I have developed many stateless RESTful webservices for a mobile application in Java and they are working very well.
For example:
http://.../api/coupon
http://.../api/coupon/{id}
...
Now, I have to extend these services because I have to send different data back to the mobile for every user. So I need to know on the server side which user try to get or set information. And I have to prevent the serve of unauthorized users.
There are two different way how user can login into the mobile application:
log in with facebook account
log in with an application account
I need to develop two login and a logout services because the users who use the mobile application have to login into the application.
I read lots of article about auth and RESTful and OAuth.
I think I have to develop two login services with two imput parameters: username and password.
For example:
localLogin(String username, String password) -> token
facebookLogin(String username, String password) -> token
These logon services have to generate a same token and send it back to the mobile application in the http header. And after the login process the mobile client has a token. And the client has to send this token to the server when it makes a RESTful server call.
What do you think? Is my idea good?
If it is, could you help me how can I start to develop this in Java?
If it is not, could you tell me the good way?
You do not need 2 log in procedures. Just use the Facebook SDK!!
i) In your app would be a login with facebook button.
ii) User clicks on it and is then redirected to the facebook login page, where the user enters his credentials and facebook returns a token to you. You do not have to worry about the user's facebook credentials or storing them anywhere! Facebook will handle that for you. Consider the FB login part as black box to your app - you simply make a FB SDK's login call and it will do some processes and give back a access token to your app.
iii) Now, you can exchange the access token for the user's profile information. Enter this profile info to your database - that will ensure authenticated call.
Once you have verified that the user is logged on you can do whatever you want.
Related
I'm currently working with a backend service, which is allowing users to log in using the Google Games library on a client application.
The user can send us through their gplay id in order to log in, or restore an old account. Including their gplay id, the user is sending us the following;
GPlay ID: gxxxxxxxxx
GPGS client id: xxx-xxxxx.apps.googleusercontent.com
GPGS auth code: 4/xxxxxxxx
message_salt: <ByteString#xxxxxx>
Is there any way to use the above data on the server, and verify that the user owns the GPlay ID that they are sending us?
Currently, I'm not seeing any way to authenticate the user's ownership of their GPlay ID - nor am I seeing any obvious way that it can be compared against their client id or auth code to ensure that the user's request to log in/restore an account using their GPlay ID is legitimate.
Does anyone know of any way that you can verify a user with the above data?
The server auth code is the only piece of information you need to send from the client to your backend server. To use the server auth code:
Associate your client app and your backend server app to the same game definition on the Play console.
When building the Google Sign-In configuration, add the requestServerAuthCode() option, passing in the client id of your backend application.
Once the user authenticates, get the serverAuthCode from the GoogleAccount object.
Pass the authCode to your backend server.
On the server, exchange the auth code for an access token. This token is specific to your application and the user. Save the refresh token on the server in case you need to refresh the access token.
Once you have the access token, verify the token by sending a GET request to www.googleapis.com/games/v1/applications/<app_id>/verify/. This returns the information about the authenticated player.
There is a sample of both the client and server side code at
https://github.com/playgameservices/clientserverskeleton
I write a lite instagram client (Instagram is a part of client).
And I need to the user can authorizate in Instagram without web-form (to I don't need to send the user in his web-browser).
At this moment I use a link https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code.
It sends the user to the web-form where he can input his login and password.
How I can send his login and password programatically without using of the web-brower?
No way to login without the Instagram's web interface. Use a Webview to open the auth URL and redirect back to app.
I have a mobile application (HTML 5, JavaScript) and a Restful service (Java, Jersey) to cater the mobile application.
Mobile application sign in is handled via a Facebook (Sign in using Facebook account). And currently there is no any security mechanism integrated for the Restful service
So my question is, can I authorize users on the Restful service via the access token retrieved from Facebook, to the mobile application ? To further clarify, if someone has logged into the mobile he/she should be authorized to make requests to the Restful service.
Thanks in advance
Asanka
If the user has authenticated with Facebook and you have the access token with you, you can get the user's facebook profile's public information.
You've got to hit this link - https://graph.facebook.com/me with the access token.
Go ahead, click on the link and see what happens. When you pass a valid access token, profile info will be returned as a JSON object.
(if you FB profile page is = facebook.com/yourname, then just try https://graph.facebook.com/yourname -> you'll be able to see what the data returned looks like.
Now, with the user data returned you can keep an entry in your DB if the user is registered or not, for first time users you can register them.
PS - https://graph.facebook.com/yourname actually returns someone's profile info! I didn't know anyone could keep their profile handle as yourname!!!
PPS - I just checked facebook.com/yourname -> Guess who uses this handle! It's the brazilian defender Roberto Carlos!
Is it possible to simulate user behaviour on some twitter service that use oauth autorization(you have to enter your twiter credentials and allow to application access to it)?
For example, I have some routine actions with couple of twitter accounts on some twitter service and wanted to write a program(java\python etc.) to make it automatically.
Is there any way to login in such services?
It is possible ton automatize application authorization using username and password. You need to "simulate" user acceptation (on the auth web page) and parse the PIN code on the resulting page.
You need username and password (or manual acceptation) one time only if you retrieve and save user tokens (key and secret).
Some OAuth libs already provide such features
I have created a java web application using spring. I want the users of my application can be logged automatically into my application when they are logged into facebook. Any help will be highly appreciated.
It depends of your app. BTW, facebook have good documentation about this, you have to use javascript auth (there are many examples), with manually processing result or using facebook-java-api (look at FacebookSignatureUtil for example).
PS you have to register your webapp at facebook before using facebook connect
I don't think it is possible for you to get user to automatically logged into your app. Facebook stores the log in token in a cookie, this cookie will get passed back to same server, not to your server.
The click, will send request to facebook and you will get authentication token from facebook.
In fact, it is possible for facebook login button to log you into site even if user is logged out of facebook. You need to ask for "offline_access" permission.