I want only people whom I register or with specified email should be able to use google sign in, rest are not allow to sign in.
example:- I run a institution and I have separate id for my fellow students and I want them to only be able to sign in using that id and otherwise they should not be allowed to use any other Id(email to be more precise).
in my flutter application using firebase-> google_sign_in.
hope I am clear!
bro add some g mails in your firestore those people you want they can access my app if this emails exist in your db then they can google signin otherwise show toast your account is not regirsted by admin
try{
FirbaseFirestore.instance.collection("alloweduser).doc().where("emial",isequalto:123#gmail.com).then(){
Goolglesinin()
{
google signcode
}
}.catch(e)
{
showToast("ask admin to app permission")
}
You are talking about authentication vs. authorization.
Authentication: Since google is your authentication provider... anyone with a valid google account is authenticated.
Authorization: Who has access to what parts of the application?
You need to implement an authorization system / flow to determine if an authenticated user has access to the app. By default... all users will have NO ACCESS.
How you implement authorization - depends on your backend and how you store user data. If you are using firebase, something like this will help: https://firebase.google.com/docs/firestore/solutions/role-based-access
Related
I learn Firestore and have beginner question.
If I have a web site that connect to Google Firestore Cloud datastore and the website is pulling documents from the Cloud datastore like name: value json struktur.
Is then the website a "user" or I mean do the website need to sign in even it has apikey?
I read Get started with Cloud Firestore Security Rules and can only see settings that need a signed in user!
I want a website to pull this name: value from Cloud datastore that all I want?
Here is the rules:
service cloud.firestore {
match /databases/{database}/documents {
match /<some_path>/ {
allow read, write: if request.auth != null;;
}
}
}
looks like I must make some Auth for a user not a website?
Please advice!
The answer is that one must be signed in to be able to secure Firestore databas and if a website dont want to force users to sign in the website can sign in(under the hood)
anonymous and if the user decide to sign in later the anonymous account then with the help of linkWithCredential transformeds to the users own account like Google or Facebook sign in.
You can use Firebase Authentication to create and use temporary
anonymous accounts to authenticate with Firebase. These temporary
anonymous accounts can be used to allow users who haven't yet signed
up to your app to work with data protected by security rules. If an
anonymous user decides to sign up to your app, you can link their
sign-in credentials to the anonymous account so that they can continue
to work with their protected data in future sessions.
Authenticate with Firebase Anonymously Using JavaScript
With your security rules, a user that accesses Cloud Firestore directly from the client-side code using one of the Firebase SDKs, will have to be signed in to Firebase Authentication. This applies no matter whether the client is a native mobile app, or a web site.
If you have server-side code that accesses the same Firestore database using either one of its Admin SDKs or its REST API passing administrative credentials, that code actually bypasses these security rules - so is not bound by its requirement to be signed into Firebase Authentication.
So if you render the web site server-side and read from the database in that same server-side code, there is no need for the client-side user/code to be signed in to Firebase Authentication. But if the client-side code is directly accessing Firestore using one of its SDKs or its RET API, the user will need to be signed into Firebase Authentication.
Am a bit confused about the One tap sign in that was announced by google earlier this year. Our application already users Credential Management API in Chrome, which essentially provides the user with login options based on the credentials that user has saved for our site on previous visit (passwords that are saved in chrome). When I read the documentation for One tap sign in, it promises to do the same thing, but using Google's client api id. Our application has its own ID provider with our own database of user name and passwords, from the documentation it looks like One Tap sign in does not support custom ID providers. Can anyone shed more light on this, why would I use one against the other?
Thanks
Karthik
I see two major differences:
One Tap is passwordless - it uses a token based login that never exposes the user's password. Chrome Credential Management API stores and retrieves actual passwords in Chrome's password store.
One Tap is purely web based - Chrome Credential Management API relies on Chrome's specific implementation. One Tap is a purely web based workflow so it will work across browsers.
One Tap is a much better long term login solution in my opinion. The Credential Management API is experimental and currently only supported in Chrome.
https://developer.mozilla.org/en-US/docs/Web/API/Credential_Management_API#Browser_compatibility
I lead product development at Google for the one-tap/auto sign-in library, we designed it such that the library includes the Credential Management API and extends to provide assistance in account creation, secure passwordless, and cross-browsers support.
