for the login part. The application is on AngularJS and is managed by Java RESTful services. The domain that we are using is managed by Google. The requirement is that I need a service from back end to check with Google if the email is still active or not. Let us say that the Admin disabled or suspended a user while the user was logged in. I need a way to check with Google if this email is still active or not. The only way that I found so far is by having the user name and password.
I wanted to know if it is possible if Google can call my service for me to disable the user from my end and if it was not possible how can I check the user status without the need of using the password.
Thanks in Advance
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
I have a mobile application (HTML 5, JavaScript) and a Restful service (Java, Jersey) to cater the mobile application.
Mobile application sign in is handled via a Facebook (Sign in using Facebook account). And currently there is no any security mechanism integrated for the Restful service
So my question is, can I authorize users on the Restful service via the access token retrieved from Facebook, to the mobile application ? To further clarify, if someone has logged into the mobile he/she should be authorized to make requests to the Restful service.
Thanks in advance
Asanka
If the user has authenticated with Facebook and you have the access token with you, you can get the user's facebook profile's public information.
You've got to hit this link - https://graph.facebook.com/me with the access token.
Go ahead, click on the link and see what happens. When you pass a valid access token, profile info will be returned as a JSON object.
(if you FB profile page is = facebook.com/yourname, then just try https://graph.facebook.com/yourname -> you'll be able to see what the data returned looks like.
Now, with the user data returned you can keep an entry in your DB if the user is registered or not, for first time users you can register them.
PS - https://graph.facebook.com/yourname actually returns someone's profile info! I didn't know anyone could keep their profile handle as yourname!!!
PPS - I just checked facebook.com/yourname -> Guess who uses this handle! It's the brazilian defender Roberto Carlos!
I am getting confused.
I have to write an Java Serverapplication for an mobile application. We have our own user management in that application, meaning the user can register and login on our servers without using an OAuth-Provider at all.
Now I want the user to be able to alternativly register via an OAuth Provider.
These are the options I see:
Let the user register local only.
Advantage:
The mobile applications can use the frameworks which are able to login and retrieve an access token for our application
Everything is prestyled by the platform itself, so no GUI work on that
Disadvantage:
How does the server know if the user is logged in or not? One way to figure that out could be to send the access token to the server and let the server start a request to the provider to check if the token is valid or not.
For the registration I have to send all user information which the client got from the provider to our servers.
I dont like this option, cause I would send Userdata and Accesstoken arround. Yes, it would be crypted via https of course, but it just feels wrong.
Let the user register via our servers
The user requests the OAuth provider itself to retreive the code with which you could request the access token.
Send this code to the server and let the server retreive the acess token.
Advantage:
The Server can be sure now, that the user is logged in
The server can retreive all user specific information about the user (such as username etc) from the OAuth provider itself, without sending the arround.
On a login you can repeat this, to make sure that the user is logged in correctly
Disadvantage:
I have to write the OAuth connectors (or using some library for that)
We are not able to use the sdk's, cause they're just returning the actual access token.
We still prefer the first option (register local only)
Because
they WANT to use the sdks. "'cause everyone does it."
If the user would start the application the first time and he was logged in already (with i.e. the FB client), he just has to accept the scopes, we setted up for our application.
Easier to handle the actual login, cause the sdk's where made for it
Does anyone know how to do something like that correctly? Both solutions seem a bit wrong to me.
I've developed a Chrome Web Store app using Google App Engine. I'd like to follow these instructions: http://code.google.com/chrome/webstore/docs/identify_user.html#realm
But I need to call User::getFederatedIdentity() so that I can call the Chrome Web Store licensing server and find out if the user has purchased my app.
The trouble with that is, in order for UserService::getCurrentUser() to work, the user needs to be logged in.
The trouble with that is, when I call UserService::createLoginURL() to generate a redirect URL, the redirect URL takes the user to... the OpenID approval screen. This happens even though I've set the App's OpenID realm, as per the instructions in the page linked above.
Is there a way for me to do what I want but still use the User and UserService classes?
(Possibly a legit alternate phrasing for this entire question: using Google App Engine's UserService class, is there a way to request permission from the user to access their federated identiy, without also requesting permission to access their email address?)
Thanks in advance!
Please reread how to skip the OpenID approval screen. Have you set the realm? And are you asking for any information other than the URL? If you request the user's email address (or other information), then it is necessary to inform the user and obtain their permission to grant access to that information.
I have created a java web application using spring. I want the users of my application can be logged automatically into my application when they are logged into facebook. Any help will be highly appreciated.
It depends of your app. BTW, facebook have good documentation about this, you have to use javascript auth (there are many examples), with manually processing result or using facebook-java-api (look at FacebookSignatureUtil for example).
PS you have to register your webapp at facebook before using facebook connect
I don't think it is possible for you to get user to automatically logged into your app. Facebook stores the log in token in a cookie, this cookie will get passed back to same server, not to your server.
The click, will send request to facebook and you will get authentication token from facebook.
In fact, it is possible for facebook login button to log you into site even if user is logged out of facebook. You need to ask for "offline_access" permission.