I managed to re-authenticate the users with Apple, Facebook, Google, Email, and Phone in Firebase with SwiftUI, but when the users re-authenticate with Facebook or Google, the provider information is already stored there, so the user doesn't really re-authenticate. How can I make the user write their credential information for Facebook and Google when they re-authenticate?
For anyone stuck on the same thing, the best alternative was to use either an email-link or phone number to re-authenticate. And since all users have both, the re-authentication is simple.
Also, side note: If the user signed up by using Google provider and they try to re-authenticate by a email-link (I assume this happens with Facebook and Apple too) Firebase automatically links authentication for Passwordless-autentication to their Google account on my app, which makes re-authentication for sensitive actions really simple!
Related
So on my mobile app, I wish to use Google login API for users registration. I'm saving the user details like first name,Lastname, email. The above data will be stored in Firestore.
My question is
will this uid and OAuth Token be useful later? if yes in what way it'll be useful?
After registration what should I do to verify the user and make the user login? Since we don't use any passwords for verification.
and what is the professional way of storing user data in a database?
The Oauth Token allows you to make calls to google API based on the authorised scopes. When working with identity attach make a call to...
https://www.googleapis.com/gmail/v1/users/me/profile
Attach the Oauth token to the Authorization Header. If you get a response then it means the user is signed up.
With the Google Login API this is pretty much all you can do with the token. :)
I can't really figure out what exactly the facebook API and its services are capable of in terms of user management. Given that I would completely rely on facebook for registration and login, does facebook only provide the authentication and registration process and return me data to store in my own database or does it also itself store a list of already registered user accounts which I can query later on so that I could completely outsource user management from my servers?
If you only need to authorize a User, you don´t need to store anything. You only need to store them in a database if you need to identify returning Users, or if you need to use his data while he is not online.
There is no user management though, you can´t just get a list of all users who authorized your App from Facebook. That´s what you have to store on your own. Make sure to implement the possibility to remove a User from your database, Facebook offers a deauthorization-callback in the App settings for that.
Update: It appears that when there's no API or token, software seems to simply ask the user for their account credentials, and probably has to store this information. I guess it can't be a huge security risk, since people are willing to share this information with apps like Mint:
So, my conclusion is that it is OK to ask users for credentials to other services if they can be secured safely and the user desires the service provided.
Many, many apps use others apps such as Facebook in order to get data from it, usually to verify the user is real and to get relevant profile data (e.g. a dating app would want age, gender, etc.).
When using such an app, I do not have to enter in my Facebook credentials. The app simply opens up my Facebook/asks for permission to access it, and voila it's done.
There seems to be a lot of documentation for well known companies like Facebook, Twitter, and PayPal on how to do this.
But how is it done for an arbitrary website that requires a user/profile, e.g. this website: http://ae.com/web/index.jsp
Unsurprisingly, if I google for FaceBook, there's a heap of resources, and even it's own dedicated tag (https://developers.facebook.com/docs/facebook-login/access-tokens).
However, if I start googling for American Eagle, e.g. "https://www.google.com/search?client=safari&rls=en&q=american+eagle+access+token&ie=UTF-8&oe=UTF-8", I get nothing relevant at all.
If I understand your question right, that you want to enable facebook login for your website,
you still need to create a facebook app. then use the access tokens in your website. so when user clicks on login with facebook, the app will be asking for permissions and finally you will get the access token and you can use that in your site to log in.
I'm trying to implement facebook connect to my website, and i have couple questions.
1: Is it possible to register user in my website using his current facebook email/password.
Let's say user clicks on link Register via facebook and then he have to give me permisions to access his password, email, etc... and after that is done i put that info in my own database and he will be able to login with that account any time he wants without needing to give me permisions any time in the future.
2: If that kind of registration is not possible, what's other solution would be the best for me? Because i need to somehow keep track of that user who logged in with facebook, because he can upload photos, send messages etc.
Anyways, i'm quite new with facebook and similar things, so i'm really lost here, hope some one can help me :)
EDIT Thank you all for wonderful answers it helped me a lot, now all that's left is to read documentation :)
Yes it is, it is possible to get the information of the user. But it is rather complicated, when you have never dealt with it.
First you need to send the user to the following link:
https://m.facebook.com/dialog/oauth?client_id=your-client-id&redirect_uri=xxx&scope=listof-information-you-want
Facebook will then return your client to the uri specified, if the user rejected it will give a reason. If it is not you will get an code in urlencoded format.
This code is needed for the following step, the request of the access token:
https://graph.facebook.com/oauth/access_token?redirect_uri=xxx&client_id=xxx&client_secret=xxx&code=xxxx
This will give back an access token, if the authorization didn't fail.
After that you can ask for the information you want:
https://graph.facebook.com/me?method=GET&metadata=true&format=json&access_token=access_token
This will include a facebook uid, which is unique for all users. Store it and you can discern between a register and login.
This is roughly the process for any oauth2 application.
Facebook will not ask repeatedly for permissions after the user granted them to you. So you can store the access token and reuse it for backend stuff and also use the same procedure you use for register for login.
You can never access the user's password from Facebook even with his/her permission, so the user will always have to authenticate via Facebook and have Facebook pass you the user id of the logged in user once authentication succeeds. You can store all kinds of other data locally, but not enough to authenticate the user yourself.
Once the user is authenticated, you'll have access to the user's Facebook user id via the API, which should be enough to connect all kinds of information to that specific user.
Facebook does not provide access to accounts when passwords are taken from your controls. It provides it own canvas for login information. Therefore you cannot use your first approach to store passwords in your databases. Check this out.
You can however store email addresses once user logins into his account using the facebook sdks. Check this out link for the example of C# SDK sample code.
You can use the Facebook APIs to fetch user email-id, photos, friendslist and other information and then play around accordingly.
You don't get access to the users password - only email if you ask for it.
Best way would be to have a table of users and their Facebook account id's.
If you want to allow users to sign up without Facebook then have a nullable field for their password and facebook id, and also have a field for username - which you could populate from Facebook if they register via that route.
If you have a web application that will allow the users to opt-in to sharing their activity on Facebook and Twitter I'm wondering what is the right way to architect that social authentication into your application (and what is inline with Facebook and Twitter policies) so that you can tweet and post on your wall.
Do you store the users username and password in your database?
And then call the social APIs with these credentials. From what I have learned so far both these APIs make you do an OAuth redirect thing. Is their a way to do that without the dialog interaction since you now have stored the username and password anyways.
Not sure if this is an issue, but do you have to do two OAuth handshakes one right after the next to post to Facebook and then Twitter for those users that want to share on both.
And would you have to do this each and every time the user shares something?
I just launched TweetDeck and I wasn't required to get redirected through some exchange with Twitter. Confused.
Just need some help and guidance with "how most people do it" for web-based applications.
The less prompting and less redirects the better.
I don't think storing the username and password would be a good way to go since I think most users would object to you keeping thiere usernames and passwords on file. I have not done any work with Twitter, but on Facebook you need to create an App and then ask the user to grant your app rights. These rights require the user to be loged in to Facebook in order to work, unless you request the offline_access permmission. From my experience, the fewer permmissions you request, the more users will be willing to grant you these permmissions. My approach is to always request the minimal permmissions I need to get the App to work. After granting your App permmissions, you need to get an OAuth token each time you want to interact with the user's Facebook account. (These tokens are good for about 60 minutes, as far as I remember) Storing these tokens will not help, since they expire. Hope this points you in the right direction.