In particular, if you make a request for existing credentials with code like this:
googleyolo.retrieve({
supportedAuthMethods: [
"https://accounts.google.com",
"googleyolo://id-and-password"
],
supportedIdTokenProviders: [
{ uri: "https://accounts.google.com", clientId: "CLIENT_ID" }
]
});
then any saved username/passwords from the Credential Management API will be returned (in browsers supporting the API) along with token data for Google Accounts. The one-tap/auto sign-in JavaScript library wraps the Credential Management API for credential retrieval.
Furthermore, the library provides a googleyolo.hint method to show an email selector for one-tap selection of a verified email address to assist in new account creation, or to link to an existing account, and then be auto signed-in next time with token instead of password, across all browsers, so long as the same Google Account is active.
I'd suggest using the one-tap/auto sign-in library and consuming tokens as well as passwords in order to get assisted sign-up, keep existing users signed-in automatically, and provide functionality even if the browser does not support the Credential Management API.
As for the question about using your own database of username / password, the hope with this library is you could implement the ability to create accounts and auto sign-in to these and existing accounts with an OpenID Connect ID tokens representing the user's identity. With the one-tap / auto sign-in UX, these are not only much more usable, but far more secure then passwords and mitigate creation of weak/re-used passwords. Please consider this or, even better, a hosted auth solution like Firebase Auth or Auth0 and include the one-tap UX in the frontend UI.
Many mobile apps require user login. That's why Ionic launched their Auth service (https://docs.ionic.io/services/auth/). I can create users via the Auth service itself or via the Ionic API. I also can save custom data for each user. Very nice is also that I can sen targeted push notifications to my users. Seems like a nice out-of-the-box solution.
But most of the time apps have more complex logic (user can post something, user can order something, make a payment, ...). The simple user with some atributes from Ionic does not help much in those cases.
So I need to authorize the users not only inside the app but also against some custom API. And this is where my questions come up...what's the best way to do this?
Some things that came to my mind:
When creating the user in Ionic, also create the same user with the same email and password in my API. So I can make authorized requests. But this does not user any token and I would have to pass my password in every request, also I am worried about data consistency. What if the user changes its password?
Use the internal Ionic user ID, create one global token and use user ID and global token to authenticate the user in my API. But is this secure?
Another worry in my mind: If I save user name, email etc in the Ionic Auth system I would have to access it via their API every time I need it in my own system. For example: A user orders a product in the app. Then my system needs to send out a confirmation to the user. I would have to access the Ionic API to know that users email...and so own.
I think this is all confusing.
Is Ionic Auth not made for those situation? Then, I don't see what it's made for at all...
Is ionic Auth just not there yet...?
Am I just not getting it?
I'm evaluating whether to use Ionic's cloud Auth service and it seems like it's relatively easy to implement client-side, where you can check this.auth.isAuthenticated. You can also set the user info from the client side as well.
However, if I want to do check their identity server-side, such as check that a user is authenticated when they call my custom api to post a comment - how can I get some sort of token (preferably a JWT token) that I can use to validate their identity server-side? Assuming we are using email/password authentication.
Also - using their send notification on a user's birthday example, how can I query the user data in ionic cloud's database to say find all users who have a birthday today. Can I export out the user data in any way if I want to migrate away in the future?
You should implement a JWT authentication service server side.
In other words when the user is authenticated, the app can send a JWT token to the server which should be evaluated to trust the remote user.
For more info reads: https://docs.ionic.io/services/auth/custom-auth.html
A php example here: https://github.com/driftyco/custom-auth-examples/tree/master/php
Regards from Italy
If I add authentication in Azure Mobile Service with Google as the provider, I go and create an app, get the app_id and secret and plug it in. Great, now users can authenticate with google and get a user token. Now they are considered an "authenticated user" wrt the table permissions.
However, I don't want to authorize everyone with a google account access to my API. Is it possible to limit this to a list of known users? Must I check every request for specific user ids?
Perhaps social login is not the best choice here and I should use something else like Azure AD?
We added custom authentication provider to wams and synchronize the social account with "our" user-account that is stored in the database. For protected web api methods a user account needs to be activated first. You have to check manually whether an account is activated/ high privileged or not and return the result or unauthorized status code.
I decided to use Azure Active Directory to solve this problem. This way, I can create users in Azure AD but not have to manage users myself in the back end. With this choice I am still able to chose the only authenticated users permission level without having to check on every rest endpoint that the authentication users is one of the ones I want to grant access to.